Introducing Shibboleth

Similar documents
Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Federated Identity Management Solutions

Integration of Shibboleth and (Web) Applications

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

Implementation Guide SAP NetWeaver Identity Management Identity Provider

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

IBM WebSphere Application Server

Extending DigiD to the Private Sector (DigiD-2)

Enabling SAML for Dynamic Identity Federation Management

SAML Security Option White Paper

Federated Identity Management

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Shibboleth Identity Provider (IdP) Sebastian Rieger

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

SAML-Based SSO Solution

Authentication and Single Sign On

SAML Single-Sign-On (SSO)

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

SAML-Based SSO Solution

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

SAML Profile for Privacy-enhanced Federated Identity Management

Software Design Document SAMLv2 IDP Proxying

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

SAML Authentication within Secret Server

Feide Technical Guide. Technical details for integrating a service into Feide

SAML Federated Identity at OASIS

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

How To Use Saml 2.0 Single Sign On With Qualysguard

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Lecture Notes for Advanced Web Security 2015

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

Web Based Single Sign-On and Access Control

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

TIB 2.0 Administration Functions Overview

Authentication Methods

IAM Application Integration Guide

Single Sign-On Implementation Guide

How Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data

Evaluation of different Open Source Identity management Systems

OIOSAML 2.0 Toolkits Test results May 2009

Federated Identity Management

Federating with Web Applications

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

Identity Assurance Hub Service SAML 2.0 Profile v1.2a

OpenID and identity management in consumer services on the Internet

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Agenda. How to configure

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Web Single Sign-On Authentication using SAML

Single Sign on Using SAML

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Connecting Web and Kerberos Single Sign On

Negotiating Trust in Identity Metasystem

Spring Security SAML module

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

PARTNER INTEGRATION GUIDE. Edition 1.0

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Copyright: WhosOnLocation Limited

Single Logout. TF-EMC Vienna 17 th February Kristóf Bajnok NIIF Institute

Flexible Identity Federation

An SAML Based SSO Architecture for Secure Data Exchange between User and OSS

Security As A Service Leveraged by Apache Projects. Oliver Wulff, Talend

Toward campus portal with shibboleth middleware

Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014

Using SAML for Single Sign-On in the SOA Software Platform

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

Getting Started with AD/LDAP SSO

IGI Portal architecture and interaction with a CA- online

T his feature is add-on service available to Enterprise accounts.

Single Sign-On Implementation Guide

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Biometric Single Sign-on using SAML

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Securing Web Services With SAML

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS

Securing Splunk with Single Sign On & SAML

Standalone SAML Attribute Authority With Shibboleth

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Single Sign-On: Reviewing the Field

Transcription:

workshop Introducing Shibboleth MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06

MPG-AAI MPG-AAI a MPG-wide Authentication & Authorization Infrastructure for access control to web-based resources using Shibboleth Framework plus own extensions What is it about Why MPG-AAI What is Shibboleth How does is work? 2

Authentication Authentication is about Identity - who am I and Trust - how can I prove it Real Wold Analogies electronic ID card your passport prove it's yours photo, biometric data... trust the issuer 3

Authorization Authorization is about Roles - What am I and Rights - what am I entitled to do therefore and Trust again who says so Real Wold Analogies: Going to the Movies your Role: moviegoer your Rights: watch the film proved by your obtained ticket issued by the cinema box office 4

IP (-Range) based Authorization IP based means Where are you from weak compensation for the central questions who are you & what are you allowed to do leads to jungle in network structure Uni Groups at MPG Campus or vice versa Spin-Off Companies on MPG Campus (while most contracts are for non-commercial use only) Subnets must be segregated changes are not notified overlaps not reflected hard to maintain error prone 5

Certificates reliable, very good concerning Trust, but hard to obtain (require PKI, show your ID) mainly intended for authentication relatively static (changes in user roles require a new certificate) Usability many users can't cope with certificates 6

Access Control at Service Level Allows fine grained access control based on Roles & Rights No (false) assumptions about locality of users Flexible and good to maintain (direct control) Problems (too) huge user space each application has its own Identity Management (IDM) Central Identity Management single point of failure hard to maintain (changes not notified etc.) Solution: Federated Approach - MPG-AAI with Shibboleth 7

Shibboleth AAI Middleware A shibboleth is a custom, phrase or use of language that acts as a test of belonging to a particular social group or class. By definition, it is used to exclude those deemed unsuitable to join this group. - Control by Division and Segregation. Shibboleth - A Federal Authentication & Authorization Middleware in a Distributed Environment Doris Salcedo, "Shibboleth", 2007, Installation at Tate Modern, London (Foto: Tate Modern) 8

What is Shibboleth for? Authentication federated Single Sign On (web browser) exploiting existing local authentication system Authorization attribute based access control in a distributed environment decoupled service protection from identity management no domain- or security-realm boundaries ( Internet Technology ) based on Security Assertion Markup Language (SAML) sophisticated abstraction of use-cases to support several communication profiles for exchanging security information Encryption & Signing by x.509 certificates 9

Components Service Provider (SP) ensure login request attributes access control Identity Provider (IdP) authentication & SSO provide attributes Discovery Service (DS) resolve users home site their hosting Identity Provider Attributes, SAML & Assertions exchange security information Federation through Metadata declare involved entities and communication endpoints 10

Flow Chart (simple) switch.ch 11

Flow Chart switch.ch 12

How it works... User requests a protected resource from a Service Provider Service Provider selects session initialization based on protection configuration decides which IdP or DS to use decides which communication profile to use redirects user to destined IdP or DS, respectively Discovery Service user selects his home site, his hosting IdP DS sets a cookie ('_saml_idp') with chosen IdP information and directs the requesting SP to the destined IdP (SSO Service) using redirects and said cookie 13

...how it works Identity Provider SSO-Service checks requests and in case redirects to configured LoginHandler SSO-Service authenticates user using existing IDM at the hosting site Attribute-Authority resolves attributes filters attribute according to release policy posts SAML assertions with authentication- & attribute-statement via an auto-submit post form to requesting SP Service Provider processes the posted SAML assertions retrieves attributes, mapping to httpd variables, filtering due to policy redirect to originally requested resource access control decision (mod_shib) based on access-rules & provided attributes attribute push 14

The MPG-AAI Federation

IdP-Proxy Connects MPG-AAI Federation with other Federations like DFN-AAI Proxy mechanism allows "delegated" authentication to other IdPs other Identity-Management-Services (IDM) like LDAP, databases etc... all retrieved SAML assertions are signed by the IdP(-Proxy) and provided to the requesting SP other Federations or external SPs need to maintain just this IdP as single relying-party Attributes might be further filtered or adapted by the IdP-proxy at the crossover to other federations (DFN-AAI) 17

IP/Web-Proxy Bridge between the MPG-AAI Federation and external Service Providers who don't have a Shibboleth interface and who's authorization is based on IP-addresses/ranges. maps users' institute to specific IP-address solves traveling scientist problem enables users to access such IP-protected service providers from remote locations (field-trip, from home,...) 18

Central Services Layout

Attributes basically simple string key-values pairs distributed architecture requires naming convention for exchanged attributes URIs as attribute names for uniqueness and namespace control leverage existing LDAP object class identifier urn:oid: e.g. "urn:oid:1.3.6.1.4.1.5923.1.1.1.7" use/register your own urn namespace urn:mace:, urn:geant: e.g. "urn:mace:dir:attribute-def:edupersonentitlement" create own URLs e.g. "https://myfederation.org/attributes/myownattbname" 20

Security Assertion Markup Language XML standard by OASIS for exchange of authentication & authorization information Short History SAML 1.0 as OASIS Standard in November 2002 SAML 1.1 as OASIS Standard in September 2003 SAML 2.0 as OASIS Standard in March 2005 SAML and Shibboleth SAML 1.1 implemented in Shibboleth 1.x SAML 2.0 implemented in Shibboleth 2.x (rel. March 2008) Compatibility SAML 2.0 substantially different to SAML 1.1 https://spaces.internet2.edu/display/shib/samldiffs Shibboleth 2.x is fully downward compatible to Shibboleth 1.3.x / SAML 1.1 21

SAML Components Stack Profiles use cases - specify how assertions, protocols & bindings combine to handle concrete use cases Bindings how - map SAML protocols to actual message/communication protocols Protocols what - specify elements of SAML assertion request/response pairs Assertions bare xml - package of security information IdP Discovery, Web-Browser SSO, SLO... Http-POST, SAML SOAP... Authn.Request, Assertion Query... Issuer, Subject... 22

Federation & Metadata Federation through metadata requires schema definition (policy) requires Discovery Service Metadata define participating entities define communication endpoints, SAML profile bindings certificates/public keys for encryption & signing 23

Metadata Identity Provider MD Service Provider MD EntityID IDPSSODescriptor ArtifactResolutionService NameIDFormat SingleSignOnService KeyDescriptor, Certificate AttributeAuthorityDescriptor AttributeService KeyDescriptor, Certificate EntityID SPSSODescriptor AssertionConsumerService ManageNameIDService SingleLogOut KeyDescriptor, Certificate Extension: DiscoveryResponse Sample Metadata 24

Shibboleth 2 Shibboleth 2.0 released March 2008 uses SAML 2.0, compatible to SAML 1.1 fully downward compatible to 1.3.x using attribute-push model usage of LDAP object class identifier (urn:oid:" namespace) as (default) attributes names Shibboleth 1.3.x announced for end-of-life by June 30, 2010 25

Thanks & Discussion Questions, Discussion... - Thank You for Your Attention - 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information