Design and Implementation of Web Forward Proxy with



Similar documents
Authentication Methods

Configuring Single Sign-on for WebVPN

Perceptive Experience Single Sign-On Solutions

SAML-Based SSO Solution

Investment Management System. Connectivity Guide. IMS Connectivity Guide Page 1 of 11

PARTNER INTEGRATION GUIDE. Edition 1.0

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Joining a Meeting. Before You Join a Meeting

Apache Server Implementation Guide

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

ShoreTel Advanced Applications Web Utilities

Agenda. How to configure

User Guide. The AMF's File Transfer Service (FTS)

Kerberos and Single Sign-On with HTTP

Blue Coat Security First Steps Solution for Integrating Authentication

Flexible Identity Federation

Kerberos and Single Sign On with HTTP

Download and Launch Instructions for WLC Client App Program

Internet Banking System Web Application Penetration Test Report

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

SonicWALL SSL VPN 3.0 HTTP(S) Reverse Proxy Support

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

CentraSite SSO with Trusted Reverse Proxy

Lecture 11 Web Application Security (part 1)

Configuring. Moodle. Chapter 82

WebNow Single Sign-On Solutions

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

This section includes troubleshooting topics about single sign-on (SSO) issues.

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

What is the Barracuda SSL VPN Server Agent?

LBSEC.

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Please evaluate this documentation on the following site:

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

ez Agent Administrator s Guide

SAML single sign-on configuration overview

Federated Access to an HTTP Web Service Using Apache (WSTIERIA Project Technical Note 1)

An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

How To Sync Google Drive On A Mac Computer With A Gmail Account On A Gcd (For A Student) On A Pc Or Mac Or Mac (For An Older Person) On An Ipad Or Ipad (For Older People) On

VMware Identity Manager Connector Installation and Configuration

Single Sign-On for the UQ Web

Access Gateway Guide Access Manager 4.0 SP1

Gateway Apps - Security Summary SECURITY SUMMARY

Citrix Access on SonicWALL SSL VPN

Setup Guide Access Manager 3.2 SP3

SAML 2.0 SSO Deployment with Okta

Proxies. Chapter 4. Network & Security Gildas Avoine

ProxyCap Help. Table of contents. Configuring ProxyCap Proxy Labs

2 Downloading Access Manager 3.1 SP4 IR1

Reverse Proxy Guide. Version 2.0 April 2016

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

Microsoft Dynamics CRM Server 2011 software requirements

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

Adobe Marketing Cloud Bloodhound for Mac 3.0

Startup guide for Zimonitor

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

How To Use Saml 2.0 Single Sign On With Qualysguard

How To Use Netiq Access Manager (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip

How to configure your Windows PC post migrating to Microsoft Office 365

Interwise Connect. Working with Reverse Proxy Version 7.x

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Change Advanced Proxy Server Configuration Settings

Authentication and Single Sign On

1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion

SAML Single-Sign-On (SSO)

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Cyber Security Workshop Ethical Web Hacking

Configuring Clientless SSL VPN

Apache Tomcat & Reverse Proxies

SSL VPN Server Guide Access Manager 3.1 SP5 January 2013

ADFS Integration Guidelines

Web Application Proxy

Installation Procedure SSL Certificates in IIS 7

Novell Access Manager

TIBCO Spotfire Platform IT Brief

Egnyte Single Sign-On (SSO) Installation for OneLogin

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: Document Version:

Configuring Clientless SSL VPN

isupplier PORTAL ACCESS SYSTEM REQUIREMENTS

Configuring the BIG-IP APM as a SAML 2.0 Identity Provider for Microsoft Office 365

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Deploying RSA ClearTrust with the FirePass controller

The course will be run on a Linux platform, but it is suitable for all UNIX based deployments.

Cleaning Encrypted Traffic

How to set up Outlook Anywhere on your home system

The LRS File Transfer Service offers a way to send and receive files in a secured environment

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

Logout Support on SP and Application

Connected Data. Connected Data requirements for SSO

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Single Logout. TF-EMC Vienna 17 th February Kristóf Bajnok NIIF Institute

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Crawl Proxy Installation and Configuration Guide

Introduction to Mobile Access Gateway Installation

Transcription:

Design and Implementation of Web Forward Proxy with Shibboleth Authentication KOMURA Takaaki SANO Hiroaki Kyoto University Kyoto University Library DEMIZU Noritoshi OCTOPATH corporation MAKIMURA Ken OCTOPATH corporation SAINT 2011 WS (MidArch) @ Munich 2011/07/21

Contents Proposal Overview Background Proposal Details Implementation and Evaluations 2

Proposal Overview Shibboleth Authentication introduced into proxy authentication scheme (Proxy Auth) (2) Authentication by IdP (1) Try to access via Proxy Shibboleth IdP (Identify Provider) (3) Access via Proxy (4) Proxy relay request Web Browser Forward dproxy Shibboleth SP (Service Provider) Web Server 3

BACKGROUND 4

Necessity of Proxy and Proxy Auth Three reasons Gateway from private network to the Internet Rapid incident response Keep track of access statistics for E Journal (EJ) sites License fee of EJ will be charged for departments depending on the number of downloading papers Forward Proxy for EJ has been installed in our university since 2006 5

Forward Proxy Browser Forward Proxy Web Server GET http://example.com/doc http://example.com GET http://example.com/doc 200 OK 200 OK 6

Authentication to use Forward Proxy Browser Forward Proxy Web Server GET http://example.com/doc http://example.com 407 Proxy Auth Required Proxy-Authenticate: Basic realm="xxxxxx" re epeat GET http://example.com/doc Proxy-Authorization: Basic BASE64ENC== 200 OK GET http://example.com/doc 200 OK 7

Problems of Existing Proxy Auth BASIC SCAuthentication i User ID and password travel in plain text across the network Digest Authentication The proxy needs Users raw password => Security risk is increased No method exists to distinguish proxy is real or fake ID and password might be exploited by fake proxy 8

Purpose and Proposal Purpose More secure Proxy Auth for users and administrators No modification on web browsers Modifications or plugins are unsuited to practical use Proposal Shibboleth Authentication capablecapable forward proxy 9

PROPOSAL DETAILS 10

Basic Idea Browser IdP (Identity Provider) Proxy as a SP (Service Provider) Web Server GET http://example.com/doc Auth Request (ID & password) Auth OK 302 HTTP redirect http://example.com Set-Cookie: LH741Q Issue session cookie repeat GET http://example.com/doc /d Cookie: LH741Q 200 OK Check session cookie and relay remaining requests GET http://example.com/doc 200 OK 11

Session Cookie Restriction Browsers send only the cookies which issued by the web server itself The proxy must pretend the web server when the cookies issue (Set Cookie) The proxy must issue new cookies whenever browser access to new web servers. Single Sign On scheme of Shibboleth could avoid bothering for a lot of re authentications 12

Ordinary Shibboleth Auth Flow Browser IdP SP GET http://example.com/doc/ POST ID and password SP endpoint POST https://example.com/shibboleth.sso/saml2/ Set-Cookie: LH741Q repeat GET http://example.com/doc/ Cookie: LH741Q 13

Browser Proposed Auth Flow IdP Forward Proxy Web Server GET http://example.com/doc/ GET https://proxy.net/shibboleth.sso/proxy/ Proxy SP module module https://proxy.net http://example.com POST https://proxy.net/shibboleth.sso/saml2/ GET http://example.com/shibboleth.sso/proxy/ Set-Cookie: LH741Q repe eat GET http://example.com/doc/ Cookie: LH741Q GET http://example.com/doc/ 14

The Role of New Endpoints Web Server Browser IdP Gather requests to all EJ sites into only one hostname to reduce patterns of SP metadata. proxy.net is registered as the SP in this example. GET http://example.com/doc/ GET https://proxy.net/shibboleth.sso/proxy/ Forward Proxy Proxy SP module module https://proxy.net http://example.com POST https://proxy.net/shibboleth.sso/saml2/ GET http://example.com/shibboleth.sso/proxy/ Set-Cookie: LH741Q repe eat GET http://example.com/doc/ Cookie: LH741Q GET http://example.com/doc/ To cope with session cookie restriction The forward proxy pretends the web server when session cookies is issued (Set Cookie) 15

IMPLEMENTATION AND EVALUATIONS 16

Implementation Shibboleth auth capable forward proxy (shibproxy) based on Shibboleth SP 2.4.2 880 lines modification (diff u style) supports new endpoints Apache 2.2.172 Not modified mod_proxy for forward proxy mod_rewrite for redirection to the new endpoints 17

Experiments and Results Prepare PAC file which hdirects browser to shibproxy for restricted access EJ sites University s official anonymous forward proxy for other sites PAC: Proxy Auto Configuration written in JavaScript Visit several EJ sites by 5 popular browsers IE8, Safari, Firefox, Opera and Chrome shibproxy work well User can access EJ sites through shibproxy Authentication is required only once Single Sign On for ordinary SPs work well 18

Some Problems and Solutions Third party cookie problems Some EJ sites use multiple host name eg e.g. www.example.com and portal.example.com (sibling servers under example.com) Send Set Cookie header with domain=.exmaple.com attribute No cookie is sent for some requests favicon.ico i OpenSearch pass through the requestswhose URLmatches regular expression (e.g. /favicom w*.ico$/ ) 19

Future Work Support HTTPS Our proposal can not support HTTPS Shibproxy can not intercept cookies in HTTPS session Reverse Proxy, wildcard certification or modification i protocol Hybrid Proxy (forward proxy + reverse proxy) HTTP forward proxy HTTPS reverse proxy Both can run on one host Both support Shibboleth SSO authentication 20

Conclusion Shibboleth capable bl forward proxy We will use the proxy to access to E Journal sites Theproxy pretendsthethe web server whencookies issue Some problems and solutions Third party cookie add domain attribute No cookie is sent for some resources pass thorough them specified by REGEXP Future work Hybrid forward reverse proxy for both HTTP and HTTPS 21

HTTPS Through Forward Proxy Browser Forward Proxy Web Server CONNECT example.com:443 http://example.com SSL encrypted GET http://example.com/doc 200 OK 22

Browser IdP Phantom URL Forward Proxy Web Server GET http://example.com/doc/ GET https://proxy.net/shibboleth.sso/proxy/ Proxy SP module module https://proxy.net http://example.com Phantom URL POST https://proxy.net/shibboleth.sso/saml2/ Redirect to phantom URL repe eat GET http://example.com/shibboleth.sso/proxy/ Set-Cookie: LH741Q GET http://example.com/doc/ Cookie: LH741Q Cookie for the Web Server GET http://example.com/doc/ 23

PROPOSAL OVERVIEW 24

icons Origin Server Browser DS Proxy IdP SP Cookei: LH741Q Origin Server Browser DS Proxy IdP 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information