CAS, OpenID, Shibboleth, SAML: concepts, differences and examples

TEIN Shibboleth Training Course
Introduction to SAML/Shibboleth
at ComLabs USDI ITB, 2014-01-18
(updated version)
Identity Federation with SSO/Shibboleth technology

Separation of Authentication (authN) and Authorization (authZ)
- An IdP manages "identity" information and authenticates users.
- SPs rely on the result of authN (e.g. the password matched) and on the identity information (assertion).
- The Federation provides "trust" among IdPs and SPs by defining a "policy".

SSO technology preserves privacy
- The IdP sends the fewest attributes (personal information) to the SP.
- The SP should clarify its list of required attributes (mandatory/optional).
- The IdP admin can obtain the users' agreement to send out attributes.

[Figure: AuthN flow by the Federation. Without separation (past): the user sends ID/PW to each SP on the 1st access and again on the 2nd access, and each SP keeps its own ID and attributes. With separation: the user sends ID/PW once to the IdP on the 1st access, the IdP redirects to the SP with an assertion, and the 2nd access to another SP needs no ID/PW.]
Transition of Browser Screen

1. Login by Fed
2. Select Home Org
3. Input ID & Pass
4. Complete Login (Success)

[Figure: SP (Service Provider), DS (Discovery Service) and IdP (Identity Provider) of a University with its Personal Info DB. The user (TARO SUZUKI) wants to download a PPV paper in CiNii; the SP redirects to the IdP; the user enters ID & Password; the IdP answers "He/She is a member of our University" with a SAML assertion (attributes); the SP replies "Please DL". Once they've logged in, Single Sign On applies: the user wants to download from Science Direct as well and to update a RefWorks record, and each further SP is told "You have authned".]

Example of Utility by EJ related SPs

[Figure: search paper, read paper, manage paper across e-journal SPs with SSO. After the first login, access to another SP redirects to the IdP and back immediately (without entering the password).]

- Facilitate remote access
- Improve usability by SSO
- etc.
Simply Saying

The Federation is a secure, scalable and easy login architecture built on the international standard protocol SAML.

[Figure: the IdP provides Authentication and Attributes (Organization Name, Affiliation, Opaque ID, Mail Address, etc.) to the SP, which performs Authorization.]
SAML and Shibboleth

SAML (Security Assertion Markup Language)
- Standard that allows secure web domains to exchange user authN and authZ data
- Standardized by OASIS

Shibboleth
- Open source project launched by EDUCAUSE/Internet2 in 2000: http://shibboleth.net/
- De facto standard in academic access management federations
- Widely used by European federations in addition to the US
- simpleSAMLphp, mainly used by Nordic countries, is the other choice

Shibboleth is middleware based on SAML: something like a filter which mediates SAML messages.

[Figure: a University (User Info in LDAP) running a Shibboleth IdP and a Resource Provider running a Shibboleth SP, exchanging messages via the SAML standard.]
Example of SAML Assertion

    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     ID="XXXX" IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0">
      <saml2:Issuer>https://idp.nii.ac.jp/idp/shibboleth</saml2:Issuer>
      <saml2:Subject>
        <saml2:EncryptedID> … </saml2:EncryptedID>
        <!-- Method and AuthnContextClassRef values are shown abbreviated -->
        <saml2:SubjectConfirmation Method="bearer">
          <saml2:SubjectConfirmationData Address="150.100.253.2"
                                         InResponseTo="YYYY"
                                         NotOnOrAfter="2012-06-24T17:28:34.237Z"
                                         Recipient="https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST" />
        </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z" NotOnOrAfter="2012-06-24T17:28:34.237Z">
        <saml2:AudienceRestriction>
          <saml2:Audience>https://mcus.nii.ac.jp/shibboleth-sp</saml2:Audience>
        </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2012-06-24T17:12:05.463Z" SessionIndex="ZZZZ">
        <saml2:SubjectLocality Address="150.100.253.2" />
        <saml2:AuthnContext>
          <saml2:AuthnContextClassRef>PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="eduPersonAffiliation">
          <saml2:AttributeValue xsi:type="xs:string">faculty</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
    </saml2:Assertion>
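As an added example that is not part of the slides, the following Python models the checks a Shibboleth SP applies to the assertion above after verifying its XML signature: the Issuer must be an IdP listed in the federation metadata, the Audience and Recipient must be this SP's own entityID and assertion consumer URL, InResponseTo must match a request the SP actually sent (otherwise the assertion is replayed or unsolicited), and the NotBefore/NotOnOrAfter window must contain the current time. The sample assertion is the slide's, with standard namespace declarations added and the abbreviated values expanded to their URNs; the trusted-IdP set, the clock-skew tolerance and the sample clock are assumptions, and signature verification itself (which needs an xmlsec binding) is left out.

```python
# SP-side checks on a SAML 2.0 assertion (added example, not Shibboleth code).
# Signature verification is assumed to have been done already (it needs xmlsec).
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Sample assertion: the slide's values, re-assembled in document order with the
# namespace declarations the slide omits; the elided EncryptedID is left out.
ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="XXXX" IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0">
  <saml2:Issuer>https://idp.nii.ac.jp/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Address="150.100.253.2" InResponseTo="YYYY"
          NotOnOrAfter="2012-06-24T17:28:34.237Z" Recipient="https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z" NotOnOrAfter="2012-06-24T17:28:34.237Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://mcus.nii.ac.jp/shibboleth-sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2012-06-24T17:12:05.463Z" SessionIndex="ZZZZ">
    <saml2:SubjectLocality Address="150.100.253.2"/>
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonAffiliation">
      <saml2:AttributeValue xsi:type="xs:string">faculty</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# This SP's identity (values from the slide) and the IdPs it trusts, i.e. the IdP
# entityIDs found in the signed federation metadata (assumed set).
SP_ENTITY_ID = "https://mcus.nii.ac.jp/shibboleth-sp"
ACS_URL = "https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST"
TRUSTED_IDPS = {"https://idp.nii.ac.jp/idp/shibboleth"}
# Constructed clock inside the five-minute validity window, used by demo().
SAMPLE_NOW = dt.datetime(2012, 6, 24, 17, 25, tzinfo=dt.timezone.utc)


def _ts(value):
    # SAML timestamps are UTC with a trailing Z, e.g. 2012-06-24T17:28:34.237Z
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, sp_entity_id, acs_url, trusted_idps, outstanding_ids, now,
                    clock_skew=dt.timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means the assertion is acceptable.

    outstanding_ids: AuthnRequest IDs this SP issued and has not consumed yet, so a
    replayed or unsolicited assertion fails the InResponseTo check.
    clock_skew: tolerance on NotBefore/NotOnOrAfter (assumed value).
    """
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer not in trusted_idps:
        problems.append(f"untrusted issuer: {issuer}")
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now + clock_skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience mismatch: {audiences}")
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"recipient mismatch: {scd.get('Recipient')}")
        if scd.get("InResponseTo") not in outstanding_ids:
            problems.append("InResponseTo matches no outstanding request")
        if now - clock_skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    return problems


def attributes(xml_text):
    """Extract {FriendlyName: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("FriendlyName") or a.get("Name"): [v.text for v in a.findall("saml2:AttributeValue", NS)]
            for a in root.findall("saml2:AttributeStatement/saml2:Attribute", NS)}


def demo(minutes_later=0, audience=SP_ENTITY_ID, outstanding_ids=frozenset({"YYYY"})):
    # Run the checks on the sample assertion at SAMPLE_NOW shifted by minutes_later.
    now = SAMPLE_NOW + dt.timedelta(minutes=minutes_later)
    return check_assertion(ASSERTION_XML, audience, ACS_URL, TRUSTED_IDPS, outstanding_ids, now)
```

Calling `demo()` returns an empty list; `demo(minutes_later=10)` reports both the Conditions and the SubjectConfirmationData as expired, and `demo(outstanding_ids=frozenset())` shows how a replayed assertion is rejected by the InResponseTo check alone, even though every timestamp and audience value is still correct.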
Required key features for browsers

- Redirection, to collaborate among SP/DS/IdP
  - HTTP redirect
  - JavaScript (automatic POST of the assertion)
- Cookie management, to memorize session information on
  - the selected IdP on the DS (Discovery Service)
  - the status of being authenticated on an IdP
  - the status of being authorized on an SP
- Session encryption with SSL and a server certificate
  - to protect the password and cookies from wiretapping
Shibboleth Flow Diagram

[Figure: sequence among User, DS (Discovery Service), SP (Resource Provider) and IdP (Home Org), steps 1 to 9 over HTTPS, ending with Attributes delivered to the SP and Access Approved.]

You can also learn in detail at SWITCH's web site: http://www.switch.ch/aai/demo/
2 types of assertion handling

Assertion via front-channel (SAML 2.0)
(1) access to SP
(2) redirect to IdP
(3) request for authentication
(4) ID and password
(5) assertion with attributes (requires JavaScript)

Assertion via back-channel (SAML 1.3)
(1) access to SP
(2) redirect to IdP
(3) request for authentication
(4) ID and password
(5) handle for attribute request
(6) request for attributes with handle
(7) assertion with attributes

(Sequences on DS access omitted)

User interactions will be eliminated by "cookies"

[Figure: the Shibboleth flow diagram again (User, DS, SP, IdP, steps 1 to 9), with "Set Cookie" at three points of the sequence: at the DS, at the IdP, and at the SP after Attributes and Access Approved.]
Lifetime of a Cookie

- IdP selection at the DS
  - a month or longer, or cleared after the browser is closed
  - you can choose when selecting the IdP (check box)
- IdP session (you have been authenticated)
  - cleared after the browser is closed (logout by close)
  - even if the browser is not closed, the session timeout is managed by the IdP
  - re-authentication may be required by a change of IP address on the client side
- SP session
  - cleared after the browser is closed (logout by close)
  - or by clicking the logout button on the SP
Building Relying Party by Metadata

[Figure: IdP (Home Org), SP (Resource Provider) and DS (Discovery Service) each register their metadata with the Federation, which distributes (by download) the federation metadata to them.]

Effectiveness of trust framework

The number of contracts can be reduced from N×M to N+M by introducing a uniform policy.

[Figure: without a trust framework, every IdP contracts with every SP (many contracts); with a Trust Framework Provider (TFP), each IdP and SP signs a single contract with the TFP.]
Contents of Metadata (XML)

Federation Metadata
- Signed Info
- IdP Info: IdP-A Info, IdP-B Info, ...
- SP Info: SP-A Info, SP-B Info, ...

Entity Metadata (IdP), e.g. for IdP-A
- ID of IdP-A = entityID
- Certificate
- Protocol
- Organization Info
- ...

Entity Metadata (SP), e.g. for SP-A
- ID of SP-A = entityID
- Certificate
- Protocol
- Organization Info
- ...

An entity ≒ a relying party.

Building Relying Party by Metadata

[Figure: IdP A, B, C and SP A, B, C register their Entity Metadata with the Federation Repository, which publishes the Federation Metadata to the DS (Discovery Service) and to every IdP and SP.]

The reliability of a relying party is confirmed by the signed metadata.
Relationship among modules

[Figure: IdP side: Tomcat runs the Shibboleth IdP with the SSO Profile, AuthN Engine, Username/Password AuthN Form and Attribute Authority, backed by an AuthN DB (LDAP/AD) and an Attribute DB. SP side: Apache/IIS runs the Shibboleth Module (mod_shib) in front of the Web Resource, with the Shibboleth Daemon (shibd) providing the Session Initiator (DS) and Assertion Consumer (SAML POST). The Browser talks to both over https (front channel); the SP and the IdP may also talk to each other directly (back channel).]

Access control for the protected web resource (Shib 1.3):

    # .htaccess
    AuthType shibboleth
    ShibRequireSession On
    require valid-user

(port numbers: 443, 4443 or 8443; it depends on each SP)
Filtering of attributes and control of authorization

[Figure: Shibboleth IdP: LDAP feeds attribute-resolver.xml; attribute-filter.xml, relying-party.xml, handler.xml and login.config configure the IdP, with a metadata backing file for trust. Shibboleth SP: shibboleth2.xml, attribute-map.xml and attribute-policy.xml configure shibd, with its own metadata backing file; httpd (httpd.conf/.htaccess) applies AccessControl and passes the attributes to the WebApp as environment variables. Trust on both sides is anchored in the metadata repository, and the two sides exchange SAML.]
Control of attribute release

Attributes managed by an IdP:

Name (abbreviation)               | Description
----------------------------------|-----------------------------------------------
OrganizationName (o)              | English name of the organization
jaOrganizationName (jao)          | Japanese name of the organization
OrganizationalUnit (ou)           | English name of a unit in the organization
jaOrganizationalUnit (jaou)       | Japanese name of a unit in the organization
eduPersonPrincipalName (eppn)     | Uniquely identifies an entity in GakuNin
eduPersonTargetedID               | A pseudonym of an entity in GakuNin
eduPersonAffiliation              | Staff, Faculty, Student, Member
eduPersonScopedAffiliation        | Staff, Faculty, Student, Member with scope
eduPersonEntitlement              | Qualification to use a specific application
SurName (sn)                      | Surname in English
jaSurName (jasn)                  | Surname in Japanese
givenName                         | Given name in English
jaGivenName                       | Given name in Japanese
displayName                       | Displayed name in English
jaDisplayName                     | Displayed name in Japanese
mail                              | E-mail address
gakuninScopedPersonalUniqueCode   | Student, faculty or staff number with scope

Released attributes differ among SPs:
- SP-A (2 attributes required): eppn (mandatory), eduPersonAffiliation (optional)
- SP-B (1 attribute required): eduPersonAffiliation (mandatory)
- SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)
3 types of access on privacy

- Anonymous: no identifier is sent. Fit for e-Journals (any member of the organization, or of a department of it, can access).
- Autonymous: eduPersonPrincipalName is sent. A unique identifier shared by all SPs (globally unique), similar to an e-mail address.
- Pseudonymous: eduPersonTargetedID is sent [hash(ePPN, entityID of SP)]. A persistent unique identifier for each SP, to avoid correlation of user activities among SPs.
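The following Python is an added example, not Shibboleth's own code, that models the two slides above together: the IdP resolves a user's attributes, filters them per SP according to the SP-A / SP-B / SP-C rules (plus a per-value filter on eduPersonEntitlement of the kind the exercises ask for), and derives the pseudonymous eduPersonTargetedID as a salted hash over (ePPN, entityID of SP), so that each SP sees a stable identifier that it cannot link to the one another SP sees. It then shows the SP side deciding access on what it received, in the way the .htaccess `require` lines on the modules slide do. The policy format, the SP entityIDs, the user record, the salt and the authorize() rule syntax are all assumptions; Shibboleth expresses the same rules in attribute-filter.xml and httpd.conf/.htaccess, and its persistent-ID generator uses the IdP's own configured salt.

```python
# IdP attribute release and SP authorization model (added example, not Shibboleth code).
import base64
import hashlib

# Assumed SP entityIDs standing in for SP-A, SP-B and SP-C on the slide.
SP_A = "https://sp-a.example.asia/shibboleth"
SP_B = "https://sp-b.example.asia/shibboleth"
SP_C = "https://sp-c.example.asia/shibboleth"

# Constructed release policy: which attributes each SP may receive (unknown SP: nothing).
RELEASE_POLICY = {
    SP_A: {"eduPersonPrincipalName", "eduPersonAffiliation"},
    SP_B: {"eduPersonAffiliation"},
    SP_C: {"eduPersonTargetedID", "eduPersonEntitlement", "eduPersonScopedAffiliation"},
}
# Constructed per-value filter: SP-C only ever sees the "admin" entitlement value.
VALUE_FILTERS = {(SP_C, "eduPersonEntitlement"): {"admin"}}

# Assumed IdP secret; a different salt yields different pseudonyms for the same user.
IDP_SALT = b"constructed-idp-salt-do-not-reuse"

# Constructed user record, as an LDAP lookup would return it.
SAMPLE_USER = {
    "eppn": "taro@example.asia", "scope": "example.asia",
    "affiliations": ["staff"], "entitlements": ["admin", "test"], "mail": "taro@example.asia",
}


def targeted_id(eppn, sp_entity_id, salt=IDP_SALT):
    """Pseudonymous per-SP identifier: hash over (salt, ePPN, SP entityID).

    The same user gets a stable value at one SP and an unlinkable value at another,
    so SPs cannot correlate activity; without the secret salt an SP that already
    holds an ePPN could compute the pseudonym itself.
    """
    material = b"\x00".join([salt, eppn.encode(), sp_entity_id.encode()])
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def resolve_attributes(user, sp_entity_id):
    """Attribute resolver: build the full attribute set, including the per-SP targeted ID."""
    return {
        "eduPersonPrincipalName": [user["eppn"]],
        "eduPersonAffiliation": list(user["affiliations"]),
        "eduPersonScopedAffiliation": [f"{a}@{user['scope']}" for a in user["affiliations"]],
        "eduPersonEntitlement": list(user.get("entitlements", [])),
        "mail": [user["mail"]],
        "eduPersonTargetedID": [targeted_id(user["eppn"], sp_entity_id)],
    }


def release(user, sp_entity_id, policy=RELEASE_POLICY, value_filters=VALUE_FILTERS):
    """Attribute filter: keep only the attributes and values the policy allows for this SP."""
    allowed = policy.get(sp_entity_id, set())  # unknown SP: anonymous, nothing released
    released = {}
    for name, values in resolve_attributes(user, sp_entity_id).items():
        if name not in allowed:
            continue
        keep = value_filters.get((sp_entity_id, name))
        if keep is not None:
            values = [v for v in values if v in keep]
        if values:
            released[name] = values
    return released


def privacy_level(released):
    """Classify a released set as anonymous, pseudonymous or autonymous."""
    if "eduPersonPrincipalName" in released or "mail" in released:
        return "autonymous"
    if "eduPersonTargetedID" in released:
        return "pseudonymous"
    return "anonymous"


def authorize(received, rules):
    """SP access rule: grant if any (attribute, value) pair is present in what was received,
    like a set of alternative 'require' lines. An SP can only decide on attributes the IdP
    actually released to it."""
    return any(value in received.get(attr, []) for attr, value in rules)


if __name__ == "__main__":
    for sp in (SP_A, SP_B, SP_C, "https://unknown.example/sp"):
        got = release(SAMPLE_USER, sp)
        print(sp, privacy_level(got), got)
```

Running it prints one line per SP: SP-A receives eppn and affiliation (autonymous), SP-B only the affiliation (anonymous), SP-C a targeted ID, the scoped affiliation and the single "admin" entitlement (pseudonymous), and an SP absent from the policy receives nothing. Because SP-B never receives eduPersonEntitlement, an SP-side rule requiring the "test" entitlement cannot be satisfied there, which is the point of agreeing the required attribute list between SP and IdP.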
Environment of this training course

[Figure: Host OS (Windows / Mac) with a browser, running VirtualBox with CentOS VMs idp.example.asia and sp.example.asia, an LDAP server, and sp2.example.asia as a copy of the SP VM. A "host-only" network lets the VMs communicate with each other; a "NAT" network gives access to the Internet.]

- No DS (Discovery Service) provided
- Use /etc/hosts instead of DNS
Exercises after installation (1): Control of attribute release on IdP

1. Configure not to send out any attributes to all SPs.
2. Configure to send out only "eduPersonTargetedID" and "eduPersonPrincipalName" to all SPs.
3. Configure to send out only "eduPersonTargetedID" for an SP.
4. Configure to send out "admin" as a value of "eduPersonEntitlement" for a user. Ref.: https://wiki.shibboleth.net/confluence/x/GoBC
5. Configure to filter values of "eduPersonEntitlement" to send out only a specific value for an SP. Ref.: https://wiki.shibboleth.net/confluence/x/84BC

Exercises after installation (2): Control of attributes received by SP

1. Configure to filter out all attributes received at an SP.
2. Configure an IdP to send out multiple values of "eduPersonEntitlement", then configure an SP to filter them out except one value.
3. Configure an IdP to send out a new attribute named "trainingTestAttribute", then configure an SP to receive it.

Exercises after installation (3): Access management on SP

1. Confirm that the password is not required when you access a second SP (SSO).
2. Authorize users who are "staff" according to "eduPersonAffiliation".
3. Authorize users when "test" is included in "eduPersonEntitlement".
4. LazySession feature. Ref.: https://wiki.shibboleth.net/confluence/x/bYFC
5. ForceAuthentication (forceAuthn) feature. Ref.: https://wiki.shibboleth.net/confluence/x/SIBC
6. PassiveAuthentication (isPassive) feature. Ref.: https://wiki.shibboleth.net/confluence/x/SIBC