Shibboleth Plumbing: Implementation and Architecture

Transcription

1 Shibboleth Plumbing: Implementation and Architecture Nate Klingenstein Internet2

2 Overview Advanced Flows The IdP The SP The WAYF Thomas Lenggenhager Deployment Considerations Example Applications Handing off to deployment John Paschoud Questions & Answers 11/08/05 2

3 Shibboleth 1.2 & Earlier Identity Provider 5 6 WAYF Service Provider Web Site 7 1 HS Credentials Handle 8 ACS User DB AA 9 Handle Attributes 10 Handle AR Resource Manager Resource Attributes SWITCH 11/08/05 3

4 11/08/05 4 Shibboleth 1.3 Classical

5 Shibboleth 1.3 Attribute Push 11/08/05 5

6 Shibboleth 1.3 Artifact 11/08/05 6

7 Installation Ant Binaries Eclipse Build from source Installation of other packages (mod_jk) the hardest part Easy No, really, it is! Still too much vi; we're working on it 11/08/05 7

8 Shibboleth 1.3 Assertions & Bindings SAML 1.0/1.1 Authentication Assertion SAML 1.0/1.1 Attribute Assertion SAML 2.0 Metadata SAML 1.1 HTTP/POST & Artifact SOAP over HTTP over SSL/TLS Interoperability Burton Group eauthentication 11/08/05 8

9 1.3 Extended Profiles Lionshare GridShib ADFS Much simpler in /08/05 9

10 SAML & Shibboleth 2.0 Single Logout Authentication Request Decoupled from the web? Enhanced Client Profile (ECP) Interoperability 11/08/05 10

11 Delegation Allowing a third party to act on the behalf of a principal... With limitations Duration Permissions Used by portals, agents, etc. 11/08/05 11

12 Delegation Techniques Liberty Alliance WS-Trust draft-cantor-saml-sso-delegation Recursive Delegation 11/08/05 12

13 Steven Carmody of IEEE and Brown Identity Federation vs. Federated Identity Bi-directional Persistent Pseudonyms Expression of these pointers to third parties Handling requests based on these pointers What makes an IdP an IdP? Strong homology to delegation 11/08/05 13

14 Single Logout Many different kinds of session Inter-realm functionality exponentially compounds the problem Negative permissions are always hard 1.3: Cookies & homeurl SAML 2.0 Profile Implementation and application support will be critical The ultimate: close the browser 11/08/05 14

15 Naming Attributes urn:mace:dir:attribute-def urn:oid: Providers (providerid) Same for SP's and IdP's URI's (URL's or URN's) Unique string names; NOT resource locations... yet? 11/08/05 15

16 Federations One of many trust structures Do Not Exist in the code Facilitate trust and simplify transfer between IdP's and SP's... but it's all bilateral in the end How many federations will the world have? Peering? Metadata, attribute, and certificate translation? Dynamic trust? 11/08/05 16

17 Advanced Flows: More Boxes User Authentication Applications SSO Service Attribute Authority mod_shib, isapi_shib, etc. Protocol Engine Protocol Engine IdP Core NameID Resolver Attribute Resolver ARP Engine SP Core Session Cache Attribute Filtering Access Control Shibboleth Core Metadata Trust Credentials OpenSAML 11/08/05 17

18 Configuration Files Grand tour idp.xml httpd.conf server.xml jk.properties resolver.xml arp.site.xml Later, view them configured for applications 11/08/05 18

19 Attribute Resolver resolver.xml Java Generation JNDI JDBC Simple/Scoped 11/08/05 19

20 ARP's arp.site.xml Processing SHARPE 11/08/05 20

21 Authentication Apache/WebISO Tomcat/Java Multiple mechanism & LoA support Shibboleth authentication 2.0? 11/08/05 21

22 Logging & Auditing Logging Mechanisms Built-In Container logging JULI Log4J Errors Interrealm error considerations Debugging & production configuration Demonstrations 11/08/05 22

23 Production Deployment Efficiency Load Testing Statistics High Availability Failover Load Balancing Security 11/08/05 23

24 Recycled Boxes User Authentication Applications SSO Service Attribute Authority mod_shib, isapi_shib, etc. Protocol Engine Protocol Engine IdP Core NameID Resolver Attribute Resolver ARP Engine SP Core Session Cache Attribute Filtering Access Control Shibboleth Core Metadata Trust Credentials OpenSAML 11/08/05 24

25 Service Provider Request Mapping Web Server Webapps, pages, files, etc. AAP s and access decisions Lazy Session Initiation ProviderID Bob pid Scott App Alpha App Beta App Theta URL 1 URL 2 URL 3 URL 4 Attribute Release, Policy Atom Sessions, Most Settings Externally Visible Resources Resource Requests 11/08/05 25

26 Configuration Files shibboleth.xml / sp.xml server.xml web.xml httpd.conf AAP.xml 11/08/05 26

27 The Many Flavors of State Authentication Assertion SSO Login WAYF Choice Attributes Shibboleth Session Application Session 11/08/05 27

28 Lazy Session Initiation Allows access of URL's before Shibboleth intervenes Construct special URL's to trigger attribute release & authn/z URL to return URL of the request handler target=https%3a%2f%2ffoo.com%2fportal 11/08/05 28

29 AAP's Map SAML attributes to usable values Header variables Vary by web server Utterly extensible aap.xml 11/08/05 29

30 Constructing SP Policy Restraining attribute acceptance & scope Apache directives / web.xml shibboleth.xml Export assertions/attributes for applicationlayer decision metadata.xml 11/08/05 30

31 Application Integration Handoffs & expirations Some applications will need to be modified Storing preferences Mind (apologies to London) Examples: TWiki, Simple Portal Many others in production 11/08/05 31

32 The WAYF and the Resource Registry Thomas Lenggenhager -- SWITCH 11/08/05 32

33 Examples! 11/08/05 33

34 Protocol Security Load balancing at SP is straightforward ShibURLScheme checkaddress Assertion Confirmation Bearer assertion Holder of key SSL/TLS SAML = COOKIE 11/08/05 34

35 *Person persistentid Attribute Use Generated vs. database Auditing considerations edupersonentitlement Is it a privilege? Policy logic visibility Is it a dynamic group? Identity Defining new attributes Federation issue, or larger than that? 11/08/05 35

36 Scope Who can talk for whom? Who decides? What are they allowed to say? Metadata & SP Policy 11/08/05 36

37 Federation Operation Technical Needs Hosted metadata.xml Defined attributes? WAYF? Policy Needs Granularity Federation Peering? 11/08/05 37

38 John Paschoud Moving from development to production support 11/08/05 38

39 What do you want to do? Q and hopefully A shibboleth-users@internet2.edu ndk@internet2.edu 11/08/05 39