Shibboleth authentication for Sync & Share - Lessons learned

Similar documents
Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Add OKTA as an Identity Provider in EAA

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

SAML-Based SSO Solution

Morningstar ByAllAccounts SAML Connectivity Guide

Identity Provider for SAP Single Sign-On and SAP Identity Management

Advanced Configuration for SAML Authentication

SAML-Based SSO Solution

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

CAS, Shibboleth, And an evolving SSO approach

Canadian Access Federation: Trust Assertion Document (TAD)

All about SAML End-to-end Tableau and OKTA integration

Attribute Release Update

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

The EGI AAI CheckIn Service

Single Logout with the SWITCH edu-id IdP

CLI users are not listed on the Cisco Prime Collaboration User Management page.

One small step for the Shib admin, one giant leap for the SAML community?

Canadian Access Federation: Trust Assertion Document (TAD)

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

SafeNet Authentication Manager

Setting Up the Server

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Integrating YuJa Active Learning into Google Apps via SAML

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

U.S. E-Authentication Interoperability Lab Engineer

D9.2.2 AD FS via SAML2

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

Introducing Shibboleth. Sebastian Rieger

Canadian Access Federation: Trust Assertion Document (TAD)

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

AAI Account checking Or how to find and kill zombie users :-) Lukas Hämmerle

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

How to Survive the Zombie Apocalypse

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

CA SiteMinder Federation

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

ForgeRock Access Management Customization and APIs

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

Géant-TrustBroker Dynamic inter-federation identity management

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Introduction to application management

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Canadian Access Federation: Trust Assertion Document (TAD)

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

ComponentSpace SAML v2.0 Okta Integration Guide

Okta Integration Guide for Web Access Management with F5 BIG-IP

RSA SecurID Access SAML Configuration for Kanban Tool

Configuring Alfresco Cloud with ADFS 3.0

Embedded WAYF A slightly new approach to the discovery problem. Lukas Hämmerle

Shibboleth/Federation Operator Tutorial TIIME Workshop DAASI International. Date: 6 Feb 2018

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

1. General requirements

Liberty Alliance Project

SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

Attribute Release. Contractual Matters

New trends in Identity Management

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

Demystifying Identity Federation. Colleen Murphy ~ cmurphy

Configuring Single Sign-on from the VMware Identity Manager Service to Exterro E-Discovery

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Shibboleth Plumbing: Implementation and Architecture

This section includes troubleshooting topics about single sign-on (SSO) issues.

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Integration Guide. SafeNet Authentication Service. Protecting SugarCRM with SAS

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

RSA SecurID Access SAML Configuration for Samanage

TECHNICAL GUIDE SSO SAML Azure AD

Configuration Guide - Single-Sign On for OneDesk

Google SAML Integration

Oracle Access Manager Configuration Guide

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

Liferay Security Features Overview. How Liferay Approaches Security

SafeNet Authentication Manager

Canadian Access Federation: Trust Assertion Document (TAD)

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Oracle Utilities Opower Solution Extension Partner SSO

BI Office. Web Authentication Model Guide Version 6

ArrayOS AG Release Note

maxecurity Product Suite

Setting up a Shibboleth SP

Unity Connection Version 10.5 SAML SSO Configuration Example

2 Oracle WebLogic Overview Prerequisites Baseline Architecture...6

Canadian Access Federation: Trust Assertion Document (TAD)

Transcription:

Shibboleth authentication for Sync & Share - Lessons learned Enno Gröper Abteilung 4 - Systemsoftware und Kommunikation Computer- und Medienservice Humboldt-Universität zu Berlin 30 Jan 2018

Overview Introduction to Shibboleth Integrating Shibboleth into Sync & Share service What about Logout?

Overview Introduction to Shibboleth Integrating Shibboleth into Sync & Share service What about Logout?

What is Shibboleth? Authentication architecture with focus on privacy Service provider gets only the necessary information (attributes) about the user No user credentials at the service provider Based on Security Assertion Markup Language (SAML) source: CC BY-SA 3.0 https://wiki.shibboleth.net/confluence/display/concept

Why (not) Shibboleth? Pro: Don t have to worry about the users credentials Possibility to reach many (university) users using federations (national like DFN-AAI and worldwide like EduGAIN) Single Sign On system Contra: Currently no way for SP to query user status Did the account get deleted? Did it get locked? Usually needs a webbrowser (no CLI or API)

Overview Introduction to Shibboleth Integrating Shibboleth into Sync & Share service What about Logout?

How to use Shibboleth in CSS service Use Shibboleth-capable Webserver (Apache preferred) Install and configure shibboleth-sp Configure shib-protection in Webserver Enable Shibboleth support in Webapp Register your SP with your IdP (send metadata to IdP admin)

Shibboleth login flow /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow Login Request /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow Intercepted if no valid shibboleth session in place /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow User gets redirected to IdP for login /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow IdP sends user info to SP endpoint /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow User is redirected to /shib-login/ /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow User is logged into Seafile webapp /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Shibboleth login flow User is redirected to target url /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile

Login summary Apache / webserver Manages / distributes requests Handles SSL Sync & Share webapp (i.e. Seafile) Transfers shibboleth login on specific endpoint into normal webapp session Shibboleth-sp Talks to IdP Provides endpoints for IdP Validates attributes

Metadata - Describing your service Description of service Api (SAML) endpoints SP certificate May be the same as https server certificate Need to care about this in case of rollover! SP acts as client and server, needs matching extensions! Needed user data (attributes), required or optional Required state of an attribute is only informational and may be ignored by IdP! No complex logic possible (each attribute is either required or not) relevant standard: eduperson Object Class Specification

Metadata - What attributes are needed? Service needs to uniquely identify the user Need to ensure noone else gets access to the (shared) data Need to ensure the user retains control of his data Other users need to uniquely identify the user Whom am I sharing data with / giving access to my files?

Metadata - attributes to identify a person format edupersontargetedid https://idp.home.edu/ shibboleth!http:// box.hu-berlin.de/<uuid> edupersonuniqueid <hash>@home.edu eduperson- PrincipalName <account>@ home.edu uniqueness per person per person and service per person humanfriendly yes no no persistence may be reassigned no required lifetime yes (may never be after locally defined ( should be longer than a reused) period of single user interaction ) dormancy, or even changed remarks some institutions don t like to share account names (privacy, attack vector) best for privacy, in practice usually longer lifetimes? relatively new, in eduperson specification since 10/2013, not widely adopted yet?

Metadata - which attributes used in Seafile? Checking attributes in SP using AttrChecker: https://github.com/cscfi/shibboleth-attrchecker <Handler type="attributechecker" Location="/AttrChecker" [...]> <AND> <OR> <Rule require="displayname"/> <AND> <Rule require="sn"/> <Rule require="givenname"/> </AND> </OR> <OR> <Rule require="eppn"/> <AND> <Rule require="edupersonuniqueid"/> <Rule require="mail"/> </AND> </OR> </AND> </Handler>

AttrChecker example

AttrChecker example

Integration into federations National federations (DFN-AAI) - contract between institution and federation operator edugain Least common denominator of all connected national federations (if you obey the rules of your national federation, you are fine) Data protection code of conduct Defines behavioral rules for SPs which want to receive user attributes from IdPs Standardized privacy statement in English Better chance to get user attributes, if conformance with CoC assured? Need to integrate federation metadata

Statistics Supporting DFN-AAI federation for nine month Around 70 external users (of 3200) Contact with 21 home institutions, four in the area of Berlin 25 tickets about needed attributes, that were not provided Two failed negotiations about attribute transfer One time we had to fill and sign a form Four institutions worked out-of-the-box min max # # 3 # > 3 10 # 14 0 51 16 8 1 7 Table: duration for successful attribute transfer in days

Overview Introduction to Shibboleth Integrating Shibboleth into Sync & Share service What about Logout?

What s the problem? Doing logout...

What s the problem? Back to login...

What s the problem? Starting relogin...

What s the problem? Back in without providing any credentials!

How to solve it? Close browser (and cross fingers!)? Not very convenient, some users use multiple tabs nowadays Some browsers don t honor the end of session setting of cookie (or never end their session) Delete session cookies by hand? Inconvenient Too complex for most users

Implementing Single Logout Sessions we need to care about Webapp session Shibboleth SP session Shibboleth IdP session Types of logout Front channel Like login using user session and redirects Easy to implement Back channel No user session, IdP contacts SP and requests logout Needed if logout is initiated by another service Needs mapping of shibboleth SP session to webapp session Webapp doesn t do logout, but requests logout from shibboleth-sp

Thank you for your attention!

Shibboleth login flow User gets redirected to IdP for login /Shibboleth.sso/ /shib-login/ / shibboleth-sp seafile Which?

Connecting to the home organization Central Discovery Service (formerly WAY-F) Service of federation operator Easy to use Can t be customized or controlled Multiple federations only possible, if supported by federation operator Embedded Discovery Service (EDS) Webapp running inside your server A little bit harder to deploy Customizable and configurable Example: https://wiki.shibboleth.net/confluence/ display/eds10/embedded+discovery+service

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback