TEIN Shibboleth Training Course
Introduction to SAML/Shibboleth
at ComLabs USDI ITB, 2014-01-18
Identity Federation with SSO/Shibboleth technology
Separation of Authentication (authN) and Authorization (authZ)
- An IdP manages "Identity" information and authenticates users
- SPs refer to the result of authN (e.g. the password matched) and the identity information (assertion)
- The Federation provides "Trust" among IdPs and SPs by defining a "policy"

SSO technology preserves privacy
- The IdP sends the least attributes (personal information) to the SP
- An SP should clarify its list of required attributes (mandatory/optional)
- The IdP admin can obtain agreement from users to send out attributes
[Figure: Without separation (past), the user sends ID/PW to each SP separately (1st access, ID/PW; 2nd access, ID/PW) and each SP holds its own ID and attributes. With separation, the user sends ID/PW once to the IdP on the 1st access, the SP receives an assertion by redirection, and the 2nd access to another SP needs no password.]
[Figure: federated login walk-through. Steps: 1. Login by Fed, 2. Select Home Org (at the DS, Discovery Service), 3. Input ID & Pass (at the IdP, Identity Provider), 4. Complete Login. User TARO SUZUKI wants to download a PPV paper in CiNii: the SP (Service Provider) redirects to the IdP of his University, which checks the ID & Password against its Personal Info DB and answers "He/She is a member of our University" in a SAML attribute assertion, so the SP says "Please DL". When he then wants to download from Science Direct as well, and later to update a RefWorks record, each SP redirects to the IdP and back immediately (without entering the password): "You have authned. Please ...". Once they've logged in, this is Single Sign On.]
Benefits:
- Facilitate remote access
- Improve usability by SSO
- etc.
[Figure: SSO across the paper workflow: Search Paper, Read Paper and Manage Paper, with SSO between the services.]
The Federation is a secure, scalable and easy-login architecture that uses the international standard protocol SAML.
[Figure: the IdP (Authentication) and the SP (Authorization) exchange attributes such as Organization Name, Affiliation, Opaque ID, Mail Address, etc.]
SAML: a standard that allows secure web domains to exchange user authN and authZ data; standardized by OASIS.
Shibboleth: an open source project launched by EDUCAUSE/Internet2 in 2000, http://shibboleth.net/
- De facto standard in academic access management federations; widely used by European federations in addition to the US
- simpleSAMLphp, mainly used by Nordic countries, is the other choice
[Figure: the Shibboleth IdP and the Shibboleth SP sit between the user info store (LDAP) and the SAML standard, acting like a filter that mediates SAML messages.]
Example SAML 2.0 assertion issued by the IdP (reassembled in document order; shown, as on the slides, without namespace declarations and without the XML Signature):

    <saml2:Assertion ID="XXXX" IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0">
      <saml2:Issuer>https://idp.nii.ac.jp/idp/shibboleth</saml2:Issuer>
      <saml2:Subject>
        <saml2:EncryptedID>…</saml2:EncryptedID>
        <saml2:SubjectConfirmation Method="bearer">
          <saml2:SubjectConfirmationData Address="150.100.253.2" InResponseTo="YYYY"
              NotOnOrAfter="2012-06-24T17:28:34.237Z"
              Recipient="https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST" />
        </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z" NotOnOrAfter="2012-06-24T17:28:34.237Z">
        <saml2:AudienceRestriction>
          <saml2:Audience>https://mcus.nii.ac.jp/shibboleth-sp</saml2:Audience>
        </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2012-06-24T17:12:05.463Z" SessionIndex="ZZZZ">
        <saml2:SubjectLocality Address="150.100.253.2" />
        <saml2:AuthnContext>
          <saml2:AuthnContextClassRef>PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="eduPersonAffiliation">
          <saml2:AttributeValue xsi:type="xs:string">faculty</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
    </saml2:Assertion>
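Added example (not from the slides): the checks an SP must make on a bearer assertion like the one above before trusting it, run against a copy of that assertion constructed here with namespace declarations added. Verification of the XML Signature against the IdP certificate from federation metadata is assumed to have happened first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the assertion from the slides with namespace declarations added so it parses,
# the bearer Method written out in full, and EncryptedID and the XML Signature left out.
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="XXXX"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0"><saml2:Issuer>https://idp.nii.ac.jp/idp/shibboleth</saml2:Issuer>
 <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml2:SubjectConfirmationData Address="150.100.253.2" InResponseTo="YYYY" NotOnOrAfter="2012-06-24T17:28:34.237Z"
   Recipient="https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject>
 <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z" NotOnOrAfter="2012-06-24T17:28:34.237Z">
  <saml2:AudienceRestriction><saml2:Audience>https://mcus.nii.ac.jp/shibboleth-sp</saml2:Audience></saml2:AudienceRestriction>
 </saml2:Conditions><saml2:AttributeStatement><saml2:Attribute FriendlyName="eduPersonAffiliation">
  <saml2:AttributeValue xsi:type="xs:string">faculty</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
</saml2:Assertion>"""

def _ts(s):  # SAML timestamps are UTC, e.g. 2012-06-24T17:28:34.237Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_bearer_assertion(xml_text, now_utc, sp_entity_id, acs_url, request_id):
    """Reasons an SP must reject the assertion (empty list = accept). The XML Signature check
    against the IdP certificate taken from federation metadata is assumed to precede this."""
    a, now, errs = ET.fromstring(xml_text), _ts(now_utc), []
    cond = a.find("saml2:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        errs.append("outside Conditions validity window")
    if sp_entity_id not in [e.text for e in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]:
        errs.append("Audience is not this SP's entityID")  # assertion was issued for another SP
    scd = next((sc.find("saml2:SubjectConfirmationData", NS) for sc in
                a.iterfind("saml2:Subject/saml2:SubjectConfirmation", NS) if sc.get("Method") == BEARER), None)
    if scd is None:
        return errs + ["no bearer SubjectConfirmation"]
    if scd.get("Recipient") != acs_url:
        errs.append("Recipient is not this SP's assertion consumer URL")
    if scd.get("InResponseTo") != request_id:
        errs.append("InResponseTo does not match an outstanding AuthnRequest")  # replay or unsolicited
    if now >= _ts(scd.get("NotOnOrAfter")):
        errs.append("bearer confirmation expired")
    return errs

def attributes(xml_text):
    """FriendlyName -> values; only read these after check_bearer_assertion returned []."""
    return {attr.get("FriendlyName"): [v.text for v in attr.iterfind("saml2:AttributeValue", NS)]
            for attr in ET.fromstring(xml_text).iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
```

The five-minute NotOnOrAfter window and the InResponseTo match are what stop a captured assertion from being posted again later or to a different SP.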
Redirection to collaborate among SP/DS/IdP
- HTTP redirect
- JavaScript (automatic POST of the assertion)
Cookie management: session information is memorized in cookies
- Selected IdP on the DS (Discovery Service)
- Status of being authenticated on an IdP
- Status of being authorized on an SP
Session encryption with SSL (server certificate), to protect the password and cookies from wiretapping
[Figure: message sequence among the User, DS (Discovery Service), SP (Resource Provider) and IdP (Home Org), numbered steps 1 to 9; attribute information is carried over HTTPS and access is approved.]
Demo: http://www.switch.ch/aai/demo/
Assertion via Front-channel (SAML 2.0; requires JavaScript)
(1) access to SP
(2) redirect to IdP
(3) request for authentication
(4) ID and password
(5) assertion with attributes

Assertion via Back-channel (SAML 1.3)
(1) access to SP
(2) redirect to IdP
(3) request for authentication
(4) ID and password
(5) handle for attribute request
(6) request for attributes with handle
(7) assertion with attributes

(Sequences on DS access omitted)
IdP selection at the DS
- Kept for a month or longer, or cleared after the browser is closed
- You can choose which at IdP selection (check box)
IdP session (you have been authenticated)
- Cleared after the browser is closed (logout by close)
- Even if the browser is not closed, the session timeout is managed by the IdP
- Re-authentication may be required by a change of IP address at the client side
SP session
- Cleared after the browser is closed (logout by close)
- Cleared by clicking the logout button on the SP
[Figure: the Federation registers metadata from each IdP (Home Org) and SP (Resource Provider) and distributes it (download) to the SPs, the IdPs and the DS (Discovery Service); the User interacts with all three.]
The number of contracts can be reduced from N×M to N+M by introducing a uniform policy.
[Figure: with many bilateral contracts, every IdP contracts with every SP; with a Trust Framework, each IdP and SP contracts once with the Trust Framework Provider (TFP).]
Federation Metadata
- Signed Info
- IdP Info: IdP-A Info, IdP-B Info, ...
- SP Info: SP-A Info, SP-B Info, ...
Entity Metadata (IdP), e.g. IdP-A: ID of IdP-A (= entityID), Certificate, Protocol, Organization Info, ...
Entity Metadata (SP), e.g. SP-A: ID of SP-A (= entityID), Certificate, Protocol, Organization Info, ...
[Figure: the Federation's Metadata Repository holds the Federation Metadata built from the Entity Metadata of IdP A, IdP B, IdP C and SP A, SP B, SP C; the DS (Discovery Service) reads it.]
The reliability of the relying party is confirmed by the signed metadata.
[Figure: Shibboleth architecture.
 IdP (in Tomcat): SSO Profile, AuthN Engine with a Username/Password AuthN Form, Attribute Authority; backed by an AuthN DB and an Attribute DB (LDAP/AD).
 SP (Apache/IIS): Shibboleth Module (mod_shib) in the web server in front of the Web Resource, and the Shibboleth Daemon (shibd) with SessionInitiator (DS) and Assertion Consumer (SAML POST).
 The Browser talks to the IdP and the SP over https (front channel); the SP and the IdP also talk directly over https (back channel; port numbers 443, 4443 or 8443, it depends on each SP).]
Access control in .htaccess on the SP (from the figure):
    # .htaccess
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
[Figure: configuration files.
 Shibboleth IdP: attribute-resolver.xml (attributes pulled from LDAP), attribute-filter.xml, relying-party.xml, handler.xml, login.config; federation metadata from the Trust repository held in a BackingFile.
 Shibboleth SP: shibboleth2.xml, attribute-map.xml, attribute-policy.xml, httpd.conf / .htaccess (AccessControl); federation metadata held in a BackingFile; received SAML attributes are passed to the WebApp as environment variables.]
Name (abbreviation) Description
OrganizationName (o) English name of the organization
jaOrganizationName (jao) Japanese name of the organization
OrganizationalUnit (ou) English name of a unit in the organization
jaOrganizationalUnit (jaou) Japanese name of a unit in the organization
eduPersonPrincipalName (eppn) Uniquely identifies an entity in GakuNin
eduPersonTargetedID A pseudonym of an entity in GakuNin
eduPersonAffiliation Staff, Faculty, Student, Member
eduPersonScopedAffiliation Staff, Faculty, Student, Member with scope
eduPersonEntitlement Qualification to use a specific application
SurName (sn) Surname in English
jaSurName (jasn) Surname in Japanese
givenName Given name in English
jaGivenName Given name in Japanese
displayName Displayed name in English
jaDisplayName Displayed name in Japanese
mail E-mail address
gakuninScopedPersonalUniqueCode Student or faculty, staff number with scope
Attributes managed by an IdP: the released attributes are different among SPs, e.g.
- SP-A (2 attributes required): eppn (mandatory), eduPersonAffiliation (optional)
- SP-B (1 attribute required): eduPersonAffiliation (mandatory)
- SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)
Anonymous: no identifier is sent
- Fit for e-Journals (any member (of a department) of the organization can access)
Autonymous: eduPersonPrincipalName is sent
- Unique identifier shared by all SPs (globally unique), similar to an e-mail address
Pseudonymous: eduPersonTargetedID is sent [hash(ePPN, entityID of SP)]
- Persistent unique identifier specific to each SP, to avoid correlation of user activities among SPs
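Added example (not from the slides or the Shibboleth project): deriving a per-SP eduPersonTargetedID from the slide's hash(ePPN, entityID of SP), to show why the same user cannot be correlated across SPs. The concatenation layout, SHA-1, base64 and the secret salt are assumptions here; the entity IDs and ePPN are constructed from the training hostnames.

```python
import base64
import hashlib

def computed_targeted_id(sp_entity_id, source_id, salt):
    """Assumed layout: base64(sha1(spEntityID + "!" + sourceId + "!" + salt)).
    source_id is a stable local key for the user (the ePPN on the slide); salt is a long
    random secret that never leaves the IdP, so nobody outside can recompute the value."""
    digest = hashlib.sha1(f"{sp_entity_id}!{source_id}!{salt}".encode()).digest()
    return base64.b64encode(digest).decode()

def persistent_id(idp_entity_id, sp_entity_id, value):
    """String form the SP sees as persistent-id: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"

def release(eppn, salt, idp_entity_id, sp_entity_ids, per_sp=True):
    """What each SP receives for one user. per_sp=False drops the SP entityID from the hash,
    which turns the pseudonym into a single global identifier (autonymous behaviour)."""
    return {sp: persistent_id(idp_entity_id, sp, computed_targeted_id(sp if per_sp else "", eppn, salt))
            for sp in sp_entity_ids}

def linkable(ids):
    """True if two SPs could join their user records on the identifier value alone."""
    values = [i.rsplit("!", 1)[1] for i in ids.values()]
    return len(set(values)) < len(values)

# Constructed sample values (the salt is a placeholder, not a real secret)
IDP = "https://idp.example.asia/idp/shibboleth"
SPS = ["https://sp.example.asia/shibboleth", "https://sp2.example.asia/shibboleth"]
EPPN, SALT = "taro@example.asia", "CONSTRUCTED-SALT-replace-with-a-long-random-secret"
```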
[Figure: training environment. The Host OS (Windows / Mac) runs a browser and VirtualBox with CentOS VMs: idp.example.asia (with LDAP) and sp.example.asia, plus sp2.example.asia made as a copy. A "Host-only" network lets the VMs communicate with each other; a "NAT" network gives access to the Internet.]
- No DS (Discovery Service) is provided
- Use /etc/hosts instead of DNS
1. Configure not to send out any attributes to all SPs.
2. Configure to send out only "eduPersonTargetedID" and "eduPersonPrincipalName" to all SPs.
3. Configure to send out only "eduPersonTargetedID" for an SP.
4. Configure to send out "admin" as a value of "eduPersonEntitlement" for a user. Ref.: https://wiki.shibboleth.net/confluence/x/GoBC
5. Configure to filter values on "eduPersonEntitlement" to send out only a specific value for an SP. Ref.: https://wiki.shibboleth.net/confluence/x/84BC
1. Configure to filter out all attributes received at an SP.
2. Configure on an IdP to send out multiple values on “eduPersonEntitlement”, then configure on an SP to filter them except one value
3. Configure on an IdP to send out a new attribute named “trainingTestAttribute”, then on an SP to receive it.
1. Confirm that the password is not required when you access a second SP (SSO)
2. Authorize users who are "staff" according to "eduPersonAffiliation"
3. Authorize users when "test" is included in "eduPersonEntitlement"
4. LazySession feature Ref.: https://wiki.shibboleth.net/confluence/x/bYFC
5. ForceAuthentication (forceAuthn) feature Ref.: https://wiki.shibboleth.net/confluence/x/SIBC
6. PassiveAuthentication (isPassive) feature Ref.: https://wiki.shibboleth.net/confluence/x/SIBC