shibboleth service provider workshop
DESCRIPTION
Shibboleth Service Provider Workshop. Bart Ophelders - Philip Brusten [email protected]. June 2010. Shibboleth Service provider workshop. This work is licensed under a Creative Commons Attribution- ShareAlike 3.0 Unported License. Acknowledgements. - PowerPoint PPT PresentationTRANSCRIPT
2
Shibboleth Service provider workshop
• This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
3
Acknowledgements
• What's new in Shibboleth 2 – Chad La Joie• [SAMLConf]
http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
• Liberty interoperability testing: http://projectliberty.org/liberty/liberty_interoperable/implementations
• Shibboleth 2.0 InstallFest Service Provider Material – Ann Arbor, MI
• SP Hands-on Session – SWITCH• https://spaces.internet2.edu/display/SHIB2
4
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
5
Introduction: “What is Shibboleth?”
• Quote from http://shibboleth.internet2.edu:
The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
6
Introduction: “What is Shibboleth?”
• Terminology
– Authentication: says who we are
– Authorization: says which resource we can access
– SP: Service Provider (Resource)
– IdP: Identity Provider (Home organisation)
– WAYF: Where Are You From
– DS: Discovery Service
7
Architecture Shibboleth v1.3
WAYF
User Agent/Browser
Identity Provider Webserver
Ide
ntit
y P
rovi
de
r
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Components:
Identity Provider (IdP) – Service Provider (SP) – Where Are You From (WAYF) – User Agent (UA)
HTTP redirectHTTP interaction
8
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
SAML1.1 profile: Browser/Artifact
Initial request from UA to document X
No active Shibboleth session, UA redirected to WAYF
HTTP redirectHTTP interaction
9
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
WAYF asks UA to choose an IdP (if not already set in cookie)
Redirect UA to selected IdP
HTTP redirectHTTP interaction
10
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
IdP prompts the UA for credentials (Username/Password, x509, digipass, etc).
IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)
HTTP redirectHTTP interaction
11
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
IdP resolves attributes for the authenticated principal and creates SAML assertion (authentication & attribute statement)
Redirects UA with references to these assertions (Artifacts).
HTTP redirectHTTP interaction
12
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
Shibboleth service or daemon dereferences the Artifacts on a secure backchannel with SSL mutual authentication.Invisible for the UA.
HTTP redirectHTTP interaction
13
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
The Shibboleth service verifies and filters the information and gives it to the Shibboleth module (via RPC or TCP).The Shibboleth module or Webserver will authorise the principal.
HTTP redirectHTTP interaction
14
Service Provider 2
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v1.3
Identity Provider
WAYF
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
The active sessions with every component will provide the single sign-on experience.
HTTP redirectHTTP interaction
15
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
16
Shibboleth 2.x: “What has changed?”
• General– SAML2 protocols
• Authentication Request Protocol (SP initiated)– Force re-authentication– Passive authentication
• Assertion Query and Request Protocol• Artifact Resolution Protocol• Single Logout Protocol (Not supported by the IdP yet)• NameID Management Protocol• NameID Mapping Protocol
– Encryption and signing of sensitive information– Distributed configuration (pull)
• Federation Metadata• Attribute-map• Attribute-filter
17
Shibboleth 2.x: “What has changed?”
• Identity Provider– Own authentication modules
• LDAP• Kerberos• IP-based• PreviousSession (SSO)• REMOTE_USER (cfr. CAS)
– No SAML2 force authentication
• Very flexible attribute resolving• Very flexible attribute filtering (with constraints)• Clean audit logs• etc
18
Shibboleth 2.x: “What has changed?”
• Discovery Service– Successor of WAYF– SAML2 Identity Provider Discovery Profile– Multi-federation support
19
Shibboleth 2.x: “What has changed?”
• Service Provider– Multi-protocol support– New attribute filtering policy language– Support for ODBC based storage of state– Significant performance improvements
20
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v2.x
Identity Provider
DS
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
SAML2.0 profile: Web browser SSO + HTTP POST binding
Initial request from UA to document X
No active Shibboleth session, UA redirected to DS
HTTP redirectHTTP interaction
21
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v2.x
Identity Provider
DS
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
DS asks UA to choose an IdP (if not already set in cookie)
Redirect UA back to SP with selected IdP as parameter.
HTTP redirectHTTP interaction
SP takes back control
22
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v2.x
Identity Provider
DS
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
SP sends SAML Authentication request to the IdP. IdP prompts the UA for credentials, if necessary.
IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)
HTTP redirectHTTP interaction
23
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v2.x
Identity Provider
DS
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
The IdP resolves and filters the principal’s attribute information and constructs a SAML assertion. This assertion can optionally be signed and/or encrypted. Next, the IdP POSTs a response to the SP.
HTTP redirectHTTP interaction
SAML response• Authentication statement• Attribute statement
24
Service Provider
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v2.x
Identity Provider
DS
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
The Shibboleth service decrypts, verifies and filters the response and gives it to the Shibboleth module (via RPC or TCP).The Shibboleth module or Webserver will authorise the principal.
HTTP redirectHTTP interaction
No callback!
25
Service Provider 2
Webserver
Sh
ibb
oleth
m
od
ule
x
Shibboleth service
Architecture Shibboleth v2.x
Identity Provider
DS
User Agent/Browser
Webserver
Ide
ntit
y P
rovi
de
r
Again, the active sessions with every component will provide the single sign-on experience.
HTTP redirectHTTP interaction
26
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
27
Concept of Federation
• Group of entities, both IdPs and SPs.• Can map on existing Associations (e.g.: BELNET,
Associatie K.U.Leuven, K.U.Leuven, etc)
K.U.Leuven
App X
App Y
App Z
K.U.Leuven
Toledo
…
App Z
…
W&K
Federation K.U.Leuven Federation Associatie K.U.Leuven
28
Concept of Federation
• Benefits– Scalable– Simplifies things– WAYF service (IdP discovery)
• Metadata– Describes entities (protocol support, contact information, etc)– PKI management– Trust
• Since Shibboleth v2.x = single point of trust
– Digitally signed– http://shib.kuleuven.be/download/metadata
29
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
30
Resource Registry
• Metadata management tool– Based on open source from SWITCH and modified by INTIENT
and K.U.Leuven
• Adapted for K.U.Leuven• Multi-federation support• Identity Provider 1-many link• Service Provider 1-many link
31
Resource Registry
32
Resource Registry
• For now only internal use• In a later stage available for:
– Resource Registry Administrators• To approve resources from a certain IdP
– Resource Administrators• For administering SP information (self-service)
– Home Organisation Administrators• For administering IdP information (self-service)
– Federation Administrators• Signing metadata file
• Roles can be assigned independently
33
Resource Registry
• Currently hosting:– Federation K.U.Leuven– Federation Associatie K.U.Leuven– Federation K.U.Leuven – UZLeuven– Test federation K.U.Leuven
34
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
35
A word on ADFS
• Active Directory Federation Services v1– Part of Microsoft Windows Server 2003 R2– WS-Federation Passive Requester Profile (WS-F PRP)– Shibboleth v1.3 has implemented
“WS-Federation: Passive Requestor Interoperability Profile” specification for both IdP & SP
– Two ways of working• NT-Token based• Claim based
36
A word on ADFS
• E.g. Implementation at K.U.Leuven
IdP K.U.Leuven Webserver
Ide
ntit
y P
rovi
de
r
FS
Account partners
K.U.Leuven
Resources
- OWA
- EVault
- Sharepoint
- etc
TRUST OWA
EVault
Sharepoint
TRUST
TRUST
TRUST
ADFS Web Agents
37
A word on ADFS
38
A word on AD FS 2.0
• Version 2.0• Officially released on 5 May 2010• Windows Server 2008 and Windows Server 2008 R2• Only claims based• Compatible with ADFS v1.0• Liberty Interoperable Implementation Tables• SAML2.0 operational modes:
– IdP lite– SP lite
39
A word on AD FS 2.0
40
A word on AD FS 2.0
41
A word on AD FS 2.0
5) Use claims in token
Identity Providers
STS
Internet
Windows Live ID
Other
User
2) Select an identity that matches those
requirements
1) Access application and
learn token requirements
CardSpace 2.0
Application
WIF4) Submit
token
Token
3) Authenticate user and get token for selected identity
Token
STS
Browser or Client
Shamelessly copied from David Chappell’s presentation at TechEd 2009
42
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
43
Environment
• RedHat Enterprise Linux 5.5 (Tikanga)
• Debian 5.0 (Lenny)
• Windows Server 2008 R2
• Username: “shib” / “root”• Passwords: “P@ssw0rd”• Remote Access
– Linux: ssh– Windows: Remote desktop
44
Environment
• RedHat Enterprise Linux 5.5 (Tikanga)– 8 virtual machines– DNS: worksh-rh-N.cc.kuleuven.be– IP: 10.2.4.N
• Debian 5.0 (Lenny)– 4 virtual machines– DNS: worksh-db-N.cc.kuleuven.be– IP: 10.2.4.2N
• Windows Server 2008 R2– 10 virtual machines– DNS: worksh-w8-N.cc.kuleuven.be– IP: 10.2.4.4N + 10.2.4.50
45
Environment
• Shibboleth IdP– DNS: worksh-idp.cc.kuleuven.be– IP: 10.2.4.9– https://worksh-idp.cc.kuleuven.be/idp/status
(only accessible through VMs: 10.2.4.0/24)
46
Environment
• Shibboleth standard basehttp://shib.kuleuven.be/ssb_sp.shtml
• $WORKSH_HOST = worksh-[rh|db|w8]-N.cc.kuleuven.be
47
Environment
• Key/Certificate generation - We’ve done it for you – Webserver
• Located at $PKI• Signed by TerenaSSL CA
– Shibboleth SP• Self-signed• worksh-idp.cc.kuleuven.be:
/home/shib/ShibbolethSPWorkshop/certificates/shibboleth-sp• Certificate: sp-[rh|db|w8]-N-cert.pem• Key: sp-[rh|db|w8]-N-key.pem• Save at $PKI
• Test certificates
openssl x509 –in $cert –issuer –noout
48
SSL certificates
• Use of self-signed certificates in backend– No need for commercial certificates– Longer lifetime– No truststore to maintain for commercial CAs– Revocation (just remove certificate)– Trustbase of commercial signed certificates can become quite
large– Separate certificate for front- and backend
49
Environment
• Tools– An absolute must: Syntax friendly editor
• RHEL: vim• Debian: vim
• Windows: notepad++ or SciTE
– HTTP client• RHEL: links• Debian: links• Windows: local browser
– SCP or WinSCP
• Check your time now!• Always work case sensitive!
$ apt-get install vim
50
Installation - Overview
IIS ApacheShibbolethservice
mo
d_
auth
mo
d_
shib
mo
d_
ssl
...
Shibboleth handler/Shibboleth.sso
ISAPI filter Shibboleth
RPC port 1600 Unix socket
Shibboleth handler/Shibboleth.sso
51
RHEL webserver
– DocumentRoot: /var/www/html ($DOCROOT)– Configuration: /etc/httpd– Logs: /var/log/httpd ($WEB_LOG)– ServerName
– Start/Stop service
$ yum install httpd mod_ssl php
$ service httpd start$ service httpd statushttpd (pid ####) is running…
$ vim /etc/httpd/conf/httpd.confLine 265:
ServerName $WORKSH_HOST
52
RHEL webserver
• Prepare test application$ mkdir /var/www/html/secure$ vim /var/www/html/secure/index.php
<?phpheader('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session');
?>
53
RHEL webserver - SSL
$ vim /etc/httpd/conf.d/ssl.conf
$ service httpd configtest$ service httpd restart$ openssl s_client –connect localhost:443
SSLCertificateFile /etc/pki/$WORKSH_HOST.pemSSLCertificateKeyFile /etc/pki/$WORKSH_HOST.keySSLCertificateChainFile /etc/pki/terenasslchain.crt
54
Debian webserver
– DocumentRoot: /var/www ($DOCROOT)– Configuration: /etc/apache2– Logs: /var/log/apache2 ($WEB_LOG)– ServerName
– Start/Stop service
$ apt-get install libapache2-mod-php5
$ apache2ctl start$ apache2ctl status
$ vim /etc/apache2/sites-available/default$ vim /etc/apache2/sites-available/default-sslLine 2, add:
ServerName $WORKSH_HOST
55
Debian webserver
• Prepare test application$ mkdir /var/www/secure$ vim /var/www/secure/index.php
<?phpheader('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session');
?>
56
Debian webserver - SSL
$ a2enmod ssl$ vim /etc/apache2/sites-available/default-ssl
$ a2ensite default-ssl$ apache2ctl configtest $ /etc/init.d/apache2 restart$ openssl s_client –connect localhost:443
SSLCertificateFile /etc/pki/$WORKSH_HOST.pemSSLCertificateKeyFile /etc/pki/$WORKSH_HOST.keySSLCertificateChainFile /etc/pki/terenasslchain.crt
57
Windows Server 2008 - Apache
– Download: http://httpd.apache.org :Win32 Binary including OpenSSL 0.9.8m (MSI Installer)
– DocumentRoot: c:\htdocs ($DOCROOT)– Configuration: c:\Apache2.2– Logs: c:\Apache2.2\logs ($WEB_LOG)– ServerName
– Start/Stop service using the Apache monitor in the tray
C:\Apache2.2\conf\httpd.confLine 171:
ServerName $WORKSH_HOST
58
Windows Server 2008 - Apache
• Prepare test application
• Create index.html file
$ mkdir C:\htdocs\secure
<html><head><title>redirect</title><meta http-equiv="REFRESH" content="0;url=/Shibboleth.sso/Session"></head></html>
59
Windows Server 2008 – Apache - SSL
• Restart Apache2.2 via the tray
c:\Apache2.2\conf\extra\httpd-ssl.conf
$ openssl s_client –connect localhost:443
SSLCertificateFile c:/pki/$WORKSH_HOST.pemSSLCertificateKeyFile c:/pki/$WORKSH_HOST.keySSLCertificateChainFile c:/pki/terenasslchain.crt
c:\Apache2.2\conf\httpd.conf
LoadModule ssl_module modules/mod_ssl.so[..]Include conf/extra/httpd-ssl.conf#Include c:/opt/shibboleth-sp/etc/shibboleth/apache22.config
60
Windows Server 2008 - IIS
• IIS – Server Manager:
Add Web Server (IIS) Role with• ASP.NET• ASP• IIS 6 Management compatibility• ISAPI filter• ISAPI extensions• IIS Management console• IIS Management Scripts and Tools (Powershell)
– Documents: c:\inetpub\wwwroot\ ($DOCROOT)
$ net start w3svc
61
Windows Server 2008 - IIS
• Prepare test application
• Create Default.asp file
$ mkdir C:\inetpub\wwwroot\secure
<%Response.Redirect "/Shibboleth.sso/Session"%>
62
Windows Server 2008 – IIS - SSL
• Import certificate
• Or use MMC Certificate snap-in
$ certutil –p changeit –importpfx c:\pki\$WORKSH_HOST.p12
$ Get-ChildItem cert:\LocalMachine\My
63
Windows Server 2008 – IIS - SSL
• Configure IISRight click website Edit bindings
64
Windows Server 2008 – IIS - SSL
• Add..
• Select SSL certificate
• Result
65
Shibboleth SP installation
• Certificates
• Done by RPM after installation
$ cd /etc/yum.repos.d$ wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo
$ yum install shibboleth[.x86_64](Accept GPG key 0x7D0A1B3D)
/etc/httpd/conf.d/shib.conf/etc/rc.d/init.d/shibd
$ cp $PKI/sp-rh-N-cert.pem $SHIB_CONF/sp-cert.pem$ cp $PKI/sp-rh-N-key.pem $SHIB_CONF/sp-key.pem$ service shibd start
66
Shibboleth SP installation
$ cd /etc/apt/sources.list.d/$ vim lenny-backports.list
deb http://www.backports.org/debian lenny-backports main contrib non-free
$ apt-get update$ apt-get install debian-backports-keyring$ apt-get update
$ apt-get -t lenny-backports install libapache2-mod-shib2
$ cp $PKI/sp-db-N-cert.pem $SHIB_CONF/sp-cert.pem$ cp $PKI/sp-db-N-key.pem $SHIB_CONF/sp-key.pem$ chown _shibd $SHIB_CONF/sp-key.pem
67
Shibboleth SP installation
• Configuration files provided by deb packages
• Create/etc/apache2/mods-available/shib2.conf
/etc/apache2/mods-available/shib2.load/etc/init.d/shibd
<Location /secure>AuthType shibbolethrequire shibboleth</Location>
$ a2enmod shib2$ /etc/init.d/shibd restart$ /etc/init.d/apache2 restart
68
Shibboleth SP installation
• Download MSI packet fromhttp://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/
• Run shibboleth-sp-2.3.1-win32.msi
69
Shibboleth SP installation
70
Shibboleth SP installation
71
Shibboleth SP installation
72
Shibboleth SP installation
73
Shibboleth SP installation
74
Shibboleth SP installation
75
Shibboleth SP installation
• After installation it is better to restart the OS• Copy the self-signed keypair
• Restart Shibboleth service
$ copy $PKI/sp-w8-N-cert.pem $SHIB_CONF/sp-cert.pem$ copy $PKI/sp-w8-N-key.pem $SHIB_CONF/sp-key.pem
76
Sanity checks
• Shibboleth ISAPI filter must be the first in the ‘ordered list’
77
Sanity checks
• Access Shibboleth handler from your browserhttps://$WORKSH_HOST/Shibboleth.sso
• Access session handler from your browserhttps://$WORKSH_HOST/Shibboleth.sso/Session A valid session was not found.
• See how a Shibboleth error looks likehttps://$WORKSH_HOST/Shibboleth.sso/Foo
78
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
79
Bootstrapping the SP
Goals:
1. Working SP against a single IdP
2. Enable debugging of session attributes
3. Avoid clock complaints
80
Bootstrapping the SP
• Choose your entityID
https://$WORKSH_HOST
• Should be:– Unique– Locally scoped– Logical representative – Unchanging
• Seen on the wire, configuration files, metadata, log files, etc
81
Bootstrapping the SP
• Relax some requirements, set your entityID and default IdP entityID$SHIB_CONF/shibboleth2.xml
logger="syslog.logger" clockSkew="1800000">
<ApplicationDefaults id="default" policyId="default" entityID="https://$WORKSH_HOST”
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID=“https://worksh-idp.cc.kuleuven.be"
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<Host name=“$WORKSH_HOST“ redirectToSSL="443">
82
Bootstrapping the SP
• Provide metadata remotely from test IdP$SHIB_CONF/shibboleth2.xml
• Backup at $SHIB_RUN
Uncomment whole <MetadataProvider>Comment <MetadataFilter>• Normally: Provide your SP’s metadata to IdP
But, already done for you :-)– Metadata self-generated by your Service Provider
https://$WORKSH_HOST/Shibboleth.sso/Metadata
<MetadataProvider type="Chaining"><MetadataProvider type="XML" uri="https://worksh-idp.cc.kuleuven.be/idp-metadata.xml" backingFilePath="idp-metadata.xml" reloadInterval="3600"/>
83
Bootstrapping the SP
• For IIS:• Get site id (Run powershell as Administrator)
• Set correct site ID and name
<InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true"> <Site id="1" name=“$WORKSH_HOST"/>
$ Import-Module WebAdministration$ dir IIS:\Sites
85
Bootstrapping the SP – Quick test
• Make sure configuration works
Service Provider reloads shibboleth2.xml automatically when it changes
• Try it with a browserhttps://$WORKSH_HOST/secure/
/secure/ is protected by shibboleth2.xml (<RequestMap>)Login with shibN / P@ssw0rd
• Get session informationhttps://$WORKSH_HOST/Shibboleth.sso/Session(you should see various attributes)
$ shibd –tc $SHIB_CONF/shibboleth2.xml
WIN$ shibd –check $SHIB_CONF/shibboleth2.xml
86
Bootstrapping SP - Logout
• Local logouthttps://$WORKSH_HOST/Shibboleth.sso/Logout
This won’t delete your session on the IdP!• Close the browser in order to remove ALL your session
cookies• Or delete session cookies using the browser or an
extension, e.g.: Firefox Web Developer extension
87
Bootstrapping SP – Discovery Service
• Change the default SessionInitiator$SHIB_CONF/shibboleth2.xml
• Try again https://$WORKSH_HOST/secure/
<SessionInitiator type="Chaining" Location="/Login" isDefault="false" id="Intranet" relayState="cookie"
<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie" isDefault="true">
[…] <SessionInitiator type="SAMLDS"
URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/></SessionInitiator>
88
Program
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration
89
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
90
Basic configuration
Goals:
1. Understand purpose and structure of SP configuration files
2. Increase log level to DEBUG
3. Configure metadata and add signature verification
91
Important directories
• $SHIB_CONF– Master and supporting configuration files– Locally maintained metadata files– HTML templates (customize them to adapt look&feel to your
application)– Logging configuration files (*.logger)– Credentials (certificates and private keys)
• $SHIB_RUN– UNIX socket– Remotely fetched files (metadata, attribute-map)
• $SHIB_LOG– shibd.log & transaction.log
• $WEB_LOG (written by Shibboleth module/ISAPI filter)– native.log
92
Configuration files in $SHIB_CONF
• shibboleth2.xml – main configuration file• apache*.config – Apache module loading• attribute-map.xml – attribute handling• attribute-policy.xml – attribute filtering settings• *.logger – logging configuration• *Error.html – HTML templates for error messages• localLogout.html – SP-only logout template• globalLogout.html – single logout template
Recommendation: Adapting *.html files to match the look & feel of the protected application improves user experience.
93
shibboleth2.xml structure
Outer elements of the shibboleth2.xml configuration file
<OutOfProcess> / <InProcess><UnixListener> / <TCPListener>
<StorageService><SessionCache><ReplayCache><ArtifactMap>
<RequestMapper> Needed for session initiation and access control
<ApplicationDefaults> Contains the most important settings of your SP
<SecurityPolicies>
94
ApplicationDefaults structure
You are most likely to change something in here:• <ApplicationDefaults>
– <Sessions> Defines handlers and how sessions are initiated and managed– <Errors> Used to display error messages. Provide here logo, e-mail and CSS– <RelyingParty> (*) To modify settings for certain IdPs/federations– <MetadataProvider> Defines the metadata to be used by the SP – <TrustEngine> Which mechanisms to use for signatures validation– <AttributeExtractor> Attribute map file to use– <AttributeResolver> Attribute resolver file to use– <AttributeFilter> Attribute filter file to use– <CredentialResolver> Defines certificate and private key to be use – <ApplicationOverride> (*) Can override any of the above for certain
applications
95
Logging
• First thing to do in case of problems
• shibd.log and transaction.log written by shibd,native.log written by Shibboleth module/filter
• *.logger files contain predefined settings for output location and default logging level (INFO) along with useful categories to raise to DEBUG
• Log time is in UTC (~GMT)
96
Logging
• Raise categories
• To implement *.logger changed:
• Try again https://$WORKSH_HOST/secure/
$ vim $SHIB_CONF/shibd.logger
log4j.rootCategory=DEBUG, shibd_log
$ touch shibboleth2.xml$ tail –f /var/log/shibboleth/shibd.log
97
Metadata features
• Metadata describes the other components (IdPs) that the Service Provider can communicate with
• Four primary methods built-in:– Local file (you manage it)– Remote file (periodic refresh, local backup)– Dynamic resolution of entityID (=URL)– "Null" source that disables security (“OpenID” model)
• Security comes from metadata filtering, either by you or the SP:– Signature verification– White and blacklists
98
Signature verification
• The Test IdPs metadata is signed. Until now, it was loaded without checking, which is not secure and not recommended!
• First, increase security:$SHIB_CONF/shibboleth2.xml
Uncomment MetadataFilter for signature verification:
<MetadataProvider type="XML” […] uri=“https://worksh-idp.cc.kuleuven.be/idp-metadata.xml”> <MetadataFilter type="Signature“ certificate="sp-cert.pem"/></MetadataProvider>
99
Signature verification
• Run•
… and in the output you will see:
WARN OpenSAML.MetadataFilter.Signature [3]: filtering out group at root of instance after failed signature check:
ERROR OpenSAML.Metadata.Chaining [3]: failure initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance.
• Metadata could not be loaded because it was signed with a different key (we “broke” the setup). So, let’s get the right key…
$ shibd –tc $SHIB_CONF/shibboleth2.xmlWIN$ shibd –check $SHIB_CONF\shibboleth2.xml
100
Signature verification
• Get certificate from IdP:
• Then fix it:$SHIB_CONF/shibboleth2.xml
• Run again
$ cd $SHIB_CONF$ wget https://worksh-idp.cc.kuleuven.be/worksh-idp.cc.kuleuven.be.pem
<MetadataProvider type="XML” […] > <MetadataFilter type="Signature“ certificate=“worksh-idp.cc.kuleuven.be.pem"/>
</MetadataProvider>
$ shibd –tc $SHIB_CONF/shibboleth2.xmlWIN$ shibd –check $SHIB_CONF\shibboleth2.xml
101
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
102
Attribute handling
Goals:
1. Understand how attributes are transported
2. Learn how attributes are mapped and filtered
3. See how attributes can be used as identifiers
4. Add an attribute mapping and filtering rule
103
SP attribute terminology
• PushDelivering attributes with SSO assertion via web browser
• PullQuerying for attributes after SSO via back-channel (SP -> IdP)
• ExtractionDecoding SAML information into neutral data structures mapped to environment or header variables
• FilteringBlocking invalid, unexpected, or unauthorized values based on application or community criteria
• ResolutionResolving a SSO assertion into a set of additional attributes (e.g. queries)
104
Scoped attributes
• Common term for attributes that consist of a relation between a value and a scope, usually an organizational domain name
E.g. affiliation = “[email protected]”
• Makes values globally usable or unique
• Lots of special treatment in Shibboleth to make them more useful and "safe"
• Alternatively, split value and scope into separate attributes: affiliation=“student” and homeOrganization=“kuleuven.be”
105
Attribute mappings
• SAML attributes from any source are "extracted" using the configuration rules in /etc/shibboleth/attribute-map.xml
• Each element is a rule for decoding a SAML attribute and assigning it a local id which becomes its mapped variable name
• Attributes can have one or more id and multiple attributes can be mapped to the same id
• The id can also be used as header name in the webserver for this attribute
106
Dissecting an Advanced Attribute Rule
• idThe primary "id" to map into, also used in web server environment
• aliasesOptional alternate names to map into
• nameSAML attribute name or NameID format to map from
• AttributeDecoder xsi:typeDecoder plugin to use (defaults to simple/string)
• caseSensitiveHow to compare values at runtime (defaults to true)
<Attribute id="affiliation" aliases="aff affil" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"
caseSensitive="false"/></Attribute>
https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeExtractor
107
Adding attribute mappings
• Add first and lastname SAML 2 attribute mappings:$SHIB_CONF/attribute-map.xml
• After saving, changes take effect immediately but NOT for any existing sessions
• Therefore, restart your browser (or delete your session cookies) and continue on next slide …
<Attribute name="urn:oid:2.5.4.4" id="sn” aliases=“surname”/><Attribute name="urn:oid:2.5.4.42" id="givenName"/>
108
K.U.Leuven attribute mappings
• Attribute-map made compatible with 1.3 naming conventions$SHIB_CONF/shibboleth2.xml
<!– <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/> --><AttributeExtractor type="XML" uri="https://shib.kuleuven.be/download/sp/2.x/attribute-map.xml" backingFilePath="attribute-map.xml" reloadInterval="7200"/>
109
Common identifiers
• Local userid/netid/uid (“intranet userid”), e.g. “u1234567”Usually readable, persistent but not permanent, often reassigned, not unique
• email address, e.g. [email protected] readable, persistent but not permanent, often reassigned, unique
• eduPersonPrincipalName, e.g. [email protected] readable, persistent but not permanent, can be reassigned, unique
• eduPersonTargetedID / SAML 2.0 persistent IDNot readable, semi-permanent, not reassigned, unique
110
Common identifiers
Legacy attribute placeholder for the SAML 2.0 persistent NameID format:
– opaque– pairwise (IdP/SP)– original motivation was privacy, but strongest features are lack
of reassignment and immunity to name changes
In web server environment, persistentId= https://worksh-idp.cc.kuleuven.be!https://worksh-rh-1.cc.kuleuven.be!stringupto256chars
<saml:NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"NameQualifier="https://worksh-idp.cc.kuleuven.be"SPNameQualifier="https://worksh-rh-1.cc.kuleuven.be">
stringupto256chars</saml:NameID>
111
REMOTE_USER
• Special single-valued variable that all web applications should support for container-managed authentication of a unique user.
• Any attribute, once extracted/mapped, can be copied to REMOTE_USER
• Multiple attributes can be examined in order of preference, but only the first value will be used.
• IIS doesn’t support to set the REMOTE_USER• https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess
112
Changing REMOTE_USER
• In case your application needs to have a remote user for authentication, you just could make Shibboleth put an attribute (e.g. ”sn”) as REMOTE_USER:$SHIB_CONF/shibboleth2.xml
• REMOTE_USER=”sn eppn persistent-id targeted-id"
• If sn attribute is available, it will be put into REMOTE_USER
• Attribute sn has precedence over eppn in this case
• This allows very easy “shibbolization” of some web applications
113
Attribute filtering
• Answers the "who can say what" question on behalf of an application
• Service Provider can make sure that only allowed attributes and values are made available to application
• Some examples:– constraining the possible values or value ranges of an attribute
(e.g. eduPersonAffiliation, telephoneNumber, ....)– limiting the scopes/domains an IdP can speak for
(e.g. university x cannot assert [email protected])– limiting custom attributes to particular sources
114
Default filter policy
• As default, attributes are filtered out unless there is a rule!
• Shared rule for legal affiliation values
• Shared rule for scoped attributes
• Generic policy applying those rules and letting all other attributes through.
• Check $SHIB_LOG/shibd.log for signs of filtering in case of problems with attributes not being available.You would find something like “no rule found, removing all values of attribute (#attribute name#)“
https://spaces.internet2.edu/display/SHIB2/AFPAttributeFilterPolicy
115
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
116
Session initiation
Goals:1. Learn how to initiate a Shibboleth session
2. Understand their advantages and disadvantages
3. Know where to require a session, what to protect
117
Content protection and session initiation
• Before access control (will be covered later on) can occur, a Shibboleth session must be initiated
• Session initiation and content protection go hand in hand
• Requiring a session means the user has to authenticate
• Only authenticated users can access protected content
118
Content protection settings
Protect hosts, directories, files or queries
• Apache.htaccess (dynamic) or httpd.conf (static)
• Apache / IIS / otherRequestMap
Requires Shibboleth to know exact hostnameVery powerful and flexible thanks to boolean/regex operations
• Try accessing https://$WORKSH_HOST/You should get access because the directory is not protected
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
119
Content protection with .htaccess
• Prepare webserver (<Directory name=“$DOCROOT”>)
• Let’s protect the directory by requiring a Shibboleth session:
Synonym for the last line (used in Shibboleth 1.3):
ShibRequireSession On
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
AllowOverride AuthConfig
$ mkdir $DOCROOT/secure2$ vim $DOCROOT/secure2/.htaccess
AuthType shibbolethrequire shibbolethShibRequestSetting requireSession 1
120
Test content protection rule
• Clear session and then access https://$WORKSH_HOST/secure2
• Authentication is enforced and access should be granted
• By now, all authenticated users get access
• Content protection with authorization will be covered later
121
Content protection with RequestMap
$SHIB_CONF/shibboleth2.xml
• Module (mod_shib or ISAPI filter) provides request URL to shibd to process it
• Clearing session and then accessing /secure2/ now, one also is forced to authenticate
$ vim $DOCROOT/secure2/.htaccess
AuthType shibbolethrequire shibboleth
<Host name=“$WORKSH_HOST” redirectToSSL=“443”><Path name=“secure2” authType=“shibboleth” requireSession=“true”/>
</Host>
122
RequestMap “Fragility”
• By default, Apache "trusts" the user’s web browser about what the requested hostname is and reports that value internally
• To illustrate the problem, try accessing this URL:https://$IP/secure2
Script can be accessed unprotected/without a session… ?
• How to fix? Make Apache use configured ServerNamehttpd.conf
• IIS: normalizeRequesthttps://spaces.internet2.edu/display/SHIB2/NativeSPISAPI
UseCanonicalName On
123
Other content settings
• Requesting types of authentication– E.g enforce X.509 user certificate authentication
• Redirect to SSL• Custom error handling pages to use• Redirection-based error handling
– In case of an error, redirect user to custom error web page with error message/type as GET arguments
• forceAuthn– Disable Single-Sign on and force a re-authentication
• isPassive– Check whether a user has an SSO session and if he has,
automatically create a session on SP without any user interaction
• Supplying a specific IdP to use for authentication
https://spaces.internet2.edu/display/SHIB2/NativeSPContentSettings
124
Lazy Sessions
• The mode of operation so far prevents an application from running without a login.
• Two other very common cases:– Public and private access to the same resources– Separation of application and SP session
• Semantics are: if valid session exists– process it as usual (attributes in environment array,
REMOTE_USER, etc.)
But if a session does NOT exist or is invalid, ignore it and pass on control to webserver/scripts
125
Lazy Sessions example
• Construct URL
https://$WORKSH_HOST/Shibboleth.sso/Login?target=https://$WORKSH_HOST/Shibboleth.sso/Session– Shibboleth handler: https://$WORKSH_HOST/Shibboleth.sso– Session Initiator: /Login– Target location: ?target=https://$WORKSH_HOST/Shibboleth.sso/Session– Other options:
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters
• Most parameters can come from three places, in order of precedence:– Query string parameter to Shibboleth handler– A content setting (Webserver config or RequestMap)– <SessionInitiator> element
126
Lazy Sessions example
• IIS: RequestMap entry for secure3• Save PHP/ASP script from
worksh-idp.cc.kuleuven.be: /home/shib/ShibbolethSPWorkshop/examples/lazy_session.[php|asp]
at$DOCROOT/secure3/lazy_session.[php|asp]
Access https://$WORKSH_HOST/secure3/lazy_session.[php|asp]
$ vim $DOCROOT/secure3/.htaccess
AuthType shibbolethrequire shibboleth
127
Where to require a Shibboleth session
• Whole application with “required” Shibboleth session– Easiest way to protect a set of documents– No other authentication methods possible like this
• Whole application with “lazy” Shibboleth session– Also allows for other authentication methods– Authorization can only be done in application
• Only page that sets up application session– Well-suited for dual login– Application can control session time-out– Generally the best solution
128
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
129
Access control
Goals:
1. Create some simple access control rules
2. Get an overview about the three ways to authorize users
3. Understand their advantages and disadvantages
130
Access control
• Two implementations are provided by the SP:– .htaccess "require" rule processing– XML-based policy syntax attached to content via RequestMap
• Third option: Integrate access control into webapplication
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
131
Access control
1.a httpd.conf 1.b .htaccess 2. XML AccessControl
3. Application Access Control
Easy to configure Can also protect
locations or virtual files
URL Regex
Dynamic Easy to configure
Platform independent
Powerful boolean rules
URL Regex Dynamic
Very flexible and powerful with arbitrarily complex rules
URL Regex Support
Only works for Apache
Not dynamic Very limited rules
Only works for Apache
Only usable with “real” files and directories
XML editing Configuration error
can prevent SP from restarting
You have to implement it yourself
You have to maintain it yourself
+
-
132
1. Apache httpd.conf or .htaccess
• Work almost like known Apache “require” rules
• Special rules:– shibboleth (no authorization)– valid-user (require a session, but NOT identity)– user (REMOTE_USER as usual)– group (group files as usual)– authnContextClassRef, authnContextDeclRef
• Default is boolean "OR”, use ShibRequireAll for AND rule• Regular expressions supported using special syntax:
require affiliation staff
require sn bar
require mail ~ ^.*@(icts|law).kuleuven.be$
133
Side note: Aliases
• If in the attribute-map.xml file, there is a definition like:
• This allows using rules aliases in authorization rules, e.g.:
• Aliases can also be used in RequestMap
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="Shib-EP-Affiliation" aliases="affiliation aff affil">[…]/>
require affiliation staff#instead ofrequire Shib-EP-Affiliation staff
134
1. Example .htaccess file
• Require a user to be staff member$DOCROOT/staff-only/.htaccess
• Accesshttps://$WORKSH_HOST/staff-onlywith user “staff”, access should be granted
• Try the same with “shibN” user, access should be denied
AuthType ShibbolethShibRequestSetting requireSession 1require unscoped-affiliation staff
135
1. Advanced .htaccess file
• Require a user to be a student or to have an entitlement:
Access: https://$WORKSH_HOST/toledowith user “student” and “staff”, access should be granted.
• Try again with “shibN”, access should be denied.
AuthType ShibbolethShibRequestSetting requireSession 1require unscoped-affiliation studentrequire entitlement ~ .*toledo.*
$ mkdir $DOCROOT/toledo$ vim $DOCROOT/toledo/.htaccess
136
2. XML access control
• Can be used for access control independent from web server and operating system
• XML Access control rules can be embedded inside RequestMap or can also be dynamically loaded from external file.WARNING: Can bring down entire webserver
• Same special rules as .htaccess, adds boolean operators (AND,OR,NOT)
137
2. XML access control example
• Same as previous example but now with XML access control embedded in RequestMap
AuthType Shibbolethrequire shibboleth
$ vim $DOCROOT/toledo/.htaccess
$ vim $SHIB_CONF/shibboleth2.xml
<Host name=“$WORKSH_HOST"> [..] <Path name=“toledo" authType="shibboleth" requireSession="true"> <AccessControl> <OR> <RuleRegex require="entitlement">.*toledo.*</RuleRegex> <Rule require="unscoped-affiliation">student</Rule> </OR> </AccessControl> </Path></Host>
138
3. Application managed access control
• Application can access and use Shibboleth attributes by reading them from the web server environment
• Attributes then can be used for authentication/access control/authorization
#PHP: if ($_SERVER[‘affiliation’] == ‘staff’) { grantAccess() }
#Perl:if ($ENV{‘affiliation’} == ‘staff’) { &grantAccess() }
#ASP:if (Request.ServerVariables(‘affiliation’) == ‘staff’ ){ { grantAccess() }
http://shib.kuleuven.be/download/sp/test_scripts/
139
3. Application managed access control
• Default is to use environment variables instead of HTTP headers (Apache)– Cannot be manipulated in any way from outside
• Unfortunately not all webservers support a mechanism to create custom variables within webserver (IIS,Sun/iPlanet)Solution:
AuthType shibbolethShibRequestSetting requireSession 1require shibbolethShibUseHeaders On
140
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
141
Adding a separate (Shibboleth) application
Goals:
1. Define another application
2. Protect new application
3. Know how to configure them if necessary
142
Terminology
• Service Provider (physical)– An installation of the software on a server
• Service Provider/”Resource” (logical)– Web resources viewed externally as a unit– Each entityID identifies exactly one logical SP
• SP Application– Web resources viewed internally as a unit– Each applicationId identifies exactly one logical application– A user session is bound to exactly one application
143
Virtualization concepts
• A single physical SP can host any number of logical SPs
– A logical SP can then include any number of "applications"
– Web virtual hosting is often related but is also independent
– Applications can inherit or override default configuration
settings on a piecemeal basis
• Multiple physical SPs can also act as a single logical SP
– Clustering for load balancing and failover
144
Adding an application
• Goal: Add a second application with a different entityID living in its own virtual host
$SHIB_CONF/shibboleth2.xml
<RequestMap applicationId="default"><Host name=“$IP” applicationId="alt"/>
[..] <ApplicationOverride id="alt" entityID="https://$IP"/></ApplicationDefaults>
145
Adding an application
• For the additional application, canonical names should be turned off again (unless you use Vhosts)
httpd.conf
• Test application:https://$IP/secure
• The IdP will throw an ERROR (entityID is not trusted)Error Message: SAML 2 SSO profile is not configured for relying party 'https://10.2.4.N'
• Check logging $SHIB_LOG/shibd.log and $WEB_LOG/native.log (DEBUG)You should see the new entityID
UseCanonicalName Off
146
Adding an application
• <ApplicationOverride>Rule of thumb is that any settings you don't override inside the element will be inherited from the <ApplicationDefaults> element that surrounds the override .– Limitations:
You have to supply all the settings needed in the <Sessions> element because of the need to override the handlerURL.You do NOT have to redefine all of the handler child elements.
• The handlerURL MUST be unique for each SP and MUST map to the same applicationId
• Respect the XML sequence!
https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride
147
Clustering
• Configure multiple physical installations to share an entityID, and possibly credentials
• Configuration files often can be identical across servers that share an external hostname
• Session management:– SP itself now clusterable via ODBC or memcached– Host shibboleth service on one system
148
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
149
Service provider handlers
Goals:
1. Understand the idea of a handler
2. Get an overview about the different types of handlers
3. Know how to configure them if necessary
150
SP handlers
• "Virtual" applications inside the SP with API access:– SessionInitiator (requests)
• E.g. /Shibboleth.sso/Login
– AssertionConsumerService (incoming SAML response)• E.g. /Shibboleth.sso/SAML/POST
– LogoutInitiator (SP signout)• E.g. /Shibboleth.sso/Logout
– SingleLogoutService (incoming SLO)– ManageNameIDService (advanced SAML)– ArtifactResolutionService (advanced SAML)– Generic (diagnostics, other useful features)
E.g. /Shibboleth.sso/Session
/Shibboleth.sso/Status /Shibboleth.sso/Metadata
https://spaces.internet2.edu/display/SHIB2/NativeSPHandler
151
SP handlers
• The URL of a handler = handlerURL + the Location of the handler.– e.g. for a virtual host testsp.example.org with handlerURL of
"/Shibboleth.sso", a handler with a Location of "/Login" will be https://testsp.example.org/Shibboleth.sso/Login
• Handlers aren’t always SSL-only, but usually should be (handlerSSL="true").
• Metadata basically consists of entityID, keys and handlers
• Handlers are never "protected" by the SP– But sometimes by IP address (e.g. with acl=“127.0.0.1”)
152
Configuration
• Basic configuration• Attribute handling• Session Initiation• Access control• Adding a separate application• Service provider handlers• Session Initiators/Discovery
153
Session initiators/Discovery
Goals:
1. Understand the concepts of discovery/session initiation
2. Chains and protocol precedence
3. Overview about various discovery mechanisms
154
Session initiators / Discovery concepts
• Session initiatorHandler that created a SAML authN request for an IdP or uses a discovery mechanism to identify the IdP
• Discovery (in Shibboleth)Identifying the IdP of a particular user
• WAYF serviceOld name in Shibboleth for a particular way to do discovery
• Handler chainSequence of handlers that share configuration and run consecutively until “something useful happen” or an error occurs
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
155
Intranet case
• Single IdP, multiple protocols, no discovery:
• Protocol precedence controlled by order of SessionInitiators within a chain
• Common properties defined at the top are inherited by SessionInitiators in chain
<SessionInitiator type="Chaining" Location="/Login"id="Intranet" isDefault="true" relayState="cookie"entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/><SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>
156
Change protocol precedence
• Example: switch order of chain
• Still allows either protocol, but if the IdP supports Shibboleth profile of SAML1, it will be preferred
<SessionInitiator type="Chaining" Location="/Login"id="Intranet" isDefault="true" relayState="cookie"entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be">
<SessionInitiator type="Shib1" defaultACSIndex="5"/> <SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/></SessionInitiator>
157
Identity provider discovery
• Protocol SessionInitiators work when the IdP is known
• For consistency, discovery is implemented with alternate SessionInitiators that operate only when the IdP is NOT known
• A typical federated chain includes one or more "protocol" handlers followed by a single "discovery" handler at the end, like a safety net
158
Typical discovery methods
• External options:– Older WAYF model, specific to Shibboleth/SAML1, SP loses
control if a problem occurs– Newer SAMLDS model, recently standardized, supports
multiple SSO protocols and allows the SP to control the process
• Internal options:– Implemented by an application (e.g. Toledo)– Followed by a redirect with the entityID:
/Shibboleth.sso/Login?entityID=urn:mace:kuleuven.be:kulassoc:kuleuven.be
– Advanced "Cookie", "Form", and "Transform" SessionInitiators
159
Discovery service case (default)
• Multiple protocols, discovery via DS:
• Same as intranet case, but omits entityID and adds the safety net at the bottom
• Last SessionInitiator in chain tells the DS to return the user to this location with a lazy session redirect that will invoke an earlier handler (SAML2 or Shib1) in the chain
<SessionInitiator type="Chaining" Location="/DS"id=“DS" isDefault="true" relayState="cookie”>
<SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/><SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="SAMLDS" URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/></SessionInitiator>
160
External discovery/WAYF
– Easy to use– Choice can be cached in cookie– DS displays only applicable IdPs
– Loss of control, UI fidelity– Impact of errors– List of IdPs can become very long
+
-
161
Conclusions
• Introduction: “What is Shibboleth?”• Shibboleth 2.x: “What has changed?”• Concept of Federation• Resource Registry• A word on ADFS• Installation• Bootstrapping SP• Configuration