TEIN Shibboleth Training Course Introduction to SAML/Shibboleth at ComLabs USDI ITB, 2014-01-18 (updated version)


Page 1

TEIN Shibboleth Training Course

Introduction to SAML/Shibboleth

at ComLabs USDI ITB, 2014-01-18

(updated version)

Page 2

Identity Federation with SSO/Shibboleth technology

Separation of Authentication (authN) and Authorization (authZ)
- An IdP manages “Identity” information and authenticates users
- SPs refer to the result of authN (e.g. the password matched) and to the identity information (assertion)
- The Federation provides “Trust” among IdPs and SPs by defining a “policy”

SSO technology preserves privacy
- The IdP sends the least attributes (personal information) to the SP
- The SP should clarify its list of required attributes (mandatory/optional)
- The IdP admin can obtain agreement from users before sending out attributes

[Figure: Without separation (past): the user sends ID/PW to every SP, and each SP keeps its own ID and attributes. With separation: on the 1st access the user is redirected to the IdP and enters ID/PW once; the IdP returns an assertion to the SP; the 2nd access to another SP is redirected and completed without ID/PW.]

Page 3

AuthN Flow by the Federation

Transition of Browser Screen

[Figure: 1. Login by Fed (at the SP, Service Provider); 2. Select Home Org (at the DS, Discovery Service); 3. Input ID & Pass (at the IdP, Identity Provider); 4. Complete Login (back at the SP). The IdP sends SAML (Attribute) to the SP; Success.]

Page 4

Example of Utility by EJ related SPs

[Figure: user TARO SUZUKI, the University IdP with its Personal Info DB, and several e-journal SPs.
1. Want to DL a PPV paper in CiNii: redirect to IdP, ID & Password checked against the Personal Info DB; the IdP answers “He/She is a member of our University”; the SP answers “Please DL”.
2. Want to DL from Science Direct as well: redirect to IdP, and back immediately (without entering password); “You have authned. Please”.
3. Want to update a RefWorks record: the same; once they’ve logged in, then Single Sign On.]

Page 5

Facilitate Remote Access, Improve Usability by SSO, etc.

[Figure: Example of Utility by EJ related SPs: Search Paper, then (SSO) Read Paper, then (SSO) Manage Paper, with no further login between the SPs.]

Page 6

Simply Saying

The Federation is a secure, scalable and easy login architecture that uses the international standard protocol SAML.

[Figure: the IdP performs Authentication and sends Attributes (Organization Name, Affiliation, Opaque ID, Mail Address, etc.) to the SP, which performs Authorization.]

Page 7

SAML and Shibboleth

SAML (Security Assertion Markup Language)
- Standard that allows secure web domains to exchange user authN and authZ data
- Standardized by OASIS

Shibboleth
- Open Source project launched by EDUCAUSE/Internet2 in 2000
- http://shibboleth.net/
- De facto standard in academic access management federations
- Widely utilized by European federations in addition to the US
- simpleSAMLphp, mainly utilized by Nordic countries, is the other choice

[Figure: University (User Info in LDAP) with a Shibboleth IdP, and a Resource Provider with a Shibboleth SP, exchanging messages in the SAML standard. Shibboleth is middleware based on SAML, something like a filter which mediates SAML messages.]

Page 8

Example of SAML Assertion (1/2)

  <saml2:AuthnStatement AuthnInstant="2012-06-24T17:12:05.463Z" SessionIndex="ZZZZ">
    <saml2:SubjectLocality Address="150.100.253.2" />
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonAffiliation">
      <saml2:AttributeValue xsi:type="xs:string">faculty</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

(to be continued)

Page 9

Example of SAML Assertion (2/2)

(continued)

<saml2:Assertion ID="XXXX" IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0">
  <saml2:Issuer>https://idp.nii.ac.jp/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:EncryptedID> … </saml2:EncryptedID>
    <saml2:SubjectConfirmation Method="bearer">
      <saml2:SubjectConfirmationData Address="150.100.253.2"
          InResponseTo="YYYY"
          NotOnOrAfter="2012-06-24T17:28:34.237Z"
          Recipient="https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST" />
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z" NotOnOrAfter="2012-06-24T17:28:34.237Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://mcus.nii.ac.jp/shibboleth-sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
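A verified signature alone does not make this assertion acceptable: the Conditions and the bearer SubjectConfirmationData are what bind it to one SP and one login. The Python below is an added example (not from the slides or from the Shibboleth project) of the checks an SP applies to those fields: Issuer against trusted metadata, NotBefore/NotOnOrAfter with a small clock-skew tolerance, Audience, Recipient and InResponseTo. The assertion, entityIDs and request ID it uses are constructed for the example, and signature verification and decryption of the EncryptedID are assumed to have happened already.

```python
"""SP-side checks on a received SAML 2.0 assertion (added example, not Shibboleth
code). Signature verification and EncryptedID decryption are assumed to have
already succeeded; this step validates the fields that bind the assertion to
this SP and to this login. All identifiers below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample assertion in the shape of the one on the slide; the
# EncryptedID is replaced by a plain NameID so the example needs no decryption.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="XXXX" IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0">
  <saml2:Issuer>https://idp.example.asia/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>constructed-opaque-id</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="YYYY"
          NotOnOrAfter="2012-06-24T17:28:34.237Z"
          Recipient="https://sp.example.asia/Shibboleth.sso/SAML2/POST"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z"
      NotOnOrAfter="2012-06-24T17:28:34.237Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.asia/shibboleth</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing Z; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, sp_entity_id, acs_url, trusted_issuers,
                       outstanding_request_ids, now,
                       clock_skew=timedelta(seconds=180)):
    """Return the list of problems found; an empty list means accept."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML2:
        return ["root element is not saml2:Assertion"]

    # Issuer must be an IdP known from the federation metadata.
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append("unknown issuer %r" % issuer)

    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")
        if not_before and now + clock_skew < parse_saml_time(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        not_after = cond.get("NotOnOrAfter")
        if not_after and now - clock_skew >= parse_saml_time(not_after):
            problems.append("assertion expired (Conditions/NotOnOrAfter)")
        # Audience must name this SP; otherwise an assertion issued for another
        # SP could be presented here.
        audiences = [a.text for a in
                     cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience %r does not include this SP" % audiences)

    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/"
                    "saml2:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        # Recipient must be our own assertion consumer endpoint, and the
        # response must answer an AuthnRequest this SP actually issued.
        if scd.get("Recipient") != acs_url:
            problems.append("recipient %r is not our ACS endpoint" % scd.get("Recipient"))
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("InResponseTo does not match an outstanding AuthnRequest")
        scd_not_after = scd.get("NotOnOrAfter")
        if scd_not_after and now - clock_skew >= parse_saml_time(scd_not_after):
            problems.append("bearer confirmation expired")
    return problems


def demo():
    """Accept the fresh assertion at its intended SP; reject the same assertion
    presented ten minutes later at a different SP."""
    trusted = {"https://idp.example.asia/idp/shibboleth"}
    now = parse_saml_time("2012-06-24T17:24:00Z")
    ok = validate_assertion(SAMPLE_ASSERTION, "https://sp.example.asia/shibboleth",
                            "https://sp.example.asia/Shibboleth.sso/SAML2/POST",
                            trusted, {"YYYY"}, now)
    replayed = validate_assertion(SAMPLE_ASSERTION, "https://sp2.example.asia/shibboleth",
                                  "https://sp2.example.asia/Shibboleth.sso/SAML2/POST",
                                  trusted, {"YYYY"}, now + timedelta(minutes=10))
    return ok, replayed


if __name__ == "__main__":
    accepted, rejected = demo()
    print("fresh assertion at sp.example.asia:", accepted or "accepted")
    print("same assertion later at sp2.example.asia:", rejected)
```

The second call in demo() shows why the five-minute window and the Audience check on the slide matter: the identical, correctly signed assertion fails on expiry, audience, recipient and bearer expiry when it reaches another SP late.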

Page 10

Required key features for browsers

- Redirection to collaborate among SP/DS/IdP
  - HTTP redirect
  - JavaScript (automatic POST of the assertion)
- Cookie management: memorize session information on
  - the selected IdP on the DS (Discovery Service)
  - the status of being authenticated on an IdP
  - the status of being authorized on an SP
- Session encryption with SSL (server certificate)
  - to protect passwords and cookies from wiretapping

Page 11

Shibboleth Flow Diagram

[Figure: Shibboleth flow diagram among the User, the DS (Discovery Service), the SP (Resource Provider) and the IdP (Home Org); numbered steps 1 to 9 carried over HTTPS, ending with Attributes delivered to the SP and Access Approved.]

Page 12

You can also learn in detail at SWITCH’s web site


http://www.switch.ch/aai/demo/

Page 13

2 types of assertion handling

[Figure: User, IdP and SP with the numbered messages listed below for each case.]

Assertion via Front-channel (SAML 2.0)
(1): access to SP
(2): redirect to IdP
(3): request for authentication
(4): ID and password
(5): assertion with attributes (requires JavaScript)

Assertion via Back-channel (SAML 1.3)
(1): access to SP
(2): redirect to IdP
(3): request for authentication
(4): ID and password
(5): handle for attribute request
(6): request for attributes with handle
(7): assertion with attributes

(Sequences on DS access omitted)

Page 14

User Interactions will be eliminated by “Cookies”

[Figure: the same flow diagram as on page 11 (User, DS (Discovery Service), SP (Resource Provider), IdP (Home Org)), with “Set Cookie” marked at the DS, the IdP and the SP; Attributes delivered to the SP; Access Approved.]

Page 15

Lifetime of a Cookie

- IdP selection at the DS
  - A month or longer, or cleared after the browser is closed
  - You can choose which when selecting the IdP (check box)
- IdP session (you have been authenticated)
  - Cleared after the browser is closed (logout by closing)
  - Even if the browser is not closed, the session timeout is managed by the IdP
  - Re-authentication may be required by a change of IP address on the client side
- SP session
  - Cleared after the browser is closed (logout by closing)
  - Cleared by clicking the logout button on the SP

Page 16

Building Relying Party by Metadata

[Figure: User, DS (Discovery Service), SP (Resource Provider) and IdP (Home Org). The IdP and the SP register their Metadata with the federation; the federation distributes (download) the metadata to the relying parties.]

Page 17

Effectiveness of trust framework

The number of contracts can be reduced from N×M to N+M by introducing a uniform policy.

[Figure: left, IdPs and SPs bound by many bilateral contracts; right, each IdP and SP signs a single contract with the Trust Framework Provider (TFP) under the Trust Framework.]

Page 18

Contents of Metadata (XML)

Federation Metadata
- Signed Info
- IdP Info: IdP-A Info, IdP-B Info, ...
- SP Info: SP-A Info, SP-B Info, ...

Entity Metadata (IdP): ID of IdP-A = entityID, Certificate, Protocol, Organization Info, ...
Entity Metadata (SP): ID of SP-A = entityID, Certificate, Protocol, Organization Info, ...

Entity ≒ relying party

Page 19

Building Relying Party by Metadata

[Figure: the Federation Repository holds the Federation Metadata; IdP A, IdP B, IdP C and SP A, SP B, SP C each contribute their Entity Metadata, and the DS (Discovery Service) and the entities download the federation metadata from the repository.]

The reliability of a relying party is confirmed by the signed metadata.

Page 20

Relationship among modules

[Figure: relationship among modules.
IdP (Tomcat): SSO Profile, AuthN Engine, Username/Password AuthN Form, Attribute Authority; backed by the AuthN DB and the Attribute DB (LDAP/AD).
SP (Apache/IIS): Shibboleth Module (mod_shib) in front of the Web Resource, Session Initiator (DS), Assertion Consumer (SAML POST), Shibboleth Daemon (shibd).
The Browser talks to the IdP and the SP over https (front channel); shibd talks to the Attribute Authority directly (back channel; port numbers 443, 4443 or 8443, depending on each SP).]

Protecting a web resource with .htaccess (Shib 1.3):

  # .htaccess
  AuthType shibboleth
  ShibRequireSession On
  require valid-user

Page 21

Filtering of attributes and control of authorization

[Figure: filtering of attributes and control of authorization.
Shibboleth IdP: LDAP, attribute-resolver.xml, attribute-filter.xml, relying-party.xml, handler.xml, login.config; metadata BackingFile.
Shibboleth SP: shibboleth2.xml, attribute-map.xml, attribute-policy.xml; metadata BackingFile; httpd (httpd.conf / .htaccess: AccessControl) passes the attributes to the WebApp as environment variables.
Both sides obtain metadata from the Trust repository; SAML messages flow between IdP and SP.]

Page 22

Control of attribute release


Name (abbreviation) Description

OrganizationName (o) English name of the organization

jaOrganizationName (jao) Japanese name of the organization

OrganizationalUnit (ou) English name of a unit in the organization

jaOrganizationalUnit (jaou) Japanese name of a unit in the organization

eduPersonPrincipalName (eppn) Uniquely identifies an entity in GakuNin

eduPersonTargetedID A pseudonym of an entity in GakuNin

eduPersonAffiliation Staff, Faculty, Student, Member

eduPersonScopedAffiliation Staff, Faculty, Student, Member with scope

eduPersonEntitlement Qualification to use a specific application

SurName (sn) Surname in English

jaSurName (jasn) Surname in Japanese

givenName Given name in English

jaGivenName Given name in Japanese

displayName Displayed name in English

jaDisplayName Displayed name in Japanese

mail E-mail address

gakuninScopedPersonalUniqueCode Student or faculty, staff number with scope

Attributes managed by an IdP; the released attributes differ among SPs:
- SP-A (2 attributes required): eppn (mandatory), eduPersonAffiliation (optional)
- SP-B (1 attribute required): eduPersonAffiliation (mandatory)
- SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)

Page 23

3 types of access on privacy

- Anonymous: no identifier is sent. Fits e-Journals (any member (of a department) of the organization can access)
- Autonymous: eduPersonPrincipalName is sent. A unique identifier shared by all SPs (globally unique), similar to an e-mail address
- Pseudonymous: eduPersonTargetedID is sent [hash(ePPN, entityID of SP)]. A persistent unique identifier for each SP, to avoid correlation of user activities among SPs
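To make the pseudonymous model and the per-SP release on page 22 concrete, the Python below is an added example (not from the slides or from Shibboleth): it derives eduPersonTargetedID per SP as a keyed hash of the ePPN and the SP entityID, and applies release policies modelled on SP-A, SP-B and SP-C, so the same user receives different but stable pseudonyms at different SPs and each SP gets only the attributes it declared. The entityIDs, the user record and the salt are constructed; the salt is an assumption beyond the slide's hash(ePPN, entityID of SP).

```python
"""Per-SP attribute release at an IdP (added example, not Shibboleth code).
Policies modelled on SP-A/SP-B/SP-C from page 22; eduPersonTargetedID derived
per SP as on page 23. EntityIDs, the user record and the salt are constructed."""
import base64
import hashlib
import hmac

# Assumed IdP-side secret (not in the slide's formula): without it anyone who
# knows a user's ePPN and an SP's entityID could recompute the pseudonym.
IDP_SALT = b"constructed-idp-secret-salt"


def targeted_id(eppn, sp_entity_id, salt=IDP_SALT):
    """Pseudonym for one user at one SP: hash(ePPN, entityID of SP) keyed with the
    IdP salt. Same user and SP -> same value (persistent); another SP -> an
    unrelated value, so SPs cannot correlate the user."""
    digest = hmac.new(salt, sp_entity_id.encode() + b"!" + eppn.encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


# Constructed release policies: what each SP declared it needs.
# "one_of": the SP needs at least one of the listed attributes.
SP_POLICIES = {
    "https://sp-a.example.asia/shibboleth": {
        "mandatory": ["eduPersonPrincipalName"],
        "optional": ["eduPersonAffiliation"]},
    "https://sp-b.example.asia/shibboleth": {
        "mandatory": ["eduPersonAffiliation"]},
    "https://sp-c.example.asia/shibboleth": {
        "mandatory": ["eduPersonTargetedID"],
        "one_of": ["eduPersonEntitlement", "eduPersonScopedAffiliation"]},
}

# Constructed user record, as the IdP's attribute resolver would produce it.
TARO = {
    "eduPersonPrincipalName": "taro.suzuki@example.asia",
    "eduPersonAffiliation": "faculty",
    "eduPersonScopedAffiliation": "faculty@example.asia",
    "mail": "taro.suzuki@example.asia",
}


def release_attributes(user, sp_entity_id, policies=SP_POLICIES, user_consent=None):
    """Attributes the IdP sends to sp_entity_id for this user.
    user_consent: set of optional attribute names the user agreed to release;
    None means the user accepted all optional ones. Raises ValueError when a
    mandatory attribute cannot be supplied (the SP would refuse the login)."""
    policy = policies.get(sp_entity_id)
    if policy is None:
        return {}  # an SP without a release policy gets nothing (least attributes)
    available = dict(user)
    available["eduPersonTargetedID"] = targeted_id(
        user["eduPersonPrincipalName"], sp_entity_id)
    released = {}
    for name in policy.get("mandatory", []):
        if name not in available:
            raise ValueError("%s requires %s, which the IdP cannot supply"
                             % (sp_entity_id, name))
        released[name] = available[name]
    for name in policy.get("optional", []):
        if name in available and (user_consent is None or name in user_consent):
            released[name] = available[name]
    alternatives = [n for n in policy.get("one_of", []) if n in available]
    if policy.get("one_of") and not alternatives:
        raise ValueError("%s requires one of %s" % (sp_entity_id, policy["one_of"]))
    if alternatives:
        # Release only the first alternative the IdP has, not every one of them.
        released[alternatives[0]] = available[alternatives[0]]
    return released


if __name__ == "__main__":
    for sp in SP_POLICIES:
        print(sp, "->", release_attributes(TARO, sp))
```

Note that "mail" is never released, because no SP declared it, and that SP-C receives eduPersonScopedAffiliation rather than eduPersonEntitlement only because the constructed user has no entitlement value.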

Page 24

Environment of this training course

[Figure: VirtualBox on a Windows / Mac host OS running CentOS VMs: idp.example.asia (with LDAP), sp.example.asia and sp2.example.asia (a copy of the SP). A “Host-only” network lets the VMs and the host browser communicate with each other; a “NAT” network gives access to the Internet.]

- No DS (Discovery Service) is provided
- Use /etc/hosts instead of DNS

Page 25

Exercises after installation (1) (Control of Attribute release on IdP)

1. Configure not to send out any attributes to any SP.
2. Configure to send out only “eduPersonTargetedID” and “eduPersonPrincipalName” to all SPs.
3. Configure to send out only “eduPersonTargetedID” for an SP.
4. Configure to send out “admin” as a value of “eduPersonEntitlement” for a user.
   Ref.: https://wiki.shibboleth.net/confluence/x/GoBC
5. Configure to filter the values of “eduPersonEntitlement” so that only a specific value is sent out for an SP.
   Ref.: https://wiki.shibboleth.net/confluence/x/84BC

Page 26

Exercises after installation (2) (Control of Attributes received by SP)

1. Configure to filter out all attributes received at an SP.
2. Configure an IdP to send out multiple values of “eduPersonEntitlement”, then configure an SP to filter out all of them except one value.
3. Configure an IdP to send out a new attribute named “trainingTestAttribute”, then configure an SP to receive it.

Page 27

Exercises after installation (3) (Access Management on SP)

1. Confirm that no password is required when you access a second SP (SSO).
2. Authorize users who are “staff” according to “eduPersonAffiliation”.
3. Authorize users when “test” is included in “eduPersonEntitlement”.
4. LazySession feature. Ref.: https://wiki.shibboleth.net/confluence/x/bYFC
5. ForceAuthentication (forceAuthn) feature. Ref.: https://wiki.shibboleth.net/confluence/x/SIBC
6. PassiveAuthentication (isPassive) feature. Ref.: https://wiki.shibboleth.net/confluence/x/SIBC