Shibboleth IdP Training
11 June 2015, Zurich
Handouts

Table of Contents (slide set, topic, handout page)
 1  Shibboleth IdP Version 3 Upgrade ................ 1
 2  Test of the VM Images ........................... 4
 3  Configuration Pattern .......................... 10
 4  User Authentication ............................ 15
 5  Login Form Customization ....................... 23
 6  Attribute Resolution ........................... 34
 7  Persistent IDs ................................. 42
 8  User Consent ................................... 46
 9  Upgrades within Version 3 ...................... 59
10  Updating the Home Organisation Description ..... 62
11  Clustering IdPs ................................ 69
12  Resource Registry .............................. 78
13  - Interfederation via eduGAIN .................. 79
14  - Entity Categories ............................ 83
15  - Attribute Release Configuration .............. 88
16  Overview of Log Files .......................... 90
17  Reloading the Configuration .................... 95
18  New Challenges with Interfederation SPs ........ 99

Separate handouts for: Essential Linux commands, Tips and Tricks for Hands-On Session, Test Users on your Identity Provider, Important Directories
Shibboleth IdP Version 3 Upgrade
General observations
SWITCHaai Team, aai@switch.ch
© 2015 SWITCH

IdP V3: a new milestone
• IdP version 2.0.0 released in March 2008
  – followed by 4 minor releases and 18 patch releases (current is 2.4.4)
• IdP version 3: the first major release after ~7 years
  – 3.0.0, December 2014: only very sparse documentation in the Wiki
  – 3.1.0/3.1.1, March 2015: now being deployed for production use; documentation considerably improved in Q1/Q2 2015
• a good opportunity to start with a fresh environment
  – requires Java 7 or later and Servlet API 3.0 support
  – best run on a platform with an expected lifetime of 5+ years
• do not consider an in-place upgrade of your IdP v2 deployment
  – even if the Shibboleth installer claims to support this to some extent
Operating system recommendations
• rely on an OS with long-term support (5+ years)
• use the same Linux distribution (or one from the same family) which your organization is already using for other services
• the SWITCH deployment guide has been rewritten to cover:
  • Ubuntu Server 14.04 LTS: released in April 2014, supported through April 2019
  • Red Hat Enterprise Linux 7 / CentOS 7: released in June 2014, supported through June 2024
• Debian is no longer covered in the SWITCH guide
  • very similar to Ubuntu though (in case you have strong feelings about staying with Debian)
Java and Webapp environment
• rely on the operating system's default Java version
  – for both Ubuntu 14.04 and RHEL 7 this is OpenJDK 7
  – Java 8 has potential pitfalls with scripted attributes (Rhino/Nashorn engine incompatibilities), so better stay with Java 7 for the time being
• use a Java Servlet container which is provided in the form of a package supported by the OS vendor
  – Tomcat 7 is the primary container for both supported OSes
  – you don't have to bother about manually applying security patches for the Servlet container
• run Apache httpd in front of the Servlet container
  – flexible configuration of the TLS endpoints for the IdP
  – mod_proxy_ajp has proven robust with the IdP v2 in the past
Persistent ID and user consent storage
• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters, other RDBMSes might be better fits
Testing strategy
• /etc/hosts is your friend
• set up the IdP v3 on a completely new system
• retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2, most IdP traffic is now front channel
  – straightforward testing possible by simple edits of your hosts file: 192.0.2.3 aai-login.example.org
• for back-channel testing, a temporary change to an SP's hosts file can be an option
Test of the VM Images
Boot VM image and test network connectivity
SWITCHaai Team, aai@switch.ch

General Information
• Course material is adapted for use in SWITCHaai
• Course material will be published online; check https://www.switch.ch/aai/docs/training/
• If you see this on a slide, hands-on work is required
Boot up the image
1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.

VM Operating System Environment
• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (same name for all participants): aai-login.example.org
Test AAI Login with Demo Service Provider
1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux

DOS Command                  Linux Command
dir                          ls -l
cd <directory>               cd <directory>
mkdir or md <directory>      mkdir <directory>
rmdir or rd <directory>      rmdir <directory>
chdir                        pwd
del or erase <file>          rm <file>
copy and xcopy <file>        cp and cp -R <file>
find or findstr <file>       grep <string> <file>
comp <file1> <file2>         diff <file1> <file2>
edit <file>                  nano or vim or emacs <file>
ping <host>                  ping <host>
reboot                       reboot
File Editing Commands for Terminal Editor

Editor               nano                    vim
Open file            $ nano <file>           $ vim <file>
Save file            <ctrl>-o                <esc> :w
Save and exit        <ctrl>-x                <esc> :wq
Search string        <ctrl>-w string         <esc> /string
Go to line number    <ctrl>-_ number         <esc> number <shift>-G

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user (this happens automatically if the Terminal is opened or if the text editor is used)
• The backslash character (\) is the line break symbol which allows a line to be broken when typed
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems.
More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes (unless otherwise mentioned)
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing.
• SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1 (the password is "password"). Useful for: $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks: in your web browser open https://aai-login.example.org/
Test Users on your Identity Provider

Username: student1, Password: password1
  UniqueID: 2490257@example.org
  Givenname / surname: Test1 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: student2, Password: password2
  UniqueID: 8548997@example.org
  Givenname / surname: Test2 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: staff3, Password: password3
  UniqueID: 7622788@example.org
  Givenname / surname: Test3 Staff
  Affiliation: staff, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms
Important directories

/opt/shibboleth-idp               Identity Provider installation directory
/opt/shibboleth-idp/conf          Configuration files
/opt/shibboleth-idp/logs          Log files like idp-process.log
/opt/shibboleth-idp/credentials   X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp   Changes for the web application that survive upgrades
Configuration Pattern
Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern (with some few exceptions)
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
• Bean: some software object that is configurable by setting its attributes
• Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>

References
For comprehensive information refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
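How the %{key} and %{key:default} placeholders in the beans above are filled from the properties files, as an added illustration (not IdP code; the properties and bean attributes are constructed samples in the style of the slides):

```python
import re

# Constructed sample in the style of ldap.properties (sample values only).
SAMPLE_PROPERTIES = """
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
idp.home = /opt/shibboleth-idp
"""

# Bean attribute values as they appear in ldap-authn-config.xml and services.xml.
SAMPLE_BEAN_ATTRIBUTES = {
    "p:ldapUrl": "%{idp.authn.LDAP.ldapURL}",
    "p:useStartTLS": "%{idp.authn.LDAP.useStartTLS:true}",
    "p:useSSL": "%{idp.authn.LDAP.useSSL:false}",
    "p:connectTimeout": "%{idp.authn.LDAP.connectTimeout:3000}",
    "value": "%{idp.home}/conf/attribute-resolver-local.xml",
}

# %{key} or %{key:default}; the default may be empty.
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")


def parse_properties(text):
    """Parse 'key = value' lines; '#' lines and blank lines are ignored.
    Only the first '=' separates key and value, so DNs containing '=' survive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Replace every placeholder in value.

    A key that is missing from the properties and has no default is an error;
    this is how a typo in a property name surfaces when the IdP starts.
    """
    def substitute(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError("no value for property %s" % key)
    return PLACEHOLDER.sub(substitute, value)


def resolve_bean(attributes, props):
    """Resolve all attribute values of one bean definition."""
    return {name: resolve(v, props) for name, v in attributes.items()}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for name, value in resolve_bean(SAMPLE_BEAN_ATTRIBUTES, props).items():
        print(name, "=", value)
```

Note that p:useSSL resolves to the value set in the properties while p:useStartTLS falls back to its default, so a misspelled property name silently yields the default unless the placeholder has none.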
User Authentication
How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development.
Login Flows
[Diagram: SAML Request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it (RemoteUser Authentication Flow, X.509 Authentication Flow, Password Authentication Flow); the SAML Response is returned]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  • But: the client must support ECP appropriately
Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
        idp.authn.flows = Password
        idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces).
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389); if not enabled, the connection is not encrypted.
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.

Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"   <=>   userFilter="uid={0}"

Hands-on 2: Solution
To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties:

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
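The same v2-to-v3 mapping done by hand above, as an added script (not part of the training material or the IdP); it assumes the vt-ldap LdapLoginModule option names shown on the slide, routes bindCredential to credentials.properties as the slides prescribe, and treats the {0} / {user} login-name markers as equivalent:

```python
import re

# Constructed v2 login.config in the form shown on the slide.
SAMPLE_LOGIN_CONFIG = '''
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
'''

# v2 option -> (target file, v3 property). bindCredential is deliberately the
# only option routed to credentials.properties, keeping the password out of
# ldap.properties.
OPTION_MAP = {
    "ldapUrl": ("ldap.properties", "idp.authn.LDAP.ldapURL"),
    "baseDn": ("ldap.properties", "idp.authn.LDAP.baseDN"),
    "bindDn": ("ldap.properties", "idp.authn.LDAP.bindDN"),
    "subtreeSearch": ("ldap.properties", "idp.authn.LDAP.subtreeSearch"),
    "bindCredential": ("credentials.properties", "idp.authn.LDAP.bindDNCredential"),
}

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_login_config(text):
    """Return the name="value" options of the first LdapLoginModule entry."""
    body = text.split("LdapLoginModule", 1)[1]
    return dict(OPTION_RE.findall(body))


def user_filter(options):
    """userField and userFilter are equivalent in v2; v3 only knows userFilter,
    written as a parenthesised LDAP filter with {user} as the login name."""
    if "userFilter" in options:
        f = options["userFilter"].replace("{0}", "{user}")
        return f if f.startswith("(") else "(" + f + ")"
    if "userField" in options:
        return "(" + options["userField"] + "={user})"
    raise ValueError("neither userField nor userFilter found")


def migrate(options):
    """Split the v2 options into the two v3 properties files."""
    files = {"ldap.properties": {}, "credentials.properties": {}}
    ldap = files["ldap.properties"]
    ldap["idp.authn.LDAP.authenticator"] = "bindSearchAuthenticator"
    for opt, value in options.items():
        if opt in OPTION_MAP:
            target, prop = OPTION_MAP[opt]
            files[target][prop] = value
    # ldaps:// URLs need useSSL, plain ldap:// URLs need StartTLS; a mix would
    # leave one of the servers unencrypted, so refuse it instead of guessing.
    urls = ldap["idp.authn.LDAP.ldapURL"].split()
    schemes = {u.split("://", 1)[0] for u in urls}
    if schemes not in ({"ldap"}, {"ldaps"}):
        raise ValueError("use a single scheme for all LDAP URLs: %s" % sorted(schemes))
    use_ssl = schemes == {"ldaps"}
    ldap["idp.authn.LDAP.useSSL"] = str(use_ssl).lower()
    ldap["idp.authn.LDAP.useStartTLS"] = str(not use_ssl).lower()
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    ldap["idp.authn.LDAP.userFilter"] = user_filter(options)
    return files


def render(props):
    """Properties-file text, one 'key = value' per line."""
    return "\n".join("%s = %s" % kv for kv in sorted(props.items()))


if __name__ == "__main__":
    for name, props in migrate(parse_login_config(SAMPLE_LOGIN_CONFIG)).items():
        print("# %s\n%s\n" % (name, render(props)))
```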
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch
© SWITCH 2015

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
        <div class="space">
            <em>$encoder.encodeForHTML($name)</em>
        </div>
    #end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:

    @media only screen and (max-width: 799px) {
        .idp_logo { display: none; }
    }

• use the class in login.vm:

    <img class="idp_logo" align="right" ...

• rebuild and restart tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
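What the Hands On II solution changes in security terms: with the shipped mapping, the login form tells a client whether a username exists; with the merged bad-credentials key it does not. An added illustration (not IdP code) of the two-level lookup from authn-messages.properties, using only the keys shown on the slides; the set of classified errors checked is an assumption limited to the two keys the solution rewrites:

```python
# Mapping as shipped in authn-messages.properties (from the slides above).
DEFAULT_MESSAGES = {
    "UnknownUsername": "bad-username",
    "InvalidPassword": "bad-password",
    "ExpiredPassword": "expired-password",
    "AccountLocked": "account-locked",
    "bad-username.message": "The username you entered cannot be identified.",
    "bad-password.message": "The password you entered was incorrect.",
    "expired-password.message": "Your password has expired.",
    "account-locked.message": "Your account is locked.",
}

# Mapping after applying the Hands On II solution.
HARDENED_MESSAGES = dict(DEFAULT_MESSAGES)
HARDENED_MESSAGES.update({
    "UnknownUsername": "bad-credentials",
    "InvalidPassword": "bad-credentials",
    "bad-credentials.message": "The credentials you entered are incorrect.",
})

# Classified errors a failed login attempt may produce for an unknown user vs.
# a known user with a wrong password (assumed subset, names as on the slides).
ENUMERATION_KEYS = ("UnknownUsername", "InvalidPassword")


def resolve_message(classified_error, messages):
    """Follow the two-level mapping: classified error -> message key ->
    '<key>.message' text. Returns None when either level is missing."""
    key = messages.get(classified_error)
    if key is None:
        return None
    return messages.get(key + ".message")


def leaks_account_existence(messages):
    """True if an unknown-user attempt and a wrong-password attempt render
    different text, i.e. the form reveals which usernames exist."""
    texts = {resolve_message(k, messages) for k in ENUMERATION_KEYS}
    return len(texts) > 1


if __name__ == "__main__":
    for label, m in (("shipped", DEFAULT_MESSAGES), ("hardened", HARDENED_MESSAGES)):
        print(label, "leaks account existence:", leaks_account_existence(m))
```

The locked-account and expired-password texts stay distinct in both mappings; whether to merge those as well is a separate decision for the deployer.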
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
            generatedAttributeID="persistentID"
            sourceAttributeID="%{idp.persistentId.sourceAttribute}"
            salt="%{idp.persistentId.salt}"
            queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
            sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>
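The value-by-value expansion that the two Template definitions above (SAP-${uid} in Hands-on 1 and the groups entitlement in Hands-on 2) rely on, followed by the Simple definition merging dependencies, as an added simulation (not IdP code); the resolved input attributes are constructed, and it assumes, as the Template definition does, that all source attributes carry the same number of values:

```python
from string import Template

# Constructed resolved attributes for one user, as an LDAP connector would
# deliver them; attribute names follow the Hands-on slides.
SAMPLE_RESOLVED = {
    "uid": ["student1"],
    "objectClass": ["inetOrgPerson", "eduPerson", "swissEduPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def template_attribute(template, source_attributes, resolved):
    """Expand an ad:Template once per value index, i.e. one output value per
    value of the source attribute(s). Mismatched value counts are rejected."""
    columns = [resolved.get(name, []) for name in source_attributes]
    counts = {len(c) for c in columns}
    if len(counts) != 1:
        raise ValueError("source attributes have differing value counts: %s" % sorted(counts))
    values = []
    for i in range(counts.pop()):
        mapping = {name: columns[j][i] for j, name in enumerate(source_attributes)}
        values.append(Template(template).substitute(mapping))
    return values


def simple_attribute(dependencies, resolved):
    """ad:Simple collects the values of all dependencies, in order, without duplicates."""
    out = []
    for dep in dependencies:
        for v in resolved.get(dep, []):
            if v not in out:
                out.append(v)
    return out


def resolve_hands_on(resolved):
    """Run the three definitions from the Hands-on solutions over one user."""
    r = dict(resolved)
    r["uzhSAPUserId"] = template_attribute("SAP-${uid}", ["uid"], r)
    r["eduPersonEntitlement.groups"] = template_attribute(
        "https://example.org/groups/${objectClass}", ["objectClass"], r)
    r["eduPersonEntitlement"] = simple_attribute(
        ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"], r)
    return r


if __name__ == "__main__":
    for name, values in resolve_hands_on(SAMPLE_RESOLVED).items():
        print(name, values)
```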
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
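The computation and qualification just described, as an added illustration (not the IdP's own code): SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded, then wrapped in the IdP!SP!value string form the SP exposes. The "!" separators between the three hash inputs are an assumption taken from Shibboleth's computed-ID strategy, and the salt and the second SP entity ID are constructed sample values:

```python
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"   # constructed
SALT = "constructed-sample-salt-not-for-production"               # constructed


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over 'SP entity ID ! source value ! salt', Base64 encoded.
    20 digest bytes give a 28-character value with one '=' of padding.
    The SP entity ID is public and the source attribute is often guessable,
    so the salt is the only secret input: that is why idp.persistentId.salt
    lives in credentials.properties and must never change once in use."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """The string form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "%s!%s!%s" % (idp_entity_id, sp_entity_id, persistent_id)


def parse_sp_attribute_rendering(rendered):
    """Split an SP-side value back into (NameQualifier, SPNameQualifier, value).
    Entity IDs and Base64 never contain '!', so a plain split is unambiguous."""
    parts = rendered.split("!")
    if len(parts) != 3:
        raise ValueError("expected IdP!SP!value, got %r" % rendered)
    return tuple(parts)


def is_pairwise(source_value, salt):
    """Same user at two SPs yields two unrelated pseudonyms (the 'targeted' property)."""
    a = computed_persistent_id(SP_ENTITY_ID, source_value, salt)
    b = computed_persistent_id(OTHER_SP_ENTITY_ID, source_value, salt)
    return a != b


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, "2490257@example.org", SALT)
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```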
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
copy 2015 SWITCH
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c "truncate shibpid" before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team aai@switch.ch
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What’s in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
    1. Ask me again if information changes (= if the set of attributes changes)
    2. Ask me again at next login [enabled]
    3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose “I don’t care about my privacy”
• Decide for all your users, or let them decide
When should consent be sought
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits
Global configuration options: Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration: Configured by Java properties in conf/idp.properties
Consent duration options (default value in brackets):
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
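A small model of the white list / black list / pattern rules from the previous two slides and of the 3.2.0 display order, as an added example; it is not the IdP's own code and the rule set is my reading of the slides (an assumption): with nothing configured, everything except the black list is prompted for; once a white list or pattern is set, only attributes named in the white list or matching the pattern are prompted for and the rest are released silently; the black list always wins. The attribute IDs are constructed sample values, and the ^$ ordering trick mentioned on the slide is not modelled here.

```python
import re

# Defaults as listed on the slides: empty white list, black list of the three
# identifier attributes, no pattern.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(released, whitelist=(), blacklist=DEFAULT_BLACKLIST, pattern=None):
    """Attribute IDs the consent page asks about (assumed semantics, see lead-in).

    released  - attribute IDs the resolver/filter produced for this SP
    whitelist - attribute IDs that are always prompted for
    blacklist - attribute IDs that are never prompted for
    pattern   - optional regular expression; matching IDs are prompted for
    """
    selective = bool(whitelist) or pattern is not None
    regex = re.compile(pattern) if pattern is not None else None
    prompted = []
    for attr in released:
        if attr in blacklist:
            continue                      # black list always wins
        if selective and attr not in whitelist and not (regex and regex.search(attr)):
            continue                      # released without asking
        prompted.append(attr)
    return prompted


def display_order(prompted, whitelist=()):
    """Order used from IdP 3.2.0 on: white-listed attributes first (in white
    list order), then everything else alphabetically."""
    first = [a for a in whitelist if a in prompted]
    rest = sorted(a for a in prompted if a not in first)
    return first + rest


if __name__ == "__main__":
    # Constructed sample: the attributes one SP would receive.
    released = ["mail", "eduPersonTargetedID", "displayName", "givenName", "surname", "persistentId"]
    print(attributes_to_prompt(released))
    print(attributes_to_prompt(released, whitelist=["mail"]))
    print(display_order(attributes_to_prompt(released), whitelist=["surname", "givenName"]))
```

The second call shows the edge case the slide warns about: as soon as the white list is non-empty, displayName, givenName and surname leave the consent page and are released without the user seeing them, so a white list is a way to reduce prompting, not to tighten it.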
Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties
• Terms for each SP: default mapping using the entityID
    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:
    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>
Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to
    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>
Hands-on solution
• Add the text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
    • name: entityID
    • group: <EntitiesDescriptor> in metadata
    • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
    • GÉANT Data Protection Code of Conduct (CoCo)
    • REFEDS Research & Scholarship
• New attributes available
    • swissEduPersonHomeOrganization
    • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes:
    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override: Disables the consent flows for SPs belonging to a home organisation
    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
Page 58
SWITCHaai Team aai@switch.ch
Upgrades within Version 3
It’s easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won’t be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
    • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
    • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP’s metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP’s public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it’s better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
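The grep above answers one question for one binding; the following added example (not from the handout, not Shibboleth code) generalises it into a small scanner that reports, for every SAML binding URN found in a log, how often it occurred, when it was last seen and which SPs used it, and then lists the handout's removal candidates that never appear. The log lines are constructed samples: only the timestamp at the start of the line, the binding URN and the entityID are relied on, the rest of the message text is an assumption about the format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from a real IdP). The surrounding
# message text is an assumption; only the leading timestamp, the SAML binding
# URN and the relying party's entityID are used below.
SAMPLE_LOG = """\
2015-01-12 09:14:03,118 - INFO [...] - attribute query from https://sp.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-03-02 17:40:55,902 - INFO [...] - SSO response to https://sp.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-05-28 11:02:17,410 - INFO [...] - attribute query from https://legacy.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-06-01 08:30:00,001 - WARN [...] - no binding in this line at all
"""

# Endpoints the handout names as candidates for removal, by binding URN.
CANDIDATE_BINDINGS = [
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
]

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:\d\.\d:bindings:[A-Za-z0-9-]+")
ENTITY_RE = re.compile(r"https?://[^\s\"'<>]+")


def binding_usage(log_text):
    """Summarise, per binding URN, how often it appears, when it was last
    seen (ISO timestamps compare correctly as strings) and which relying
    parties used it."""
    usage = defaultdict(lambda: {"count": 0, "last_seen": None, "relying_parties": set()})
    for line in log_text.splitlines():
        binding = BINDING_RE.search(line)
        if not binding:
            continue
        stamp = TIMESTAMP_RE.match(line)
        entity = ENTITY_RE.search(line)
        entry = usage[binding.group(0)]
        entry["count"] += 1
        if stamp and (entry["last_seen"] is None or stamp.group(1) > entry["last_seen"]):
            entry["last_seen"] = stamp.group(1)
        if entity:
            entry["relying_parties"].add(entity.group(0))
    return dict(usage)


def unused_bindings(usage, candidates):
    """Candidate bindings with no occurrence in the scanned logs, i.e. the
    endpoints that can be removed from the Resource Registry first."""
    return [b for b in candidates if b not in usage]


def scan_log_files(paths):
    """Same summary over real files, e.g. glob('/opt/shibboleth-idp/logs/idp-process-2015-*.log')."""
    text = ""
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text += fh.read() + "\n"
    return binding_usage(text)


if __name__ == "__main__":
    usage = binding_usage(SAMPLE_LOG)
    for binding, info in sorted(usage.items()):
        print(f"{binding}: {info['count']}x, last seen {info['last_seen']}, SPs {sorted(info['relying_parties'])}")
    print("never used:", unused_bindings(usage, CANDIDATE_BINDINGS))
```

Run over the real idp-process logs for the period you care about, the "never used" list is the set of endpoints that can be removed without verification effort, while anything with a recent last_seen stays until the SPs listed under relying_parties have been contacted.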
Page 68
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
    • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
    • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
    • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
    • Especially, user login sessions are stored on the client instead of on the server in memory
    • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
    • Full support for Attribute Query requires persistent storage of the Persistent ID
    • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Page 70
Example Environment
[Figure: example clustered IdP environment, two slides]
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
    Special load balancing hardware or software is highly recommended:
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
    DNS Round Robin doesn’t work reliably:
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
    Anycast IP address:
    • Fast switching possible, but more complicated setup
    Switching via DNS:
    • Switching takes some time (TTL), but the setup is easy
Options
• Data storage: client-side vs server-side
    Server-side database: can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
    Client-side storage using cookies:
    • Doesn’t work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
    • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
    • Bound to a single node (session state stored in memory)
    • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
    • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
    • Floatable between nodes (stored on client)
• Persistent ID
    • Unique opaque identifier for a user per service provider
    • In a typical SWITCHaai deployment the Persistent ID is stored in a database
    • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
    • Requires persistent storage (client-side or server-side)
    • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
    • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
    • Seldom used in SWITCHaai
• Message replay cache
    • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
    • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations
Storage Entity           Recommended Storage   Scope
Conversation Session     Memory                Per Node
IdP User Session         Client                Per Client
Persistent ID            Common Database       Cluster
User consents            Common Database       Cluster
SAML artifacts           Common Database       Cluster
Message replay cache     Memory                Per Node
Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
    • IdP User Session: idp.session.StorageService
    • User Consents: idp.consent.StorageService
    • SAML artifacts: idp.artifact.StorageService
    • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
    • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It’s recommended that one node generates a new key and copies it to the other nodes.
• Setup
    • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
    • Install an appropriate cronjob
    • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
    • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
    • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
    • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
    • Services may need to register in many federations to serve all their users. That’s time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
    • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
    Register the IdP or SP in only one federation and enable it for interfederation
    • Enable the IdP for interfederation: its users will be able to access services from other federations
    • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
[Map of federations; legend: Production / Pilot] Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
    • Low barrier to entry
    • No mandate to change local standards/procedures
    • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
http://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes
Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    petersample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
    • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Page 82
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
    • Criteria
    • Purpose
    • Policies
    • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata
[Figure]
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP’s commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
    • Legal compliance
    • Purpose limitation
    • Data minimisation
    • Deviating purposes
    • Data retention
    • Third parties
    • Security measures
    • Information duty towards end user
    • Information duty towards home organization
    • Security breaches
    • Liability
    • Transfer to third countries
    • Governing law and jurisdiction
    • Eligibility to execute
    • Termination of the Code of Conduct
    • Survival of the clauses
    • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
    • Research & scholarship interaction
    • Collaboration
    • Management
• No SPs from publishers
• Attributes
    • Personal identifiers: email, person name, eduPersonPrincipalName
    • Pseudonymous identifier: eduPersonTargetedID
    • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison
REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91

Shibboleth log files (2)

Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
- idp-process.log: detailed description of the IdP processing requests
- idp-warn.log: filtered view of idp-process.log (WARN level and above)
- idp-audit.log: general request/response auditing records
- idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance

Shibboleth log files (3)

- Configuration: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings are usually ok; change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

Note that SMTPAppender sends a mail on every ERROR event and includes the preceding events from its cyclic buffer (256 by default). With the root logger at DEBUG, as in this test configuration, the mail body therefore carries DEBUG output, which can include usernames and attribute values, over plain SMTP to localhost. Keep the root logger at INFO in production and limit the recipient list to the IdP operators. See http://logback.qos.ch/manual/appenders.html

Hands-on 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the <Server> element:
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Hands-on 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set (uid=$requestContext.principalName) again) and restart Tomcat.

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2

- only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

- a reload is explicitly triggered by calling two special-purpose admin flows, configured under /idp/profile/admin/:
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
      $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
      $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
- by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); keep it that way, since anyone who can call these flows can make the IdP re-read its configuration and metadata at will
- two reload scripts get installed under /opt/shibboleth-idp/bin (reload-service.sh and reload-metadata.sh) and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
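The reload flows above are plain HTTP GETs, so a small wrapper is enough to script them. The following Python script is an added example and not part of the SWITCH handout or of the IdP distribution. It assumes the hostname aai-login.example.org used throughout this document and the service bean IDs listed above; a metadata provider ID such as SWITCHaaiMetadata is an assumption and has to be taken from your own conf/metadata-providers.xml. The id is validated before anything is sent, so a typo fails locally instead of producing a failed reload at the IdP, and the script has to run on the IdP host itself because of the localhost restriction in access-control.xml.

```python
"""Trigger IdP v3 configuration reloads through the admin flows.

Added example, not from the SWITCH handout or the IdP distribution. Assumes
the hostname aai-login.example.org used in this document; SERVICE_IDS are
the reloadable beans listed above, metadata provider IDs come from your
conf/metadata-providers.xml.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

IDP_BASE = "https://aai-login.example.org/idp"

# Reloadable service beans (system/conf/services-system.xml).
SERVICE_IDS = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})

# Bean and MetadataProvider IDs are plain identifiers; anything else would
# only end up mangled in the query string.
_ID_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_reload_url(kind, target_id, base=IDP_BASE):
    """Return the admin-flow URL for kind "service" (id = bean ID) or "metadata" (id = provider ID).

    Unknown service bean IDs are rejected here rather than sent, so a typo
    fails locally instead of producing a failed reload at the IdP.
    """
    if kind not in ("service", "metadata"):
        raise ValueError("kind must be 'service' or 'metadata', not %r" % kind)
    if not _ID_RE.match(target_id):
        raise ValueError("id contains unexpected characters: %r" % target_id)
    if kind == "service" and target_id not in SERVICE_IDS:
        raise ValueError("unknown service bean id: %s" % target_id)
    return "%s/profile/admin/reload-%s?%s" % (base, kind, urllib.parse.urlencode({"id": target_id}))


def is_valid_reload(kind, target_id):
    """True if build_reload_url() accepts the pair."""
    try:
        build_reload_url(kind, target_id)
    except ValueError:
        return False
    return True


def reload_target(kind, target_id, opener=None, timeout=10):
    """GET the reload URL and return (http_status, response_body).

    Run this on the IdP host: access-control.xml restricts the admin flows
    to localhost unless you extended it.
    """
    url = build_reload_url(kind, target_id)
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload_all_services(opener=None):
    """Reload every service in SERVICE_IDS; return {bean id: http status}."""
    return {sid: reload_target("service", sid, opener)[0] for sid in sorted(SERVICE_IDS)}


if __name__ == "__main__":
    import sys
    # usage: reload.py service shibboleth.AttributeFilterService
    #        reload.py metadata <MetadataProvider id>
    status, body = reload_target(sys.argv[1], sys.argv[2])
    print(status, body.strip())
    sys.exit(0 if status == 200 else 1)
```

Run it as `python3 reload.py service shibboleth.AttributeFilterService` on the IdP host; the exit status follows the HTTP status, which makes it usable from a deployment script right after editing attribute-filter.xml.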

And restartless login page editing too

- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  - say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
- and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

- try reloading a couple of the services listed above:
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals

- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding
  - opt-in vs opt-out
  - metadata
  - Discovery Service
  - attributes
- Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
- IdPs and SPs decide when they are ready to interfederate
- once the configuration is up to date:
  - interfederation metadata gets loaded
  - IdP: additional attributes, user consent
  - SP: Discovery Service, attribute mapping, access rules
- ⊖ slow process
- ⊕ entities unlikely to cause interoperability problems

Opt-out
- the federation announces a flag day for enabling interfederation
- IdPs and SPs need to opt out before that day if they do not want to participate or are not ready yet
- ⊕ quick adoption
- ⊖ more likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes
  - in SWITCHaai: two hours
  - for interfederation: one to a few days
- Possible issue: the SP does not load the interfederation metadata, so it does not know the IdP and fails

Discovery Service (DS)

- Within SWITCHaai, users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
  - an interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  - e.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  - that can result in this error message at your IdP:
        Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

- Missing attributes cause interoperation problems
  - check the SP's attribute requirements in the Resource Registry
  - verify that attributes were released (in the IdP's audit log)
    - if NO: check your IdP's attribute release policy
    - if YES: were all required attributes released?
      - if YES: the SP has to check out why it fails
      - if NO: review your attribute release policy
- Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
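The "were all required attributes released?" step can be answered from idp-audit.log without reading the lines by hand. The script below is an added example, not from the SWITCH handout or from the IdP: it parses the pipe-separated audit records, collects the attribute IDs released to one SP entity ID per user, and compares them with the attribute list the SP requires. The field order is assumed to be the default IdP v3 audit format (%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ii|%s|%attr|…); check AUDIT_FIELDS against idp.audit.format in your conf/audit.xml before relying on it. The log lines, the SP entity ID and its required attributes are constructed for the example.

```python
"""Check in idp-audit.log which attributes the IdP released to an SP.

Added example, not from the SWITCH handout or the IdP. AUDIT_FIELDS is the
assumed default IdP v3 audit format (only the first 12 fields are used);
verify it against idp.audit.format in conf/audit.xml. SAMPLE_AUDIT_LOG and
REQUIRED_BY_SP are constructed test data.
"""

AUDIT_FIELDS = ("T", "b", "I", "SP", "P", "IDP", "bb", "III", "u", "ii", "s", "attr")
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

SP_ENTITY_ID = "https://sp.example.org/shibboleth-sp"
# Attribute requirements as read from the SP's Resource Registry entry (constructed).
REQUIRED_BY_SP = ["eduPersonScopedAffiliation", "eduPersonTargetedID", "givenName", "mail", "sn"]

# Constructed audit records: two browser SSO logins to SP_ENTITY_ID and one reload event.
SAMPLE_AUDIT_LOG = """\
20150611T083012Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_6b1d|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_9a2c|student1|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,mail,eduPersonTargetedID|_f1|_b3|||
20150611T084455Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_7c2e|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_0d4f|staff3|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,mail,eduPersonTargetedID,givenName,sn|_f2|_b4|||
20150611T090001Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_audit_line(line):
    """Split one pipe-separated record into a dict keyed by AUDIT_FIELDS.

    Trailing fields beyond the ones named are ignored; a short line simply
    lacks the later keys, so callers use .get().
    """
    rec = dict(zip(AUDIT_FIELDS, line.rstrip("\n").split("|")))
    rec["attrs"] = set(a for a in rec.get("attr", "").split(",") if a)
    return rec


def released_attributes(lines, sp_entity_id):
    """Map username -> set of attribute IDs released to sp_entity_id in browser SSO."""
    released = {}
    for rec in map(parse_audit_line, lines):
        if rec.get("SP") != sp_entity_id or rec.get("P") != SSO_PROFILE:
            continue
        released.setdefault(rec.get("u", "<unknown>"), set()).update(rec["attrs"])
    return released


def missing_attributes(lines, sp_entity_id, required):
    """For every user who logged in to the SP, list required attributes that never appeared.

    An empty list means the release policy is fine for that user and the SP
    side has to explain the failure; a non-empty list points at the IdP's
    attribute filter.
    """
    return {user: sorted(set(required) - attrs)
            for user, attrs in released_attributes(lines, sp_entity_id).items()}


def reload_events(lines):
    """Reload events have an empty SP field and a reload-* profile; only time and profile are logged."""
    return [(rec.get("T"), rec.get("P")) for rec in map(parse_audit_line, lines)
            if rec.get("P", "").startswith(RELOAD_PREFIX)]


if __name__ == "__main__":
    import sys
    # usage: audit-check.py /opt/shibboleth-idp/logs/idp-audit.log <sp entity id> attr1 attr2 ...
    with open(sys.argv[1]) as fh:
        report = missing_attributes(fh, sys.argv[2], sys.argv[3:])
    for user, missing in sorted(report.items()):
        print("%s: %s" % (user, ", ".join(missing) if missing else "all required attributes released"))
```

On the constructed data the report shows student1 missing givenName and sn while staff3 received everything, which is exactly the situation where the attribute filter, not the SP, needs a look. reload_events() shows why the audit log cannot answer the hands-on question about the id= argument: the record carries only the time and the reload profile.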

Exploring interfederated entities

- Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  - or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  - or try the "Is Federated Checker" at https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
- Additional web pages of interest
  - which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  - REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities

- Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then "interfederation"
- or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch

Table of Contents

 1  Shibboleth IdP Version 3 Upgrade
 2  Test of the VM Images
 3  Configuration Pattern
 4  User Authentication
 5  Login Form Customization
 6  Attribute Resolution
 7  Persistent IDs
 8  User Consent
 9  Upgrades within Version 3
10  Updating the Home Organisation Description
11  Clustering IdPs
12  Resource Registry
13  - Interfederation via eduGAIN
14  - Entity Categories
15  - Attribute Release Configuration
16  Overview of Log Files
17  Reloading the Configuration
18  New Challenges with Interfederation SPs

Separate handouts for: Essential Linux commands; Tips and Tricks for the Hands-On Session; Test Users on your Identity Provider; Important Directories

Shibboleth IdP Version 3 Upgrade: General observations

IdP v3: a new milestone

- IdP version 2.0.0 was released in March 2008, followed by 4 minor releases and 18 patch releases (current is 2.4.4)
- IdP version 3 is the first major release after ~7 years
  - 3.0.0, December 2014: only very sparse documentation in the Wiki
  - 3.1.0/3.1.1, March 2015: now being deployed for production use; documentation considerably improved in Q1/Q2 2015
- a good opportunity to start with a fresh environment
  - requires Java 7 or later and Servlet API 3.0 support
  - best run on a platform with an expected lifetime of 5+ years
- do not consider an in-place upgrade of your IdP v2 deployment, even if the Shibboleth installer claims to support this to some extent

Operating system recommendations

- rely on an OS with long-term support (5+ years)
- use the same Linux distribution (or one from the same family) which your organization is already using for other services
- the SWITCH deployment guide has been rewritten to cover
  - Ubuntu Server 14.04 LTS: released in April 2014, supported through April 2019
  - Red Hat Enterprise Linux 7 / CentOS 7: released in June 2014, supported through June 2024
- Debian is no longer covered in the SWITCH guide; it is very similar to Ubuntu though (in case you have strong feelings about staying with Debian)

Java and Webapp environment

- rely on the operating system's default Java version
  - for both Ubuntu 14.04 and RHEL 7 this is OpenJDK 7
  - Java 8 has potential pitfalls with scripted attributes (Rhino/Nashorn engine incompatibilities), so better stay with Java 7 for the time being
- use a Java Servlet container which is provided as a package supported by the OS vendor
  - Tomcat 7 is the primary container for both supported OSes
  - you don't have to bother about manually applying security patches for the Servlet container
- run Apache httpd in front of the Servlet container
  - flexible configuration of the TLS endpoints for the IdP
  - mod_proxy_ajp has proven robust with the IdP v2 in the past

Persistent ID and user consent storage

- the IdP requires a relational database for storing persistent identifiers and user consent data
- for a single-instance IdP, install an SQL database which is packaged by the OS vendor
- starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  - PostgreSQL has a long track record of close SQL standards compliance
  - MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
- your favorite RDBMS can be used as well, of course
  - a JDBC connector is almost all it takes
  - in particular for clusters, other RDBMSes might be better fits

Testing strategy

- /etc/hosts is your friend
- set up the IdP v3 on a completely new system
- retain the existing entity ID, SAML endpoints and the SAML certificate
- with SAML 2, most IdP traffic is now front channel
  - straightforward testing is possible by simple edits of your hosts file:
        192.0.2.3   aai-login.example.org
- for back-channel testing, a temporary change to an SP's hosts file can be an option

Test of the VM Images: Boot VM image and test network connectivity

General Information

- Course material is adapted for use in SWITCHaai
- Course material will be published online; check https://www.switch.ch/aai/docs/training
- If you see the hands-on icon on a slide, hands-on work is required

Boot up the image

1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays the page shown on the slide. If you don't see this message, contact an assistant.

VM Operating System Environment

- Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
- User idp-admin, password "password" (in sudoers list)
- Apache 2 on ports 80 (http) and 443 (https)
- Self-signed SSL web server certificate
- Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment guide
- Network connectivity needed to ldap-test[1|2].aai.switch.ch
- Relevant hostname (the same name for all participants): aai-login.example.org

Test AAI Login with Demo Service Provider

1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux DOS Command Linux Command dir ls -l
cd ltdirectorygt cd ltdirectorygt
mkdir or md ltdirectorygt mkdir ltdirectorygt
rmdir or rd ltdirectorygt rmdir ltdirectorygt
chdir pwd
del or erase ltfilegt rm ltfilegt
copy and xcopy ltfilegt cp and cp ndashR ltfilegt find or findstr ltfilegt grep ltstringgt ltfilegt
comp ltfile1gt ltfile2gt diff ltfile1gt ltfile2gt
edit ltfilegt nano or vim or emacs ltfilegt ping lthostgt ping lthostgt
reboot reboot
Page 6

File Editing Commands for Terminal Editor

Editor               nano                  vim
Open file            $ nano <file>         $ vim <file>
Save file            <ctrl>-o              <esc> :w
Save and exit        <ctrl>-x              <esc> :wq
Search string        <ctrl>-w string       <esc> /string
Go to line number    <ctrl>-_ number       <esc> :number  (or number <shift>-G)

gedit is the recommended text editor. It is started as the root user; its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session

- The user and root password for the VM is "password"
- Lines starting with $ are commands to be executed
- Commands should be executed as the root user. This happens automatically if the Terminal is opened or if the text editor is used.
- The character \ is the line-break symbol, which allows breaking a long command over several lines when typed
- Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems.

More Tips and Tricks for Hands-On Session

- Restart the Tomcat daemon after changes, unless otherwise mentioned
- Delete session cookies after changes (or restart the browser); this should not be necessary, but is safer for testing
- SSH access to connect to your VM (only with VirtualBox):
      $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for
      $ tail -f /var/log/shibboleth/shibd.log
- On the VM you will find a web page with useful bookmarks: in your web browser open https://aai-login.example.org

Test Users on your Identity Provider

Username: student1   Password: password1
    UniqueID: 2490257@example.org
    Given name / surname: Test1 Student
    Affiliation: student, member
    Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: student2   Password: password2
    UniqueID: 8548997@example.org
    Given name / surname: Test2 Student
    Affiliation: student, member
    Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: staff3   Password: password3
    UniqueID: 7622788@example.org
    Given name / surname: Test3 Staff
    Affiliation: staff, member
    Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories

/opt/shibboleth-idp               Identity Provider installation directory
/opt/shibboleth-idp/conf          configuration files
/opt/shibboleth-idp/logs          log files like idp-process.log
/opt/shibboleth-idp/credentials   X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp   changes for the web application that survive upgrades

Configuration Pattern: Get used to Spring Beans and Properties

What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>

Configuration Pattern of IdPv3

- The IdPv3 configuration builds upon the Spring Framework
- Configuration is located in XML files
- There are a lot of wired beans
- The whole configuration follows the same pattern, with some few exceptions
- A wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

- Bean: some software object that is configurable by setting its attributes
- Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
- The whole configuration of the IdP is specified by a lot of beans
- For convenience, the essential configuration can be specified by properties stored in properties files
- Still, from time to time you will need to directly modify beans or create new ones
- The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file /opt/shibboleth-idp/conf/ldap.properties:

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

- Each line consists of a key/value pair
- Comment lines start with a # character

Examples of Beans

- Each bean has some name (id)
- Each bean has some type (class)
- Attributes (parameters) specify the bean's configuration
- Beans can refer to other beans (wiring)

Configuration file /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml:

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

- There are some helper constructs to define beans, e.g. beans that are lists of values or lists of other beans.

Configuration file /opt/shibboleth-idp/conf/services.xml:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>

References

For comprehensive information refer to the documentation on the Shibboleth Wiki:
- Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
- Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows

- v2 uses Login Handlers
  - typical/default setup: UsernamePassword login handler
    - username/password login form
    - authentication via JAAS and LDAP (login.config)
  - additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
- v3 uses Login Flows (also called Authentication Flows)
  - typical/default setup: Password login flow
    - username/password login form
    - authentication via LDAP (natively), JAAS or Kerberos (username/password)
  - additional login flows are available built-in (e.g. RemoteUser, X509); a login flow for SPNEGO/Kerberos is in development

Login Flows

[Diagram: a SAML Request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it (Password Authentication Flow, X509 Authentication Flow, RemoteUser Authentication Flow); a SAML Response is returned]

- One or several flows can be activated
- The authentication engine of the IdP selects a suitable flow depending on several criteria:
  - does the SP request a specific authentication context type?
  - does the SP request forced authentication?
  - does the SP request passive authentication?
- In practice most deployments will use the Password login flow as the only one
- ECP is supported out of the box by the Password login flow; no special configuration is required, but the client must support ECP appropriately

Authentication Configuration

- Login flow activation: /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
- Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml
- Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration Usernamepassword with LDAP bull Most deployments use this authentication mechanism bull Login flow for usernamepassword authentication
Password (activated by default) bull Configuration is done in two properties files
bull All LDAP parameters except credentials optshibboleth-idpconfldapproperties
bull Credentials are stored separately (for security reasons) optshibboleth-idpconfcredentialsproperties
bull The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldapproperties)
6
Page 17
copy 2015 SWITCH
Example Configuration bull optshibboleth-idpconfldapproperties idpauthnLDAPauthenticator = bindSearchAuthenticator idpauthnLDAPldapURL = ldapsldap-test2aaiswitchch636 idpauthnLDAPuseStartTLS = false idpauthnLDAPuseSSL = true idpauthnLDAPsslConfig = jvmTrust idpauthnLDAPbaseDN = ou=Peopledc=exampledc=org idpauthnLDAPsubtreeSearch = true idpauthnLDAPuserFilter = (uid=user) idpauthnLDAPbindDN = cn=idpdc=exampledc=org
bull optshibboleth-idpconfcredentialsproperties [] idpauthnLDAPbindDNCredential = secret []
7

Properties for LDAP authentication

General options
- idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.

Connection options
- idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
- idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted, and both the service user's bind password and every authenticating user's password cross the network in clear.
- idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
- idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust, i.e. the LDAP server certificate must chain to a CA in the JVM's default trust store; for a server certificate from a private CA use certificateTrust together with idp.authn.LDAP.trustCertificates rather than disabling verification.

User directory options
- idp.authn.LDAP.baseDN: entry point in the user directory
- idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
- idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input via the {user} placeholder.

LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
- idp.authn.LDAP.bindDN: bind DN of the IdP service user
- idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration (get familiar with properties files)

- Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
- In /opt/shibboleth-idp/conf/ldap.properties:
  - which LDAP attribute holds the user's login name?
  - which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
- Where is the password of the service user defined?

Hands-on 1: Solutions

- Enabled flows: Password (idp.authn.flows = Password)
- LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
- DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
- In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2 Migrate LDAP configuration from IdPv2
13
From IdPv2 File optshibboleth-idpconfloginproperties
ShibUserPassAuth eduvtmiddlewareldapjaasLdapLoginModule required ldapUrl=ldapsldap-test1aaiswitchch636 ldapsldap-test2aaiswitchch636 baseDn=ou=Peopledc=exampledc=org bindDn=cn=idpdc=exampledc=org bindCredential=secret userField=uid subtreeSearch=true
PS Common and equivalent alternative to userField userFilter
userField=uid userFilter=uid=0
copy 2015 SWITCH
Hands-on 2 Solution
14
To IdPv3 File optshibboleth-idpconfldapproperties [] idpauthnLDAPauthenticator = bindSearchAuthenticator idpauthnLDAPldapURL = ldapsldap-test1aaiswitchch636 ldapsldap-test2aaiswitchch636 idpauthnLDAPuseStartTLS = false idpauthnLDAPuseSSL = true idpauthnLDAPsslConfig = jvmTrust idpauthnLDAPbaseDN = ou=Peopledc=exampledc=org idpauthnLDAPsubtreeSearch = true idpauthnLDAPuserFilter = (uid=user) idpauthnLDAPbindDN = cn=idpdc=exampledc=org []
File optshibboleth-idpconfldapproperties [] idpauthnLDAPbindDNCredential = secret []
Page 21
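Both the "Configuration Pattern" section (properties feeding the connectionConfig bean through %{key:default} placeholders) and this migration exercise can be worked through with one script. The Python below is an added example and not part of the SWITCH handout or of the IdP: it parses the v2 LdapLoginModule options shown above, emits the equivalent v3 property keys, sends bindCredential to credentials.properties only, derives useSSL/useStartTLS from the ldapUrl scheme, resolves the placeholders in the connectionConfig bean fragment the way Spring does (property value, else default, else an error) and flags a configuration in which the bind password would travel unencrypted. The stanza and the bean fragment are re-typed from the slides; the defaults used by the check mirror the bean's own.

```python
"""Migrate a v2 JAAS LdapLoginModule stanza to IdP v3 properties and check
what the connectionConfig bean will see.

Added example, not from the SWITCH handout or the IdP. LOGIN_CONFIG_V2 and
CONNECTION_CONFIG_BEAN are re-typed from the slides; the defaults in
check_connection_security() mirror the %{key:default} values of the bean.
"""
import re

_OPTION_RE = re.compile(r'(\w+)="([^"]*)"')
_PLACEHOLDER_RE = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

# Options copied 1:1 into ldap.properties (v2 option -> v3 property key).
_DIRECT = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}

LOGIN_CONFIG_V2 = '''\
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

CONNECTION_CONFIG_BEAN = '''\
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
'''


def migrate_login_config(text):
    """Return (ldap_props, credential_props) for one LdapLoginModule stanza."""
    opts = dict(_OPTION_RE.findall(text))
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    for old, new in _DIRECT.items():
        if old in opts:
            ldap[new] = opts[old]
    urls = opts.get("ldapUrl", "").split()   # several space-separated URLs are allowed in v2 and v3
    schemes = {u.split("://", 1)[0] for u in urls}
    if schemes == {"ldaps"}:
        ldap["idp.authn.LDAP.useSSL"], ldap["idp.authn.LDAP.useStartTLS"] = "true", "false"
    elif schemes == {"ldap"}:
        ldap["idp.authn.LDAP.useSSL"], ldap["idp.authn.LDAP.useStartTLS"] = "false", "true"
    else:
        raise ValueError("ldapUrl missing or with mixed schemes: %s" % sorted(schemes))
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    # userField="uid" and userFilter="uid={0}" are equivalent in v2; v3 wants (uid={user}).
    if "userFilter" in opts:
        ldap["idp.authn.LDAP.userFilter"] = "(%s)" % opts["userFilter"].replace("{0}", "{user}")
    elif "userField" in opts:
        ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % opts["userField"]
    # The bind password belongs in credentials.properties, never in ldap.properties.
    creds = {}
    if "bindCredential" in opts:
        creds["idp.authn.LDAP.bindDNCredential"] = opts["bindCredential"]
    return ldap, creds


def resolve_placeholders(fragment, props):
    """Expand %{key} and %{key:default} as the property placeholder configurer does.

    A key that is neither set nor has a default is an error, just as the IdP
    refuses to start on an unresolvable placeholder.
    """
    def lookup(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError("unresolved property %s" % key)
    return _PLACEHOLDER_RE.sub(lookup, fragment)


def check_connection_security(props):
    """Return a list of problems the LDAP connection built from props would have."""
    def flag(key, default):
        return props.get(key, default).strip().lower() == "true"
    start_tls = flag("idp.authn.LDAP.useStartTLS", "true")   # bean default
    ssl = flag("idp.authn.LDAP.useSSL", "false")             # bean default
    urls = props.get("idp.authn.LDAP.ldapURL", "").split()
    problems = []
    if not (start_tls or ssl):
        problems.append("neither useStartTLS nor useSSL: bind DN password would be sent in clear")
    if any(u.startswith("ldaps://") for u in urls) and not ssl:
        problems.append("ldaps:// URL but idp.authn.LDAP.useSSL is not true")
    if "{user}" not in props.get("idp.authn.LDAP.userFilter", ""):
        problems.append("userFilter does not contain {user}: every login would search the same entry")
    if "idp.authn.LDAP.bindDNCredential" in props:
        problems.append("bindDNCredential in ldap.properties: move it to credentials.properties")
    return problems


if __name__ == "__main__":
    ldap, creds = migrate_login_config(LOGIN_CONFIG_V2)
    for name, props in (("ldap.properties", ldap), ("credentials.properties", creds)):
        print("# %s\n%s" % (name, "".join("%s = %s\n" % kv for kv in sorted(props.items()))))
    print(resolve_placeholders(CONNECTION_CONFIG_BEAN, ldap))
    print("problems:", check_connection_security(ldap) or "none")
```

Running it prints the two property files, the bean with every placeholder filled in (connectTimeout falls back to its default of 3000 because no property sets it) and an empty problem list. Feeding it a stanza with an ldap:// URL and useStartTLS=false is the quickest way to see the plaintext-bind warning that the bean's defaults would otherwise hide.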

Advanced Topics

- JAAS authentication as used in v2 is still supported in v3
  - supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  - JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
- JAAS authentication is recommended for
  - connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  - connecting to other user directories like RDBMSs (using a specific JAAS module)
- See the documentation on the Shibboleth wiki for details

References

Documentation:
- Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
- Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
- Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
- Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
- Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
copy SWITCH 201513
Login Form Customization13Templates and Customization13
SWITCHaai Team13aaiswitchch13
copy SWITCH 201513
Overviewbull How to13ndash Customize look and feel13ndash Customize messageslanguages13ndash Add text to your login site 1313
213
Page 23
copy SWITCH 201513 313
copy SWITCH 201513 413
Page 24
copy SWITCH 201513 513
copy SWITCH 201513
Layoutbull Change the look and feel in 13optshibboleth-idpedit-webapp 1313(images and css)13
bull Place additional web resources in the edit-webapp directory not the webapp directory The webapp directory is replaced upon every IdP upgrade13
bull Rebuild the idpwar file and restart tomcat1313
613
Page 25
copy SWITCH 201513
Spring message properties
- In /opt/shibboleth-idp/messages you find:
  - authn-messages.properties
  - error-messages.properties
  - consent-messages.properties
  These messages are used in the velocity templates.
- Internationalization:
  - consent-messages_de.properties
  - consent-messages_fr.properties
  etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties
Using the message properties from a Velocity template:

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

(Slide 12: screenshot of the resulting login page.)
Velocity
- The Apache Velocity Engine is a free, open-source templating engine
- Clean separation between the presentation tier and business tiers
- VTL (Velocity Template Language):
  - References begin with $
  - Directives begin with #
  - A single-line comment begins with ## and finishes at the end of the line
  - Multi-line comments begin with #* and end with *#
Login and intercept
- The velocity templates are under /opt/shibboleth-idp/views:
  - login.vm
  - login-error.vm
  - intercept/attribute-release.vm
  - intercept/terms-of-use.vm
  - error.vm
  are most used (no restart required)
- Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
- $rpUIContext.informationURL
- $rpUIContext.logo
- $rpUIContext.organizationDisplayName
- $rpUIContext.organizationName
- $rpUIContext.organizationURL
- $rpUIContext.privacyStatementURL
- $rpUIContext.serviceDescription
- $rpUIContext.serviceName
Velocity Properties
Displaying the SP's service name, HTML-encoded to prevent markup from metadata being injected into the page:

    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Hands On I
- Make the IdP logo disappear for screens smaller than 799 px.
Hands On II
- Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."
Hands On III
- Start to adapt the login.vm in such a way that it looks like your production IdP.
Example Solution I
- Define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

- Use the class in login.vm:

    <img class="idp_logo" align="right" …

- Rebuild and restart tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II
- Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
- Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
- Some deprecated elements are ignored.
- Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
- No warning for using legacy configuration mode
- Delete ignored elements
- Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
- Principal connectors
- NameID encoders
- Transient identifier attribute definitions
- Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
- Property replacement: %{my.property}
  - Move passwords to a dedicated file
  - Extract duplicated data like URLs
- Can split configuration into several files
- External Spring configuration for data connectors
- Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
- SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
- SAML2 Name: urn:oid:1361411181711213 (the dots separating the OID arcs were lost in extraction)
- Friendly name: uzhSAPUserId
- Format: SAP-<username>
Source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <!-- OID arcs as on the slide, dots lost in extraction -->
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
- IdP API for scripts has changed:
  - output attribute variable already created
  - setValues() removed
  - and more, see ScriptedAttributeDefinition for details
- Alternatives: mapped or template attribute definitions
- JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
References
- Shibboleth wiki: AttributeResolverConfiguration and its child pages
- Shibboleth wiki: AttributeFilterConfiguration
- Shibboleth wiki: ScriptedAttributeDefinition
- Rhino Migration Guide
Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML: short recap
- A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
- Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
- First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
- Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
- On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

- Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

- By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
- When used in a federation, always qualified by the IdP and SP entity IDs
Persistent ID changes with the IdP v3
- No disruptive ones, but a couple of things have happened behind the scenes
- Most importantly, the IdP v3 brings a new dedicated NameID generation service:
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
- Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

- To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
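The following is an added example, not code from the SWITCH handouts or from Shibboleth: it derives a computed persistent ID the way the "Persistent IDs in practice" slide describes (SHA-1 over SP entity ID, source attribute value and salt, Base64-encoded), renders it as the Shibboleth SP does, and models the shibpid-style table that the reverse mapping of the previous slide depends on, since the hash itself is one-way. The exact byte layout (entity ID, "!", value, "!", salt) is assumed from the Shibboleth computed-ID data connector and should be verified against your own IdP; the entity IDs, users and salt are constructed sample data.

```python
"""Computed persistent IDs: derivation, SP rendering and reverse mapping.

Added example; byte layout with '!' separators is an assumption (see lead-in),
all identifiers and the salt below are constructed sample values."""
import base64
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample data (not real entity IDs or a real salt).
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other.example.org/shibboleth"
SALT = b"constructed-salt-never-reuse-this"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt, Base64-encoded.

    The digest is 20 bytes, so the result is always 28 Base64 characters.
    The salt is fed in last; without it, anyone knowing the SP entity ID and
    a candidate username could recompute the ID, which is what the salt
    (kept in credentials.properties) prevents.
    """
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")  # separator: assumed, matches the computed-ID connector layout
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    return base64.b64encode(md.digest()).decode("ascii")


def render_sp_attribute(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """String form an SP application receives: IdP entity ID ! SP entity ID ! value."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def parse_sp_attribute(rendered: str) -> Tuple[str, str, str]:
    """Split the rendered form back into its qualifiers and the ID proper.

    Base64 output never contains '!', so exactly three parts result.
    """
    idp, sp, pid = rendered.split("!")
    return idp, sp, pid


class PersistentIdStore:
    """Stand-in for the shibpid table: (SP entity ID, persistent ID) -> principal.

    The IdP can only map a persistent ID back to a user through stored rows,
    which is why the reverse mapping (subject c14n) needs the database.
    """

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._rows: Dict[Tuple[str, str], str] = {}

    def get_or_create(self, sp_entity_id: str, principal: str, source_value: str) -> str:
        """Generating side: compute the ID for this SP and remember its owner."""
        pid = computed_persistent_id(sp_entity_id, source_value, self._salt)
        self._rows.setdefault((sp_entity_id, pid), principal)
        return pid

    def resolve(self, sp_entity_id: str, pid: str) -> Optional[str]:
        """Reverse mapping: the ID is only meaningful together with its SP."""
        return self._rows.get((sp_entity_id, pid))


def demo() -> Dict[str, str]:
    """Show the pairwise property: one user, two SPs, two unrelated IDs."""
    store = PersistentIdStore(SALT)
    pid_a = store.get_or_create(SP_A, "alice", "alice@example.org")
    pid_b = store.get_or_create(SP_B, "alice", "alice@example.org")
    return {SP_A: render_sp_attribute(IDP, SP_A, pid_a),
            SP_B: render_sp_attribute(IDP, SP_B, pid_b)}


if __name__ == "__main__":
    for sp, rendered in demo().items():
        print(sp, "->", rendered)
```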
Retaining persistent IDs from your v2 IdP
- The database schema for the shibpid table remains unchanged
- When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
- "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

- Make sure to import the records into an empty table, i.e. execute `sudo -u postgres psql shibboleth -c 'truncate shibpid'` before importing a newer version of a full dump
(Some ideas for) hands-on exercises
- Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

- Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
- Dump the shibpid table to a file, purge the table with truncate and reimport the records
- Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
- Attribute release and terms of use consent now built in
- Inspired by the uApprove and uApproveJP plugins for v2
- No consent data migration: storage implementations are not compatible
- May be enabled or disabled per relying party and per profile
- Decisions logged
Differences with uApprove
- User can select attributes to release [disabled]
- Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
- No regular expression for SP white/black lists
- No translations provided
Why enable user consent?
- Easier to have now with v3 than with v2
- Required by the SWITCHaai Interfederation Access Declaration
- Inform users about what personal data is transmitted, in a more real-time fashion
- Recommended to comply with data protection laws
Why (not) enable user consent?
- One more page to read and click through upon login, but only the first time for each SP
- Global consent disabled: users cannot choose "I don't care about my privacy"
- Decide for all your users, or let them decide
When should consent be sought?
- All SPs: the best option ← recommended
- Outside your organisation: good, less clicks
- Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
- Attribute consent [enabled]
- Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for the Shibboleth SSO profile]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
- Ask me again if information changes: always available to users
- Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
- Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per attribute behaviour
- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
- Which attributes to prompt for [all except black list]
- White list [empty]: when filled, any attribute not mentioned in a list is released without asking
- Black list [transientId, persistentId, eduPersonTargetedID]
- Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
- Alphabetical order by default
- Except attributes in the white list, which show up first
- Set the pattern to ^.*$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP:
- Default mapping using the entityID (the colon in the key must be escaped in a properties file):

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

- Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
- Enable the terms-of-use flow in conf/relying-party.xml
- Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
Hands-on solution (continued)
- Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling prompt for particular SPs: relying party overrides
- Template beans in conf/relying-party.xml to match SPs by:
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
- First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: entity attributes in metadata
- Entity categories:
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
- New attributes available:
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
Upgrades within Version 3
It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:
  - Ubuntu: sudo service tomcat7 restart
  - Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp
- Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.
References / Documentation
- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs. IdPv3 Metadata
- Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata / Resource Registry change is needed, in theory.
- However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
- To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
(Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt.)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
- 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
- 2. Descriptive Information: add new IP ranges and Domain Hints
- 5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
- 7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
- Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
- Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find if there were SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
Clustering IdPs
High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2
  - Especially, user login sessions are stored on the client instead of on the server in memory
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment
(Slides 5 and 6: diagrams of the example clustered environment.)
Options
- Full-featured setup: load balancing hardware vs. DNS Round Robin
  - Special load balancing hardware or software is highly recommended:
    - Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    - Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably:
    - Behavior of clients is not determinable
    - Does not guarantee sticky sessions
- Basic setup (Active/Standby system)
  - Anycast IP address: fast switching possible, but more complicated setup
  - Switching via DNS: switching takes some time (TTL), but setup is easy
Options
- Data storage: client-side vs. server-side
  - Server-side database: can store any data
    - But: might cause some performance penalty
    - Centralized/clustered or replicated database required
  - Client-side storage using cookies:
    - Doesn't work for large data like user consents
    - Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  - Floatable between nodes (stored on client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks:
- "Common Database" means some central/clustered database, or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage (slide 12)
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage (slide 13)
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
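How to check an idp.properties file against the storage recommendations on the slides above, as an added example that is not part of the training material or of the Shibboleth distribution: the three shibboleth.* built-in bean names and the defaults are those distributed with IdP v3 (verify them against your own idp.properties), shibboleth.JPAStorageService is the deployer-defined bean named on the slides, and both properties excerpts are constructed.

```python
import re

# Storage service beans and the scope each one provides. The three shibboleth.*
# names are IdP v3 built-ins; shibboleth.JPAStorageService is the deployer-defined
# database-backed service from global.xml, named as on the slides.
STORAGE_SCOPE = {
    "shibboleth.StorageService": "memory",                  # per node, in memory
    "shibboleth.ClientSessionStorageService": "client",     # encrypted cookie
    "shibboleth.ClientPersistentStorageService": "client",  # per client
    "shibboleth.JPAStorageService": "database",             # common database
}

# Values the IdP applies when a key is absent (as in the distributed
# idp.properties; verify against your own copy).
DEFAULTS = {
    "idp.session.StorageService": "shibboleth.ClientSessionStorageService",
    "idp.consent.StorageService": "shibboleth.ClientPersistentStorageService",
    "idp.artifact.StorageService": "shibboleth.StorageService",
    "idp.replayCache.StorageService": "shibboleth.StorageService",
}

# Storage Recommendations slide: scopes acceptable in a cluster, plus the advice.
RULES = {
    "idp.session.StorageService": ({"client"},
        "user session must float between nodes: keep it on the client"),
    "idp.consent.StorageService": ({"database"},
        "consent must be shared by all nodes and all of a user's browsers: use the common database"),
    "idp.artifact.StorageService": ({"database"},
        "artifacts must be resolvable by every active node: use the common database"),
    "idp.replayCache.StorageService": ({"memory", "database"},
        "in-memory replay cache only covers one node; for higher security requirements use the common database or memcached"),
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_cluster_storage(text, artifacts_used=False):
    """Return (property, bean, severity, advice) findings for a clustered IdP."""
    props = dict(DEFAULTS)
    props.update(parse_properties(text))
    findings = []
    for prop, (allowed, advice) in RULES.items():
        if prop == "idp.artifact.StorageService" and not artifacts_used:
            continue  # irrelevant if SAML 2.0 artifacts are not used at all
        bean = props[prop]
        scope = STORAGE_SCOPE.get(bean)
        if scope is None:
            findings.append((prop, bean, "warn",
                             "unknown storage bean; check its definition in global.xml"))
        elif scope not in allowed:
            findings.append((prop, bean, "error", advice))
        elif prop == "idp.replayCache.StorageService" and scope == "memory":
            findings.append((prop, bean, "info", advice))
    return findings


# Constructed excerpt of an idp.properties still at single-node settings.
SINGLE_NODE_PROPERTIES = """\
# storage settings (constructed example)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
"""

# The same excerpt after applying the recommendations for a cluster.
CLUSTER_PROPERTIES = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for f in check_cluster_storage(SINGLE_NODE_PROPERTIES, artifacts_used=True):
        print("%-5s %s = %s: %s" % (f[2], f[0], f[1], f[3]))
```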
IdP Configuration: Secret Key Management (slide 14)
• The IdP User Session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes (slide 15)
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References: Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation? (slide 4)
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
[Map of production and pilot federations] Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata (slide 13)
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (slide 14)
[Screenshot of entity metadata]
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct (slide 16)
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules (slide 2)
Page 88
Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2) (slide 4)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files (slide 2)
Logfiles
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1) (slide 4)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; see the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3) (slide 6)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change them if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2 (slide 9)
Find out why not all of the attributes appear
Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   - [org.ldaptive.auth.Authenticator:284]
   - [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
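Pulling the entries that step 5 asks for out of idp-process.log programmatically, as an added example that is not code from the training or from the Shibboleth project: it assumes the IdP v3 default line pattern from logback.xml, %date{ISO8601} - %level [%logger:%line] - %msg%n, and the sample lines, their messages and the AttributeResolverImpl logger name are constructed.

```python
import re
from collections import Counter

# Assumed IdP v3 default pattern: %date{ISO8601} - %level [%logger:%line] - %msg%n
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^:\]]+):(?P<line>\d+)\] - (?P<msg>.*)$"
)

# The five Logback levels in ascending order.
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR"]


def parse_process_log(lines):
    """Parse idp-process.log lines; continuation lines (stack traces) are
    appended to the message of the preceding entry."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            entries[-1]["msg"] += "\n" + line
    return entries


def select(entries, logger_prefix=None, min_level="TRACE"):
    """Entries whose logger starts with logger_prefix (e.g. the two loggers
    enabled for DEBUG in the hands-on) and whose level is at least min_level."""
    threshold = LEVELS.index(min_level)
    picked = []
    for e in entries:
        rank = LEVELS.index(e["level"]) if e["level"] in LEVELS else 0
        if rank < threshold:
            continue
        if logger_prefix is not None and not e["logger"].startswith(logger_prefix):
            continue
        picked.append(e)
    return picked


def level_summary(entries):
    """Count entries per level, a quick health overview of a log excerpt."""
    return Counter(e["level"] for e in entries)


# Constructed sample excerpt; loggers follow the hands-on, messages are made up.
SAMPLE_PROCESS_LOG = """\
2015-06-11 10:15:30,101 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticate user=student1 (constructed)
2015-06-11 10:15:30,140 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:210] - resolving attributes for student1 (constructed)
2015-06-11 10:15:30,152 - WARN [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:305] - data connector returned no results (constructed)
2015-06-11 10:15:30,160 - ERROR [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:310] - resolution failed (constructed)
java.lang.IllegalStateException: constructed stack trace line
\tat net.shibboleth.example.Constructed.method(Constructed.java:1)
2015-06-11 10:15:30,200 - INFO [org.ldaptive.auth.Authenticator:300] - authentication succeeded (constructed)
"""

if __name__ == "__main__":
    entries = parse_process_log(SAMPLE_PROCESS_LOG.splitlines())
    print(dict(level_summary(entries)))
    for e in select(entries, "net.shibboleth.idp.attribute.resolver", "WARN"):
        print(e["ts"], e["level"], e["logger"], e["line"], e["msg"].splitlines()[0])
```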
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2 (slide 2)
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep "bean id=.*class" /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep "Provider.*id=" /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
Page 96
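The reload flows from the previous slide and the idp-audit.log entries they leave behind, worked as an added example that is not the training's or the Shibboleth project's code: the bean IDs and the two profile URIs are those given on these slides, the hostname is the training VM's, and the audit lines are constructed with the timestamp assumed to be the first '|'-separated field.

```python
import urllib.parse
import urllib.request

IDP_BASE = "https://aai-login.example.org/idp"  # training VM hostname

# Bean IDs of the reloadable services listed on the slide above.
RELOADABLE_SERVICES = frozenset([
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
])

# Profile URIs the two admin flows write into idp-audit.log (from the exercise slide).
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}


def reload_url(flow, resource_id, base=IDP_BASE):
    """Build the admin flow URL; unknown flows and unknown service beans are
    refused here instead of being discovered as an IdP error after the call."""
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown admin flow: %s" % flow)
    if flow == "reload-service" and resource_id not in RELOADABLE_SERVICES:
        raise ValueError("not a reloadable service bean: %s" % resource_id)
    query = urllib.parse.urlencode({"id": resource_id})
    return "%s/profile/admin/%s?%s" % (base, flow, query)


def trigger_reload(flow, resource_id, base=IDP_BASE, timeout=10):
    """Perform the request. The IdP restricts these URLs to localhost by default,
    so this is run on the IdP node itself, like the curl call on the exercise slide."""
    req = urllib.request.Request(reload_url(flow, resource_id, base))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def reload_events(audit_lines):
    """Return (timestamp, flow) for every idp-audit.log line that records a
    reload. The profile URI is found by value, so its column does not matter;
    the timestamp is assumed to be the first field."""
    events = []
    for line in audit_lines:
        fields = line.rstrip("\r\n").split("|")
        flow = next((RELOAD_PROFILES[f] for f in fields if f in RELOAD_PROFILES), None)
        if flow is not None:
            events.append((fields[0], flow))
    return events


# Constructed idp-audit.log lines in the shape shown on the exercise slide;
# the third line is an ordinary, non-reload event.
SAMPLE_AUDIT_LINES = [
    "20150611T101530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T101602Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T101710Z|||https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|student1|||||||",
]

if __name__ == "__main__":
    print(reload_url("reload-service", "shibboleth.AttributeFilterService"))
    for ts, flow in reload_events(SAMPLE_AUDIT_LINES):
        print(ts, flow)
```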
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process   ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption   ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under Metadata URL click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the Is Federated Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Shibboleth IdP Version 3 Upgrade General observations
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull IdP version 200 released in March 2008ndash followed by 4 minor releases and 18 patch releases (current is 244)
bull IdP version 3 the first major release after ~7 yearsndash 300 December 2014 only very sparse documentation in the Wikindash 310311 March 2015 now being deployed for production use
documentation considerably improved in Q1Q2 2015
bull a good opportunity to start with a fresh environmentndash requires Java 7 or later and Servlet API 30 supportndash best run on an platform with an expected lifetime of 5+ years
bull do not consider an in-place upgrade of your IdP v2deploymentndash even if the Shibboleth installer claims supporting this to some extent
IdP V3 a new milestone
2
Page 1
copy 2015 SWITCH
bull rely on an OS with long-term support (5+ years) bull use the same Linux distribution one from the same family
which your organization is already using for other services bull the SWITCH deployment guide has been rewritten to cover
bull Ubuntu Server 1404 LTS released in April 2014 supported through April 2019
bull Red Hat Enterprise Linux 7 CentOS 7 released in June 2014 supported through June 2024
bull Debian is no longer covered in the SWITCH guide bull very similar to Ubuntu though (in case you have strong feelings about
staying with Debian)
Operating system recommendations
3
copy 2015 SWITCH
bull rely on the operating systemrsquos default Java version ndash for both Ubuntu 1404 and RHEL 7 this is OpenJDK 7 ndash Java 8 has potential pitfalls with scripted attributes (RhinoNashorn
engine incompatibilities) so better stay with Java 7 for the time being
bull use a Java Servlet container which is provided in the form of a package supported by the OS vendor ndash Tomcat 7 is the primary container for both supported OSes ndash you donrsquot have to bother about manually applying security patches
for the Servlet container
bull run Apache httpd in front of the Servlet container ndash flexible configuration of the TLS endpoints for the IdP ndash mod_proxy_ajp has proven robust with the IdP v2 in the past
Java and Webapp environment
4
Page 2
copy 2015 SWITCH
bull the IdP requires a relational database for storing persistent identifiers and user consent data
bull for a single-instance IdP install an SQL database which is packaged by the OS vendor
bull starting with the IdP v3 deployment guide and when installed on the same system as the IdP SWITCH is favoring PostgreSQL ndash PostgreSQL has a long track record of close SQL standards compliance ndash MariaDB 55 (community-developed source fork of MySQL) would also
be available as a vendor-supplied package but for Ubuntu only in the ldquouniverserdquo component ndash ie without official support for security updates
bull your favorite RDBMS can be used as well of course ndash a JDBC connector is almost all it takes ndash in particular for clusters other RDBMSes might be better fits
Persistent ID and user consent storage
5
copy 2015 SWITCH
bull etchosts is your friend bull Set up the IdP v3 on a completely new system bull retain the existing entity ID SAML endpoints and the
SAML certificate bull with SAML 2 most IdP traffic is now front channel
ndash straightforward testing possible by simple edits of your hosts file 192023 aai-loginexampleorg
bull for back-channel testing a temporary change to an SPrsquos hosts file can be an option
Testing strategy
6
Page 3
Test of the VM Images Boot VM image and test network connectivity
SWITCHaai Team aaiswitchch
copy 2015 SWITCH 2
General Information
Course material is adapted for use in SWITCHaai
Course material will be published online Check httpswwwswitchchaaidocstraining
If you see this on a slide hands-on work is required
Page 4
copy 2015 SWITCH 3
Boot up the image 1 Open SWITCH-Shibboleth-Trainingvbox in Virtual Box
2 Start the virtual machine (VM)
3 After login Firefox will open automatically Ensure that it displays this page If you dont see this message contact an assistant
copy 2015 SWITCH 4
VM Operating System Environment
Ubuntu 14042 LTS Virtual BoxVMWare VDK image User idp-admin Password password (in sudoers list)
Apache 2 on ports 80 (http) and 443 (https)
Self-signed SSL web server certificate
Shibboleth Identity Provider 3 is installed and configured according to SWITCHaai Deployment guide Network connectivity needed to ldap-test[1|2]aaiswitchch
Relevant Hostname Same name for all participants aai-loginexampleorg
Page 5
copy 2015 SWITCH 5
Test AAI Login with Demo Service Provider
1 In Firefox open aai-demoswitchch (or click on bookmark) 2 Click on Any authenticated user 3 Select the Example Organisation 4 Log in using a test user (eg student1 password1)
copy 2015 SWITCH 6
Essential Commands for Linux DOS Command Linux Command dir ls -l
cd ltdirectorygt cd ltdirectorygt
mkdir or md ltdirectorygt mkdir ltdirectorygt
rmdir or rd ltdirectorygt rmdir ltdirectorygt
chdir pwd
del or erase ltfilegt rm ltfilegt
copy and xcopy ltfilegt cp and cp ndashR ltfilegt find or findstr ltfilegt grep ltstringgt ltfilegt
comp ltfile1gt ltfile2gt diff ltfile1gt ltfile2gt
edit ltfilegt nano or vim or emacs ltfilegt ping lthostgt ping lthostgt
reboot reboot
Page 6
copy 2015 SWITCH
File Editing Commands for Terminal Editor
Editor nano vim
Open file $ nano ltfilegt $ vim ltfilegt
Save file ltctrlgt-o ltescgt w
Save and exit
ltctrlgt-x ltescgt wq
Search string
ltctrlgt-w string ltescgt string
Go to line number
ltctrlgt-- number ltescgt number ltshiftgt-G
gedit is the recommended text editor Is started as root user Its icon is in the launch bar on the left side of the desktop
copy 2015 SWITCH 8
Tips and Tricks for Hands-On Session
The user and root password for the VM is password
Lines starting with $ are commands to be executed
Command should be executed as root user Happens automatically if Terminal is opened or if text editor is used
Character is line break symbol which allows to break a line when typed
Watch out for invalid XMLconfiguration errors Consult Debugging handout for hints to resolve problems
Page 7
copy 2015 SWITCH 9
More Tips and Tricks for Hands-On Session
Restart the Tomcat daemon after changes Unless otherwise mentioned
Delete session cookies after changes (or restart browser) Should not be necessary but is safer for testing
SSH access to connect to your VM (only with VirtualBox) $ ssh -p 2222 idp-admin127001 The password is password Useful for $ tail -f varlogshibbolethshibdlog
On the VM you will find a web page with useful bookmarks In your web browser open httpsaai-loginexampleorg
copy 2015 SWITCH 10
Test Users on your Identity Provider
Username student1 Password password1 UniqueID 2490257exampleorg Givenname surname Test1 Student Affiliation studentmember Entitlements urnmacedirentitlementcommon-lib-terms
Username student2 Password password2
UniqueID 8548997exampleorg Givenname surname Test2 Student Affiliation studentmember Entitlements urnmacedirentitlementcommon-lib-terms
Username staff3 Password password3 UniqueID 7622788exampleorg Givenname surname Test3 Staff Affiliation staffmember Entitlements urnmacedirentitlementcommon-lib-terms
Page 8
copy 2015 SWITCH
Important directories
optshibboleth-idp
Identity Provider Installation directory
optshibboleth-idpconf
Configuration files optshibboleth-idplogs
Log files like idp-processlog
optshibboleth-idpcredentials X509 certificates and private keys
optshibboleth-idpedit-webapp Changes for web application that survive upgrades
11
Page 9
SWITCHaai Team aaiswitchch
Configuration Pattern
Get used to Spring Beans and Properties
copy 2015 SWITCH
Whats that
2
lt-- Connection Configuration --gt ltbean id=connectionConfig class=orgldaptiveConnectionConfig abstract=true pldapUrl=idpauthnLDAPldapURL puseStartTLS=idpauthnLDAPuseStartTLStrue puseSSL=idpauthnLDAPuseSSLfalse pconnectTimeout=idpauthnLDAPconnectTimeout3000 psslConfig-ref=sslConfig gt
lt-- Attribute Resolver Configuration --gt ltutillist id =shibbolethAttributeResolverResourcesgt ltvaluegtidphomeconfattribute-resolver-switchaai-corexmlltvaluegt ltvaluegtidphomeconfattribute-resolver-connectorsxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-otherxmlltvaluegt ltutillistgt lt-- Attribute Filter Configuration --gt ltutillist id =shibbolethAttributeFilterResourcesgt ltref bean=FileBackedSWITCHaaiAttributeFiltergt ltutillistgt
Page 10
copy 2015 SWITCH
Configuration Pattern of IdPv3
bull The IdPv3 configuration builds upon the Spring Framework bull Configuration is located in XML files bull There are a lot of wired beans
bull The whole configuration follows the same pattern bull With some few exceptions
bull Wonderfully flexible way to configure components but quite complicated for deployers
3
Understanding Beans and Properties
Bean: a software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation; the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/ldap.properties

  # LDAP connection parameters
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a key/value pair
• Comment lines start with a # character
• The bind password (idp.authn.LDAP.bindDNCredential) is not in this file; it is kept apart in credentials.properties
Examples of Beans
• Each bean has a name (id)
• Each bean has a type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans
  Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  </util:list>
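The bean attributes above all use the same idiom: a property reference of the form %{key} or, with a fallback, %{key:default}. The following Python script is an added example (not part of the SWITCH handout or of the Shibboleth code base) that reads a properties file and resolves those placeholders, so you can see exactly which value each bean attribute ends up with. The sample ldap.properties content is constructed from the slide above; the bean attributes are the ones of connectionConfig.

```python
"""Resolve Spring-style %{property:default} placeholders against IdP properties files.

Added example, not code from the SWITCH handout or from the Shibboleth IdP. It models
the pattern used in ldap-authn-config.xml: an attribute such as
p:useSSL="%{idp.authn.LDAP.useSSL:false}" takes its value from the property and falls
back to the default after the colon when the property is not set at all.
"""
import re

# Constructed sample: the relevant lines of ldap.properties (comments start with #).
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.userFilter = (uid={user})
"""

# The connectionConfig bean attributes from the slide, as attribute name -> placeholder.
# idp.authn.LDAP.connectTimeout is deliberately absent from the sample properties.
CONNECTION_CONFIG = {
    "ldapUrl": "%{idp.authn.LDAP.ldapURL}",
    "useStartTLS": "%{idp.authn.LDAP.useStartTLS:true}",
    "useSSL": "%{idp.authn.LDAP.useSSL:false}",
    "connectTimeout": "%{idp.authn.LDAP.connectTimeout:3000}",
}

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")


def parse_properties(text):
    """Minimal java.util.Properties reader: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def resolve(template, props):
    """Replace every %{key[:default]}; fail loudly if a key has neither value nor default."""
    def sub(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"no value and no default for property {key!r}")
    return PLACEHOLDER.sub(sub, template)


def resolve_bean(attrs, props):
    """Resolve all placeholders of one bean's attributes."""
    return {name: resolve(placeholder, props) for name, placeholder in attrs.items()}


if __name__ == "__main__":
    cfg = resolve_bean(CONNECTION_CONFIG, parse_properties(LDAP_PROPERTIES))
    for name, value in cfg.items():
        print(f"{name} = {value}")
```

The useful check here is the defaults: useStartTLS is explicitly false in the sample, useSSL explicitly true, and connectTimeout falls back to 3000 because the property is missing. A placeholder with no default and no property value is a startup error in the IdP, which the KeyError mirrors.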
References
For comprehensive information, refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication
How to do it the v3 way
From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extensions (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509); a login flow for SPNEGO/Kerberos is in development
Login Flows
[Figure: a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X509 or Password Authentication Flow) and executes it; the IdP then returns the SAML Response]
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow; no special configuration is required
  – But the client must support ECP appropriately
Authentication Configuration
• Login flow activation
  – /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
• Per login flow configuration
  – /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
    Keep this file readable only by the account Tomcat runs as; it holds the bind password and the persistent ID salt
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method; must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s); must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389); if it is not enabled, the connection is not encrypted and the bind password as well as every user's password cross the network in cleartext
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636); must usually be set to true
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method; usually set to jvmTrust (the LDAP server certificate must then be issued by a CA in the JVM trust store)
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree; usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter; takes the login name as input via {user}
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here; see the documentation for details.)
Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

  ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"  is the same as  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/credentials.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
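The mapping just done by hand is mechanical, which makes it a good candidate for a script when several IdPs or several JAAS blocks have to be migrated. The following Python script is an added example (not part of the SWITCH handout or of the Shibboleth distribution): it parses the v2 LdapLoginModule options, derives useSSL/useStartTLS from the URL scheme, converts userField or userFilter into the v3 (attr={user}) form and writes the bind password into a separate credentials.properties, as the v3 layout requires. The login.config content is the one from the hands-on; the userFilter variant is used so both forms are exercised.

```python
"""Translate an IdPv2 JAAS LdapLoginModule block into IdPv3 ldap.properties keys.

Added example, not code from the SWITCH handout or from the Shibboleth IdP. It automates
the manual mapping of Hands-on 2 and keeps the bind password out of ldap.properties.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the v2 login.config block of the hands-on, with the userFilter form.
LOGIN_CONFIG = '''
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userFilter="uid={0}"
        subtreeSearch="true";
};
'''

OPTION = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text):
    """Collect the quoted name="value" options of the login module."""
    return dict(OPTION.findall(text))


def migrate(options):
    """Return (ldap_properties, credentials_properties) as two dicts."""
    urls = options["ldapUrl"].split()
    schemes = {urlsplit(u).scheme for u in urls}
    if len(schemes) != 1:
        raise ValueError("mixed ldap:// and ldaps:// URLs cannot share one connection config")
    scheme = schemes.pop()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unexpected URL scheme {scheme!r}")
    # ldaps:// is TLS from the first byte (useSSL). Plain ldap:// must at least upgrade
    # with StartTLS, otherwise bind and user passwords travel in cleartext.
    use_ssl = scheme == "ldaps"

    # v2 accepted userField=uid or userFilter=uid={0}; v3 wants a filter with {user}.
    if "userFilter" in options:
        user_filter = options["userFilter"].replace("{0}", "{user}")
        if not user_filter.startswith("("):
            user_filter = f"({user_filter})"
    else:
        user_filter = f"({options['userField']}={{user}})"

    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        "idp.authn.LDAP.useStartTLS": str(not use_ssl).lower(),
        "idp.authn.LDAP.useSSL": str(use_ssl).lower(),
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": options["baseDn"],
        "idp.authn.LDAP.subtreeSearch": options.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": options["bindDn"],
    }
    credentials = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap, credentials


def render(props):
    """Serialize a dict as properties-file lines."""
    return "\n".join(f"{key} = {value}" for key, value in props.items()) + "\n"


if __name__ == "__main__":
    ldap, creds = migrate(parse_jaas_options(LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties (restrict file permissions)\n" + render(creds))
```

The scheme check is the part worth keeping even if the rest is thrown away: a v2 configuration that pointed at ldap://host without TLS options would, mechanically translated, yield useStartTLS=true and useSSL=false, which is the right default but should still be verified against the server before going live.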
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References
Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

[Slides 3 to 5: screenshots of the login page, not reproduced]
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory: the webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

[Slide 12: screenshot of the rendered login form, not reproduced]
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Note the $encoder.encodeForHTML(): the values in $rpUIContext come from the SP's metadata (mdui extension), i.e. from a third party, and must be HTML-encoded before they are written into the login page.
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
        .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" …

• Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect

  Mapping both error classes to one message has a side benefit: the login form no longer tells an attacker whether a guessed username exists.
Attribute Resolution
Migrating configuration to version 3

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2; should be nearly 100% compatible
  Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions
  Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files
• Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption; see the next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features: example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
                          generatedAttributeID="persistentID"
                          sourceAttributeID="%{idp.persistentId.sourceAttribute}"
                          salt="%{idp.persistentId.salt}"
                          queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
  Source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
          <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – Output attribute variable already created
  – setValues() removed
  – And more; see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
  </resolver:AttributeDefinition>
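Both hands-on solutions rely on one property of ad:Template that is easy to miss: the template is expanded once per value of the source attribute, so a multi-valued objectClass yields one entitlement per value, and an ad:Simple definition with several dependencies simply merges their values. The following Python script is an added example (not part of the SWITCH handout or of the IdP resolver) that models exactly that, using constructed sample values for what the myLDAP connector would return.

```python
"""Model ad:Template and ad:Simple attribute definitions from the hands-on solutions.

Added example, not code from the SWITCH handout or from the Shibboleth attribute
resolver. It models the documented behaviour: a template is expanded once per source
value, and a Simple definition with several dependencies merges their values (the
de-duplication is this model's choice). The resolved LDAP attributes are constructed.
"""
from string import Template

# Constructed sample: what the myLDAP data connector resolved for one user.
RESOLVED = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson", "swissEduPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def template_attribute(source_attribute, template, resolved):
    """ad:Template: one output value per source value; no values if the source is missing."""
    tpl = Template(template)
    return [tpl.substitute({source_attribute: value})
            for value in resolved.get(source_attribute, [])]


def simple_attribute(dependencies, resolved):
    """ad:Simple with several dependencies: concatenate their values in order, once each."""
    out = []
    for dependency in dependencies:
        for value in resolved.get(dependency, []):
            if value not in out:
                out.append(value)
    return out


def resolve_hands_on(resolved):
    """Apply the two hands-on definitions on top of the connector output."""
    r = dict(resolved)
    # Hands-on 1: uzhSAPUserId = SAP-${uid}
    r["uzhSAPUserId"] = template_attribute("uid", "SAP-${uid}", r)
    # Hands-on 2: dependencyOnly="true" means this intermediate value is never released itself.
    r["eduPersonEntitlement.groups"] = template_attribute(
        "objectClass", "https://example.org/groups/${objectClass}", r)
    r["eduPersonEntitlement"] = simple_attribute(
        ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"], r)
    return r


if __name__ == "__main__":
    for attribute_id, values in resolve_hands_on(RESOLVED).items():
        print(attribute_id, values)
```

Worth checking against your own directory: objectClass on a real entry usually includes structural classes such as top and person, so every user will receive the corresponding group entitlements unless the template source is narrowed or filtered downstream.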
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration

Persistent IDs in SAML – short recap
• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
  The salt is what makes the value a pseudonym: anyone who knows it and can guess the source attribute value can recompute the ID and correlate the user across SPs, so keep it secret (credentials.properties) and never change it once IDs are in use
• When used in a federation, always qualified by the IdP and SP entity IDs
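To make the recipe above concrete, the following Python script is an added example (not code from the SWITCH handout or from the Shibboleth IdP). It computes a persistent ID from the three inputs the slide names, renders the qualified form the SP shows, and uses a small dictionary as a stand-in for the shibpid table to show why the reverse mapping from ID to user needs a store at all. The '!' separators between the inputs are the ComputedId convention as I know it from the IdP source; the slide does not spell them out, so treat the exact byte layout as an assumption. Entity IDs, principal, attribute value and salt are constructed sample values.

```python
"""Compute and qualify SAML persistent IDs along the lines of Shibboleth's ComputedId.

Added example, not code from the SWITCH handout or from the Shibboleth IdP. The inputs
(SP entity ID, source attribute value, salt, SHA-1, Base64) are those of the slide; the
'!' separators are an assumption taken from the ComputedId algorithm as I know it.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"   # constructed


def computed_id(sp_entity_id, source_attribute_value, salt):
    """SHA-1(spEntityId '!' sourceValue '!' salt), Base64: 20 bytes -> 28 characters."""
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_attribute_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")


def qualified(idp_entity_id, sp_entity_id, persistent_id):
    """The string form the Shibboleth SP renders: idp!sp!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


class PersistentIdStore:
    """Stand-in for the shibpid table. The hash is one-way, so mapping an ID back to a
    principal (the c14n/SAML2Persistent side) is only possible through stored rows."""

    def __init__(self):
        self._rows = {}   # (localEntity, peerEntity, persistentId) -> principalName

    def generate(self, sp_entity_id, principal, source_value, salt):
        pid = computed_id(sp_entity_id, source_value, salt)
        self._rows[(IDP_ENTITY_ID, sp_entity_id, pid)] = principal
        return pid

    def principal_for(self, sp_entity_id, pid):
        return self._rows.get((IDP_ENTITY_ID, sp_entity_id, pid))


if __name__ == "__main__":
    salt = "change-me-long-random-salt"          # constructed; real one lives in credentials.properties
    store = PersistentIdStore()
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    pid_a = store.generate(sp_a, "jdoe", "12345@example.org", salt)
    pid_b = store.generate(sp_b, "jdoe", "12345@example.org", salt)
    print(pid_a, pid_b, "pairwise:", pid_a != pid_b)
    print(qualified(IDP_ENTITY_ID, sp_a, pid_a))
    print("reverse lookup:", store.principal_for(sp_a, pid_a))
```

Two things to observe when running it: the same user gets a different ID at every SP (the pairwise property the SAML text demands), and looking up pid_a under sp_b returns nothing, which is exactly why the reverse mapping is keyed on the SP as well.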
Persistent ID changes with the IdP v3
• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided
Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
          <list>
              <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
              <ref bean="SAML1.AttributeQuery" />
              <ref bean="SAML1.ArtifactResolution" />
              <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
              <ref bean="SAML2.ECP" />
              <ref bean="SAML2.Logout" />
              <ref bean="SAML2.AttributeQuery" />
              <ref bean="SAML2.ArtifactResolution" />
          </list>
      </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration
Per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except the black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]
Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
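The interaction of white list, black list and pattern decides which released attributes the user actually sees on the consent page, and the wrong combination silently releases attributes without a prompt. The following Python script is an added example (not code from the SWITCH handout or from the Shibboleth consent flow) that models the rules stated on the two slides above, including the 3.2.0 display order, so you can check a candidate configuration against a sample attribute set before deploying it. The released attribute list is constructed.

```python
"""Decide which released attributes the consent page prompts for, and in which order.

Added example, not code from the SWITCH handout or from the Shibboleth IdP. It models the
rules described for conf/intercept/consent-intercept-config.xml: black-listed attributes
are never prompted; with an empty white list and no pattern, everything else is prompted;
once a white list or pattern is set, only matching attributes are prompted and the rest
are released silently. Order: white-listed attributes first, the rest alphabetically.
"""
import re

DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(released, whitelist=(), blacklist=DEFAULT_BLACKLIST, pattern=None):
    """Return the ordered list of attribute IDs shown on the consent page."""
    whitelist = list(whitelist)
    regex = re.compile(pattern) if pattern else None
    candidates = [a for a in released if a not in blacklist]      # black list always wins
    if whitelist or regex:
        candidates = [a for a in candidates
                      if a in whitelist or (regex is not None and regex.search(a))]
    listed = [a for a in whitelist if a in candidates]            # white-list order first
    rest = sorted(a for a in candidates if a not in whitelist)    # then alphabetical
    return listed + rest


def released_silently(released, **kwargs):
    """Attributes sent to the SP without ever appearing on the consent page."""
    prompted = set(attributes_to_prompt(released, **kwargs))
    return sorted(a for a in released if a not in prompted)


if __name__ == "__main__":
    # Constructed sample: what the attribute filter released for one SP.
    released = ["mail", "eduPersonTargetedID", "sn", "givenName",
                "eduPersonAffiliation", "persistentId", "swissEduPersonUniqueID"]
    print("defaults:       ", attributes_to_prompt(released))
    print("white list only:", attributes_to_prompt(released, whitelist=["mail", "givenName"]))
    print("released silently with that white list:",
          released_silently(released, whitelist=["mail", "givenName"]))
    print("white list + ^.*$:", attributes_to_prompt(released, whitelist=["mail"], pattern=r"^.*$"))
```

The second and third lines of output are the trap the slide warns about: a white list of two attributes means the other five are released without a prompt. Adding the ^.*$ pattern keeps the white-listed attributes at the top while still showing everything else.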
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:

    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mappings are configurable, but the key is still the entityID (a default value is available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
          <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
              <constructor-arg name="map">
                  <map>
                      <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                  </map>
              </constructor-arg>
          </bean>
      </constructor-arg>
      <constructor-arg name="f">
          <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
  </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
          <mdattr:EntityAttributes>
              <saml:Attribute Name="http://macedir.org/entity-category">
                  <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                  <saml:AttributeValue>switch.ch</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                  <saml:AttributeValue>others</saml:AttributeValue>
              </saml:Attribute>
          </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override: Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
26
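How the tag matching behind such a RelyingPartyByTag override works, as an added example that is not part of the handouts or of the Shibboleth code base: a TagCandidate matches an SP when the SP's <mdattr:EntityAttributes> carry an attribute with the candidate's Name and at least one of the candidate's values, and the first override in the list whose candidates match wins. The metadata is constructed from the slide's attribute-viewer example plus two made-up SPs; the second override id "CoCoRelyingParty" is hypothetical and only illustrates the ordering rule.

```python
"""Added example (not from the SWITCH handouts): how a RelyingPartyByTag
override selects SPs.  A TagCandidate matches when the entity carries an
attribute with the candidate's Name and at least one of the candidate's
values; overrides are tried in list order and the first match wins.
Sample metadata below is constructed (modelled on the slide's example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the slide's attribute-viewer entity plus two made-up SPs.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.net/shibboleth"/>
</md:EntitiesDescriptor>"""

HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"      # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"


def entity_attributes(metadata_xml):
    """Map entityID -> {attribute Name: set of values} taken from EntityAttributes."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        for attr in ed.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
            attrs.setdefault(attr.get("Name"), set()).update(values)
        result[ed.get("entityID")] = attrs
    return result


def tag_matches(attrs, name, values):
    """TagCandidate semantics: attribute `name` present with at least one of `values`."""
    return bool(attrs.get(name, set()) & set(values))


def select_override(attrs, candidates):
    """Id of the first override whose candidate list matches (first match wins).
    candidates: list of (override_id, [(Name, [values]), ...])."""
    for override_id, tags in candidates:
        if any(tag_matches(attrs, n, v) for n, v in tags):
            return override_id
    return None


# Override list in the same order as it would appear in relying-party.xml.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG_OID, ["example.org"])]),
    ("CoCoRelyingParty", [(ENTITY_CATEGORY, [COCO_V1])]),   # hypothetical second override
]


def overrides_for_all(metadata_xml=SAMPLE_METADATA):
    """entityID -> selected override id (None: the default relying party applies)."""
    return {eid: select_override(attrs, OVERRIDES)
            for eid, attrs in entity_attributes(metadata_xml).items()}


if __name__ == "__main__":
    for eid, ov in overrides_for_all().items():
        print(eid, "->", ov or "default")
```

Swapping the order of the two entries in OVERRIDES changes which override an SP that matches both would get, which is the "order is significant" point from the previous slide.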
Page 58
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy: The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
2
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
3
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
4
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
5
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata!
Page 62
3

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
5
Home Organisation Description
6
[Screenshot of the Home Organisation Description form in the Resource Registry; annotations: sections 1 and 2 to review, section 3 to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes
7
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
8
Page 65
2. Change URL for Attribute Authority
New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
9
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
11
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
12
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
13
Page 68
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
2
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
3
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
4
Page 70
Example Environment
5
[Diagram not reproduced in the handout text]
Example Environment
6
[Diagram not reproduced in the handout text]
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy
7
Options
• Data storage: client-side vs. server-side
  A server-side database can store any data:
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies:
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
8
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
9
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
10
Page 73
Storage Recommendations
11

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
12
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
13
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
14
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
15
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
16
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
17
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
4
Page 79
All Academic Identity Federations Globally
5
[Map of production and pilot federations] Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
7
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes
8

Friendly name                                     | Defined in | Example
--------------------------------------------------|------------|-------------------------------------------------------------------------------------------
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
9
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
12
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
13

Metadata
14
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
15
GÉANT Data Protection Code of Conduct
• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
16
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
17
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
18
Page 86
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
19
Comparison
20

REFEDS R&S                 | GÉANT DP CoCo
---------------------------|----------------------------------
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes
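The last row of the comparison, turned into a release decision, as an added example that is neither from the handouts nor from the IdP's attribute filter: an R&S SP receives the fixed bundle from the R&S slide regardless of what it requests, while a CoCo SP may request any attribute and receives those the IdP has decided to permit for CoCo SPs. The CoCo v1 URI is the one on the metadata slide; the R&S category URI is the value published by REFEDS. The SP list, the user's attributes and the "permitted for CoCo" policy are all constructed.

```python
"""Added example (not from the SWITCH handouts): attribute release driven by
entity categories, contrasting the two categories from the Comparison slide.
An SP in REFEDS R&S gets the fixed R&S bundle; an SP under the GÉANT DP CoCo
can request any attribute and gets those the IdP permits for CoCo SPs.
All SP and user data below is constructed."""

COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"   # REFEDS R&S category URI

# R&S attributes as listed on the "REFEDS Research & Scholarship" slide.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonTargetedID", "eduPersonScopedAffiliation"}


def rs_minimal_subset_satisfied(available):
    """R&S minimal subset: ePPN, mail and a person name
    (person name = givenName + sn, or displayName).  Useful as a check on
    the IdP's own data before ticking R&S release in the Resource Registry."""
    available = set(available)
    has_name = "displayName" in available or {"givenName", "sn"} <= available
    return {"eduPersonPrincipalName", "mail"} <= available and has_name


def release_for_sp(sp, user_attrs, permitted_for_coco):
    """Attributes to release to `sp` for a user with `user_attrs`.

    sp: dict with "entityID", "categories" (set of category URIs) and
        "requested" (attribute names the SP requests in its metadata).
    permitted_for_coco: attributes the IdP is prepared to release to any
        CoCo SP that requests them (the IdP's own policy, assumed here).
    Returns a set of attribute names; empty when no category applies, i.e.
    per-SP rules in attribute-filter.xml would have to decide instead."""
    cats = set(sp.get("categories", ()))
    have = set(user_attrs)
    if RS in cats:
        return RS_BUNDLE & have                 # fixed set, whatever the SP asks for
    if COCO_V1 in cats:
        return set(sp.get("requested", ())) & permitted_for_coco & have
    return set()


# Constructed sample data.
USER = {"eduPersonPrincipalName": "234cd8z239@example.org", "mail": "peter.sample@example.org",
        "displayName": "Peter Sample", "eduPersonAffiliation": "staff",
        "eduPersonScopedAffiliation": "staff@example.org", "homePostalAddress": "Somewhere 1"}
PERMITTED_FOR_COCO = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
                      "eduPersonAffiliation", "eduPersonScopedAffiliation", "eduPersonTargetedID"}
SPS = [
    {"entityID": "https://rs-sp.example.org/shibboleth", "categories": {RS},
     "requested": {"mail", "homePostalAddress"}},
    {"entityID": "https://coco-sp.example.org/shibboleth", "categories": {COCO_V1},
     "requested": {"mail", "eduPersonAffiliation", "homePostalAddress"}},
    {"entityID": "https://plain-sp.example.org/shibboleth", "categories": set(),
     "requested": {"mail"}},
]


def demo(sps=SPS, user=USER, permitted=PERMITTED_FOR_COCO):
    """entityID -> sorted list of released attributes."""
    return {sp["entityID"]: sorted(release_for_sp(sp, user, permitted)) for sp in sps}


if __name__ == "__main__":
    print("R&S minimal subset satisfiable:", rs_minimal_subset_satisfied(USER))
    for eid, attrs in demo().items():
        print(eid, "->", attrs or "(no category; per-SP rule needed)")
```

Note that the CoCo SP's request for homePostalAddress is dropped even though the user has the attribute, because the IdP never permitted it for CoCo SPs: "SP can require any attributes" means the request is honoured only within the IdP's own policy.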
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
2
Page 88
Attribute Release Settings (1)
3
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
2
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config: /etc/tomcat7/server.xml (output dir and name)
3
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restart; the IdP's services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
4
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
6
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

Even though the root logger is at DEBUG, the SMTPAppender only sends a mail when an event of level ERROR arrives (its default trigger); the preceding lower-level events are buffered and included in that mail as context.
http://logback.qos.ch/manual/appenders.html
7
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93
Hands On 2
9
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achievable by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default, the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before:
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes:
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue:
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai: users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue:
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted SAML assertions, so that problem was not discovered earlier
7
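Two of the log checks in these handouts, done against idp-audit.log, as an added example that is not part of the handouts or of the IdP: the "has this binding been used within the last few months?" check from the "Remove Unnecessary Endpoints" slide (which greps idp-process.log; the audit log's inbound-binding field answers the same question per SP), and the "were the attributes released to this SP?" check from the Attributes slide above. The field order assumed is the IdP v3 default audit format %T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%d|%s|%SSO (an assumption; check idp.properties if your format differs). All log lines, SP entityIDs and usernames are constructed.

```python
"""Added example (not from the SWITCH handouts): two checks on idp-audit.log.
(1) Which SPs last used a given binding, i.e. can the endpoint be removed?
(2) Which attributes were released to a given SP, i.e. is a missing
attribute the reason an interfederated SP fails?

Assumed field order (IdP v3 default audit format, assumed here):
  %T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%d|%s|%SSO
time | inbound binding | inbound msg id | SP entityID | profile | username |
authn context | released attributes | name id | outbound msg id |
assertion id | session id | SSO flag.  All log lines are constructed."""
from datetime import datetime

AUDIT_FIELDS = ["time", "binding", "in_msg", "sp", "profile", "user", "authn",
                "attrs", "nameid", "out_msg", "assertion", "session", "sso"]

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_REDIRECT = "urn: oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".replace(" ", "")
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample lines, not real IdP output (last line is deliberately malformed).
SAMPLE_AUDIT_LOG = "\n".join([
    "20150311T081502Z|" + SAML2_REDIRECT + "|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|user1|" + PPT + "|mail,displayName,eduPersonAffiliation|_n1|_o1|_d1|_s1|false",
    "20150402T101500Z|" + SAML1_SOAP + "|_a2|https://legacy.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|user2||eduPersonPrincipalName|_n2|_o2|_d2||",
    "20150520T143011Z|" + SAML2_REDIRECT + "|_a3|https://interfed-sp.example.com/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|user1|" + PPT + "|eduPersonPrincipalName,mail|_n3|_o3|_d3|_s3|true",
    "20150601T090000Z|" + SAML1_SOAP + "|_a4|https://legacy.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|user3||eduPersonPrincipalName|_n4|_o4|_d4||",
    "20150610T120000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "garbage line that does not follow the format",
])


def parse_audit(text):
    """Parse audit lines into dicts; lines not matching the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(AUDIT_FIELDS):
            continue
        rec = dict(zip(AUDIT_FIELDS, parts))
        rec["time"] = datetime.strptime(rec["time"], "%Y%m%dT%H%M%SZ")
        rec["attrs"] = [a for a in rec["attrs"].split(",") if a]
        records.append(rec)
    return records


def last_use_of_binding(records, binding):
    """SP entityID -> time of the most recent request that arrived over `binding`."""
    last = {}
    for r in records:
        if r["binding"] == binding and (r["sp"] not in last or r["time"] > last[r["sp"]]):
            last[r["sp"]] = r["time"]
    return last


def released_attributes(records, sp, user=None):
    """Set of attribute ids the audit log shows as released to `sp` (optionally for one user)."""
    released = set()
    for r in records:
        if r["sp"] == sp and (user is None or r["user"] == user):
            released.update(r["attrs"])
    return released


def missing_attributes(records, sp, required):
    """Required attributes never recorded as released to `sp`: the 'If NO' branch above."""
    return sorted(set(required) - released_attributes(records, sp))


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_LOG)
    for sp, when in last_use_of_binding(recs, SAML1_SOAP).items():
        print("SAML1 SOAP last used by", sp, "at", when.isoformat())
    sp = "https://interfed-sp.example.com/shibboleth"
    print("missing for", sp, ":", missing_attributes(recs, sp, ["eduPersonPrincipalName", "mail", "displayName"]))
```

An empty result from last_use_of_binding over the whole retention period is the evidence the "Remove Unnecessary Endpoints" slide asks for before deleting an endpoint from the Resource Registry; a non-empty missing_attributes result points at the IdP's release policy rather than at the SP.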
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Operating system recommendations
• rely on an OS with long-term support (5+ years)
• use the same Linux distribution (or one from the same family) which your organization is already using for other services
• the SWITCH deployment guide has been rewritten to cover
  – Ubuntu Server 14.04 LTS: released in April 2014, supported through April 2019
  – Red Hat Enterprise Linux 7 / CentOS 7: released in June 2014, supported through June 2024
• Debian is no longer covered in the SWITCH guide
  – very similar to Ubuntu though (in case you have strong feelings about staying with Debian)
Java and Webapp environment
• rely on the operating system's default Java version
  – for both Ubuntu 14.04 and RHEL 7 this is OpenJDK 7
  – Java 8 has potential pitfalls with scripted attributes (Rhino/Nashorn engine incompatibilities), so better stay with Java 7 for the time being
• use a Java Servlet container which is provided in the form of a package supported by the OS vendor
  – Tomcat 7 is the primary container for both supported OSes
  – you don't have to bother about manually applying security patches for the Servlet container
• run Apache httpd in front of the Servlet container
  – flexible configuration of the TLS endpoints for the IdP
  – mod_proxy_ajp has proven robust with the IdP v2 in the past
Persistent ID and user consent storage
• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters, other RDBMSes might be better fits
Testing strategy
• /etc/hosts is your friend
• Set up the IdP v3 on a completely new system
• retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2, most IdP traffic is now front channel
  – straightforward testing possible by simple edits of your hosts file: 192.0.2.3 aai-login.example.org
• for back-channel testing, a temporary change to an SP's hosts file can be an option
Test of the VM Images
Boot VM image and test network connectivity
SWITCHaai Team, aai@switch.ch

General Information
• Course material is adapted for use in SWITCHaai
• Course material will be published online. Check https://www.switch.ch/aai/docs/training
• If you see this symbol on a slide, hands-on work is required
Boot up the image
1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant
VM Operating System Environment
• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (same name for all participants): aai-login.example.org
Test AAI Login with Demo Service Provider
1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux

DOS Command                  Linux Command
dir                          ls -l
cd <directory>               cd <directory>
mkdir or md <directory>      mkdir <directory>
rmdir or rd <directory>      rmdir <directory>
chdir                        pwd
del or erase <file>          rm <file>
copy and xcopy <file>        cp and cp -R <file>
find or findstr <file>       grep <string> <file>
comp <file1> <file2>         diff <file1> <file2>
edit <file>                  nano or vim or emacs <file>
ping <host>                  ping <host>
reboot                       reboot
File Editing Commands for Terminal Editor

Editor              nano                 vim
Open file           $ nano <file>        $ vim <file>
Save file           <ctrl>-o             <esc> :w
Save and exit       <ctrl>-x             <esc> :wq
Search string       <ctrl>-w string      <esc> /string
Go to line number   <ctrl>-_ number      <esc> :number  or  number <shift>-G

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user. This happens automatically if Terminal is opened or if the text editor is used
• The character \ is the line break symbol, which allows breaking a line when typed
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems
More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for: $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser, open https://aai-login.example.org
Test Users on your Identity Provider

Username: student1, Password: password1
UniqueID: 2490257@example.org, Givenname/surname: Test1 Student
Affiliation: student;member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: student2, Password: password2
UniqueID: 8548997@example.org, Givenname/surname: Test2 Student
Affiliation: student;member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: staff3, Password: password3
UniqueID: 7622788@example.org, Givenname/surname: Test3 Staff
Affiliation: staff;member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
Important directories

/opt/shibboleth-idp              Identity Provider installation directory
/opt/shibboleth-idp/conf         Configuration files
/opt/shibboleth-idp/logs         Log files like idp-process.log
/opt/shibboleth-idp/credentials  X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp  Changes for the web application that survive upgrades
Configuration Pattern
Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers
Understanding Beans and Properties
Bean: Some software object that is configurable by setting its attributes
Property: A piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />
Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
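The %{key} and %{key:default} placeholders in these bean definitions are resolved against the properties files when the IdP starts. The following added example, not code from the handout or from the Shibboleth project, parses a constructed properties fragment in the format of the slides and resolves such placeholders, including the default-value form used by p:useStartTLS above; the minimal properties parser is this example's reading of the Java properties format.

```python
import re
from typing import Dict

# Constructed properties fragment in the format of the slides (values taken
# from them); the backslash-continued ldapURL shows the multi-server form.
SAMPLE_PROPERTIES = r"""
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 \
    ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.userFilter = (uid={user})
! useStartTLS and connectTimeout are deliberately unset: the bean's defaults apply
"""

# %{key} or %{key:default}, the placeholder form used in the IdP's bean definitions
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
# key, optional '=' or ':' separator, value (Java .properties style, escapes ignored)
PROPERTY_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key/value pairs: '#' and '!' start comment lines, a trailing
    backslash continues the value on the next line (leading blanks dropped)."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip() if pending else raw
        pending = ""
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    if pending:  # continuation marker on the last line
        match = PROPERTY_LINE.match(pending)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def resolve(value: str, props: Dict[str, str]) -> str:
    """Replace each placeholder by the property value, else by its default.
    A placeholder without default for an unset property is an error, which is
    also how the IdP fails at startup."""
    def substitute(match) -> str:
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"property {key!r} is not set and has no default")
    return PLACEHOLDER.sub(substitute, value)


def resolve_bean_attributes(bean_xml: str, props: Dict[str, str]) -> Dict[str, str]:
    """Resolve the p:* attributes of one <bean .../> definition."""
    attrs = dict(re.findall(r'(p:[\w-]+)="([^"]*)"', bean_xml))
    return {name: resolve(val, props) for name, val in attrs.items()}
```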
References
For comprehensive information, refer to the documentation on the Shibboleth Wiki
Documentation:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication
How to do it the v3 way
SWITCHaai Team, aai@switch.ch
From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    – Username/password login form
    – Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    – Username/password login form
    – Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development
Login Flows
(Figure: a SAML Request arrives at the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it: RemoteUser Authentication Flow, X.509 Authentication Flow or Password Authentication Flow; the result is returned in the SAML Response.)
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  – But: the client must support ECP appropriately
Authentication Configuration
• Login flow activation
  – /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  – /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (Multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  – idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust
• User Directory options
  – idp.authn.LDAP.baseDN: Entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: Bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: Password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
    };

PS: Common and equivalent alternative to userField: userFilter
    userField="uid"  is equivalent to  userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    – Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References
Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch
Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
    @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>
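As an added example (not from the handout or from the IdP code base), the following Python models what the two template definitions of hands-on 1 (SAP-${uid}) and hands-on 2 (the groups entitlement) produce for a constructed LDAP entry, including the per-value expansion of the multi-valued objectClass attribute and the merge into eduPersonEntitlement. The lockstep rule (every attribute referenced in one template must have the same number of values) is this example's reading of the ad:Template definition.

```python
import re
from typing import Dict, List

# Constructed LDAP entry, as the resolver sees it after the myLDAP data
# connector has run: every attribute is a list of values.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["student1"],
    "objectClass": ["top", "inetOrgPerson", "posixAccount"],
}

TEMPLATE_VAR = re.compile(r"\$\{(\w+)\}")


def template_attribute(template: str, entry: Dict[str, List[str]]) -> List[str]:
    """ad:Template semantics as assumed here: one output value per value of the
    referenced attributes, substituted in lockstep, so every attribute named in
    the template must have the same number of values. A template without
    references yields a single constant value."""
    names = set(TEMPLATE_VAR.findall(template))
    counts = {len(entry.get(name, [])) for name in names}
    if len(counts) > 1:
        raise ValueError(f"attributes {sorted(names)} differ in their number of values")
    count = counts.pop() if counts else 1
    values = []
    for i in range(count):
        values.append(TEMPLATE_VAR.sub(lambda m: entry[m.group(1)][i], template))
    return values


def simple_attribute(*dependencies: List[str]) -> List[str]:
    """ad:Simple with several dependencies: the union of their values,
    first occurrence wins, order preserved."""
    seen, merged = set(), []
    for dep in dependencies:
        for value in dep:
            if value not in seen:
                seen.add(value)
                merged.append(value)
    return merged


def resolve_hands_on(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Hands-on 1 (uzhSAPUserId) and hands-on 2 (eduPersonEntitlement) together."""
    uzh_sap_user_id = template_attribute("SAP-${uid}", entry)
    groups = template_attribute("https://example.org/groups/${objectClass}", entry)
    common_lib_terms = ["urn:mace:dir:entitlement:common-lib-terms"]
    return {
        "uzhSAPUserId": uzh_sap_user_id,
        "eduPersonEntitlement": simple_attribute(common_lib_terms, groups),
    }
```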
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
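An added example (not from the handout) that reproduces the two forms above in Python: the SHA-1/Base64 computation of the persistent ID and the SP's string rendering. The "!" separator between SP entity ID, attribute value and salt is this example's assumption (the ComputedId convention); the slide only names the three inputs.

```python
import base64
import hashlib
from typing import Tuple

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over the SP entity ID, the source attribute value and the salt,
    Base64 encoded. The '!' separators between the three parts are an
    assumption of this example (the ComputedId convention); the slide only
    names the three inputs. Changing the salt or the SP changes the ID, which
    is what makes the identifier targeted and non-global."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")  # 20 bytes -> 28 chars


def is_well_formed(persistent_id: str) -> bool:
    """A computed persistent ID is exactly 20 bytes of Base64 (28 characters)."""
    try:
        return (len(persistent_id) == 28
                and len(base64.b64decode(persistent_id, validate=True)) == 20)
    except ValueError:
        return False


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The Shibboleth SP's string form of a persistent NameID:
    NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def split_rendering(rendered: str) -> Tuple[str, str, str]:
    """Inverse of sp_rendering. Base64 never contains '!', so the third part is
    the ID itself even though the qualifiers are URLs (assumes the entity IDs
    themselves contain no '!')."""
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The on-the-wire <NameID> from the slide, qualified by both entity IDs."""
    return (f'<NameID Format="{PERSISTENT_FORMAT}" '
            f'NameQualifier="{idp_entity_id}" '
            f'SPNameQualifier="{sp_entity_id}">{persistent_id}</NameID>')
```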
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service

- configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
- to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

- the database schema for the shibpid table remains unchanged
- when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
- "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
- make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises

- examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
- delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
- dump the shibpid table to a file, purge the table with truncate and reimport the records
- log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

- Attribute release and terms of use consent now built in
- Inspired by uApprove and uApproveJP plugins for v2
- No consent data migration: storage implementations are not compatible
- May be enabled or disabled per relying party and per profile
- Decisions logged
Page 47
Differences with uApprove

- User can select attributes to release [disabled]
- Consent duration choices:
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
- No regular expression for SP white/black lists
- No translations provided
Why enable user consent?

- Easier to have now with v3 than with v2
- Required by SWITCHaai Interfederation Access Declaration
- Inform users about what personal data is transmitted, in a more real-time fashion
- Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?

- One more page to read and click through upon login, but only the first time for each SP
- Global consent disabled: users cannot choose "I don't care about my privacy"
- Decide for all your users, or let them decide
When should consent be sought?

- All SPs: the best option ← recommended
- Outside your organisation: good, fewer clicks
- Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides.

- Post-authentication flows:
  - Attribute consent [enabled]
  - Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO; for Shibboleth SSO only attribute-release.

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use','attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties (default values in brackets).

- Consent duration options:
  - Ask me again if information changes: always available to users
  - Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  - Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour

- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

- White & black lists: which attributes to prompt for [all except black list]
  - White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  - Black list [transientId, persistentId, eduPersonTargetedID]
  - Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)

- Alphabetical order by default
- Except attributes in white list show up first
- Set pattern to ^$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

- Terms for each SP
- Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
- Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

- Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution

- Enable the terms-of-use flow in conf/relying-party.xml
- Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
Hands-on solution (continued)

- Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
Page 55
References

- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava: Functions class Javadoc
Appendix: Disabling attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides

- Template beans in conf/relying-party.xml to match SPs by:
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
- First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata

- Entity categories:
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
- New attributes available:
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the consent flows for SPs belonging to a home organisation.

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate" c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="ShibbolethSSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
Page 58
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure

- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (.tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp
- Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes
Page 60
References / Documentation

- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore, in theory, no metadata / Resource Registry change is needed.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints

To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
[Screenshot of the Resource Registry form: items 1 and 2 to review, item 3 to adapt]
Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
- 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
- 2 Descriptive Information: add new IP ranges and Domain Hints
- 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
- 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed, and no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
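The same check as the grep above, as an added example (not code from the slides or from the Shibboleth project): it reduces binding hits to the last use per SP and classifies each binding as unused, idle or in use, so the decision to drop an endpoint rests on dates rather than on eyeballing grep output. The log lines are constructed and keep only a timestamp, the binding URN and the relying party; the real idp-process.log is far more verbose, so the field parsing would need adapting. It also shows a caveat a plain grep hides: the HTTP-POST URN is a prefix of the HTTP-POST-SimpleSign URN.

```python
from datetime import datetime, timedelta

# Binding URNs as they appear in SAML metadata and in the IdP's logs.
# SAML1_SOAP is used by both the SAML1 Artifact Resolution and the SAML1
# Attribute Service endpoint, so a hit alone does not say which one was used.
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample lines, NOT a real idp-process.log excerpt.
SAMPLE_LOG = """\
2015-01-12 09:14:03,117 - INFO - binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://legacy-sp.example.org/shibboleth
2015-02-01 11:20:45,301 - INFO - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign relyingParty=https://sp.example.org/shibboleth
2015-05-30 17:02:41,920 - INFO - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://sp.example.org/shibboleth
2015-06-09 12:00:00,000 - INFO - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://other.example.org/shibboleth
"""


def parse_line(line):
    """Return (timestamp, binding, sp) for an event line of the constructed
    format, or None for lines without both fields."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "binding" not in fields or "relyingParty" not in fields:
        return None
    stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return stamp, fields["binding"], fields["relyingParty"]


def naive_grep_count(log_text, needle):
    """What a plain grep for the URN reports: substring hits. The HTTP-POST
    URN is a prefix of HTTP-POST-SimpleSign, so this over-counts POST use."""
    return sum(1 for line in log_text.splitlines() if needle in line)


def last_use_by_sp(log_text, binding_urn):
    """Most recent use of a binding per SP, comparing the parsed binding
    field exactly so that prefix matches are not counted."""
    last = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, binding, sp = parsed
        if binding != binding_urn:
            continue
        if sp not in last or stamp > last[sp]:
            last[sp] = stamp
    return last


def endpoint_status(log_text, binding_urn, today, max_idle_days=90):
    """Classify a binding: 'unused' (never seen in the log), 'idle' (last use
    more than max_idle_days before today, i.e. a removal candidate) or
    'in_use'. 'today' is an ISO date string such as '2015-06-11'."""
    last = last_use_by_sp(log_text, binding_urn)
    if not last:
        return "unused"
    newest = max(last.values())
    if datetime.strptime(today, "%Y-%m-%d") - newest > timedelta(days=max_idle_days):
        return "idle"
    return "in_use"


if __name__ == "__main__":
    for urn in (SAML1_SOAP, SAML2_POST_SIMPLESIGN, SAML2_POST, SAML2_ARTIFACT):
        print(urn.rsplit(":", 1)[1], "->", endpoint_status(SAMPLE_LOG, urn, "2015-06-11"))
        for sp, stamp in sorted(last_use_by_sp(SAMPLE_LOG, urn).items()):
            print("   last used", stamp.date(), "by", sp)
    print("grep hits for HTTP-POST:", naive_grep_count(SAMPLE_LOG, SAML2_POST),
          "/ exact SPs:", len(last_use_by_sp(SAMPLE_LOG, SAML2_POST)))
```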
Page 68
SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3

- IdPv3 provides better support for clustering than IdPv2
  - Especially: user login sessions are stored on the client instead of on the server in memory
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment
[Diagrams of an example clustered IdP environment]
Page 71
Options: Load Balancing Hardware vs DNS Round Robin

- Full-featured setup
  - Special load balancing hardware or software is highly recommended
    - Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    - Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    - Behavior of clients is not determinable
    - Does not guarantee sticky sessions
- Basic setup (Active/Standby system)
  - Anycast IP address: fast switching possible, but more complicated setup
  - Switching via DNS: switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs server-side

- Server-side database: can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities

- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)

- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
- "Common Database" means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage

- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management

- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
- Setup
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes

- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta
  - No longer an option for IdPv3
Considerations for planning an IdP cluster

- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
Page 76
References / Documentation

- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for Interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
- Most federations are of national scope
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  - Research projects are mostly multi-national
- Interconnecting national federations: Interfederation
  - Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
[World map of federations, Production and Pilot; source: https://refeds.org/federations/federations-map]
eduGAIN Status

- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015
  - IdPs: 1257
  - SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
(Persistent Name ID)

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?

- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt in for eduGAIN
  - Some federations decided for opt-out instead
- MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN document framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata

- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for internationally coherent use, based on
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context:
  - Filling the gap of missing common policies
  - Support or increase scalable trust

Metadata
[Diagram: entity categories in metadata]
Page 84
GÉANT Data Protection Code of Conduct

- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles

- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative informational documents
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template

- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship

- R&S SPs support
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Page 89
Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

- Log files:
  - error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  - access.log: aai-login.example.org.access.log
- Location: /var/log/apache2/
- Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files

- catalina.out: console output (System.err/out) from Tomcat
  - Default logging location: /var/log/tomcat7/
  - Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  - Default logging location: /var/log/tomcat7/
  - Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)

- Logging implementation called Logback (Log4j successor). Manual:
  http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
- Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)

- Location: /opt/shibboleth-idp/logs/
- Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)

- Config: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings usually OK. Change it if required, i.e.
  - LDAP Auth Module or authentication events
  - new Logger or Appender...
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener into the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry
   idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG" />
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284] ...
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template...:203] ...
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat
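Finding the two entries of step 5 by hand works for a lab VM; on a busy IdP you want to filter idp-process.log by logger and level and keep stack traces attached to the entry they belong to. The script below is an added example for this hands-on, not part of the SWITCH material or of the IdP. It assumes the default logback.xml line layout "%date - %level [%logger:%line] - %msg" (adjust LINE_RE otherwise); the sample lines are constructed and the class names below the resolver package are made up for the sample.

```python
"""Triage helper for /opt/shibboleth-idp/logs/idp-process.log (added example).
Assumes the default logback layout; lines that do not match it (stack traces)
are attached to the entry that precedes them.  Sample lines are constructed."""
import re
from collections import Counter

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR) "
    r"\[(?P<logger>[^:\]]+):(?P<line>\d+)\] - (?P<msg>.*)$")

# Constructed sample; the Example* class names are not real IdP classes.
SAMPLE_PROCESS_LOG = """\
2015-06-11 14:02:11,031 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticating student1 (constructed)
2015-06-11 14:02:11,052 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ExampleFilterBuilder:203] - search filter: (uid=) (constructed)
2015-06-11 14:02:11,060 - WARN [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ExampleConnector:220] - no LDAP result for the search filter (constructed)
2015-06-11 14:02:11,061 - ERROR [net.shibboleth.idp.attribute.resolver.impl.ExampleResolver:140] - data connector myLDAP failed (constructed)
javax.naming.NamingException: constructed exception text
\tat org.example.Frame.method(Frame.java:1)
2015-06-11 14:02:19,400 - WARN [net.shibboleth.idp.authn.impl.ExampleValidator:158] - login by student9 failed (constructed)
"""


def parse_process_log(text):
    """Turn the log text into a list of entry dicts; trace lines are attached."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry["line"] = int(entry["line"])
            entry["trace"] = []
            entries.append(entry)
        elif entries:
            # continuation line (stack trace) belongs to the previous entry
            entries[-1]["trace"].append(raw)
    return entries


def entries_for(entries, logger_prefix, min_level="DEBUG"):
    """Entries whose logger starts with logger_prefix, at min_level or above."""
    floor = LEVELS.index(min_level)
    return [e for e in entries
            if e["logger"].startswith(logger_prefix)
            and LEVELS.index(e["level"]) >= floor]


def problem_summary(entries):
    """WARN/ERROR count per logger: the first thing to check after a failed login."""
    return Counter(e["logger"] for e in entries if e["level"] in ("WARN", "ERROR"))


def format_entry(e):
    head = "%s %-5s [%s:%d] %s" % (e["ts"], e["level"], e["logger"], e["line"], e["msg"])
    return "\n".join([head] + e["trace"])


if __name__ == "__main__":
    entries = parse_process_log(SAMPLE_PROCESS_LOG)
    # step 5 of the hands-on: everything the resolver logged for the request
    for e in entries_for(entries, "net.shibboleth.idp.attribute.resolver"):
        print(format_entry(e))
    for logger, n in problem_summary(entries).most_common():
        print("%3d  %s" % (n, logger))
```

Run it against the real file with `parse_process_log(open("/opt/shibboleth-idp/logs/idp-process.log").read())`; a DEBUG logger as set in step 3 produces a lot of lines, so narrow with the logger prefix first and look at problem_summary() before reading individual entries.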
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more of course... but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  $ curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=...'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out beforehand
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to check why it fails
      · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
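Both the check above ("were all required attributes released?") and the reload question from the previous slide set ("entries in idp-audit.log just record reload events") come down to reading idp-audit.log by field. The script below is an added example for both, not code from the SWITCH material or from the Shibboleth IdP. It assumes the pipe-separated field order listed in FIELDS (adjust it to the formatting map in your conf/audit.xml); the sample lines are constructed, with the reload line copying the shape shown on the slide.

```python
"""Read idp-audit.log by field (added example).  Assumption: the audit layout
in FIELDS below, which must match the formatting map in conf/audit.xml.
Sample records are constructed."""

FIELDS = ["time", "binding", "inbound_message_id", "relying_party", "profile",
          "principal", "authn_context", "attributes", "nameid_format", "nameid",
          "assertion_ids"]

PROFILE_SSO = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

# Constructed sample: two browser-SSO records and one reload record.
SAMPLE_AUDIT_LOG = """\
20150611T080102Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|student1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonAffiliation,swissEduPersonUniqueID,givenName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n1|_as1|
20150611T080534Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081201Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|staff3|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonAffiliation,surname|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n2|_as2|
"""


def parse_audit_log(text):
    """One dict per record; the attribute field becomes a list of attribute IDs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        parts += [""] * (len(FIELDS) - len(parts))   # tolerate short lines
        rec = dict(zip(FIELDS, parts))              # extra trailing fields are dropped
        rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
        records.append(rec)
    return records


def released_attributes(records, relying_party, principal=None):
    """Attribute IDs the IdP released to relying_party via browser SSO."""
    out = set()
    for r in records:
        if (r["profile"] == PROFILE_SSO and r["relying_party"] == relying_party
                and (principal is None or r["principal"] == principal)):
            out.update(r["attributes"])
    return out


def missing_attributes(records, relying_party, required):
    """Required attribute IDs (from the Resource Registry) that never appeared."""
    return sorted(set(required) - released_attributes(records, relying_party))


def reload_events(records):
    """(time, profile) of admin reloads; the id= argument is not in the record."""
    return [(r["time"], r["profile"]) for r in records if r["profile"] in RELOAD_PROFILES]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    sp = "https://sp.example.org/shibboleth-sp"
    print("released to %s: %s" % (sp, sorted(released_attributes(recs, sp))))
    print("missing:", missing_attributes(recs, sp, ["givenName", "surname", "swissEduPersonUniqueID"]))
    for when, profile in reload_events(recs):
        print("reload", when, profile.rsplit("/", 1)[1])
```

The attribute names in the audit record are the resolver's attribute IDs, not the SAML names the SP sees, so compare against the IDs your attribute-filter releases. For the reload question: every field but the timestamp and the profile URI is empty in a reload record, so the id= value has to be taken from the Apache access.log, which records the full request line including the query string.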
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the Is Federated Checker: https://wiki.edugain.org/isFederatedCheck (provide e-mail addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Persistent ID and user consent storage
• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters, other RDBMSes might be better fits

Testing strategy
• /etc/hosts is your friend
• set up the IdP v3 on a completely new system
• retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2, most IdP traffic is now front channel
  – straightforward testing is possible by simple edits of your hosts file:
    192.0.2.3 aai-login.example.org
• for back-channel testing, a temporary change to an SP's hosts file can be an option
Test of the VM Images: Boot VM image and test network connectivity
SWITCHaai Team, aai@switch.ch

General Information
• Course material is adapted for use in SWITCHaai
• Course material will be published online: check https://www.switch.ch/aai/docs/training
• If you see the hands-on icon on a slide, hands-on work is required

Boot up the image
1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox opens automatically. Ensure that it displays the page shown on the slide. If you don't see this message, contact an assistant.

VM Operating System Environment
• Ubuntu 14.04.2 LTS, VirtualBox / VMware VMDK image
• User: idp-admin, Password: password (in the sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (same name for all participants): aai-login.example.org

Test AAI Login with Demo Service Provider
1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the Example Organisation
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux DOS Command Linux Command dir ls -l
cd ltdirectorygt cd ltdirectorygt
mkdir or md ltdirectorygt mkdir ltdirectorygt
rmdir or rd ltdirectorygt rmdir ltdirectorygt
chdir pwd
del or erase ltfilegt rm ltfilegt
copy and xcopy ltfilegt cp and cp ndashR ltfilegt find or findstr ltfilegt grep ltstringgt ltfilegt
comp ltfile1gt ltfile2gt diff ltfile1gt ltfile2gt
edit ltfilegt nano or vim or emacs ltfilegt ping lthostgt ping lthostgt
reboot reboot
Page 6
File Editing Commands for Terminal Editor

Action               nano                  vim
Open file            $ nano <file>         $ vim <file>
Save file            <ctrl>-o              <esc> :w
Save and exit        <ctrl>-x              <esc> :wq
Search string        <ctrl>-w string       <esc> /string
Go to line number    <ctrl>-_ number       <esc> :number  or  number <shift>-G

gedit is the recommended text editor. It is started as root user; its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user. This happens automatically if a Terminal is opened or if the text editor is used.
• The character \ is a line continuation symbol, which allows a long command to be broken across lines when typed
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems.

More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing.
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser, open https://aai-login.example.org
Test Users on your Identity Provider

Username: student1, Password: password1
  UniqueID: 2490257@example.org
  Given name / surname: Test1 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: student2, Password: password2
  UniqueID: 8548997@example.org
  Given name / surname: Test2 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: staff3, Password: password3
  UniqueID: 7622788@example.org
  Given name / surname: Test3 Staff
  Affiliation: staff, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms
Important directories

/opt/shibboleth-idp              Identity Provider installation directory
/opt/shibboleth-idp/conf         Configuration files
/opt/shibboleth-idp/logs         Log files like idp-process.log
/opt/shibboleth-idp/credentials  X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp  Changes for the web application that survive upgrades
Configuration Pattern: Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

  <!-- Attribute Resolver Configuration -->
  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <!-- Attribute Filter Configuration -->
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  </util:list>
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
• Bean: some software object that is configurable by setting its attributes
• Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties
Configuration file /opt/shibboleth-idp/conf/ldap.properties:

  # LDAP connection parameters
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml:

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file /opt/shibboleth-idp/conf/services.xml:

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  </util:list>

References
For comprehensive information, refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication: How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    · username/password login form
    · authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extensions (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    · username/password login form
    · authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.
Login Flows
[Diagram: SAML Request → Shibboleth IdP Authentication Engine (selects a suitable flow and executes it) → RemoteUser / X509 / Password Authentication Flow → SAML Response]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required, but the client must support ECP appropriately.
Authentication Configuration
• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular expression (i.e. the order doesn't matter):
  idp.authn.flows = Password
  idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – all LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
    (keep this file readable by the Tomcat user only)
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator for the setup described here
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted and user passwords cross the network in the clear.
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input ({user})
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration. Get familiar with properties files.
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

  ShibUserPassAuth {
     edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"   is the same as   userFilter="(uid={0})"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/credentials.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
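The migration above is mechanical enough to script, which is worth doing when several IdPs or test systems have to be converted and the bind password must not end up in ldap.properties by accident. The converter below is an added example, not code from the SWITCH material or the Shibboleth project. The option-to-property mapping follows the hands-on solution; deriving useSSL/useStartTLS from the URL scheme and rewriting the JAAS {0} placeholder to {user} are this example's own choices. The login.config text is a constructed sample.

```python
"""Convert the LdapLoginModule entry of an IdP v2 login.config into IdP v3
ldap.properties and credentials.properties keys (added example; mapping per the
hands-on solution, TLS-flag derivation and {0}->{user} rewrite are assumptions)."""
import re

# Constructed sample mirroring the hands-on, using the userFilter variant
SAMPLE_LOGIN_CONFIG = """\
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userFilter="(uid={0})"
      subtreeSearch="true";
};
"""

_OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_entry(text, entry="ShibUserPassAuth"):
    """Return the option dict of the LdapLoginModule inside the named JAAS entry."""
    m = re.search(r"%s\s*\{(.*?)\};" % re.escape(entry), text, re.S)
    if not m:
        raise ValueError("JAAS entry %s not found" % entry)
    body = m.group(1)
    if "LdapLoginModule" not in body:
        raise ValueError("entry %s does not use LdapLoginModule" % entry)
    return dict(_OPTION_RE.findall(body))


def to_idp3_properties(opts):
    """Split the v2 options into (ldap.properties, credentials.properties) dicts."""
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    url = opts["ldapUrl"]
    ldap["idp.authn.LDAP.ldapURL"] = url
    # TLS flags from the URL scheme: ldaps:// -> useSSL, ldap:// -> StartTLS,
    # so the converted IdP never binds in the clear (assumption of this example)
    schemes = {u.split("://", 1)[0] for u in url.split()}
    if schemes not in ({"ldaps"}, {"ldap"}):
        raise ValueError("mixed or unknown URL schemes: %s" % sorted(schemes))
    ldaps = schemes == {"ldaps"}
    ldap["idp.authn.LDAP.useSSL"] = "true" if ldaps else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if ldaps else "true"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    ldap["idp.authn.LDAP.baseDN"] = opts["baseDn"]
    ldap["idp.authn.LDAP.subtreeSearch"] = opts.get("subtreeSearch", "false")
    if "userFilter" in opts:
        # JAAS filters use {0} for the login name, the v3 Password flow uses {user}
        ldap["idp.authn.LDAP.userFilter"] = opts["userFilter"].replace("{0}", "{user}")
    else:
        ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % opts["userField"]
    ldap["idp.authn.LDAP.bindDN"] = opts["bindDn"]
    # the bind password goes to credentials.properties only
    creds = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap, creds


def render(props):
    """Properties-file text, one 'key = value' per line."""
    return "".join("%s = %s\n" % (k, v) for k, v in props.items())


if __name__ == "__main__":
    ldap, creds = to_idp3_properties(parse_jaas_entry(SAMPLE_LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties\n" + render(creds))
```

Feed it the real file with `parse_jaas_entry(open("/opt/shibboleth-idp/conf/login.config").read())`, then merge the two dicts into the existing properties files rather than overwriting them, since both contain settings the v2 configuration never had.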
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – connecting to multiple LDAP trees with different user bases
    (might be done with native LDAP authentication, but requires complex configuration)
  –	connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – customize look and feel
  – customize messages/languages
  – add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used ones (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity properties

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Keep the $encoder.encodeForHTML() call: these values come from the SP's metadata, which for interfederated SPs is published by another federation, so rendering them unencoded would let metadata content inject HTML into your login page.
copy SWITCH 201513
Hands On I bull make the IdP logo disappear for screens smaller than
799 px13 13
1713
copy SWITCH 201513
Hands On II bull return the following error message on the login form in
case of invalid username or incorrect password13
13ldquo The credentials you entered are incorrectrdquo1313
1813
Page 31
copy SWITCH 201513
Hands On III bull Start to adapt the loginvm in such way that it looks like
your production IdP13
1913
copy SWITCH 201513
Example Solution I

• define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• use the class in login.vm:

    <img class="idp_logo" align="right" …

• rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II

• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation
New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}" queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry
Page 37
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Page 38
Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
Page 40
References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice

• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
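As an added illustration (not code from the SWITCH handouts or the Shibboleth project), the following Python shows the computed persistent ID described above, the qualified NameID element, and the SP's "idp!sp!value" string rendering with its inverse. The "!" separators inside the hash input are an assumption taken from the Shibboleth computed-ID strategy (the slide only says "plus"); entity IDs, source value and salt are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not real entities or secrets).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SALT = "example-salt-do-not-use"  # the real value lives in credentials.properties

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Persistent ID proper: Base64(SHA-1(spEntityID + '!' + sourceValue + '!' + salt)).

    The '!' separators are assumed from the Shibboleth computed-ID strategy. The
    output is the 20-byte digest, i.e. 28 Base64 characters ending in one '='.
    """
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")


def name_id_element(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """On-the-wire form: the NameID element, qualified by both entity IDs."""
    return (
        f'<NameID Format="{PERSISTENT_FORMAT}" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{value}</NameID>"
    )


def render_targeted_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """String form the Shibboleth SP hands to applications: qualifiers and value joined by '!'."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def parse_targeted_id(rendered: str) -> tuple:
    """Inverse of render_targeted_id. The value is Base64 and the qualifiers are URLs,
    so none of the three parts contains '!'; anything else is rejected."""
    parts = rendered.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a qualified persistent ID: " + rendered)
    return parts[0], parts[1], parts[2]


def verify_persistent_id(sp_entity_id: str, source_value: str, salt: str, claimed: str) -> bool:
    """Recompute and compare in constant time: how an operator can check a stored
    ID against the source attribute value without a database lookup."""
    return hmac.compare_digest(compute_persistent_id(sp_entity_id, source_value, salt), claimed)


if __name__ == "__main__":
    pid = compute_persistent_id(SP_ENTITY_ID, "12345@example.org", SALT)
    other = compute_persistent_id("https://other-sp.example.net/shibboleth", "12345@example.org", SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(render_targeted_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("targeted (same user, different SP, different ID):", pid != other)
```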
Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits
Global configuration options

Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example: conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration

Configured by Java properties in conf/idp.properties

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
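As an added model (not code from the handouts or the Shibboleth IdP) of the white/black list rules on the previous slide and the display order on this one: the functions below take the slide's default black list, apply the "white list filled means everything else is released without asking" rule, and order the prompted attributes with white-listed ones first, then alphabetically. The attribute names in the sample are constructed.

```python
import re
from typing import Iterable, List, Optional

# Defaults as listed on the slide: white list empty, no pattern, this black list.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt_for(
    resolved: Iterable[str],
    whitelist: Iterable[str] = (),
    blacklist: Iterable[str] = DEFAULT_BLACKLIST,
    pattern: Optional[str] = None,
) -> List[str]:
    """Which resolved attributes the consent page shows.

    Black-listed attributes are never shown. With an empty white list and no
    pattern, every other attribute is shown. Once a white list or a pattern is
    set, only white-listed or matching attributes are shown; everything else
    is released without asking (the edge case the slide warns about).
    """
    allow = set(whitelist)
    deny = set(blacklist)
    regex = re.compile(pattern) if pattern else None
    selective = bool(allow) or regex is not None
    shown = []
    for attr in resolved:
        if attr in deny:
            continue
        if selective and not (attr in allow or (regex is not None and regex.search(attr))):
            continue
        shown.append(attr)
    return shown


def released_silently(
    resolved: Iterable[str],
    whitelist: Iterable[str] = (),
    blacklist: Iterable[str] = DEFAULT_BLACKLIST,
    pattern: Optional[str] = None,
) -> List[str]:
    """Attributes that reach the SP without appearing on the consent page under
    the same settings. The black list only hides attributes, it does not withhold them."""
    resolved = list(resolved)
    shown = set(attributes_to_prompt_for(resolved, whitelist, blacklist, pattern))
    return [attr for attr in resolved if attr not in shown]


def display_order(prompted: Iterable[str], whitelist: Iterable[str] = ()) -> List[str]:
    """Order used on the consent page: white-listed attributes first (in white
    list order), then the rest alphabetically."""
    prompted = list(prompted)
    first = [attr for attr in whitelist if attr in prompted]
    rest = sorted(attr for attr in prompted if attr not in first)
    return first + rest


if __name__ == "__main__":
    # Constructed set of resolved attributes for one login.
    sample = ["mail", "displayName", "eduPersonTargetedID", "uzhSAPUserId", "eduPersonAffiliation"]
    print("defaults, shown:   ", display_order(attributes_to_prompt_for(sample)))
    print("defaults, silent:  ", released_silently(sample))
    print("whitelist mail, shown: ", attributes_to_prompt_for(sample, whitelist=["mail"]))
    print("whitelist mail, silent:", released_silently(sample, whitelist=["mail"]))
```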
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>
Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP
Page 54
Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
Page 55
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override

Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
Page 58
Upgrades within Version 3: It's easy now!

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:

    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

Its SAML2 Metadata!
Page 62
Does the metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description

(screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:

1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes
2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for the Attribute Service and the Artifact Resolution Service.

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3. Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time
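The grep above lists every hit; the following added Python script (not from the handouts) boils the same log lines down to the last use of each SAML binding and the SP that used it, which is the information needed to decide whether an endpoint can go. The sample log lines are constructed; the parser assumes only that each line starts with an ISO 8601 timestamp (as the IdP's process log does) and mentions the binding URN and an https:// entity ID somewhere.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Timestamp at the start of each log line; the binding URN and the first
# https:// entity ID found anywhere in the line.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
ENTITY_ID_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed sample lines, loosely modelled on idp-process.log (not real log output).
SAMPLE_LOG = [
    "2015-02-11 08:30:12,004 - INFO [constructed] - Inbound message binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://sp.example.org/shibboleth",
    "2015-02-11 08:31:47,310 - INFO [constructed] - Inbound message binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://old-sp.example.org/shibboleth",
    "2015-03-02 09:14:05,118 - WARN [constructed] - Message replay check passed, no binding information on this line",
    "2015-04-20 17:02:41,556 - INFO [constructed] - Inbound message binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://legacy-sp.example.org/shibboleth",
    "2015-05-30 11:45:09,021 - INFO [constructed] - Inbound message binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP relyingParty=https://sp.example.org/shibboleth",
]


def last_use_per_binding(lines: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each binding URN seen in the log to (latest timestamp, SP entity ID).

    Timestamps are compared as strings, which is safe for the ISO format; lines
    without a timestamp or without a binding URN are ignored.
    """
    last: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in lines:
        ts = TIMESTAMP_RE.match(line)
        binding = BINDING_RE.search(line)
        if not ts or not binding:
            continue
        sp = ENTITY_ID_RE.search(line)
        when = ts.group(1)
        key = binding.group(0)
        if key not in last or when > last[key][0]:
            last[key] = (when, sp.group(0) if sp else None)
    return last


def binding_unused(lines: Iterable[str], binding: str) -> bool:
    """True when the given binding URN never appears with a timestamp in the log."""
    return binding not in last_use_per_binding(list(lines))


if __name__ == "__main__":
    import sys

    lines = SAMPLE_LOG
    if len(sys.argv) > 1:  # e.g. /opt/shibboleth-idp/logs/idp-process-2015-*.log
        lines = [line for path in sys.argv[1:]
                 for line in open(path, encoding="utf-8", errors="replace")]
    for binding, (when, sp) in sorted(last_use_per_binding(lines).items()):
        print(f"{binding}: last used {when} by {sp or 'unknown SP'}")
    print("SAML1 SOAP binding unused:", binding_unused(lines, SAML1_SOAP))
```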
Page 68
Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of in memory on the server
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment

(diagram of the example cluster environment)
Page 71
Options

• Full-featured setup: load balancing hardware vs. DNS round robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy
Options

• Data storage: client-side vs. server-side
  – A server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[Figure: world map of academic identity federations in production and pilot status; source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                      | Defined in | Example
displayName                                        | eduPerson  | Peter Sample
common name (cn)                                   | eduPerson  | Peter Sample
mail                                               | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                             | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                              | SCHAC      | example.org
schacHomeOrganizationType                          | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework building blocks: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata
[Figure: entity category in metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes; attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
Attribute Release Configuration: How attributes are released
Attribute Release Rules
Attribute Release Settings (1)
[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2)
Overview of Log Files
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties (FileHandler.level: INFO; possible values SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
cfg: /opt/shibboleth-idp/conf/logback.xml
3 main classes: Logger, Appender (output destination) and Layout
Default settings are usually OK. Change them if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2
Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Test of the VM Images: Boot VM image and test network connectivity
General Information
• Course material is adapted for use in SWITCHaai
• Course material will be published online. Check https://www.switch.ch/aai/docs/training
• If you see this icon on a slide, hands-on work is required
Boot up the image
1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant
VM Operating System Environment
• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide. Network connectivity is needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (same name for all participants): aai-login.example.org
Test AAI Login with Demo Service Provider
1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux

DOS Command               | Linux Command
dir                       | ls -l
cd <directory>            | cd <directory>
mkdir or md <directory>   | mkdir <directory>
rmdir or rd <directory>   | rmdir <directory>
chdir                     | pwd
del or erase <file>       | rm <file>
copy and xcopy <file>     | cp and cp -R <file>
find or findstr <file>    | grep <string> <file>
comp <file1> <file2>      | diff <file1> <file2>
edit <file>               | nano or vim or emacs <file>
ping <host>               | ping <host>
reboot                    | reboot
File Editing Commands for Terminal Editor

Editor             | nano              | vim
Open file          | $ nano <file>     | $ vim <file>
Save file          | <ctrl>-o          | <esc> :w
Save and exit      | <ctrl>-x          | <esc> :wq
Search string      | <ctrl>-w string   | <esc> /string
Go to line number  | <ctrl>-_ number   | <esc> number <shift>-G

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user. This happens automatically if the Terminal is opened or if the text editor is used
• The character \ is the line break symbol, which allows breaking a line when typed
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems
More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary but is safer for testing
• SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1 (the password is "password"). Useful for $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org
Test Users on your Identity Provider

Username: student1, Password: password1
  UniqueID: 2490257@example.org; Givenname, surname: Test1 Student; Affiliation: student, member; Entitlements: urn:mace:dir:entitlement:common-lib-terms
Username: student2, Password: password2
  UniqueID: 8548997@example.org; Givenname, surname: Test2 Student; Affiliation: student, member; Entitlements: urn:mace:dir:entitlement:common-lib-terms
Username: staff3, Password: password3
  UniqueID: 7622788@example.org; Givenname, surname: Test3 Staff; Affiliation: staff, member; Entitlements: urn:mace:dir:entitlement:common-lib-terms
Important directories
• /opt/shibboleth-idp: Identity Provider installation directory
• /opt/shibboleth-idp/conf: configuration files
• /opt/shibboleth-idp/logs: log files like idp-process.log
• /opt/shibboleth-idp/credentials: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades
Configuration Pattern: Get used to Spring Beans and Properties
What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers
Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />
Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
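To see how a properties file feeds the bean definitions above, here is an added example (not code from the slides or the Shibboleth project) that re-implements the %{key:default} placeholder rule in Python and resolves the connectionConfig bean against a constructed ldap.properties excerpt; the file contents, the "idp.home" entry and the Spring namespace handling are assumptions of this example.

```python
"""Resolve Spring-style %{key:default} placeholders in IdP v3 bean definitions.

Added example, not IdP code: a small re-implementation of the placeholder rule
the slides describe, so the effect of a properties file on a bean can be checked
offline before a service is reloaded.
"""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of ldap.properties (values as shown on the slides).
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.home = /opt/shibboleth-idp
"""

# Constructed excerpt of ldap-authn-config.xml with the bean from the slide.
BEAN_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />
</beans>
"""

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
P_NS = "{http://www.springframework.org/schema/p}"
BEANS_NS = "{http://www.springframework.org/schema/beans}"


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comment lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Replace every %{key} or %{key:default} in value.

    A key without a default that is missing from the properties is an error,
    so a forgotten property fails loudly instead of silently becoming empty.
    """
    def repl(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError("undefined property without default: " + key)
    return PLACEHOLDER.sub(repl, value)


def bean_settings(bean_xml, props, bean_id):
    """Return {attribute: resolved value} for the p: attributes of one bean."""
    root = ET.fromstring(bean_xml)
    for bean in root.iter(BEANS_NS + "bean"):
        if bean.get("id") != bean_id:
            continue
        settings = {}
        for name, raw in bean.attrib.items():
            if name.startswith(P_NS):
                settings[name[len(P_NS):]] = resolve(raw, props)
        return settings
    raise KeyError("no bean with id " + bean_id)


if __name__ == "__main__":
    cfg = bean_settings(BEAN_XML, parse_properties(LDAP_PROPERTIES), "connectionConfig")
    for key in sorted(cfg):
        print(key, "=", cfg[key])
```

Note that connectTimeout is not set in the properties excerpt, so the bean's default of 3000 applies, while a missing key without a default (such as idp.authn.LDAP.bindDN) raises an error.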
References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication: How to do it the v3 way
From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development
Login Flows
[Figure: SAML Request → Shibboleth IdP Authentication Engine (selects a suitable flow and executes it) → RemoteUser, X509 or Password Authentication Flow → SAML Response]
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  • But the client must support ECP appropriately
Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
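The activation rule above, as an added example that is not part of the slides or of the IdP code: it reads idp.authn.flows from a constructed idp.properties excerpt and matches the expression against a constructed list of flow names in the order they are assumed to appear in general-authn.xml; treating the property as a full-name match is an assumption of this example.

```python
"""Determine which login flows an idp.authn.flows value activates.

Added example, not IdP code. Assumptions: the regular expression must match the
whole flow name, and DEFINED_FLOWS mirrors the order of general-authn.xml.
"""
import re

# Assumed order of the flow definitions in conf/authn/general-authn.xml.
DEFINED_FLOWS = ["IPAddress", "RemoteUser", "X509", "Password"]

# Constructed idp.properties excerpt containing the second line from the slide.
IDP_PROPERTIES = """\
# Regular expression matching login flows to enable
idp.authn.flows = X509|Password
"""


def flows_property(properties_text):
    """Return the value of idp.authn.flows, or None if the file does not set it."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "idp.authn.flows":
            return value.strip()
    return None


def active_flows(pattern, defined=DEFINED_FLOWS):
    """Flows whose complete name matches the expression, in general-authn.xml order.

    The result order comes from the definition list, not from the expression,
    which is why "X509|Password" and "Password|X509" activate the same flows.
    """
    rx = re.compile(pattern)
    return [name for name in defined if rx.fullmatch(name)]


def active_flows_from_properties(properties_text, defined=DEFINED_FLOWS):
    """Convenience wrapper: no idp.authn.flows entry means no flow is activated."""
    pattern = flows_property(properties_text)
    return active_flows(pattern, defined) if pattern else []


if __name__ == "__main__":
    print(active_flows_from_properties(IDP_PROPERTIES))
```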
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Page 20
copy 2015 SWITCH
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"   is equivalent to   userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/ldap.properties:
    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
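The migration in hands-on 2 is mechanical enough to script. The following is an added example (not SWITCH's or Shibboleth's tooling) that reads the LdapLoginModule options of a v2 login.config stanza and emits the v3 ldap.properties keys listed above; the login.config text is a constructed copy of the hands-on stanza, the bind password is routed to credentials.properties, and a list mixing ldap:// and ldaps:// URLs is rejected because v3 applies one TLS setting to all URLs.

```python
import re

# Constructed sample: the IdP v2 login.config stanza from hands-on 2.
LOGIN_CONFIG = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

_MODULE = "edu.vt.middleware.ldap.jaas.LdapLoginModule"
# key="quoted value" or key=bareword, up to whitespace or the closing ';'
_OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')


def parse_jaas_options(text):
    """Return the key/value options of the LdapLoginModule entry in a login.config."""
    start = text.find(_MODULE)
    if start < 0:
        raise ValueError("no LdapLoginModule entry found")
    end = text.find(";", start)
    body = text[start + len(_MODULE):end if end >= 0 else None]
    return {key: quoted or bare for key, quoted, bare in _OPTION_RE.findall(body)}


def to_v3_properties(options):
    """Map v2 options to two dicts: ldap.properties keys and credentials.properties keys."""
    urls = options.get("ldapUrl", "").split()
    if not urls:
        raise ValueError("ldapUrl is required")
    schemes = {url.split("://", 1)[0] for url in urls}
    if schemes == {"ldaps"}:
        use_ssl, use_starttls = "true", "false"
    elif schemes == {"ldap"}:
        # Plain ldap:// URLs are only encrypted when StartTLS is enabled.
        use_ssl, use_starttls = "false", "true"
    else:
        # useSSL/useStartTLS apply to every URL in the list; a mix is not expressible.
        raise ValueError("mixed ldap:// and ldaps:// URLs: %s" % urls)

    if "userFilter" in options:
        # v2 JAAS placeholder {0} becomes {user} in v3; make sure the filter is parenthesised.
        user_filter = options["userFilter"].replace("{0}", "{user}")
        if not user_filter.startswith("("):
            user_filter = "(%s)" % user_filter
    else:
        user_filter = "(%s={user})" % options.get("userField", "uid")

    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        "idp.authn.LDAP.useStartTLS": use_starttls,
        "idp.authn.LDAP.useSSL": use_ssl,
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": options["baseDn"],
        "idp.authn.LDAP.subtreeSearch": options.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": options["bindDn"],
    }
    # Keep the service user's password out of ldap.properties (hands-on 1 shows where it lives).
    credentials = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap_props, credentials


def render(props):
    """Serialise a dict as Java properties lines."""
    return "".join("%s = %s\n" % item for item in props.items())


if __name__ == "__main__":
    ldap_props, credentials = to_v3_properties(parse_jaas_options(LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties\n" + render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties\n" + render(credentials))
```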
Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References / Documentation

• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px.

Hands On II
• Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP.
Example Solution I

• Define a CSS class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• Use the class in login.vm:
    <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2

• Same XML syntax as v2; should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation
New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

(Doable in the Resource Registry too.)
Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice

• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
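The recap above can be made concrete with an added example (not Shibboleth's own code): it derives a persistent ID from the three inputs named on the slide, renders it the way the SP exposes it, and shows the check an SP-side consumer should do on the qualifiers. The "!" separators between the hashed inputs are an assumption (the slide only names the inputs), and all entity IDs, the user value and the salt are constructed placeholders.

```python
import base64
import hashlib


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Persistent ID proper: Base64 of SHA-1 over SP entity ID, user attribute value and salt.

    The '!' separators are an assumption; the slide only lists the three inputs.
    A 20-byte digest always encodes to 28 Base64 characters.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_string(idp_entity_id, sp_entity_id, persistent_id):
    """Render the value as the Shibboleth SP does: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_sp_attribute_string(value, expected_idp, expected_sp):
    """Split an SP-side rendering and verify both qualifiers before trusting the pseudonym.

    A qualifier mismatch means the ID was issued for a different IdP/SP pair and
    must not be mapped to a local account.
    """
    parts = value.split("!", 2)
    if len(parts) != 3:
        raise ValueError("expected NameQualifier!SPNameQualifier!value")
    idp, sp, pid = parts
    if idp != expected_idp or sp != expected_sp:
        raise ValueError("persistent ID qualified for %s / %s, expected %s / %s"
                         % (idp, sp, expected_idp, expected_sp))
    if len(base64.b64decode(pid, validate=True)) != 20:
        raise ValueError("persistent ID is not a Base64-encoded 20-byte SHA-1 digest")
    return pid


# Constructed placeholder values, not real federation data.
IDP = "https://aai-login.example.org/idp/shibboleth"
SP = "https://sp.example.org/shibboleth"
OTHER_SP = "https://other-sp.example.org/shibboleth"
USER_VALUE = "123456@example.org"        # e.g. the swissEduPersonUniqueID source value
SALT = "placeholder-salt-from-credentials.properties"

if __name__ == "__main__":
    pid = computed_persistent_id(SP, USER_VALUE, SALT)
    print("NameID value for", SP, "->", pid)
    # Targeted: the same user gets an unrelated pseudonym at another SP.
    print("NameID value for", OTHER_SP, "->", computed_persistent_id(OTHER_SP, USER_VALUE, SALT))
    print("As exposed by the SP:", sp_attribute_string(IDP, SP, pid))
```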
Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c "truncate shibpid"
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]
Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options (default value in brackets):
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP: default mapping using the entityID
    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.
Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
• Add text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override

Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation

• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
  1, 2: to review
  3: to adapt
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
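The grep above tells you that a binding was used; deciding whether an endpoint is safe to drop also needs the last use per SP and a cut-off. The following added example (not SWITCH's or Shibboleth's code) does that over log lines; the line format in SAMPLE_LOG is constructed for the example, so the regex must be adapted to the actual messages in your idp-process log.

```python
import re
from datetime import datetime, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample log lines: timestamp, level, and a message naming the binding and the SP.
SAMPLE_LOG = """\
2015-01-12 08:03:41,102 - INFO [example:1] - decoded urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
2015-02-20 17:45:09,877 - INFO [example:1] - decoded urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
2015-03-02 09:41:10,512 - INFO [example:1] - decoded urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
2015-05-30 12:00:00,001 - INFO [example:1] - decoded urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"      # timestamp at the start of the line
    r".*?(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:\S+)"
    r".*?relying party (?P<sp>\S+)"                       # constructed message shape, adapt to your logs
)


def binding_usage(lines, binding):
    """Return {sp_entity_id: (count, last_seen)} for lines that mention `binding`."""
    usage = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match or match.group("binding") != binding:
            continue
        seen = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
        count, last = usage.get(match.group("sp"), (0, None))
        usage[match.group("sp")] = (count + 1, seen if last is None or seen > last else last)
    return usage


def last_use(lines, binding):
    """Return the most recent use as 'YYYY-MM-DD HH:MM:SS', or None if the binding never appears."""
    seen = [last for _, last in binding_usage(lines, binding).values()]
    return max(seen).strftime("%Y-%m-%d %H:%M:%S") if seen else None


def removal_candidate(lines, binding, today, max_idle_days=90):
    """True when no SP used `binding` within `max_idle_days` before `today` ('YYYY-MM-DD').

    A binding that never appears in the logs is a candidate too; one used recently is not.
    """
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_idle_days)
    return all(last < cutoff for _, last in binding_usage(lines, binding).values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, binding in (("SAML1 SOAP", SAML1_SOAP), ("SAML2 POST", SAML2_POST),
                          ("SAML2 POST-SimpleSign", SAML2_POST_SIMPLESIGN)):
        for sp, (count, last) in binding_usage(lines, binding).items():
            print("%s: %d use(s) by %s, last on %s" % (name, count, sp, last))
        print("%s endpoint removable (as of 2015-06-11): %s"
              % (name, removal_candidate(lines, binding, "2015-06-11")))
```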
Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP.
• Special configuration of the IdP is required.
• Load balancing requires special hardware or software.
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Page 70
Example Environment (diagram)
Page 71
Options: Full-featured setup
Load Balancing Hardware vs. DNS Round Robin
• Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored.
  • Supports sticky sessions (required for short-lived conversation sessions).
• DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable.
  • Does not guarantee sticky sessions.
Options: Basic setup (Active/Standby system)
• Anycast IP address: fast switching possible, but more complicated setup.
• Switching via DNS: switching takes some time (TTL), but the setup is easy.
Options: Data storage client-side vs. server-side
• A server-side database can store any data.
  • But: might cause some performance penalty.
  • A centralized/clustered or replicated database is required.
• Client-side storage using cookies:
  • Doesn't work for large data like user consents.
  • Stored per single client: not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence.
  • Bound to a single node (session state stored in memory).
  • Requires session stickiness on the load balancer (short-time only).
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client).
• Persistent ID
  • Unique opaque identifier for a user per service provider.
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database.
  • Requires that all IdPs access a common storage to fully support Attribute Queries.
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side).
  • Requires server-side storage to allow users to use multiple browsers/clients.
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai.
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration).
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used.
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes.
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
• Alternatives for the message replay cache: common database or memcached (depending on security requirements).
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  • Install an appropriate cronjob.
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
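Why every node must hold the same (and the previous) key versions is easiest to see with a small model. The code below is an added illustration, not the IdP's DataSealer or the cronjob from the wiki: it labels each sealed cookie with the key version that produced it, keeps a configurable number of older versions so that cookies sealed before a rotation still open, and shows what happens on a node that never received the new key. The sealing primitive (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag) is chosen only because it needs no third-party library; a real deployment uses AES-GCM. Key labels, the retention count and the session content are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os


class KeyStore:
    """Versioned secret keys. Keeps the newest `retain` versions so cookies sealed
    shortly before a rotation still open (retention count assumed for this example)."""

    def __init__(self, retain=3):
        self.retain = retain
        self.keys = {}      # label -> 32-byte key
        self.version = 0

    def rotate(self):
        """Generate a new key version and drop versions beyond the retention window."""
        self.version += 1
        self.keys[f"secret{self.version}"] = os.urandom(32)
        for old in sorted(self.keys, key=lambda l: int(l[6:]))[:-self.retain]:
            del self.keys[old]
        return self.current()

    def current(self):
        return f"secret{self.version}"

    def export(self):
        """What the generating node copies to the other cluster nodes."""
        return dict(self.keys)

    def load(self, exported):
        self.keys = dict(exported)
        self.version = max(int(l[6:]) for l in self.keys)


def _keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode (illustrative stream cipher)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(store, session):
    """Encrypt-then-MAC the session dict under the store's current key; prefix the key label."""
    label = store.current()
    key = store.keys[label]
    nonce = os.urandom(16)
    plain = json.dumps(session).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    body = label.encode() + b":" + nonce + cipher
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def unseal(store, cookie):
    """Return the session dict, or None if the key version is unknown here or the tag fails."""
    raw = base64.urlsafe_b64decode(cookie)
    try:
        label, rest = raw.split(b":", 1)
    except ValueError:
        return None
    key = store.keys.get(label.decode(errors="replace"))
    if key is None:
        return None   # this node never got that key version: session lost, user re-logs in
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None   # tampered cookie or wrong key
    nonce, cipher = rest[:16], rest[16:-32]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


def cluster_demo():
    """Node A generates keys and copies them to node B; then A rotates without re-copying."""
    node_a = KeyStore(retain=2)
    node_a.rotate()
    node_b = KeyStore(retain=2)
    node_b.load(node_a.export())                       # the cronjob's copy step
    cookie = seal(node_a, {"principal": "student1", "authn": "Password"})
    opened_on_b = unseal(node_b, cookie)               # shared key: session floats to B
    node_a.rotate()                                    # regular rotation on A
    still_on_a = unseal(node_a, cookie)                # old version retained: still valid
    node_a.rotate(); node_a.rotate()                   # retention exceeded on A
    expired = unseal(node_a, cookie)                   # None: user must log in again
    stale_b = unseal(node_b, seal(node_a, {"principal": "student1"}))  # B lacks the new key
    return opened_on_b, still_on_a, expired, stale_b


if __name__ == "__main__":
    print(cluster_demo())
```

The last value returned by `cluster_demo()` is the failure mode the slide warns about: if the copy step is skipped after a rotation, every session created on the generating node is unreadable on the others, which looks to users like random forced re-logins behind the load balancer.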
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited.
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
• Terracotta
  • No longer an option for IdPv3.
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of the benefits when participating in interfederation.
• Know what it takes to enable an IdP for interfederation.
• Understand the concept of Entity Categories.
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales.
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations.
  • Enable the SP for interfederation: the service can serve users from other federations.
Page 79
All Academic Identity Federations Globally (map of production and pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service.
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation /
eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /
Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust.
• SPs and IdPs of participating federations should opt-in for eduGAIN.
  • Some federations decided for opt-out instead.
• The MDS fetches, aggregates and republishes metadata.
eduGAIN policy documents (diagram): eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category.
• Requires a specification for international coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives.
• The SP has to provide a Privacy Policy (in English, according to the guideline).
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale.
Diagram: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules (screenshot)
Page 88
Attribute Release Settings (1)
Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings
Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restart; controlled by the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.:
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before the flag day:
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt-out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
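The decision tree above can be walked mechanically over idp-audit.log once you know which field carries the released attributes. The script below is an added example (not from the SWITCH handout) that does so for one SP against the attribute list the Resource Registry shows as required. The audit lines and their five-field layout (time, relying party, profile, principal, comma-separated attributes) are constructed for this example; the real field order is whatever idp.audit.format in your installation defines, so adjust `parse_audit` accordingly.

```python
# Constructed idp-audit.log excerpt (assumed layout, see lead-in):
# time|relyingParty|profile|principal|released attributes (comma separated, may be empty)
SAMPLE_AUDIT = """\
20150611T081233Z|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|student1|mail,eduPersonPrincipalName,eduPersonScopedAffiliation
20150611T091501Z|https://sp-coco.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|staff3|eduPersonScopedAffiliation
20150611T093007Z|https://sp-silent.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|student2|
"""


def parse_audit(text):
    """Parse the assumed five-field audit layout; lines with another field count are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue
        when, sp, profile, principal, attrs = fields
        events.append({
            "time": when,
            "sp": sp,
            "profile": profile,
            "principal": principal,
            "attributes": {a for a in attrs.split(",") if a},
        })
    return events


def diagnose(text, sp, required):
    """Apply the slide's decision tree to the latest audit event for `sp`."""
    events = [e for e in parse_audit(text) if e["sp"] == sp]
    if not events:
        return {"verdict": "no audit event for this SP: the login never reached the IdP",
                "released": set(), "missing": sorted(required)}
    latest = max(events, key=lambda e: e["time"])
    released = latest["attributes"]
    missing = sorted(set(required) - released)
    if not released:
        verdict = "nothing released: check your attribute release policy"
    elif missing:
        verdict = "required attributes missing: review your attribute release policy"
    else:
        verdict = "all required attributes released: the SP has to check why it fails"
    return {"verdict": verdict, "released": released, "missing": missing}


if __name__ == "__main__":
    # Required set taken from the CoCo-style minimum in the attribute table above
    print(diagnose(SAMPLE_AUDIT, "https://sp-coco.example.net/shibboleth",
                   ["displayName", "mail", "eduPersonScopedAffiliation"]))
```

Because the comparison is by attribute name, make sure the names you pass are the IdP-side attribute IDs that appear in the audit log, not the SAML attribute names the SP advertises.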
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Boot up the image
1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.
VM Operating System Environment
• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (same name for all participants): aai-login.example.org
Page 5
Test AAI Login with Demo Service Provider
1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux

DOS Command                  Linux Command
dir                          ls -l
cd <directory>               cd <directory>
mkdir or md <directory>      mkdir <directory>
rmdir or rd <directory>      rmdir <directory>
chdir                        pwd
del or erase <file>          rm <file>
copy and xcopy <file>        cp and cp -R <file>
find or findstr <file>       grep <string> <file>
comp <file1> <file2>         diff <file1> <file2>
edit <file>                  nano or vim or emacs <file>
ping <host>                  ping <host>
reboot                       reboot
Page 6
File Editing Commands for Terminal Editor

Editor              nano                  vim
Open file           $ nano <file>         $ vim <file>
Save file           <ctrl>-o              <esc> :w
Save and exit       <ctrl>-x              <esc> :wq
Search string       <ctrl>-w string       <esc> /string
Go to line number   <ctrl>-_ number       <esc> :number or <esc> <shift>-G
gedit is the recommended text editor. It is started as root user; its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password".
• Lines starting with $ are commands to be executed.
• Commands should be executed as root user. This happens automatically if a Terminal is opened or if the text editor is used.
• The character \ is the line break symbol, which allows breaking a long command over several lines when typed.
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems.
Page 7
More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes, unless otherwise mentioned.
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing.
• SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1 (the password is "password"). Useful for: $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks: in your web browser open https://aai-login.example.org
Test Users on your Identity Provider

Username   Password    UniqueID              Given name / surname   Affiliation       Entitlements
student1   password1   2490257@example.org   Test1 Student          student, member   urn:mace:dir:entitlement:common-lib-terms
student2   password2   8548997@example.org   Test2 Student          student, member   urn:mace:dir:entitlement:common-lib-terms
staff3     password3   7622788@example.org   Test3 Staff            staff, member     urn:mace:dir:entitlement:common-lib-terms
Page 8
Important directories
• /opt/shibboleth-idp: Identity Provider installation directory
• /opt/shibboleth-idp/conf: configuration files
• /opt/shibboleth-idp/logs: log files like idp-process.log
• /opt/shibboleth-idp/credentials: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades
Page 9
Configuration Pattern: Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch
What's that?
<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>
<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 10
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
  • Configuration is located in XML files
  • There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers
Understanding Beans and Properties
• Bean: some software object that is configurable by setting its attributes
• Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Page 11
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans.
• For convenience the essential configuration can be specified by properties stored in properties files.
• Still, from time to time you will need to directly modify beans or create new ones.
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts.
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• Each line consists of a pair of a key and a value.
• Comment lines start with a # character.
Page 12
Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />
Examples of Beans

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>
References

For comprehensive information refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication
How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.
Login Flows

[Diagram: a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X509 or Password Authentication Flow) and executes it; the IdP returns the SAML Response]
Login Flows

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required, but the client must support ECP appropriately.
Authentication Configuration

• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml (e.g. password-authn-config.xml)
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files:
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties. Keep this file readable only by the user running the IdP.
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication

• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted, and both the service user's bind password and every user's login password cross the network in the clear.
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
Properties for LDAP authentication

• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input ({user}).
Properties for LDAP authentication

• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration

Get familiar with properties files:
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

  ShibUserPassAuth {
     edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"  is the same as  userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/credentials.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
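As an added example (my own code, not SWITCH's or Shibboleth's), the following Python script performs the migration above mechanically: it parses a v2 JAAS login.config entry, emits the v3 split into ldap.properties and credentials.properties, and then applies the checks from the property descriptions on the previous slides (ldap:// only with StartTLS, ldaps:// only with useSSL, a {user} placeholder in the filter, the bind password kept out of ldap.properties). The sample login.config is constructed after the hands-on slide; the idp.authn.LDAP.* property names are the real ones.

```python
"""Added example (not SWITCH's or Shibboleth's code): convert a v2 JAAS
login.config entry into the v3 ldap.properties / credentials.properties
split, then review the result before it goes live.
"""
import re

# Constructed sample input, mirroring the hands-on 2 slide.
LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

# v2 option name -> v3 property name. userField/userFilter and
# bindCredential are handled separately below.
OPTION_MAP = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}
SECRET_KEYS = ["idp.authn.LDAP.bindDNCredential"]


def parse_login_config(text):
    """Return the key="value" options of the JAAS login module entry."""
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', text))


def to_v3_properties(options):
    """Split v2 options into (ldap.properties, credentials.properties) dicts."""
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds = {}
    for v2_key, v3_key in OPTION_MAP.items():
        if v2_key in options:
            ldap[v3_key] = options[v2_key]
    if "userFilter" in options:
        # vt-ldap used {0} as the login-name placeholder, ldaptive uses {user}
        body = options["userFilter"].replace("{0}", "{user}").strip("()")
        ldap["idp.authn.LDAP.userFilter"] = "(" + body + ")"
    elif "userField" in options:
        ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % options["userField"]
    if "bindCredential" in options:
        creds["idp.authn.LDAP.bindDNCredential"] = options["bindCredential"]
    # Transport flags follow from the URL scheme(s) actually configured.
    schemes = {u.split("://", 1)[0] for u in ldap.get("idp.authn.LDAP.ldapURL", "").split()}
    ldap["idp.authn.LDAP.useSSL"] = "true" if schemes == {"ldaps"} else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "true" if schemes == {"ldap"} else "false"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    return ldap, creds


def check_properties(ldap, creds):
    """Return a list of findings; an empty list means the config passes review."""
    findings = []
    urls = ldap.get("idp.authn.LDAP.ldapURL", "").split()
    if not urls:
        findings.append("no LDAP URL configured")
    for url in urls:
        if url.startswith("ldaps://") and ldap.get("idp.authn.LDAP.useSSL") != "true":
            findings.append("ldaps URL but useSSL is not true: " + url)
        elif url.startswith("ldap://") and ldap.get("idp.authn.LDAP.useStartTLS") != "true":
            findings.append("plaintext LDAP without StartTLS: " + url)
        elif not url.startswith(("ldap://", "ldaps://")):
            findings.append("URL must start with ldap:// or ldaps://: " + url)
    if "{user}" not in ldap.get("idp.authn.LDAP.userFilter", ""):
        findings.append("userFilter does not contain the {user} placeholder")
    for key in SECRET_KEYS:
        if key in ldap:
            findings.append("secret %s belongs in credentials.properties" % key)
    if "idp.authn.LDAP.bindDN" in ldap and "idp.authn.LDAP.bindDNCredential" not in creds:
        findings.append("bindDN set but no bindDNCredential in credentials.properties")
    return findings


def render(props):
    """Serialise a dict as properties-file text (sorted for stable diffs)."""
    return "".join("%s = %s\n" % kv for kv in sorted(props.items()))


if __name__ == "__main__":
    ldap, creds = to_v3_properties(parse_login_config(LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties\n" + render(creds))
    print("findings:", check_properties(ldap, creds) or "none")
```

Run it against your own login.config and paste the two rendered sections into the respective files; anything in the findings list is a transport or secret-handling problem that the IdP will not flag at startup.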
Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References

Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Note that distinct messages for UnknownUsername and InvalidPassword tell an attacker which usernames exist; Hands On II below merges them.
Velocity Properties

  <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

The service name comes from the SP's metadata and is untrusted input; always pass it through $encoder.encodeForHTML instead of printing $name directly.
Hands On I

• Make the IdP logo disappear for screens smaller than 799 px
Hands On II

• Return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"
Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I

• Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" …

• Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II

• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect

With one shared message the login form no longer reveals whether a username exists.
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.
New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>
          shibboleth.PostgreSQLDataSource
      </dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1

Add a new local attribute definition and release it to the attribute viewer:

  UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
          <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences

• IdP API for scripts has changed
  – Output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt
Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
  </resolver:AttributeDefinition>
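To see what the two hands-on solutions actually produce for a user, here is an added Python model of the resolution and filtering steps (my code, not the IdP's implementation; the LDAP record and the Static definition standing in for the common-lib-terms entitlement are constructed). Template definitions expand once per value of their source attribute, Simple concatenates the values of its dependencies, a dependencyOnly attribute never reaches the filter, and the filter is deny-by-default: an attribute leaves the IdP only for a requester that some policy names.

```python
"""Added example (not Shibboleth code): a small model of attribute
resolution followed by attribute filtering, covering the Template, Simple
and dependencyOnly behaviour used in the two hands-on solutions.
"""
import collections

# Constructed: what the myLDAP connector returns for one test user.
LDAP_RECORD = {
    "uid": ["jdoe"],
    "objectClass": ["person", "inetOrgPerson"],
}

# Minimal stand-ins for ad:Template, ad:Simple and a static value source.
Template = collections.namedtuple("Template", "id source template dependency_only")
Simple = collections.namedtuple("Simple", "id dependencies")
Static = collections.namedtuple("Static", "id values")

DEFINITIONS = [
    # hands-on 1: one value, SAP-<uid>
    Template("uzhSAPUserId", "uid", "SAP-${uid}", False),
    # hands-on 2: one URL per objectClass value, only usable as a dependency
    Template("eduPersonEntitlement.groups", "objectClass",
             "https://example.org/groups/${objectClass}", True),
    # constructed stand-in for the existing common-lib-terms definition
    Static("eduPersonEntitlement.common-lib-terms",
           ["urn:mace:dir:entitlement:common-lib-terms"]),
    Simple("eduPersonEntitlement",
           ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"]),
]

# Model of afp:AttributeFilterPolicy elements: requester string match,
# then the attributes whose values are permitted (basic:ANY).
POLICIES = [
    {"requester": "https://attribute-viewer.aai.switch.ch/shibboleth",
     "permit": {"uzhSAPUserId", "eduPersonEntitlement"}},
    {"requester": "https://sp.example.org/shibboleth",
     "permit": {"eduPersonEntitlement"}},
]


def resolve(record, definitions=DEFINITIONS):
    """Run the definitions in order (dependencies first) over one record."""
    resolved = {k: list(v) for k, v in record.items()}
    hidden = set()                      # dependencyOnly ids, never released
    for d in definitions:
        if isinstance(d, Template):
            resolved[d.id] = [d.template.replace("${%s}" % d.source, v)
                              for v in resolved.get(d.source, [])]
            if d.dependency_only:
                hidden.add(d.id)
        elif isinstance(d, Static):
            resolved[d.id] = list(d.values)
        else:  # Simple: concatenate all dependency values, in order
            resolved[d.id] = [v for dep in d.dependencies for v in resolved.get(dep, [])]
    return {k: v for k, v in resolved.items() if k not in hidden}


def filter_for(requester, attributes, policies=POLICIES):
    """Deny by default: keep only attributes a policy for this requester permits."""
    permitted = set()
    for p in policies:
        if p["requester"] == requester:
            permitted |= p["permit"]
    return {k: v for k, v in attributes.items() if k in permitted and v}


if __name__ == "__main__":
    attrs = resolve(LDAP_RECORD)
    for sp in ("https://attribute-viewer.aai.switch.ch/shibboleth",
               "https://sp.example.org/shibboleth",
               "https://unknown.example.net/shibboleth"):
        print(sp, "->", filter_for(sp, attrs))
```

Raw connector attributes such as uid and objectClass are resolved but never released, because no policy names them; that is the behaviour to keep in mind when adding local definitions.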
References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice

• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation, always qualified by the IdP and SP entity IDs
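The following added Python example (my code, not Shibboleth's) computes a persistent ID the way the slide describes it, SHA-1 over SP entity ID, user attribute value and salt, Base64 encoded, and shows the two properties that matter: the same user gets unrelated IDs at two SPs, and anyone who learns the salt can brute-force the user behind an ID from a list of candidate attribute values. The "!" separators between the three hashed parts are my assumption about the IdP's computed-ID algorithm and are not stated on the slide; the entity IDs, user value and salt are constructed. Compare the output with a value from your own IdP before relying on the exact encoding.

```python
"""Added example (not Shibboleth code): compute and reason about SAML
persistent IDs as described on the slide. The "!" separators are an
assumption about the IdP's computed-ID algorithm, not taken from the slide.
"""
import base64
import hashlib
import secrets

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"   # constructed


def computed_id(sp_entity_id, source_value, salt):
    """Base64 of the 20-byte SHA-1 digest over SP entity ID, user value, salt."""
    data = "%s!%s!%s" % (sp_entity_id, source_value, salt)   # assumed separator
    digest = hashlib.sha1(data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def qualified_id(sp_entity_id, source_value, salt, idp_entity_id=IDP_ENTITY_ID):
    """String form as the Shibboleth SP renders it: IdP!SP!value."""
    return "!".join([idp_entity_id, sp_entity_id,
                     computed_id(sp_entity_id, source_value, salt)])


def is_pairwise(source_value, salt, sp_a, sp_b):
    """Two SPs must not be able to correlate a user by comparing their IDs."""
    return computed_id(sp_a, source_value, salt) != computed_id(sp_b, source_value, salt)


def guess_user(sp_entity_id, observed_id, candidate_values, salt):
    """What an SP can do once the salt leaks: test every candidate user value."""
    for value in candidate_values:
        if computed_id(sp_entity_id, value, salt) == observed_id:
            return value
    return None


if __name__ == "__main__":
    salt = secrets.token_urlsafe(32)           # constructed; use idp.persistentId.salt
    user = "123456@example.org"                # constructed swissEduPersonUniqueID
    sp1 = "https://sp.example.org/shibboleth"
    sp2 = "https://other.example.org/shibboleth"
    pid = computed_id(sp1, user, salt)
    print(qualified_id(sp1, user, salt))
    print("pairwise:", is_pairwise(user, salt, sp1, sp2))
    print("recovered with salt:", guess_user(sp1, pid, ["x@example.org", user], salt))
```

Because the ID is deterministic, the salt in credentials.properties is the only thing that separates the pseudonym from the user attribute it was derived from; carry it over from v2 unchanged (otherwise every SP sees new IDs) and protect it like the LDAP bind password.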
Persistent ID changes with the IdP v3

• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service

• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump
(Some ideas for) hands-on exercises

• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought

• All SPs: the best option (recommended)
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO (default: only attribute-release):

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
          <list>
              <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
              <ref bean="SAML1.AttributeQuery" />
              <ref bean="SAML1.ArtifactResolution" />
              <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
              <ref bean="SAML2.ECP" />
              <ref bean="SAML2.Logout" />
              <ref bean="SAML2.AttributeQuery" />
              <ref bean="SAML2.ArtifactResolution" />
          </list>
      </property>
  </bean>
Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP:
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
          <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
              <constructor-arg name="map">
                  <map>
                      <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                  </map>
              </constructor-arg>
          </bean>
      </constructor-arg>
      <constructor-arg name="f">
          <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
  </bean>
Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.
Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>
Hands-on solution

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
          <mdattr:EntityAttributes>
              <saml:Attribute Name="http://macedir.org/entity-category">
                  <saml:AttributeValue>
                      http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                  </saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                  <saml:AttributeValue>switch.ch</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                  <saml:AttributeValue>others</saml:AttributeValue>
              </saml:Attribute>
          </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override

Disables the flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
          <constructor-arg name="candidates">
              <list>
                  <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                        c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                  <!-- more beans -->
              </list>
          </constructor-arg>
          <property name="profileConfigurations">
              <list>
                  <ref bean="Shibboleth.SSO" />
                  <ref bean="SAML2.SSO" />
                  <!-- other profiles -->
              </list>
          </property>
      </bean>
  </util:list>

The match relies on an entity attribute carried in the federation metadata, so the override is only as trustworthy as the metadata source; use it with metadata whose signature the IdP verifies.
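As an added illustration of the "first match wins" rule (my Python, not the IdP's code; the metadata view and all entity IDs except the attribute viewer's are constructed), the model below evaluates overrides by name, group and tag in list order and returns the post-authentication flows that apply. Swapping the two overrides silently drops the exception for the HR application, which is exactly the ordering mistake to look for when editing relying-party.xml.

```python
"""Added example (not Shibboleth code): a model of relying party override
selection, by name, group or tag, where the first matching override wins.
"""

# Constructed metadata view: entityID -> enclosing <EntitiesDescriptor>
# names and <EntityAttributes> (name -> values).
METADATA = {
    "https://sp.example.org/shibboleth": {
        "groups": ["urn:mace:switch.ch:SWITCHaai"],
        "tags": {"urn:oid:2.16.756.1.2.5.1.1.4": ["example.org"]},
    },
    "https://hr.example.org/shibboleth": {
        "groups": ["urn:mace:switch.ch:SWITCHaai"],
        "tags": {"urn:oid:2.16.756.1.2.5.1.1.4": ["example.org"]},
    },
    "https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth": {
        "groups": ["urn:mace:switch.ch:SWITCHaai"],
        "tags": {
            "http://macedir.org/entity-category":
                ["http://www.geant.net/uri/dataprotection-code-of-conduct/v1"],
            "urn:oid:2.16.756.1.2.5.1.1.4": ["switch.ch"],
        },
    },
}

DEFAULT_FLOWS = ["terms-of-use", "attribute-release"]   # the DefaultRelyingParty


def by_name(entity_ids, flows):
    return ("name", set(entity_ids), flows)


def by_group(groups, flows):
    return ("group", set(groups), flows)


def by_tag(name, values, flows):
    return ("tag", (name, set(values)), flows)


def matches(override, entity_id, md):
    """Does one override (RelyingPartyByName/ByGroup/ByTag model) match the SP?"""
    kind, criterion, _ = override
    if kind == "name":
        return entity_id in criterion
    if kind == "group":
        return bool(criterion & set(md["groups"]))
    name, values = criterion
    return bool(values & set(md["tags"].get(name, [])))


def post_auth_flows(entity_id, overrides, metadata=METADATA):
    """First matching override decides; otherwise the default relying party."""
    md = metadata[entity_id]
    for override in overrides:
        if matches(override, entity_id, md):
            return override[2]
    return DEFAULT_FLOWS


OVERRIDES = [
    # keep consent for the HR application although it is an example.org SP ...
    by_name(["https://hr.example.org/shibboleth"], DEFAULT_FLOWS),
    # ... then switch consent off for everything else of the home organisation
    by_tag("urn:oid:2.16.756.1.2.5.1.1.4", ["example.org"], []),
]

if __name__ == "__main__":
    for sp in METADATA:
        print(sp, "->", post_auth_flows(sp, OVERRIDES))
    print("reversed order, HR:",
          post_auth_flows("https://hr.example.org/shibboleth", list(reversed(OVERRIDES))))
```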
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch
The IdPv3 makes upgrading easy: the upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp.
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: Add new IP ranges and Domain Hints
5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment.
Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it is better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
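As an added example (not part of the SWITCH handout), this Python script extends the grep above to all endpoint candidates from the previous slide, reporting for each binding its use count, the last use and the relying parties involved, and listing the candidates that never appear; the log lines and their message text are constructed for this example, so adapt the patterns to your IdP's actual messages.

```python
"""Added example (not SWITCH or Shibboleth code): summarise legacy-binding
usage from idp-process.log before removing endpoints from the Resource
Registry. The log lines below are constructed for this example; the real
message text of your IdP version may differ, so adapt the patterns."""
import re

# Binding URNs of the endpoint candidates named on the slide (real URNs).
CANDIDATE_BINDINGS = {
    "SSO HTTP-POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML1 SOAP (artifact resolution / attribute query)": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}

# Constructed sample of idp-process.log lines (message format assumed, not captured).
SAMPLE_LOG = """\
2015-01-09 08:02:11,417 - INFO [net.shibboleth.idp.profile.impl.DecodeMessage:101] - Decoded message from https://legacy-sp.example.org/shibboleth via binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-02-14 17:45:30,002 - INFO [net.shibboleth.idp.profile.impl.DecodeMessage:101] - Decoded message from https://sp.example.org/shibboleth via binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-03-02 09:14:07,118 - INFO [net.shibboleth.idp.profile.impl.DecodeMessage:101] - Decoded message from https://legacy-sp.example.org/shibboleth via binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-03-02 09:14:07,544 - WARN [net.shibboleth.idp.saml.profile:77] - Profile Action: unsupported binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign requested by https://old.example.net/shibboleth
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Relying party entityIDs are URLs; binding URNs start with "urn:" so they never match.
ENTITY_RE = re.compile(r"(https?://[^\s|\"']+)")


def binding_usage(log_text, bindings=CANDIDATE_BINDINGS):
    """For each candidate binding return {'count', 'last_used', 'relying_parties'}.
    last_used is None when the binding never appears in the scanned text."""
    report = {label: {"count": 0, "last_used": None, "relying_parties": set()}
              for label in bindings}
    for line in log_text.splitlines():
        for label, urn in bindings.items():
            # Require the URN to end here, so that HTTP-POST does not also
            # count lines that mention HTTP-POST-SimpleSign.
            if not re.search(re.escape(urn) + r"(?![\w-])", line):
                continue
            entry = report[label]
            entry["count"] += 1
            ts = TIMESTAMP_RE.match(line)
            # Timestamps are ISO-like, so string comparison orders them correctly.
            if ts and (entry["last_used"] is None or ts.group(1) > entry["last_used"]):
                entry["last_used"] = ts.group(1)
            entry["relying_parties"].update(ENTITY_RE.findall(line))
    return report


def removable(report):
    """Endpoint candidates with no recorded use in the scanned logs."""
    return sorted(label for label, entry in report.items() if entry["count"] == 0)


if __name__ == "__main__":
    usage = binding_usage(SAMPLE_LOG)
    for label, entry in usage.items():
        print(f"{label}: {entry['count']} use(s), last {entry['last_used']}, "
              f"SPs: {sorted(entry['relying_parties'])}")
    print("safe to remove:", removable(usage) or "none of the candidates")
```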
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (diagram not reproduced in the handout)
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs. server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity        Recommended Storage   Scope
Conversation Session  Memory                Per Node
IdP User Session      Client                Per Client
Persistent ID         Common Database       Cluster
User consents         Common Database       Cluster
SAML artifacts        Common Database       Cluster
Message replay cache  Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID (Persistent Name ID)            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2) (screenshot of the Resource Registry)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN document framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram not reproduced in the handout)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules (screenshot not reproduced in the handout)
Attribute Release Settings (1) (screenshot: Resource Registry, Edit Home Organization Description, Attribute Release Settings)
Attribute Release Settings (2) (screenshot not reproduced in the handout)
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7/
  Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7/
  Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, e.g.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai: it needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck/
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org/
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Test AAI Login with Demo Service Provider
1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)
Essential Commands for Linux

DOS Command                  Linux Command
dir                          ls -l
cd <directory>               cd <directory>
mkdir or md <directory>      mkdir <directory>
rmdir or rd <directory>      rmdir <directory>
chdir                        pwd
del or erase <file>          rm <file>
copy and xcopy <file>        cp and cp -R <file>
find or findstr <file>       grep <string> <file>
comp <file1> <file2>         diff <file1> <file2>
edit <file>                  nano or vim or emacs <file>
ping <host>                  ping <host>
reboot                       reboot
Page 6
File Editing Commands for Terminal Editor

Editor               nano                  vim
Open file            $ nano <file>         $ vim <file>
Save file            <ctrl>-o              <esc> :w
Save and exit        <ctrl>-x              <esc> :wq
Search string        <ctrl>-w string       <esc> /string
Go to line number    <ctrl>-_ number       <esc> :number  or  <esc> number <shift>-G

gedit is the recommended text editor. It is started as the root user; its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session

The user and root password for the VM is "password".

Lines starting with $ are commands to be executed.

Commands should be executed as the root user. This happens automatically if the Terminal is opened or if the text editor is used.

The \ character is a line-break symbol which allows a long command to be continued on the next line when typed.

Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints on resolving problems.
Page 7
More Tips and Tricks for Hands-On Session

Restart the Tomcat daemon after changes, unless otherwise mentioned.

Delete session cookies after changes (or restart the browser). This should not be necessary, but is safer for testing.

SSH access to connect to your VM (only with VirtualBox):
$ ssh -p 2222 idp-admin@127.0.0.1
The password is "password". Useful for:
$ tail -f /var/log/shibboleth/shibd.log

On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org
Test Users on your Identity Provider

Username: student1    Password: password1
UniqueID: 2490257@example.org    Givenname, surname: Test1 Student
Affiliation: student, member    Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: student2    Password: password2
UniqueID: 8548997@example.org    Givenname, surname: Test2 Student
Affiliation: student, member    Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: staff3    Password: password3
UniqueID: 7622788@example.org    Givenname, surname: Test3 Staff
Affiliation: staff, member    Entitlements: urn:mace:dir:entitlement:common-lib-terms
Page 8
Important directories

/opt/shibboleth-idp                Identity Provider installation directory
/opt/shibboleth-idp/conf           Configuration files
/opt/shibboleth-idp/logs           Log files like idp-process.log
/opt/shibboleth-idp/credentials    X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp    Changes for the web application that survive upgrades
Page 9
Configuration Pattern
Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 10
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
  – Configuration is located in XML files
  – There are a lot of wired beans
• The whole configuration follows the same pattern
  – With some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers
Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Page 11
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Page 12
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 13
References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation:
• Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
Page 14
User Authentication
How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    – Username/password login form
    – Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    – Username/password login form
    – Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development.
Page 15
Login Flows

[Figure: SAML Request enters the Shibboleth IdP, a SAML Response leaves it. Inside, the Authentication Engine selects a suitable flow and executes it: RemoteUser Authentication Flow, X.509 Authentication Flow or Password Authentication Flow.]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  – But the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation
  – /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  – /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator
    User lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL
    URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS
    Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  – idp.authn.LDAP.useSSL
    Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Page 18
Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig
    Type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN
    Entry point in the user directory
  – idp.authn.LDAP.subtreeSearch
    Enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter
    LDAP search filter. Takes the login name as input
Properties for LDAP authentication
• LDAP service user options
  (The IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN
    Bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential
    Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
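As an added example (not from the SWITCH training material, and not a Shibboleth tool), here is a small Python check that reads the two properties files described above and flags the settings a reviewer would look at: an ldap:// URL with StartTLS disabled, an ldaps:// URL without useSSL, an authenticator other than bindSearchAuthenticator, and the bind password kept in ldap.properties instead of credentials.properties. The properties reader and both sample file contents are constructed for this example; the defaults assumed for useStartTLS (true) and useSSL (false) are the ones from the connectionConfig bean shown earlier.

```python
import re
from typing import Dict, List

# Constructed sample: the ldap.properties example from the slides (ldaps + useSSL).
GOOD_LDAP_PROPERTIES = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""
GOOD_CREDENTIALS_PROPERTIES = "idp.authn.LDAP.bindDNCredential = secret\n"

# Constructed weak configuration: plain ldap://, StartTLS off, password in the wrong file.
WEAK_LDAP_PROPERTIES = """
# LDAP connection parameters
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
idp.authn.LDAP.bindDNCredential = secret
"""
WEAK_CREDENTIALS_PROPERTIES = ""


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' or 'key: value', # and ! comments.
    No line continuations or escapes, which is enough for the IdP's property files."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_ldap_authn(ldap_props: Dict[str, str], credential_props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to complain about."""
    findings: List[str] = []
    # Defaults mirror the connectionConfig bean: useStartTLS defaults to true, useSSL to false.
    use_starttls = ldap_props.get("idp.authn.LDAP.useStartTLS", "true").lower() == "true"
    use_ssl = ldap_props.get("idp.authn.LDAP.useSSL", "false").lower() == "true"
    urls = ldap_props.get("idp.authn.LDAP.ldapURL", "").split()  # several URLs, space separated
    if not urls:
        findings.append("idp.authn.LDAP.ldapURL is not set")
    for url in urls:
        if url.startswith("ldap://") and not use_starttls:
            findings.append(f"{url}: ldap:// without StartTLS, bind and user passwords cross the network in clear text")
        elif url.startswith("ldaps://") and not use_ssl:
            findings.append(f"{url}: ldaps:// URL but idp.authn.LDAP.useSSL is not true")
        elif not url.startswith(("ldap://", "ldaps://")):
            findings.append(f"{url}: URL must start with ldap:// or ldaps://")
    if ldap_props.get("idp.authn.LDAP.authenticator") != "bindSearchAuthenticator":
        findings.append("idp.authn.LDAP.authenticator must be set to bindSearchAuthenticator")
    if "idp.authn.LDAP.bindDNCredential" in ldap_props:
        findings.append("bind password is in ldap.properties; move it to credentials.properties")
    if "idp.authn.LDAP.bindDNCredential" not in credential_props:
        findings.append("idp.authn.LDAP.bindDNCredential is missing from credentials.properties")
    return findings


def check_files(ldap_text: str, credentials_text: str) -> List[str]:
    return check_ldap_authn(parse_java_properties(ldap_text), parse_java_properties(credentials_text))


if __name__ == "__main__":
    for label, ldap_text, cred_text in (("good", GOOD_LDAP_PROPERTIES, GOOD_CREDENTIALS_PROPERTIES),
                                        ("weak", WEAK_LDAP_PROPERTIES, WEAK_CREDENTIALS_PROPERTIES)):
        print(label, check_files(ldap_text, cred_text) or "OK")
```

The reader deliberately keeps only the key/value pairs, so a value such as ou=People,dc=example,dc=org that itself contains "=" is preserved intact; the check reads the defaults the same way the bean does, so an ldap:// URL with useStartTLS left unset is accepted, while an explicit "false" is reported.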
Page 19
Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)
Page 20
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2. File: /opt/shibboleth-idp/conf/login.properties

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: a common and equivalent alternative to userField is userFilter:
userField="uid"  <=>  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3. File: /opt/shibboleth-idp/conf/ldap.properties

[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File: /opt/shibboleth-idp/conf/ldap.properties

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Page 21
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    – Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References
Documentation:
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Page 22
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Page 23
Page 24
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat
Page 25
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/exampleorg.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
Page 26
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Page 27
Velocity Properties
<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Page 28
Velocity
• The Apache Velocity Engine is a free open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end
Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"
Page 31
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• Edit authn-messages.properties

UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
bad-credentials.message = The credentials you entered are incorrect.
Page 33
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  – Less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Page 38
Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
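To make the construction above concrete, here is an added Python example (not from the training material, and not the IdP's own code) that computes a persistent ID from the three inputs the slide names, renders it the way the Shibboleth SP does, and splits a rendered ID back into its parts. The slide only says which three values are hashed; the input order (SP entity ID, attribute value, salt) and the "!" separators between them are assumptions about the computed-ID strategy. All entity IDs, the attribute value and the salt are constructed sample values.

```python
import base64
import hashlib
from typing import Dict, Tuple

# Constructed sample values (the salt in a real deployment lives in credentials.properties).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "2490257@example.org"   # e.g. a swissEduPersonUniqueID value
SALT = "constructed-salt-never-publish-the-real-one"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Base64(SHA-1(spEntityID + '!' + sourceValue + '!' + salt)).

    Assumption: input order and '!' separators as in the computed-ID strategy;
    the slide itself only names the three inputs. 20 hash bytes -> 28 Base64 chars.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """Render the ID as the Shibboleth SP does: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def split_qualified_persistent_id(rendered: str) -> Tuple[str, str, str]:
    """Split a rendered ID into (IdP entity ID, SP entity ID, value).

    An application should key its user records on the whole string: the bare
    value is only meaningful for one IdP/SP pair. Base64 never contains '!',
    so splitting on it is unambiguous.
    """
    parts = rendered.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected NameQualifier!SPNameQualifier!value")
    return parts[0], parts[1], parts[2]


def demo() -> Dict[str, str]:
    """Same user at two SPs, and the same SP with another salt: three unrelated IDs."""
    pid_sp1 = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    pid_sp2 = computed_persistent_id(OTHER_SP_ENTITY_ID, SOURCE_VALUE, SALT)
    pid_other_salt = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT + "-rotated")
    return {
        "sp1": pid_sp1,
        "sp2": pid_sp2,
        "sp1_other_salt": pid_other_salt,
        "rendered": qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid_sp1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two pairwise properties that matter for privacy fall out of the function directly: the same source value yields unrelated IDs at different SPs (targeted), and changing the salt changes every ID, which is why idp.persistentId.salt must be carried over unchanged from the v2 configuration (a new salt would give every user a new identity at every SP) and why the salt is kept in credentials.properties.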
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent
Two pieces:
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes
     = if the set of attributes changes
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [ShibbolethSSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options:
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
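The two slides above describe configuration knobs whose combined effect is easy to get wrong: which "remember my decision" choices the user sees, and which attributes leave the IdP without ever appearing on the consent page. The following Python is an added example, not code from the handout or from Shibboleth: it reads a constructed idp.properties excerpt and applies the white/black list rules as the slide states them. The exact matching semantics (black list always wins; a non-empty white list or a pattern restricts prompting to matching attributes, everything else is released silently) are my reading of the slide, not the IdP's own code, and the sample attribute names are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Defaults as given on the handout: no white list, no pattern, and a
# black list of the three identifier attributes that are never prompted for.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})

# Constructed excerpt of conf/idp.properties (sample input, not a real file).
SAMPLE_IDP_PROPERTIES = """\
# consent duration and per-attribute settings (constructed)
idp.consent.allowDoNotRemember = true
idp.consent.allowGlobal = false
idp.consent.allowPerAttribute = false
idp.consent.compareValues = true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#' comments, no escapes."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def consent_duration_options(props: Dict[str, str]) -> List[str]:
    """Choices offered on the consent page, given idp.properties values.

    'Ask me again if information changes' is always offered; the other two
    depend on idp.consent.allowDoNotRemember and idp.consent.allowGlobal,
    both defaulting to true as on the handout.
    """
    def flag(name: str, default: bool) -> bool:
        return props.get(name, str(default)).strip().lower() == "true"

    options = ["Ask me again if information changes"]
    if flag("idp.consent.allowDoNotRemember", True):
        options.append("Ask me again at next login")
    if flag("idp.consent.allowGlobal", True):
        options.append("Do not ask me again")
    return options


def attributes_to_prompt(attributes: Iterable[str],
                         whitelist: Iterable[str] = (),
                         blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Attribute IDs the user is asked about, in input order.

    Reading of the slide's white/black list rules (an assumption about the
    intercept configuration, not the IdP's own matching code):
      - black-listed attributes are never prompted for;
      - with an empty white list and no pattern, every other attribute is;
      - once a white list or a pattern exists, only white-listed or
        pattern-matching attributes are prompted for; the rest is released
        without asking.
    """
    white = set(whitelist)
    black = set(blacklist)
    regex = re.compile(pattern) if pattern else None
    prompted = []
    for attr in attributes:
        if attr in black:
            continue
        if white or regex is not None:
            if attr not in white and not (regex and regex.search(attr)):
                continue
        prompted.append(attr)
    return prompted


def released_without_consent(attributes: Iterable[str], **kwargs) -> List[str]:
    """Attributes that reach the SP without ever being shown on the consent page.

    This is the list to review before narrowing the white list: anything
    here is released silently once the user accepts the page.
    """
    attrs = list(attributes)
    shown = set(attributes_to_prompt(attrs, **kwargs))
    return [a for a in attrs if a not in shown]
```

Run `released_without_consent(your_attribute_ids, whitelist=[...])` with the lists from your consent-intercept-config.xml; an unexpectedly long result means the white list is hiding more than intended.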
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="ShibbolethSSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Page 58
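An override such as shibboleth.NoUserConsentRelyingParty silently removes the consent page for every SP whose metadata carries the tag, and because the first matching override wins, its position in shibboleth.RelyingPartyOverrides decides which profile configuration an SP ends up with. The following Python is an added example, not code from the handout or from Shibboleth: it reads the EntityAttributes of a constructed metadata aggregate, evaluates a list of TagCandidate-style overrides in list order, and reports which entityIDs would skip consent. The override list structure, the "any candidate matches" rule and the constructed entityIDs are assumptions; the OID and entity category URI are those from the slides.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Set, Tuple

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"      # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
DEFAULT_RP = "shibboleth.DefaultRelyingParty"

# Constructed metadata aggregate with three SPs (sample input, not real federation data).
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.net/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.net</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.com/shibboleth"/>
</md:EntitiesDescriptor>
"""

# One TagCandidate is (attribute Name, accepted values); an override is
# (bean id, candidates) and matches when any candidate matches (assumption).
Candidate = Tuple[str, Set[str]]
Override = Tuple[str, Sequence[Candidate]]


def entity_attributes(metadata_xml: str) -> Dict[str, Dict[str, Set[str]]]:
    """entityID -> {attribute Name -> values} taken from <mdattr:EntityAttributes>."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for ed in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        attrs: Dict[str, Set[str]] = {}
        for a in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {v.text.strip() for v in a.findall("saml:AttributeValue", NS) if v.text}
            attrs.setdefault(a.get("Name"), set()).update(values)
        result[ed.get("entityID")] = attrs
    return result


def candidate_matches(attrs: Dict[str, Set[str]], candidate: Candidate) -> bool:
    """True when the entity carries the attribute with at least one accepted value."""
    name, wanted = candidate
    return bool(attrs.get(name, set()) & wanted)


def effective_override(attrs: Dict[str, Set[str]], overrides: Sequence[Override]) -> str:
    """First override (in list order) with a matching candidate, else the default RP."""
    for bean_id, candidates in overrides:
        if any(candidate_matches(attrs, c) for c in candidates):
            return bean_id
    return DEFAULT_RP


def entities_skipping_consent(metadata_xml: str, overrides: Sequence[Override],
                              no_consent_beans: Set[str]) -> List[str]:
    """entityIDs that would be served by an override whose profiles carry no consent flows."""
    table = entity_attributes(metadata_xml)
    return sorted(eid for eid, attrs in table.items()
                  if effective_override(attrs, overrides) in no_consent_beans)
```

Run it against the aggregate your IdP actually loads whenever the override list or the federation's entity attributes change; the result is the set of SPs whose users will never see the consent page.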
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
copy 2015 SWITCH
References Documentation bull Upgrading
httpswikishibbolethnetconfluencedisplayIDP30Upgrading bull Release Notes
httpswikishibbolethnetconfluencedisplayIDP30ReleaseNotes
5
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
1, 2: To review
3: To adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change the URL for the Attribute Authority
New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
Page 68
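The grep above answers the question for one binding; before editing the Resource Registry you normally want the same answer for every endpoint the IdP publishes. The following Python is an added example, not code from the handout or from Shibboleth: it reads the IdP's own metadata for published SingleSignOnService, ArtifactResolutionService and AttributeService endpoints, scans idp-process.log lines for the binding URIs (as the grep does, only the URI's presence in the line is relied on), and lists the endpoints not seen since a cutoff date. The metadata and the log lines are constructed samples; the real log wording differs, so only the binding match and the leading timestamp are used. Two endpoints that share a binding (SAML1 SOAP for both ArtifactResolution and AttributeService) cannot be told apart this way and have to be reviewed together.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ENDPOINT_TAGS = ("SingleSignOnService", "ArtifactResolutionService", "AttributeService")
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed IdP metadata listing the endpoints discussed on the slide.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://aai-login.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://aai-login.example.org/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://aai-login.example.org/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aai-login.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://aai-login.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://aai-login.example.org/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://aai-login.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""

# Constructed idp-process.log lines: logger names, messages and SPs are made up;
# only the timestamp at the start and the binding URI are relied on.
SAMPLE_LOG_LINES = [
    "2015-01-14 08:02:17,410 - DEBUG [constructed.logger:121] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.org/shibboleth",
    "2015-03-02 09:14:05,221 - DEBUG [constructed.logger:121] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth",
    "2015-05-21 16:40:51,007 - DEBUG [constructed.logger:121] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP, relying party https://portal.example.org/shibboleth",
]

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
RELYING_PARTY_RE = re.compile(r"relying party (\S+)")


def published_endpoints(metadata_xml: str) -> List[Tuple[str, str]]:
    """(endpoint element name, Binding URI) for every endpoint in the IdP's metadata."""
    root = ET.fromstring(metadata_xml)
    return [(tag, ep.get("Binding")) for tag in ENDPOINT_TAGS for ep in root.iter(MD + tag)]


def binding_usage(log_lines: Iterable[str],
                  bindings: Iterable[str]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Last (timestamp, relying party) each binding URI appeared with, or None if never."""
    last: Dict[str, Optional[Tuple[str, str]]] = {b: None for b in bindings}
    for line in log_lines:
        for binding in last:
            # whole-URI match: HTTP-POST must not be satisfied by HTTP-POST-SimpleSign
            if re.search(re.escape(binding) + r"(?![\w-])", line):
                ts = TIMESTAMP_RE.match(line)
                rp = RELYING_PARTY_RE.search(line)
                last[binding] = (ts.group(1) if ts else "?", rp.group(1) if rp else "?")
    return last


def stale_bindings(usage: Dict[str, Optional[Tuple[str, str]]], cutoff_date: str) -> List[str]:
    """Bindings never seen on or after cutoff_date (YYYY-MM-DD)."""
    return sorted(b for b, seen in usage.items() if seen is None or seen[0][:10] < cutoff_date)


def removal_candidates(metadata_xml: str, log_lines: Iterable[str],
                       cutoff_date: str) -> List[Tuple[str, str]]:
    """Published endpoints whose binding has not been used since cutoff_date."""
    endpoints = published_endpoints(metadata_xml)
    stale = set(stale_bindings(binding_usage(log_lines, {b for _, b in endpoints}), cutoff_date))
    return [(tag, b) for tag, b in endpoints if b in stale]
```

Feed it the concatenated idp-process-2015-*.log files and your IdP's metadata from the Resource Registry; anything it reports with a None usage has not been seen in the period the logs cover.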
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (diagram, two slides)
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but the setup is easy
Options
• Data storage: client-side vs server-side
  A server-side database can store any data:
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies:
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References
Documentation:
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Glob­ally (map: Production / Pilot)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
(Persistent Name ID)

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
eduGAIN documents (diagram): Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs) (diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules (diagram)
Page 88
Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2) (screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
• Logfiles:
  • error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change them if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
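The following script is an added example for this handout, not SWITCH's or the Shibboleth project's code. It builds the reload-service and reload-metadata admin URLs from the bean IDs listed on the "Available bean IDs" slide (rejecting unknown IDs before anything is sent), prints the curl command an admin would run from localhost, and summarises the reload events found in idp-audit.log. The IdP base URL, the metadata provider ID "SWITCHaaiMetadata" and the audit log lines are constructed samples; the audit format is assumed to be the default pipe-separated one, without assuming in which field the profile URI sits.

```python
# Added example for this handout (not SWITCH's or the Shibboleth project's
# code): build the IdP v3 admin reload URLs with the bean IDs listed on the
# "Available bean IDs" slide, and summarise which reload profiles show up in
# idp-audit.log. Assumptions: the IdP base URL, the metadata provider ID and
# the audit log lines below are constructed samples; the audit format is the
# default pipe-separated one, with the profile URI in some field (the field
# position is not assumed).
from collections import Counter
from urllib.parse import urlencode, urljoin

# Service bean IDs that reload-service accepts (from the slide above).
KNOWN_SERVICE_IDS = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}

PROFILE_NS = "http://shibboleth.net/ns/profiles/"


def admin_reload_url(base_url, flow, object_id):
    """URL of the reload-service / reload-metadata admin flow for one ID.

    Unknown flows or service bean IDs are rejected before anything is sent,
    so a typo never turns into a request against the admin endpoint.
    """
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown admin reload flow: %s" % flow)
    if flow == "reload-service" and object_id not in KNOWN_SERVICE_IDS:
        raise ValueError("unknown service bean ID: %s" % object_id)
    path = "/idp/profile/admin/" + flow
    return urljoin(base_url, path) + "?" + urlencode({"id": object_id})


def curl_command(base_url, flow, object_id):
    """The curl invocation an admin runs from localhost (see access-control.xml)."""
    return "curl " + admin_reload_url(base_url, flow, object_id)


def reload_profiles(audit_lines):
    """Yield the short profile name ('reload-metadata', ...) of every reload event."""
    for line in audit_lines:
        for field in line.rstrip("\n").split("|"):
            if field.startswith(PROFILE_NS + "reload-"):
                yield field[len(PROFILE_NS):]
                break


def summarise_reloads(audit_log_text):
    """Count reload events per profile; note that the id= argument is not in the audit log."""
    return Counter(reload_profiles(audit_log_text.splitlines()))


# Constructed sample of idp-audit.log lines (not a real log).
SAMPLE_AUDIT_LOG = """\
20150611T081502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T081545Z|https://sp.example.org/shibboleth|https://aai-login.example.org/idp/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|student1||
20150611T082000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""

if __name__ == "__main__":
    base = "https://aai-login.example.org"
    print(curl_command(base, "reload-service", "shibboleth.AttributeResolverService"))
    print(curl_command(base, "reload-metadata", "SWITCHaaiMetadata"))
    print(dict(summarise_reloads(SAMPLE_AUDIT_LOG)))
```

Because the audit log only records the profile, the summary can tell you how often a reload happened but not which service was reloaded; that answer has to come from idp-process.log.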
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date, the interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ Entities more likely to cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so a user cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – The SP does not load the interfederation metadata
  – The SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
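The metadata and discovery problems on the two slides above come down to one question: does the aggregate a given side loads actually contain the other side's entityID, and is it still valid? The script below is an added example for this handout, not SWITCH's or the Shibboleth project's code. It parses a SAML metadata aggregate, looks an entityID up, reports which registrar published it (mdrpi:RegistrationInfo, the way to see which federation an interfederated entity comes from) and whether the aggregate has expired. It does not verify the XML signature; the IdP and SP do that with the configured trust anchor. The aggregate, its Name, the entityIDs and the registrationAuthority values are constructed samples.

```python
# Added example for this handout (not SWITCH's or the Shibboleth project's
# code): a quick check of a SAML metadata aggregate, the kind of file an SP or
# IdP loads as interfederation metadata. It answers the questions behind the
# failures above: is the peer's entityID in the aggregate at all, which
# registrar (mdrpi:RegistrationInfo) published it, and has the aggregate
# expired? The XML signature is NOT verified here; the IdP/SP do that with
# the configured trust anchor. The aggregate below is a constructed sample
# (Name, entityIDs and registrationAuthority values are assumptions).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    Name="urn:mace:switch.ch:SWITCHaai:interfederation"
    validUntil="2015-06-18T00:00:00Z">
  <md:EntityDescriptor entityID="https://aai-login.example.org/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://rr.aai.switch.ch/"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_valid_until(value):
    """validUntil is an xsd:dateTime in UTC; fractional seconds are dropped if present."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_aggregate(xml_text):
    """Return (validUntil or None, {entityID: {'roles': [...], 'registrar': ...}})."""
    root = ET.fromstring(xml_text)
    entities = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        roles = [r for r in ("IDPSSODescriptor", "SPSSODescriptor")
                 if ed.find("md:" + r, NS) is not None]
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        entities[ed.get("entityID")] = {
            "roles": roles,
            "registrar": reg.get("registrationAuthority") if reg is not None else None,
        }
    valid_until = root.get("validUntil")
    return (parse_valid_until(valid_until) if valid_until else None), entities


def check_entity(xml_text, entity_id, now=None):
    """List the problems that would make this entity unusable from this aggregate."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_valid_until(now)
    valid_until, entities = parse_aggregate(xml_text)
    problems = []
    if valid_until is not None and valid_until <= now:
        problems.append("aggregate expired at %s" % valid_until.isoformat())
    info = entities.get(entity_id)
    if info is None:
        problems.append("entityID not in aggregate: %s" % entity_id)
    elif info["registrar"] is None:
        problems.append("no mdrpi:RegistrationInfo: cannot tell which federation registered it")
    return problems, info


if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth", "https://unknown.example.org/shibboleth"):
        print(eid, check_entity(SAMPLE_AGGREGATE, eid, now="2015-06-11T00:00:00Z"))
```

Run it against the file your IdP loads (e.g. the interfederation SP metadata under /opt/shibboleth-idp/metadata) with the SP's entityID, or ask the SP operator to run it against their IdP aggregate with your entityID; a missing entry on either side explains the error message above.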
Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that the attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed but not encrypted SAML assertions, so that problem had not been discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search for it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
File Editing Commands for Terminal Editor

Action              nano                   vim
Open file           $ nano <file>          $ vim <file>
Save file           <ctrl>-o               <esc> :w
Save and exit       <ctrl>-x               <esc> :wq
Search string       <ctrl>-w string        <esc> /string
Go to line number   <ctrl>-- number        <esc> :number (or number<shift>-G)

gedit is the recommended text editor. It is started as root user; its icon is in the launch bar on the left side of the desktop.
Tips and Tricks for Hands-On Session

• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user. This happens automatically if a Terminal is opened or if the text editor is used
• The character \ is the line-break symbol, which allows breaking a long command over several lines when typed
• Watch out for invalid XML / configuration errors. Consult the Debugging handout for hints to resolve problems
More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org
Test Users on your Identity Provider

Username  Password   UniqueID             Given name / surname  Affiliation       Entitlements
student1  password1  2490257@example.org  Test1 Student         student, member   urn:mace:dir:entitlement:common-lib-terms
student2  password2  8548997@example.org  Test2 Student         student, member   urn:mace:dir:entitlement:common-lib-terms
staff3    password3  7622788@example.org  Test3 Staff           staff, member     urn:mace:dir:entitlement:common-lib-terms
Important directories

/opt/shibboleth-idp              Identity Provider installation directory
/opt/shibboleth-idp/conf         Configuration files
/opt/shibboleth-idp/logs         Log files like idp-process.log
/opt/shibboleth-idp/credentials  X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp  Changes for the web application that survive upgrades
Configuration Pattern: Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• The configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• A wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/ldap.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
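The bean above only gets its real values at startup, when Spring substitutes the %{key} and %{key:default} placeholders from the properties files. The script below is an added example for this handout, not SWITCH's or the Shibboleth project's code: it reads properties files the way the IdP does (key = value, # comments), expands the placeholders of the connectionConfig bean so the effective values can be checked before the IdP is started, and flags secrets that ended up outside credentials.properties. The two properties texts are constructed samples; that a later file overrides an earlier one is an assumption to check against idp.additionalProperties in idp.properties.

```python
# Added example for this handout (not SWITCH's or the Shibboleth project's
# code): resolve the %{key} and %{key:default} placeholders the IdP v3 uses in
# its Spring XML against the properties files it loads, so the effective
# values of a bean such as connectionConfig above can be inspected before the
# IdP is started. It also flags secrets that ended up outside
# credentials.properties. The properties texts are constructed samples;
# merge order (later file wins) is an assumption to be checked against
# idp.additionalProperties in idp.properties.
import re

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
SECRET_HINTS = ("credential", "password", "salt", "secret")


def parse_properties(text):
    """Minimal java.util.Properties reader: 'key = value', # or ! comments, \\ continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def merge_properties(*texts):
    """Later files override earlier ones (assumption, see above)."""
    merged = {}
    for text in texts:
        merged.update(parse_properties(text))
    return merged


def resolve(template, props, _depth=0):
    """Expand placeholders; a property value may itself contain placeholders."""
    if _depth > 10:
        raise RecursionError("placeholder nesting too deep: " + template)

    def expand(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return resolve(props[key], props, _depth + 1)
        if default is not None:
            return default
        raise KeyError("unresolved property without default: " + key)

    return PLACEHOLDER.sub(expand, template)


def effective_bean(props, attributes):
    """{p:attribute: placeholder} -> {p:attribute: effective value}."""
    return {name: resolve(tpl, props) for name, tpl in attributes.items()}


def misplaced_secrets(files):
    """Keys that look like secrets but live in a file other than credentials.properties."""
    found = []
    for name, text in files.items():
        if name == "credentials.properties":
            continue
        for key in parse_properties(text):
            if any(hint in key.lower() for hint in SECRET_HINTS):
                found.append((name, key))
    return found


# The p: attributes of the connectionConfig bean shown above.
CONNECTION_CONFIG = {
    "ldapUrl": "%{idp.authn.LDAP.ldapURL}",
    "useStartTLS": "%{idp.authn.LDAP.useStartTLS:true}",
    "useSSL": "%{idp.authn.LDAP.useSSL:false}",
    "connectTimeout": "%{idp.authn.LDAP.connectTimeout:3000}",
}

# Constructed sample files (the last line re-uses the authn URL for the resolver).
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
"""
CREDENTIALS_PROPERTIES = """\
idp.authn.LDAP.bindDNCredential = secret
"""

if __name__ == "__main__":
    props = merge_properties(LDAP_PROPERTIES, CREDENTIALS_PROPERTIES)
    print(effective_bean(props, CONNECTION_CONFIG))
    print(misplaced_secrets({"ldap.properties": LDAP_PROPERTIES,
                             "credentials.properties": CREDENTIALS_PROPERTIES}))
```

A placeholder without a default that has no property behind it is a startup failure of the IdP; catching that with the KeyError here is cheaper than reading the stack trace in idp-process.log.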
References
For comprehensive information refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication: How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    · Username/password login form
    · Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    · Username/password login form
    · Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development
Login Flows

[Figure: a SAML Request arrives at the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X.509 or Password Authentication Flow), executes it and returns the SAML Response]

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required, but the client must support ECP appropriately
Authentication Configuration
• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular expression (i.e. the order doesn't matter):
  idp.authn.flows = Password
  idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted: with simple binds, the IdP's service password and every user's password then cross the network in clear text
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input ({user})
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration. Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};

PS: A common and equivalent alternative to userField is userFilter:
    userField="uid"   corresponds to   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/credentials.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
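The migration above is mechanical enough to script, and scripting it is the safest way to make sure the bind password really ends up in credentials.properties only. The converter below is an added example for this handout, not SWITCH's or the Shibboleth project's code: it reads the LdapLoginModule options of a v2 login.config entry, maps them to the v3 keys used in the solution above, turns userField/userFilter into the (uid={user}) form, derives useSSL/useStartTLS from the URL scheme, and reports any JAAS option it has no mapping for instead of dropping it silently. The login.config text is a constructed sample and the key mapping is an assumption that covers only the options on the slide.

```python
# Added example for this handout (not SWITCH's or the Shibboleth project's
# code): mechanical migration of an IdP v2 login.config LdapLoginModule entry
# into the IdP v3 ldap.properties / credentials.properties split of Hands-on 2.
# The bind password is routed to credentials.properties only, the userField /
# userFilter option becomes the v3 (uid={user}) filter, and any JAAS option
# without a mapping here is reported instead of silently dropped. The
# login.config text below is a constructed sample; the key mapping covers the
# options used on the slide above (assumption: nothing else is needed).
import re

OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

KEY_MAP = {                       # v2 JAAS option -> v3 property
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}
SECRET_MAP = {"bindCredential": "idp.authn.LDAP.bindDNCredential"}


def parse_login_config(text, entry="ShibUserPassAuth"):
    """Options of the named JAAS entry, which must use the vt-ldap LdapLoginModule."""
    m = re.search(re.escape(entry) + r"\s*\{(.*?)\};", text, re.S)
    if not m:
        raise ValueError("JAAS entry not found: " + entry)
    body = m.group(1)
    if "LdapLoginModule" not in body:
        raise ValueError("entry %s is not an LdapLoginModule" % entry)
    return dict(OPTION.findall(body))


def user_filter(options):
    """v2 userField="uid" or userFilter="uid={0}" -> v3 idp.authn.LDAP.userFilter."""
    if "userFilter" in options:
        f = options["userFilter"].strip()
        if f.startswith("(") and f.endswith(")"):
            f = f[1:-1]
        return "(" + f.replace("{0}", "{user}") + ")"
    return "(" + options.get("userField", "uid") + "={user})"


def convert(login_config_text):
    """Return (ldap.properties dict, credentials.properties dict, unmapped options)."""
    options = parse_login_config(login_config_text)
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds, unmapped = {}, []
    for key, value in options.items():
        if key in KEY_MAP:
            ldap[KEY_MAP[key]] = value
        elif key in SECRET_MAP:
            creds[SECRET_MAP[key]] = value      # never into ldap.properties
        elif key not in ("userField", "userFilter"):
            unmapped.append(key)
    ldap["idp.authn.LDAP.userFilter"] = user_filter(options)
    # ldaps:// means TLS from the start (useSSL); for plain ldap:// insist on
    # StartTLS, otherwise bind and user passwords cross the wire in clear text.
    ldaps = ldap.get("idp.authn.LDAP.ldapURL", "").startswith("ldaps://")
    ldap["idp.authn.LDAP.useSSL"] = "true" if ldaps else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if ldaps else "true"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    return ldap, creds, unmapped


def render(props):
    """Properties-file text, one 'key = value' per line."""
    return "".join("%s = %s\n" % kv for kv in props.items())


# Constructed sample of a v2 login.config entry.
SAMPLE_LOGIN_CONFIG = """\
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
"""

if __name__ == "__main__":
    ldap, creds, unmapped = convert(SAMPLE_LOGIN_CONFIG)
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties\n" + render(creds))
    print("unmapped options:", unmapped)
```

Anything listed as unmapped (e.g. options of other JAAS modules) needs a manual decision: either a v3 property documented on the Shibboleth wiki, or keeping JAAS authentication as described under Advanced Topics.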
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and the business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used ones (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.serviceName)
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

The $rpUIContext values come from the relying party's metadata, i.e. from a third party: always pass them through $encoder.encodeForHTML() as above before they land in the page, otherwise an SP's display name or description could inject markup into your login page.
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I
• Define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• Use the class in login.vm:
  <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
• Mapping both error classes to the same message also stops the login form from telling an attacker which usernames exist.
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• There is no warning for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files
• Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• The configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>
    shibboleth.PostgreSQLDataSource
  </dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213 (take the exact OID from the Resource Registry)
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• The IdP API for scripts has changed
  – the output attribute variable is already created
  – setValues() has been removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://aai-login.example.org/idp/shibboleth" SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
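The derivation described above, worked through as an added example (not code from the handout or from Shibboleth): computing a persistent ID from SP entity ID, source attribute value and salt, rendering it the way the SP exposes it, and checking the pairwise property. The "!" separator between the three inputs is an assumption taken from the Shibboleth computed-ID data connector; all entity IDs, attribute values and the salt are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values (not from the handout).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"   # stands in for swissEduPersonUniqueID
SALT = "constructed-salt-carried-over-from-v2"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over "<SP entityID>!<source value>!<salt>", Base64 encoded.

    The "!" separator is an assumption borrowed from the Shibboleth computed-ID
    data connector; the handout only says "entity ID plus attribute plus salt".
    SHA-1 yields 20 bytes, so the Base64 form is always 28 characters.
    """
    material = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def parse_sp_rendering(rendered: str) -> tuple[str, str, str]:
    """Split the SP string back into (IdP entityID, SP entityID, persistent ID).

    Base64 never contains "!" and entity IDs are URIs without it, so two
    splits from the left are unambiguous.
    """
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


def is_well_formed(persistent_id: str) -> bool:
    """True if the value is strict Base64 of exactly 20 bytes (one SHA-1 digest)."""
    try:
        return len(base64.b64decode(persistent_id, validate=True)) == 20
    except ValueError:   # binascii.Error is a ValueError subclass
        return False


def pairwise_check(source_value: str, salt: str, sp_entity_ids: list[str]) -> bool:
    """A persistent ID is targeted: the same user must get a distinct ID per SP."""
    ids = {computed_persistent_id(sp, source_value, salt) for sp in sp_entity_ids}
    return len(ids) == len(sp_entity_ids)


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print(sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    # A salt that is not carried over from v2 yields unrelated IDs for every user,
    # which is why the handout insists on reusing the v2 idp.persistentId.salt.
    print(pid == computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, "some-other-salt"))
```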
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except: attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="ShibbolethSSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
[screenshot: sections 1, 2 to review; section 3 to adapt]

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
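The same check as a small script, added here as an example (not part of the handout and not Shibboleth's own tooling): it reports the last use of each binding and lists those not seen within the last few months as removal candidates. The log line format and the reference date are constructed for the example; a real idp-process.log will need the regular expression adjusted to its actual layout.

```python
import re
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Binding URNs: the two SAML1/SimpleSign removal candidates from the slide,
# plus SAML2 HTTP-POST, which is still in use in the sample.
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed "today" for the sample run (not a real clock).
REFERENCE_DATE = datetime(2015, 6, 11)

# Constructed sample log lines. The layout (timestamp, level, SP entity ID,
# binding URN) is invented for this example and is not real idp-process.log output.
SAMPLE_LOG = """\
2015-01-20 10:02:11,412 - INFO - Inbound message from https://legacy.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-03-02 08:11:02,113 - INFO - Inbound message from https://sp1.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-06-01 09:30:12,001 - DEBUG - Something unrelated that mentions no binding
2015-06-03 16:45:09,777 - INFO - Inbound message from https://sp2.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
"""

# Timestamp at line start, then the requester and the binding URN.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}.*?"
    r"from (?P<sp>https?://\S+) via (?P<binding>urn:oasis:names:tc:SAML:\S+)"
)


def last_use(lines, binding: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, SP entityID) of the most recent use of a binding, or None."""
    latest = None
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or m.group("binding") != binding:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if latest is None or ts > latest[0]:
            latest = (ts, m.group("sp"))
    return latest


def removal_candidates(lines, bindings, now: datetime, months: int = 3):
    """Bindings with no use within the last `months` (approximated as 30-day months).

    A binding that never appears in the log is a candidate as well.
    """
    cutoff = now - timedelta(days=30 * months)
    candidates = []
    for binding in bindings:
        use = last_use(lines, binding)
        if use is None or use[0] < cutoff:
            candidates.append(binding)
    return candidates


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for b in (SAML1_SOAP, SAML2_SIMPLESIGN, SAML2_POST):
        print(b, "->", last_use(lines, b))
    print("remove:", removal_candidates(lines, [SAML1_SOAP, SAML2_SIMPLESIGN, SAML2_POST], REFERENCE_DATE))
```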
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment
[slides 5 and 6: diagrams of the example environment]
Options: full-featured setup
Load Balancing Hardware vs DNS Round Robin
• Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions

Options: basic setup (Active/Standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but setup is easy
Options: data storage, client-side vs server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[map: production and pilot federations; source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

[figure: Metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
[figure: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[figure]

Attribute Release Settings (1)
[screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[screenshot]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method GET or POST)
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation: Logback, the Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP; the polling interval is the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log (WARN and ERROR messages only)
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  – LDAP auth module or authentication events
  – a new Logger or Appender …
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

Note: by default the SMTPAppender only sends a mail when an ERROR event arrives, but that mail also carries the buffered events preceding the error, which can include user names and request details. Point smtpHost at a trusted relay (here localhost) rather than sending such mail across the Internet in clear text.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it can only be achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); keep it that tight, since anyone who can call these flows can make the IdP re-read its configuration and metadata at will
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified … requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (the attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course … but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – The SP does not load the interfederation metadata
  – The SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    – If YES: the SP has to find out why it fails
    – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so the problem was not discovered earlier.
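A small checker for the procedure above (read idp-audit.log, see which attributes were actually released to a given SP for a given user, compare with what the Resource Registry says the SP requires) that also picks out the reload entries shown under the reloading exercises, where the audit line carries only the profile URI and no id= argument. This is an added example, not code from the handout or from the Shibboleth project. The pipe-separated field positions, the SP entityIDs and the log lines themselves are constructed for illustration; compare the layout with the idp.audit.format entries in your conf/audit.xml before running it on real logs.

```python
"""Check what an IdP v3 released to an SP by reading idp-audit.log.

Added example for this handout; not code from SWITCH or the Shibboleth project.
Assumed field layout (pipe-separated, matching the reload entries on the slides):
field 1 timestamp, 4 SP entityID, 5 profile URI, 6 principal, 7 client address,
8 comma-separated IDs of the attributes released after filtering. Verify the
layout against conf/audit.xml on your own IdP before relying on it.
"""
from collections import namedtuple

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed sample lines, not captured from a real IdP.
SAMPLE_LOG = """\
20150611T091502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1b2|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|student1|192.0.2.10|eduPersonPrincipalName,mail,givenName,surname|_c3d4|_e5f6|||
20150611T091730Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1b3|https://sp.other.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|student2|192.0.2.11||_c3d5|_e5f7|||
20150611T092001Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""

Record = namedtuple("Record", "timestamp sp profile principal client attributes")
# 0-based positions of the assumed fields
F_TIME, F_SP, F_PROFILE, F_PRINCIPAL, F_CLIENT, F_ATTRS = 0, 3, 4, 5, 6, 7


def parse_audit(text):
    """Parse audit lines into Record tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        fields += [""] * (F_ATTRS + 1 - len(fields))      # tolerate short lines
        attrs = [a for a in fields[F_ATTRS].split(",") if a]
        records.append(Record(fields[F_TIME], fields[F_SP], fields[F_PROFILE],
                              fields[F_PRINCIPAL], fields[F_CLIENT], attrs))
    return records


def released_to(records, sp_entity_id, principal):
    """Attribute IDs released to one SP for one user across all SSO events."""
    released = set()
    for r in records:
        if r.profile == SSO_PROFILE and r.sp == sp_entity_id and r.principal == principal:
            released.update(r.attributes)
    return released


def missing_attributes(records, sp_entity_id, principal, required):
    """Attributes the SP requires (per the Resource Registry) that it never received."""
    return set(required) - released_to(records, sp_entity_id, principal)


def reload_events(records):
    """(timestamp, what) for admin reload flows; they log with empty SP and user."""
    return [(r.timestamp, r.profile[len(RELOAD_PREFIX):])
            for r in records if r.profile.startswith(RELOAD_PREFIX)]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    sp = "https://sp.example.org/shibboleth-sp"
    print("released:", sorted(released_to(recs, sp, "student1")))
    print("missing:", missing_attributes(recs, sp, "student1",
                                         ["eduPersonPrincipalName", "mail", "displayName"]))
    print("reloads:", reload_events(recs))
```

An empty result from released_to points at the IdP's filter policy (the "If NO" branch above); a non-empty result with nothing missing means the SP side has to look into it. The reload records, as the slide notes, identify the flow but not the bean ID that was passed.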
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck (provide e-mail addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser); this should not be necessary but is safer for testing
• SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1 (the password is "password"); useful for $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks: in your web browser, open https://aai-login.example.org
Test Users on your Identity Provider

Username: student1   Password: password1
UniqueID: 2490257@example.org   Given name / surname: Test1 Student
Affiliation: student, member   Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: student2   Password: password2
UniqueID: 8548997@example.org   Given name / surname: Test2 Student
Affiliation: student, member   Entitlements: urn:mace:dir:entitlement:common-lib-terms

Username: staff3   Password: password3
UniqueID: 7622788@example.org   Given name / surname: Test3 Staff
Affiliation: staff, member   Entitlements: urn:mace:dir:entitlement:common-lib-terms
Page 8
Important directories
/opt/shibboleth-idp: Identity Provider installation directory
/opt/shibboleth-idp/conf: configuration files
/opt/shibboleth-idp/logs: log files like idp-process.log
/opt/shibboleth-idp/credentials: X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades
Page 9
Configuration Pattern: Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 10
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• The configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with a few exceptions
• A wonderfully flexible way to configure components, but quite complicated for deployers
Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Page 11
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/ldap.properties

## LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Page 12
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 13
References
For comprehensive information refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
Page 14
User Authentication: How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    – Username/password login form
    – Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extensions (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    – Username/password login form
    – Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development
Page 15
Login Flows

[Diagram: SAML Request → Shibboleth IdP authentication engine (selects a suitable flow and executes it) → RemoteUser, X.509 or Password Authentication Flow → SAML Response]
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow; no special configuration is required, but the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular expression (i.e. the order doesn't matter):
  idp.authn.flows = Password
  idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately, for security reasons: the bind password then lives in one small file that can be kept out of version control and readable by the IdP user only: /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties
[…]
idp.authn.LDAP.bindDNCredential = secret
[…]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted, and the user's password travels to the LDAP server in clear text with the bind
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Page 18
Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input ({user})
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Page 19
Hands-on 1: Explore the configuration. Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
  – Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Page 20
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: a common and equivalent alternative to userField is userFilter:
userField="uid"  is the same as  userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[…]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[…]

File /opt/shibboleth-idp/conf/credentials.properties:
[…]
idp.authn.LDAP.bindDNCredential = secret
[…]
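The migration of Hands-on 2, together with the transport checks that follow from the useStartTLS/useSSL descriptions earlier in this section, done as a script: it turns the v2 LdapLoginModule options into the v3 ldap.properties keys, keeps the bind password out of that file and in credentials.properties, and flags an ldap:// URL without StartTLS. This is an added example, not code from the handout or from the Shibboleth project. The login.config text is constructed from the slide, the v3 property names are the ones on the solution slide, and the function names and finding texts are this example's own.

```python
"""Migrate a v2 JAAS LdapLoginModule entry to v3 ldap.properties and
credentials.properties, then lint the result for transport security.

Added example for this handout; not code from SWITCH or the Shibboleth project.
It handles only the LdapLoginModule options shown on the slide (ldapUrl, baseDn,
bindDn, bindCredential, userField/userFilter, subtreeSearch).
"""
import re

# Constructed sample login.config entry (same values as the v2 slide).
SAMPLE_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

# v2 option -> v3 property; the credential is deliberately not in this map
JAAS_TO_V3 = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}


def parse_jaas_options(text):
    """Return the key="value" options of a LoginModule entry as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def migrate(jaas_text):
    """Return (ldap_properties, credentials_properties) dicts for IdP v3."""
    opts = parse_jaas_options(jaas_text)
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
            "idp.authn.LDAP.sslConfig": "jvmTrust"}
    for old, new in JAAS_TO_V3.items():
        if old in opts:
            ldap[new] = opts[old]
    # userField=uid and userFilter=uid={0} both become a v3 filter using {user}
    if "userFilter" in opts:
        flt = opts["userFilter"].replace("{0}", "{user}")
        ldap["idp.authn.LDAP.userFilter"] = flt if flt.startswith("(") else "(%s)" % flt
    elif "userField" in opts:
        ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % opts["userField"]
    # Derive the TLS switches from the URL scheme: ldaps:// -> useSSL,
    # ldap:// -> StartTLS, so the migrated config never talks plaintext LDAP.
    urls = ldap.get("idp.authn.LDAP.ldapURL", "").split()
    all_ldaps = bool(urls) and all(u.startswith("ldaps://") for u in urls)
    ldap["idp.authn.LDAP.useSSL"] = "true" if all_ldaps else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if all_ldaps else "true"
    creds = {}
    if "bindCredential" in opts:   # the only secret: it goes to credentials.properties
        creds["idp.authn.LDAP.bindDNCredential"] = opts["bindCredential"]
    return ldap, creds


def check_transport(ldap):
    """Findings a reviewer would raise on an ldap.properties dict."""
    findings = []
    for url in ldap.get("idp.authn.LDAP.ldapURL", "").split():
        if url.startswith("ldap://") and ldap.get("idp.authn.LDAP.useStartTLS") != "true":
            findings.append("%s: passwords would cross the wire in clear, set useStartTLS=true" % url)
        if url.startswith("ldaps://") and ldap.get("idp.authn.LDAP.useSSL") != "true":
            findings.append("%s: ldaps URL but useSSL is not true" % url)
    if "idp.authn.LDAP.bindDNCredential" in ldap:
        findings.append("bind password belongs in credentials.properties, not ldap.properties")
    return findings


def render(props):
    """Serialise a dict as key = value lines, sorted for stable diffs."""
    return "".join("%s = %s\n" % item for item in sorted(props.items()))


if __name__ == "__main__":
    ldap_props, cred_props = migrate(SAMPLE_LOGIN_CONFIG)
    print("# ldap.properties\n" + render(ldap_props))
    print("# credentials.properties\n" + render(cred_props))
    for finding in check_transport(ldap_props):
        print("WARNING:", finding)
```

Run check_transport on an existing ldap.properties (parsed into a dict) as well: a deployment that copied an ldap:// URL from v2 and left useStartTLS at false is exactly the case the property descriptions above warn about.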
Page 21
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Page 22
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Page 23
Page 24
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat
Page 25
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
Page 26
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?
authn-messages.properties (continued)
In /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Note that with these defaults the login form tells an attacker whether a guessed username exists (distinct texts for UnknownUsername and InvalidPassword); Hands On II below maps both to one message.
Page 27
Velocity properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>
Page 28
Velocity
• The Apache Velocity Engine is a free open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives beg with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Page 29
Some Velocity properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity properties
#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Keep the $encoder.encodeForHTML() call: the service name and the other $rpUIContext values come from SP metadata, so writing them into the page unescaped would let whoever controls that metadata inject markup into your login page.
Page 30
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."
Page 31
Hands On III
• Start to adapt login.vm in such a way that it looks like your production IdP
Example Solution I
• Define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• Use the class in login.vm:
  <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Mapping both error classes to the same message also stops the login form from confirming which usernames exist, which separate "unknown username" and "wrong password" texts would reveal to anyone probing the form.
Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning is given for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in Resource Registry too.
Page 38
Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter" />
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlementgroups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
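The computation described on this slide, as an added example that is not part of the handout and not the IdP's own code: it derives a persistent ID from SP entity ID, user attribute value and salt, renders it as the NameID element and as the SP's qualified string, and checks that two different SPs get unrelated values (the pair-wise property). All entity IDs, the salt and the source attribute value are constructed; the "!" separators between the hashed parts are an assumption taken from the IdP's computed-ID construction, so verify the exact bytes against your own deployment before comparing values with a shibpid table.

```python
import base64
import hashlib

# Constructed sample values for this example (not from a real deployment).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SALT = "constructed-salt-change-me"      # the IdP reads this from idp.persistentId.salt
SOURCE_VALUE = "123456@example.org"       # value of the idp.persistentId.sourceAttribute

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Persistent ID proper: SHA-1 over SP entity ID, user attribute value and
    salt, Base64 encoded (20 bytes -> 28 characters, ending in '=').
    The '!' separators are an assumption modelled on the IdP's computed-ID
    data connector; the slide itself only states the three inputs."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def is_well_formed_persistent_id(persistent_id: str) -> bool:
    """Sanity check for values found in a shibpid dump: Base64 of exactly 20 bytes."""
    try:
        return len(base64.b64decode(persistent_id, validate=True)) == 20
    except (ValueError, TypeError):
        return False


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The NameID as it appears on the wire inside a SAML 2 assertion."""
    return (f'<NameID Format="{PERSISTENT_FORMAT}" '
            f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
            f'{persistent_id}</NameID>')


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The Shibboleth SP exposes the qualified value as IdP!SP!id, so the same
    string never collides across IdPs or SPs even if the hash part did."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("same user, other SP:", computed_persistent_id(OTHER_SP_ENTITY_ID, SOURCE_VALUE, SALT))
```

Because the salt enters the hash, a lost or changed salt silently produces new identifiers for every user at every SP; this is why the slides insist on carrying idp.persistentId.salt over from the v2 configuration.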
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO"
                    p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration
Per attribute behaviour:
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration
Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
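A model of the white list, black list and pattern rules from the previous two slides, written as an added example for this handout (it is not the IdP's intercept code): given the attribute IDs resolved for a request it returns the ones the consent page would prompt for, in the 3.2.0 display order. The decision rules are read off the slide text and are an assumption of this model; the default black list is the one listed on the slide and the attribute names are constructed.

```python
import re
from typing import Iterable, List, Optional

# Defaults as stated on the slide: empty white list, this black list, no pattern.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(attribute_ids: Iterable[str],
                         whitelist: Iterable[str] = (),
                         blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Return the attributes the consent page prompts for, in display order.

    Rules (assumption, modelled on the handout's description):
    - black-listed attributes are never prompted for (released silently);
    - with an empty white list and no pattern, every other attribute is prompted for;
    - once a white list or a pattern is configured, only attributes matched by
      one of them are prompted for, the rest are released without asking.
    Order: white-listed attributes first (white-list order), then the remaining
    ones alphabetically, as announced for version 3.2.0.
    """
    whitelist = list(whitelist)
    blacklist = set(blacklist)
    regex = re.compile(pattern) if pattern else None

    candidates = [a for a in attribute_ids if a not in blacklist]
    if whitelist or regex:
        candidates = [a for a in candidates
                      if a in whitelist or (regex is not None and regex.search(a))]

    first = [a for a in whitelist if a in candidates]
    rest = sorted(a for a in candidates if a not in first)
    return first + rest


def silently_released(attribute_ids: Iterable[str], **config) -> List[str]:
    """Complement of attributes_to_prompt: what the user will not see on the
    consent page. Useful for reviewing a configuration before enabling it."""
    attribute_ids = list(attribute_ids)
    prompted = set(attributes_to_prompt(attribute_ids, **config))
    return sorted(a for a in attribute_ids if a not in prompted)


if __name__ == "__main__":
    sample = ["uid", "mail", "eduPersonTargetedID", "displayName", "persistentId"]
    print(attributes_to_prompt(sample))
    print(attributes_to_prompt(sample, whitelist=["uid", "mail"], pattern="^.*$"))
    print(silently_released(sample, whitelist=["mail"]))
```

The second function makes the white-list pitfall visible: a white list that is filled but incomplete does not restrict release, it only restricts what the user is asked about, so review silently_released() before trusting a new list.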
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>
Hands-on solution
• Add text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                    Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                    Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                        c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
Page 58
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description
Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.
Page 63
IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
[Figure: Home Organisation Description in the Resource Registry; 1, 2: to review; 3: to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: Add new IP ranges and Domain Hints
• 5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: Use same IP and same Port (443) for Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (SP still checks IdP webserver certificate against IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
    https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/...
to
    https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
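The grep on this slide answers "was it used at all"; the following added example (not part of the handout, not an IdP tool) turns the same check into a per-binding summary: how often a binding URN appears, when it was last used, and by which requesters, plus a helper that applies the slide's "not used within the last few months" rule. The log lines are constructed for this example and their layout (timestamp, level, a message carrying the binding URN and a requester= field) is an assumption, not the exact idp-process.log format, so adapt LINE_RE to the message pattern your IdP actually logs.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Binding URNs named on the slides (real identifiers from the SAML specifications).
SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample log excerpt (assumed layout, see lead-in).
SAMPLE_LOG = """\
2015-03-02 09:14:05,101 - INFO [net.shibboleth.idp.profile] - Inbound message binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect requester=https://sp-a.example.org/shibboleth
2015-04-17 16:02:44,873 - INFO [net.shibboleth.idp.profile] - Inbound message binding: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding requester=https://legacy.example.org/shibboleth
2015-05-30 11:47:12,009 - INFO [net.shibboleth.idp.profile] - Inbound message binding: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding requester=https://legacy.example.org/shibboleth
2015-06-10 08:30:59,555 - INFO [net.shibboleth.idp.profile] - Inbound message binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST requester=https://sp-b.example.org/shibboleth
"""

# Timestamp at line start and the requester entity ID somewhere in the message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?requester=(\S+)")


def binding_usage(log_text: str, binding: str) -> Dict[str, object]:
    """Count lines mentioning `binding`, remember the latest timestamp and the
    set of requesters, so the owner of each endpoint can be contacted before
    the endpoint is removed from the Resource Registry."""
    count = 0
    last: Optional[datetime] = None
    requesters: set = set()
    for line in log_text.splitlines():
        if binding not in line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue  # unparsable line; count only well-formed records
        count += 1
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        if last is None or stamp > last:
            last = stamp
        requesters.add(match.group(2))
    return {
        "count": count,
        "last_used": last.isoformat() if last else None,
        "requesters": sorted(requesters),
    }


def removal_candidate(log_text: str, binding: str, reference_date: str,
                      months: int = 3) -> bool:
    """True when the binding was not used within `months` months before
    `reference_date` (YYYY-MM-DD). A month is approximated as 30 days."""
    usage = binding_usage(log_text, binding)
    if usage["last_used"] is None:
        return True
    reference = datetime.strptime(reference_date, "%Y-%m-%d")
    last = datetime.fromisoformat(usage["last_used"])
    return reference - last > timedelta(days=30 * months)


if __name__ == "__main__":
    for binding in (SAML1_SOAP_BINDING, SAML2_SIMPLESIGN_BINDING):
        print(binding, binding_usage(SAMPLE_LOG, binding),
              "remove?", removal_candidate(SAMPLE_LOG, binding, "2015-06-11"))
```

Run it against the concatenation of all rolled idp-process logs for the review window; an empty requester list for a binding is exactly the evidence the slide asks for before deleting the endpoint.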
Page 68
Clustering IdPs
High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Page 70
Example Environment
[Figure: example clustered IdP environment, two slides of diagrams]
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry
Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option
What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                Defined in   Example
    displayName                  eduPerson    Peter Sample
    common name (cn)             eduPerson    Peter Sample
    mail                         eduPerson    peter.sample@example.org
    eduPersonAffiliation         eduPerson    staff
    eduPersonScopedAffiliation   eduPerson    staff@example.org
    eduPersonPrincipalName       eduPerson    234cd8z239@example.org
    schacHomeOrganization        SCHAC        example.org
    schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata
(Diagram: entity category as an entity attribute inside the entity's metadata.)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale
Goal: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment.
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison
REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
Page 87
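How an IdP operator can read the two entity categories above out of SP metadata and turn them into a release decision, as an added example (not code from the SWITCH handouts or the Shibboleth project). It assumes the standard entity-attribute name http://macedir.org/entity-category and the REFEDS R&S category URI http://refeds.org/category/research-and-scholarship, neither of which is printed on the slides; the CoCo URI is the one cited above. The metadata aggregate is constructed for the example.

```python
"""Entity-category inspection of SAML metadata (added example, see lead-in)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"          # assumed standard name
RS = "http://refeds.org/category/research-and-scholarship"      # assumed R&S URI
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # from the slides

# Minimal R&S subset as listed on the slide.
RS_BUNDLE = ["eduPersonPrincipalName", "mail", "displayName or givenName+sn"]

# Constructed aggregate: sp1 is R&S + CoCo, sp2 is CoCo only, sp3 carries no category.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:PrivacyStatementURL xml:lang="en">https://sp1.example.org/privacy</mdui:PrivacyStatementURL>
        </mdui:UIInfo>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(entity):
    """Set of entity-category URIs declared on one EntityDescriptor."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def release_plan(metadata_xml):
    """For every SP: its categories, the attribute bundle the categories justify,
    and warnings a federation operator would want to see."""
    root = ET.fromstring(metadata_xml)
    plan = {}
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # IdPs may carry categories too, but release decisions concern SPs
        cats = entity_categories(entity)
        entry = {"categories": sorted(cats), "release": [], "warnings": []}
        if RS in cats:
            entry["release"] = list(RS_BUNDLE)  # R&S: fixed attribute set (see comparison table)
        if COCO in cats:
            # CoCo obliges the SP to publish a privacy policy; in metadata it travels as mdui:PrivacyStatementURL.
            path = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL"
            if entity.find(path, NS) is None:
                entry["warnings"].append("CoCo category without mdui:PrivacyStatementURL")
        plan[entity.get("entityID")] = entry
    return plan


if __name__ == "__main__":
    for entity_id, entry in release_plan(SAMPLE_METADATA).items():
        print(entity_id, entry)
```

An SP that is CoCo-tagged but publishes no privacy statement is worth a question to its federation before any attribute beyond the R&S bundle is released to it.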
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log. LogLevel is set in /etc/apache2/apache2.conf (default "warn").
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2. The configuration is defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7. Config in /etc/tomcat7/logging.properties:
  FileHandler.level = INFO   (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...). Default logging location: /var/log/tomcat7. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation: Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, i.e. for
  – LDAP auth module or authentication events
  – a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml
<!-- SMTPAppender mails a buffer of recent events; by default it is triggered by an ERROR event. -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
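The triage of Hands On 1 in code: pull the class names Tomcat could not load out of catalina.out and match them against the Listener entries in server.xml. This is an added example, not part of the SWITCH handouts; the log excerpt and the server.xml fragment are constructed to mirror the exercise (a real catalina.out carries a longer stack trace).

```python
"""Tomcat startup triage: ClassNotFoundException in catalina.out vs. server.xml listeners."""
import re
import xml.etree.ElementTree as ET

# Constructed catalina.out excerpt after the wrong listener was inserted.
CATALINA_OUT = """\
Jun 11, 2015 9:02:11 AM org.apache.catalina.startup.Catalina load
WARNING: Catalina.start using conf/server.xml: java.lang.ClassNotFoundException: org.apache.catalina.filter
java.lang.ClassNotFoundException: org.apache.catalina.filter
\tat java.net.URLClassLoader$1.run(URLClassLoader.java:366)
\tat org.apache.catalina.startup.Catalina.load(Catalina.java:587)
"""

# Constructed server.xml fragment: one genuine Tomcat 7 listener, one bogus class.
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.filter" />
  <Service name="Catalina"/>
</Server>
"""

CNFE = re.compile(r"java\.lang\.ClassNotFoundException:\s*(\S+)")


def missing_classes(log_text):
    """Class names Tomcat failed to load, in order of first appearance, deduplicated."""
    seen = []
    for match in CNFE.finditer(log_text):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


def listeners(server_xml):
    """className of every <Listener> in server.xml (no namespace in this file)."""
    root = ET.fromstring(server_xml)
    return [el.get("className") for el in root.iter("Listener")]


def offending_listeners(log_text, server_xml):
    """Listener entries whose class Tomcat reported as not found: what to remove."""
    missing = set(missing_classes(log_text))
    return [cls for cls in listeners(server_xml) if cls in missing]


if __name__ == "__main__":
    print("missing:", missing_classes(CATALINA_OUT))
    print("remove from server.xml:", offending_listeners(CATALINA_OUT, SERVER_XML))
```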
Hands On 2: Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• Only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
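The grep on slide 3 and the bean-ID list above, done programmatically: read the service beans out of services-system.xml and build the reload-service URL for one of them, refusing IDs that are not reloadable services. This is an added example, not SWITCH or Shibboleth code. The XML is a constructed stand-in for /opt/shibboleth-idp/system/conf/services-system.xml (the real file has more beans and attributes); the bean IDs are the ones listed above, and the class name net.shibboleth.ext.spring.service.ReloadableSpringService is an assumption about that file.

```python
"""Reloadable IdP v3 services and their admin reload URLs (added example, see lead-in)."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

BEANS = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"

# Constructed excerpt modelled on services-system.xml; the last bean is deliberately not a service.
SERVICES_SYSTEM_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="shibboleth.LoggingService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"
        p:serviceConfigurations-ref="shibboleth.LoggingResources"/>
  <bean id="shibboleth.AttributeResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"
        p:serviceConfigurations-ref="shibboleth.AttributeResolverResources"/>
  <bean id="shibboleth.AttributeFilterService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"
        p:serviceConfigurations-ref="shibboleth.AttributeFilterResources"/>
  <bean id="shibboleth.MetadataResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"
        p:serviceConfigurations-ref="shibboleth.MetadataResolverResources"/>
  <bean id="shibboleth.VelocityEngine"
        class="org.springframework.ui.velocity.VelocityEngineFactoryBean"/>
</beans>
"""


def reloadable_services(xml_text):
    """bean id -> id of the resource list it loads, for every reloadable service bean."""
    root = ET.fromstring(xml_text)
    services = {}
    for bean in root.iter(BEANS + "bean"):
        if "Reloadable" in (bean.get("class") or ""):
            services[bean.get("id")] = bean.get(P + "serviceConfigurations-ref")
    return services


def reload_url(base_url, bean_id, services):
    """URL of the reload-service admin flow for bean_id. Unknown IDs are rejected
    here so that a typo is caught before a request reaches the IdP."""
    if bean_id not in services:
        raise ValueError(f"not a reloadable service bean: {bean_id}")
    return (f"{base_url.rstrip('/')}/idp/profile/admin/reload-service"
            f"?id={quote(bean_id, safe='')}")


if __name__ == "__main__":
    svc = reloadable_services(SERVICES_SYSTEM_XML)
    for bean_id, resources in svc.items():
        print(bean_id, "->", resources)
    print(reload_url("https://aai-login.example.org", "shibboleth.AttributeFilterService", svc))
```

The URL is what the curl call on the hands-on slide requests; since access-control.xml limits the admin flows to localhost by default, the request has to be issued on the IdP host itself.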
And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – Edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up to date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      If YES: the SP has to check out why it fails
      If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
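The audit-log check from the decision tree above, carried out in code over idp-audit.log records. This is an added example, not part of the SWITCH handouts. It assumes the field order of the default IdP v3 audit format (time, binding, request ID, relying party, profile, user, authentication context, released attribute list, further fields), which the slides do not print; the log lines are constructed, with one of the reload events from the "Reloading the Configuration" hands-on mixed in to show that it is skipped.

```python
"""Attribute-release check over idp-audit.log (added example, see lead-in)."""

# Assumed order of the leading audit fields; everything after is kept under 'rest'.
FIELDS = ["time", "binding", "request_id", "relying_party", "profile",
          "user", "authn_context", "attributes"]
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"

# Constructed records: a release to sp1, an SSO to sp2 without any attributes, one reload event.
AUDIT_LINES = """\
20150611T081230Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp1.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_a1|_m1|_s1|true|true|false|false
20150611T081245Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|bob|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_a2|_m2|_s2|true|true|false|false
20150611T081300Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
""".splitlines()


def parse_audit(lines):
    """Split pipe-delimited audit records into dicts keyed by FIELDS."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        event = dict(zip(FIELDS, parts))
        event["rest"] = parts[len(FIELDS):]
        # the attribute field is a comma-separated list; empty means nothing was released
        event["attributes"] = [a for a in event.get("attributes", "").split(",") if a]
        events.append(event)
    return events


def check_release(events, relying_party, required):
    """Decision tree from the slide. Returns (status, missing_attributes):
    'no-event'   no SSO to this SP was logged at all (look at metadata/DS first)
    'no-release' SSO happened but no attribute left the IdP: check the release policy
    'incomplete' some required attributes are missing: review the release policy
    'ok'         everything required was released: the SP side has to investigate"""
    sso = [e for e in events
           if e.get("relying_party") == relying_party and e.get("profile") == SSO_PROFILE]
    if not sso:
        return "no-event", list(required)
    released = set()
    for event in sso:
        released.update(event["attributes"])
    if not released:
        return "no-release", list(required)
    missing = [a for a in required if a not in released]
    return ("incomplete" if missing else "ok"), missing


if __name__ == "__main__":
    events = parse_audit(AUDIT_LINES)
    wanted = ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"]
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        print(sp, check_release(events, sp, wanted))
```

The required list is what the Resource Registry shows for the SP; running this against the real idp-audit.log answers the YES/NO questions of the slide without reading the records by hand.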
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – Or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – Go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Important directories
/opt/shibboleth-idp: Identity Provider installation directory
/opt/shibboleth-idp/conf: configuration files
/opt/shibboleth-idp/logs: log files like idp-process.log
/opt/shibboleth-idp/credentials: X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades
Page 9
SWITCHaai Team, aai@switch.ch
Configuration Pattern: Get used to Spring Beans and Properties
What's that?
<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>
<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 10
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
  – Configuration is located in XML files
  – There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers
Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes.
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true).
Page 11
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/ldap.properties
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Page 12
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)
Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml
<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
Examples of Beans (continued)
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.
Configuration file: /opt/shibboleth-idp/conf/services.xml
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 13
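How the %{key:default} placeholders in the bean definition above get their values from the properties file, shown as an added example that is not Shibboleth or SWITCH code: it reimplements the substitution in Python for illustration only. The bean XML and the property keys are the ones on the slides; the behaviour on a placeholder with neither a value nor a default (the IdP refuses to start) is mirrored by raising an error.

```python
"""Resolving %{key:default} placeholders of IdP v3 bean XML from a properties file."""
import re

# %{key} or %{key:default}; group 2 is None when no default is given.
PLACEHOLDER = re.compile(r"%\{([^:}]+)(?::([^}]*))?\}")

# ldap.properties content as on the "Examples of Properties" slide.
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""

# Bean definition as on the "Examples of Beans" slide.
BEAN_XML = """\
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, 'key = value',
    split at the first '=' so that values containing '=' (DNs) stay intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(template, props):
    """Replace every placeholder: property value first, then the default;
    a key with neither is an error, as it is for the IdP at startup."""
    def substitute(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"unresolvable placeholder {key}")
    return PLACEHOLDER.sub(substitute, template)


def unresolved(template, props):
    """Placeholders that have no property value and no default."""
    return [m.group(1) for m in PLACEHOLDER.finditer(template)
            if m.group(1) not in props and m.group(2) is None]


if __name__ == "__main__":
    props = parse_properties(LDAP_PROPERTIES)
    print(resolve(BEAN_XML, props))
    print("would block startup:", unresolved(BEAN_XML, {}))
```

Note that connectTimeout is not in the properties file, so the bean keeps the default 3000 written into the XML, while useStartTLS and useSSL take the file's values over their defaults; that is why the deployer normally only touches ldap.properties and leaves the bean alone.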
References
For comprehensive information, refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
Page 14
SWITCHaai Team, aai@switch.ch
User Authentication: How to do it the v3 way
From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    · Username/password login form
    · Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    · Username/password login form
    · Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.
Page 15
Login Flows
(Diagram: SAML Request → Shibboleth IdP → SAML Response. The Authentication Engine selects a suitable flow and executes it: RemoteUser Authentication Flow, X509 Authentication Flow or Password Authentication Flow.)
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow; no special configuration is required
  – But the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation: /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
  idp.authn.flows = Password
  idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces).
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted).
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
Page 18
Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Page 19
Hands-on 1: Explore the configuration. Get familiar with properties files.
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Page 20
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2, file /opt/shibboleth-idp/conf/login.config:
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
PS: A common and equivalent alternative to userField is userFilter:
userField="uid"  corresponds to  userFilter="uid={0}"
Hands-on 2: Solution
To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]
File /opt/shibboleth-idp/conf/credentials.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Page 21
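The migration of Hands-on 2 as a small converter: it reads the LdapLoginModule stanza of a v2 login.config and emits the v3 ldap.properties and credentials.properties keys, keeping the bind password out of ldap.properties as the slides require. This is an added example, not a SWITCH tool. The key mapping follows the two slides above (including userField/userFilter and the {0} to {user} change); deriving useSSL and useStartTLS from the URL scheme is an assumption made for the example, and the stanza below is the one from the hands-on.

```python
"""v2 login.config (LdapLoginModule) -> v3 ldap.properties / credentials.properties."""
import re

LOGIN_CONFIG = """\
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
"""

OPTION = re.compile(r'(\w+)="([^"]*)"')
PREFIX = "idp.authn.LDAP."


def parse_login_config(text):
    """Options (key="value") of the first LdapLoginModule stanza."""
    stanza = re.search(r"LdapLoginModule\s+\w+\s+(.*?);", text, re.S)
    if not stanza:
        raise ValueError("no LdapLoginModule stanza found")
    return dict(OPTION.findall(stanza.group(1)))


def convert(options):
    """Map v2 options to v3 properties.
    Returns (ldap.properties dict, credentials.properties dict, warnings)."""
    warnings = []
    urls = options["ldapUrl"].split()
    schemes = {u.split("://", 1)[0] for u in urls}
    if schemes == {"ldaps"}:
        start_tls, use_ssl = "false", "true"
    elif schemes == {"ldap"}:
        # assumption for this example: plain ldap:// gets StartTLS, otherwise the
        # service user's bind password would cross the network unencrypted
        start_tls, use_ssl = "true", "false"
        warnings.append("ldap:// URL(s): useStartTLS set to true, verify the directory supports it")
    else:
        raise ValueError(f"mixed or unknown LDAP URL schemes: {sorted(schemes)}")

    if "userFilter" in options:
        # v2 used {0} for the login name, v3 uses {user}; keep the RFC 4515 parentheses
        user_filter = options["userFilter"].replace("{0}", "{user}")
        if not user_filter.startswith("("):
            user_filter = f"({user_filter})"
    else:
        user_filter = f"({options['userField']}={{user}})"

    ldap = {
        PREFIX + "authenticator": "bindSearchAuthenticator",
        PREFIX + "ldapURL": " ".join(urls),
        PREFIX + "useStartTLS": start_tls,
        PREFIX + "useSSL": use_ssl,
        PREFIX + "sslConfig": "jvmTrust",
        PREFIX + "baseDN": options["baseDn"],
        PREFIX + "subtreeSearch": options.get("subtreeSearch", "false"),
        PREFIX + "userFilter": user_filter,
        PREFIX + "bindDN": options["bindDn"],
    }
    # the bind password goes to the separately protected credentials.properties only
    creds = {PREFIX + "bindDNCredential": options["bindCredential"]}
    return ldap, creds, warnings


def render(props):
    """Properties-file text in the 'key = value' style of the slides."""
    return "".join(f"{key} = {value}\n" for key, value in props.items())


if __name__ == "__main__":
    ldap, creds, warnings = convert(parse_login_config(LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties\n" + render(creds))
    print("\n".join(warnings))
```

Run against a real login.config, the output of render(ldap) is what the solution slide shows; the password never appears in it, which is the point of having credentials.properties at all.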
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    · Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References
Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Page 22
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch
Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Page 23
Page 24
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Page 25
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:
# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.
# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
Page 26
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:
idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:
# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Page 27
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Page 28
Velocity
• The Apache Velocity Engine is a free open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Page 29
copy SWITCH 201513
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• use the class in login.vm:

    <img class="idp_logo" align="right" …

• rebuild and restart tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution – Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
      </dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in Resource Registry too.
Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs – Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
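The computation and rendering just described, as an added example that is not part of the SWITCH handout: it reproduces the default "SHA-1 over SP entityID + user attribute + salt, Base64" scheme, shows that the result is pair-wise (a different SP yields a different ID for the same user), and builds the qualified string the Shibboleth SP hands to applications. The entity IDs, salt and user value are constructed; the "!" separator between the hash inputs follows the Shibboleth ComputedId connector and is an assumption if you need byte-exact agreement with a real deployment.

```python
import base64
import hashlib

# Constructed identifiers for the example (not real entities).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Base64(SHA-1(spEntityID ! sourceAttributeValue ! salt)), 20 bytes -> 28 chars.

    The '!' separator is an assumption taken from the Shibboleth ComputedId
    connector; the slide only states which three inputs are hashed.
    """
    if not salt:
        # Without a salt the ID is a hash of public data (SP entityID plus a
        # stable user attribute) that anyone could recompute and link.
        raise ValueError("idp.persistentId.salt must not be empty")
    material = "!".join((sp_entity_id, source_value, salt)).encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def sp_rendering(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """The string form the Shibboleth SP exposes: IdP!SP!value (fully qualified)."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def name_id_element(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """The <NameID> element as it appears inside the assertion."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{value}</NameID>"
    )


def demo() -> dict:
    """Generate an ID for one user at two SPs and report the properties the slide claims."""
    salt = "CONSTRUCTED-SALT-not-for-production"   # constructed; real salt lives in credentials.properties
    uid = "123456@example.org"                     # constructed source attribute value
    pid = computed_persistent_id(SP_ENTITY_ID, uid, salt)
    pid_other_sp = computed_persistent_id(OTHER_SP_ENTITY_ID, uid, salt)
    return {
        "pid": pid,
        "raw_length": len(base64.b64decode(pid)),     # 20 bytes of SHA-1 output
        "pairwise": pid != pid_other_sp,              # same user, other SP -> other ID
        "name_id": name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid),
        "sp_string": sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Changing the salt changes every ID, which is why the slide insists on carrying the v2 salt over unchanged.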
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent – Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt user on first access to every SP, and again when attributes or terms change
What's in version 3?
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes = if set of attributes changes
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration
Per attribute behaviour:
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists:
• Which attribute to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration
Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:

    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use regardless of the SP
Hands-on solution
• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
Hands-on solution
• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling attribute consent prompt for particular SPs
Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
              Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
              Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
Upgrades within Version 3 – It's easy now!
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description – Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata!
Does metadata change when IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
[Screenshot of the Home Organisation Description form in the Resource Registry: items 1 and 2 to review, item 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: Default attribute release policies. Consider to release all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New Recommendation: Use same IP and same Port (443) for Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in Resource Registry then? In "3. Technical Information" change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
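The same check as the grep above, as an added example that is not part of the SWITCH handout: it walks idp-process log lines, records per legacy binding when and by which SP it was last used, and lists the bindings that have been idle since a cutoff date. The log lines are constructed and only approximate the real idp-process.log layout (a timestamp at the start of each line is assumed); the message text and the SP entity IDs are made up, so adapt the regular expressions to what your IdP actually writes.

```python
import re

# Legacy endpoints the slide names as removal candidates, keyed by binding URN.
LEGACY_BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding": "SAML1 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign": "SAML2 HTTP-POST-SimpleSign",
}

# Constructed sample lines, not a real log extract. Only the leading
# timestamp format is assumed to match idp-process.log; the rest is made up.
SAMPLE_LOG = [
    "2015-01-12 08:03:10,221 - INFO [net.shibboleth.idp.profile] - Attribute query from "
    "https://sp-old.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-02-20 17:45:02,010 - INFO [net.shibboleth.idp.profile] - Attribute query from "
    "https://library.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-03-02 09:14:51,004 - INFO [net.shibboleth.idp.profile] - Attribute query from "
    "https://sp-old.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-05-29 11:00:00,500 - INFO [net.shibboleth.idp.profile] - SSO request from "
    "https://portal.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "    at java.lang.Thread.run(Thread.java:745)",   # stack-trace continuation, no timestamp
]

# Timestamp at the start of a log line (continuation lines do not have one).
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# First http(s) URL on the line; binding URNs never match because they start with "urn:".
ENTITY_ID_RE = re.compile(r"https?://[^\s\"']+")


def last_use_by_binding(lines, bindings=LEGACY_BINDINGS):
    """Return {label: {"count", "last", "sp"}} for every binding in `bindings`.

    Bindings that never appear keep count 0 and last None, so they show up as
    unused rather than silently missing from the report.
    """
    summary = {label: {"count": 0, "last": None, "sp": None} for label in bindings.values()}
    for line in lines:
        ts = TIMESTAMP_RE.match(line)
        if not ts:
            continue                       # skip continuation lines and stack traces
        for urn, label in bindings.items():
            if urn not in line:            # exact URN; "HTTP-POST" alone is not SimpleSign
                continue
            entry = summary[label]
            entry["count"] += 1
            if entry["last"] is None or ts.group(1) > entry["last"]:
                entry["last"] = ts.group(1)
                sp = ENTITY_ID_RE.search(line)
                entry["sp"] = sp.group(0) if sp else None
    return summary


def removable_bindings(summary, cutoff):
    """Labels not used on or after `cutoff` (YYYY-MM-DD); never-used bindings included."""
    return sorted(label for label, e in summary.items()
                  if e["last"] is None or e["last"] < cutoff)


if __name__ == "__main__":
    report = last_use_by_binding(SAMPLE_LOG)
    for label, e in report.items():
        print(f"{label}: used {e['count']}x, last {e['last']} by {e['sp']}")
    print("candidates to remove:", removable_bindings(report, "2015-04-01"))
```

In a real deployment pass the lines of every idp-process-2015-*.log through the function instead of the constructed sample, and keep an endpoint whose last use is recent even if the count is small.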
Clustering IdPs – High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment
[Diagram of the example environment, not reproduced in this text]
Options
• Full-featured setup
  Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  – Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
  – Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  – Behavior of clients is not determinable
  – Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  – Fast switching possible, but more complicated setup
  Switching via DNS:
  – Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs. server-side
  Server-side database can store any data:
  – But: Might cause some performance penalty
  – Centralized/clustered or replicated database required
  Client-side storage using cookies:
  – Doesn't work for large data like user consents
  – Stored per single client. Not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at IdP, e.g. SAML2 SSO Login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifact.
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node. (Still, this is the default configuration.)
  – For higher security requirements, the message replay cache can be managed in the central database or memcached might be used
Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: Irrelevant if SAML 2.0 artifacts not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
copy 2015 SWITCH
References
Documentation:
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations.
  • Enable the SP for interfederation: the service can serve users from other federations.
Page 79
All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation, eduPersonScopedAffiliation  | eduPerson  | staff, staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
[Figure: metadata]
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
  • No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S               | GÉANT DP CoCo
Global                   | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes  | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Figure: screenshot of the Resource Registry attribute release rules]
Page 88

Attribute Release Settings (1)
[Figure: screenshot of Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Figure: screenshot of the attribute release settings]
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, directory /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat. Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/server.xml (output directory and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, e.g.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries:
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so this is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under:
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
    $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
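The reload procedure above, as an added shell example (it is not part of the SWITCH handouts or the IdP distribution): a helper that builds the admin-flow URLs for service and metadata reloads, a wrapper that triggers them with curl and reports only the HTTP status, and a filter that picks the reload events out of idp-audit.log records. The host name aai-login.example.org is the placeholder from the slides; the audit records are constructed samples, and the filter assumes the pipe-separated layout visible on the slide, with the profile URI in the fifth field and (an assumption) the timestamp in the first.

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): build the IdP v3 admin-flow
# reload URLs, trigger them with curl, and pick reload events out of idp-audit.log.

IDP_HOST="${IDP_HOST:-aai-login.example.org}"   # placeholder host name from the slides

# Build the admin flow URL. $1 is "service" or "metadata", $2 the bean ID or
# metadata provider ID (see the list of bean IDs on the slides).
idp_reload_url() {
    printf 'https://%s/idp/profile/admin/reload-%s?id=%s\n' "$IDP_HOST" "$1" "$2"
}

# Trigger the reload and print only the HTTP status code. Run it from a host
# that access-control.xml permits (localhost by default); a 200 means the admin
# flow ran, anything else means the reload did not happen and must be looked at.
idp_reload() {
    curl -s -o /dev/null -w '%{http_code}\n' "$(idp_reload_url "$1" "$2")"
}

# Filter idp-audit.log records (stdin) down to reload events and print
# "timestamp reload-xxx". Assumed layout: pipe-separated fields, profile URI in
# field 5 (as in the sample records on the slide), timestamp in field 1.
audit_reload_events() {
    awk -F'|' '$5 ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-/ {
        sub(/^.*\/reload-/, "reload-", $5)
        print $1, $5
    }'
}

# Constructed sample audit records (not real log output).
SAMPLE_AUDIT='20150611T101501Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T101530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1f0|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth||||||
20150611T101602Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||'

# Stand-alone run: show a reload URL and the reload events in the sample.
idp_reload_url service shibboleth.AttributeFilterService
printf '%s\n' "$SAMPLE_AUDIT" | audit_reload_events
```

Only the URL builder and the audit filter run offline; idp_reload is the call you would make on the IdP host itself. Note that the audit record carries the profile URI but not the id= argument, so the audit filter alone tells you that a reload happened, not which service was reloaded.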
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand:
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes:
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue:
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that the attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue:
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
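The "were the required attributes released?" check above, as an added shell example (not part of the handouts and not an IdP tool): it reads idp-audit.log records, keeps those for one SP, and compares the released attribute IDs with the list the Resource Registry says the SP requires. The audit records are constructed samples; the relying party is assumed to be field 4, matching the sample records on the reload slide, while the position of the attribute list depends on idp.audit.format in your deployment and is therefore passed in as a parameter (6 for the constructed sample).

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): check idp-audit.log for the
# attributes released to one SP and compare them with the SP's requirements.

# $1: SP entityID; $2: space-separated required attribute IDs (from the
# Resource Registry); $3: 1-based number of the audit field holding the
# comma-separated released attribute IDs. That position depends on
# idp.audit.format / conf/audit.xml, so it is a parameter, not a constant.
# Audit records are read from stdin. Assumes field 4 is the relying party,
# as in the sample records on the reload slide.
check_attribute_release() {
    awk -F'|' -v sp="$1" -v req="$2" -v af="$3" '
        BEGIN { n = split(req, need, " ") }
        $4 == sp {
            found = 1
            split("", seen)                       # reset the set per record
            m = split($af, rel, ",")
            for (i = 1; i <= m; i++) seen[rel[i]] = 1
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen))
                    missing = missing (missing == "" ? "" : ",") need[i]
            print $1 " released=" $af
            if (missing != "") print $1 " missing=" missing
        }
        END {
            # No record at all: the IdP never answered this SP, so look at the
            # attribute release policy (and whether the SP is known at all).
            if (!found) print "no audit record for " sp " (check the IdP attribute release policy)"
        }'
}

# Constructed sample records (not real log output); attribute list in field 6.
SAMPLE_AUDIT='20150611T120001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|eduPersonPrincipalName,mail
20150611T120140Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|eduPersonTargetedID'

# Required set taken from the R&S minimal subset on the Entity Categories
# slides (eduPersonPrincipalName, mail, person name as displayName).
demo_attribute_check() {
    printf '%s\n' "$SAMPLE_AUDIT" | check_attribute_release "$1" "eduPersonPrincipalName mail displayName" 6
}

# Stand-alone run: sp.example.org got ePPN and mail, so displayName is reported missing.
demo_attribute_check https://sp.example.org/shibboleth
```

On a real IdP, replace the sample with `grep 'https://sp.example.org/shibboleth' /opt/shibboleth-idp/logs/idp-audit.log | check_attribute_release ... N` after reading the field order from conf/audit.xml. A "missing=" line points at your release policy; a record with everything released points at the SP side, which is exactly the branch the slide describes.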
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  • or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Configuration Pattern: Get used to Spring Beans and Properties
SWITCHaai Team, aai@switch.ch

What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
          p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
          p:useSSL="%{idp.authn.LDAP.useSSL:false}"
          p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
          p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
Page 10
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern
  • With some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Page 11
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file /opt/shibboleth-idp/conf/credentials.properties:

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Page 12
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)
Configuration file /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml:

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
          p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
          p:useSSL="%{idp.authn.LDAP.useSSL:false}"
          p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
          p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.
Configuration file /opt/shibboleth-idp/conf/services.xml:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
Page 13
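How the properties and the beans on the preceding slides fit together, as an added shell example (not from the handouts, and not how the IdP itself does it, which is Spring's property placeholder mechanism): an awk-based resolver that reads a properties file and substitutes the %{key} and %{key:default} placeholders in a bean definition, so you can see the effective values before the IdP starts. The properties file and the bean snippet are constructed inline from the keys shown on the slides; a placeholder with neither a property nor a default is left marked as unresolved, which is the case you want to catch before a restart.

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): resolve Spring-style
# %{key} / %{key:default} placeholders in a bean XML file against a
# properties file, to preview the effective bean configuration.

# $1: properties file, $2: file containing placeholders. Prints $2 with the
# placeholders replaced; a key that has no property and no default is printed
# as <<UNRESOLVED:key>> so it stands out.
resolve_placeholders() {
    awk -v propfile="$1" '
        BEGIN {
            # Load key = value pairs, skipping comments (# ...) and blank lines.
            while ((getline line < propfile) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                eq = index(line, "=")
                if (eq == 0) continue
                key = line; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
                val = substr(line, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                props[key] = val
            }
        }
        {
            out = $0
            while (match(out, /%[{][^}]*[}]/)) {
                ph = substr(out, RSTART + 2, RLENGTH - 3)   # "key" or "key:default"
                key = ph; def = ""; hasdef = 0
                c = index(ph, ":")
                if (c > 0) { key = substr(ph, 1, c - 1); def = substr(ph, c + 1); hasdef = 1 }
                if (key in props) rep = props[key]
                else if (hasdef) rep = def
                else rep = "<<UNRESOLVED:" key ">>"
                out = substr(out, 1, RSTART - 1) rep substr(out, RSTART + RLENGTH)
            }
            print out
        }' "$2"
}

# Constructed sample input mirroring the slides: three properties set, and a
# bean that also references idp.authn.LDAP.baseDN, which is deliberately
# missing from the properties file and has no default.
demo_resolve() {
    tmp=$(mktemp -d)
    cat > "$tmp/ldap.properties" <<'EOF'
# LDAP connection parameters (constructed sample)
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
EOF
    cat > "$tmp/bean.xml" <<'EOF'
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:baseDn="%{idp.authn.LDAP.baseDN}" />
EOF
    resolve_placeholders "$tmp/ldap.properties" "$tmp/bean.xml"
    rm -rf "$tmp"
}

# Stand-alone run: useSSL comes from the property (true, overriding the default
# false), useStartTLS and connectTimeout fall back to their defaults, and
# baseDN is reported as unresolved.
demo_resolve
```

Run as `resolve_placeholders /opt/shibboleth-idp/conf/ldap.properties /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml` on your own files to see which values a bean will actually receive; the IdP reads several properties files (idp.properties, ldap.properties, credentials.properties, services.properties), so concatenate them into one temporary file first if a placeholder shows up as unresolved.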
References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
Page 14
User Authentication: How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.
Page 15
Login Flows
[Figure: the Shibboleth IdP receives a SAML request; the authentication engine selects a suitable flow (RemoteUser, X509 or Password authentication flow) and executes it, then returns the SAML response]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  • But: the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation:
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration:
  • /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files:
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties:

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties:

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). (If not enabled, the connection is not encrypted.)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
Page 18
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Page 19
Hands-on 1: Explore the configuration. Get familiar with properties files.
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties:
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Page 20
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

    ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
    };

PS: Common and equivalent alternative to userField: userFilter
    userField="uid"  is equivalent to  userFilter="uid={0}"
Hands-on 2: Solution
To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Page 21
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References
Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Page 22
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to:
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Page 23
[Figures: screenshots of the login page before and after customization]
Page 24
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
#set ($name = $rpUIContext.serviceName)
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Note the $encoder.encodeForHTML() call: the service name comes from SP metadata, so it must be HTML-encoded before being placed in the page.
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" ...
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:

UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
bad-credentials.message = The credentials you entered are incorrect.

Mapping both classified errors to the same message also keeps the login form from revealing whether a username exists.
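The check behind Example Solution II, as an added example (not code from the handout or the Shibboleth project): a small parser for the Java .properties syntax of the IdP message files, plus a function that resolves a classified login error the way the login form does (classifier to key, then key.message) and flags a configuration where a bad username and a bad password produce different texts. The properties text is a constructed sample combining the solution above with the untouched entries from the previous slide.

```python
"""Check an IdP authn-messages.properties for user-enumeration leaks.

Added example, not from the SWITCH handout or the Shibboleth project.
It parses the Java .properties syntax used by the IdP message files and
verifies that the classified login errors UnknownUsername and
InvalidPassword resolve to the same visible text, so the login form does
not reveal whether an account exists.
"""
import re

# Constructed sample: the Example Solution II mapping plus the untouched
# ExpiredPassword/AccountLocked entries from the previous slide.
SAMPLE_PROPERTIES = """\
# Classified Login Error messages
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked   = account-locked
bad-credentials.message = The credentials \\
   you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

_SEP = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties parser: comments, key=value / key:value,
    and backslash line continuations (leading whitespace of the
    continued line is dropped, as java.util.Properties does)."""
    props = {}
    logical = []
    for raw in text.splitlines():
        line = raw.lstrip() if logical else raw
        if line.endswith("\\"):
            logical.append(line[:-1])
            continue
        logical.append(line)
        full = "".join(logical)
        logical = []
        if not full.strip() or full.lstrip()[0] in "#!":
            continue
        m = _SEP.match(full)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def visible_message(props, classified_error):
    """Resolve a classified error (e.g. UnknownUsername) to the text the
    login form shows: <classifier> -> <key>, then <key>.message."""
    key = props.get(classified_error)
    if key is None:
        return None
    return props.get(key + ".message")


def leaks_username_existence(props):
    """True if a bad username and a bad password produce different texts."""
    return visible_message(props, "UnknownUsername") != visible_message(
        props, "InvalidPassword")


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    print("UnknownUsername ->", visible_message(parsed, "UnknownUsername"))
    print("leaks account existence:", leaks_username_existence(parsed))
```

Run it against your own /opt/shibboleth-idp/messages/authn-messages.properties (and the localized variants) after every edit of the classified error section; the localized files are easy to forget and leak independently.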
Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>
    shibboleth.PostgreSQLDataSource
  </dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
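The computation just described, as an added example that is not code from the handout or the Shibboleth IdP: SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded, plus the IdP!SP!value string the SP exposes. The '!' separators between the three hashed components follow the Shibboleth ComputedId implementation; the entity IDs, the attribute value and the salt are constructed sample values. The point to take away is that the pseudonym is only as unlinkable as the salt is secret: anyone holding the salt and a list of usernames can recompute every persistent ID.

```python
"""Compute a Shibboleth-style persistent ID and its SP-side rendering.

Added example, not code from the handout or the Shibboleth project.
SHA-1 over SP entity ID, the user's source attribute value and a secret
salt, Base64 encoded (20 bytes -> 28 characters). The '!' separators
between the hashed components follow the Shibboleth ComputedId
implementation. Entity IDs, attribute value and salt are constructed.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SAMPLE_SALT = b"changeme-use-a-long-random-secret-salt"  # constructed value


def persistent_id(sp_entity_id, source_attribute_value, salt):
    """SHA-1(spEntityID '!' sourceValue '!' salt), Base64 encoded."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_attribute_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def sp_rendering(idp_entity_id, sp_entity_id, pid):
    """The string form the Shibboleth SP exposes: IdP!SP!value."""
    return "!".join((idp_entity_id, sp_entity_id, pid))


def parse_sp_rendering(rendered):
    """Split the SP-side string back into its three parts.
    Assumes, as the SP rendering does, that entity IDs contain no '!'."""
    idp, sp, value = rendered.split("!")
    return idp, sp, value


def same_user_across_sps(value, salt, sp_a, sp_b):
    """Pair-wise property: one user, two SPs, two unrelated identifiers."""
    return persistent_id(sp_a, value, salt) == persistent_id(sp_b, value, salt)


if __name__ == "__main__":
    pid = persistent_id(SP_ENTITY_ID, "123456@example.org", SAMPLE_SALT)
    print(pid)
    print(sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

Keep the salt in credentials.properties with the same file permissions as your private key, and never change it on a running IdP: with the computed strategy every user's ID at every SP changes, and with the stored strategy any user without a database record gets an ID different from the one v2 would have produced.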
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration (and an ideal SAML 2 world) the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration unchanged: with a different salt, IDs computed for users who have no database record yet will not match what the v2 IdP would have produced)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
• the dump contains the pseudonym-to-user mapping for every SP: transfer it over an authenticated channel and delete it from both hosts afterwards
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO, only attribute-release for Shibboleth SSO:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties. Defaults in brackets.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

Terms for each SP:
• Default mapping using the entityID (the colon in the key must be escaped in a .properties file):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

• Add text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
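How the override selection above behaves, as an added example that is not code from the handout or the Shibboleth IdP: it reads the <EntityAttributes> extension out of SAML metadata and evaluates an ordered list of overrides by name, group or tag, first match wins, exactly the property the slides warn about. The metadata is a constructed sample modelled on the attribute-viewer entry; the override identifiers and the dictionary structure standing in for the Spring beans are illustrative, not IdP syntax. Note what the IdP is trusting here: the tag comes from federation metadata, so the decision to skip consent is only as trustworthy as the metadata signature check that admitted the entry.

```python
"""Resolve which relying-party override applies to an SP.

Added example, not from the handout or the Shibboleth IdP code base. It
models the override selection described above: candidates by entity ID,
by metadata group, or by <EntityAttributes> tag, evaluated in list
order, first match wins. Metadata, override ids and the dict structure
standing in for the Spring beans are constructed/illustrative.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

# Constructed metadata: one EntitiesDescriptor (group) with two SPs.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor Name="urn:mace:switch.ch:SWITCHaai:test"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>
"""


def load_entities(metadata_xml):
    """Return {entityID: {"groups": [names], "tags": {name: [values]}}}."""
    root = ET.fromstring(metadata_xml)
    entities = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        tags = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            tags.setdefault(attr.get("Name"), []).extend(values)
        entities[ed.get("entityID")] = {"groups": [], "tags": tags}
    # Every enclosing EntitiesDescriptor is a group the entity belongs to.
    for group in root.iter("{%s}EntitiesDescriptor" % NS["md"]):
        for ed in group.iter("{%s}EntityDescriptor" % NS["md"]):
            entities[ed.get("entityID")]["groups"].append(group.get("Name"))
    return entities


def matches(override, entity_id, entity):
    """An override is a (kind, criterion) pair mirroring RelyingPartyByName,
    RelyingPartyByGroup and RelyingPartyByTag."""
    kind, criterion = override["match"]
    if kind == "name":
        return entity_id in criterion
    if kind == "group":
        return criterion in entity["groups"]
    if kind == "tag":
        name, wanted = criterion
        return any(v in wanted for v in entity["tags"].get(name, []))
    raise ValueError("unknown override kind: %s" % kind)


def select_override(overrides, entity_id, entities):
    """First match wins, like the ordered list in relying-party.xml.
    Unknown SPs fall through to the default relying party (None)."""
    entity = entities.get(entity_id)
    if entity is None:
        return None
    for ov in overrides:
        if matches(ov, entity_id, entity):
            return ov["id"]
    return None


# Constructed override list (illustrative ids, not IdP bean definitions).
OVERRIDES = [
    {"id": "shibboleth.NoUserConsentRelyingParty",
     "match": ("tag", (HOME_ORG_OID, {"switch.ch"}))},
    {"id": "shibboleth.TestFederationRelyingParty",
     "match": ("group", "urn:mace:switch.ch:SWITCHaai:test")},
]

if __name__ == "__main__":
    ents = load_entities(SAMPLE_METADATA)
    for eid in ents:
        print(eid, "->", select_override(OVERRIDES, eid, ents))
```

Reversing the list changes the answer for the attribute viewer, which is why a catch-all group override placed before a narrower tag override silently disables the narrower one.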
Upgrades within Version 3
It's easy now

SWITCHaai Team
aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux); verify the package's PGP signature before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References: Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team
aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints

To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
1, 2: to review
3: to adapt
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time. Only logs still on disk can answer this, so check the log retention period before concluding that an endpoint is unused.
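The same check over a set of log lines, as an added example that is not code from the handout: it reports per binding the number of uses, the SPs involved and the last date seen, which is the evidence to keep before deleting an endpoint from the Resource Registry. The log lines are constructed: they keep the IdP's default process-log prefix (date, time, level, logger) but the message text is simplified; the script relies only on the leading date and on the binding URI and requester entityID appearing on the line, which is no more than the grep above relies on.

```python
"""Find the last use of a SAML binding in Shibboleth IdP process logs.

Added example, not from the handout. Sample lines are constructed: the
date/level/logger prefix follows the default process-log layout, the
message text is simplified. Only the leading date, the binding URI and
the requester URL on each line are used.
"""
import re
from datetime import date

BINDINGS = {
    "SAML1 SOAP": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SAML2 POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML2 POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "SAML2 Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed sample log lines (simplified messages).
SAMPLE_LOG = """\
2015-01-12 09:14:03,117 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect requester https://sp.example.org/shibboleth
2015-02-03 17:40:55,002 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding requester https://legacy.example.org/shibboleth
2015-03-21 08:02:10,881 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST requester https://sp.example.org/shibboleth
2015-04-02 11:11:11,000 - WARN [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding requester https://legacy.example.org/shibboleth
2015-06-01 10:00:00,500 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST requester https://other.example.org/shibboleth
"""

_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) ")
_REQUESTER = re.compile(r"(https?://[^\s\"']+)")


def binding_usage(log_text):
    """Map binding label -> {"last": date or None, "count": n, "sps": set}."""
    usage = {label: {"last": None, "count": 0, "sps": set()} for label in BINDINGS}
    for line in log_text.splitlines():
        m = _DATE.match(line)
        if not m:
            continue
        seen = date(*map(int, m.groups()))
        for label, uri in BINDINGS.items():
            # Whole-token match so HTTP-POST does not also hit HTTP-POST-SimpleSign.
            if re.search(re.escape(uri) + r"(?![\w-])", line):
                entry = usage[label]
                entry["count"] += 1
                if entry["last"] is None or seen > entry["last"]:
                    entry["last"] = seen
                entry["sps"].update(_REQUESTER.findall(line))
    return usage


def removable(log_text, today, max_idle_days=90):
    """Bindings never seen, or not seen within max_idle_days of 'today'."""
    out = []
    for label, entry in binding_usage(log_text).items():
        if entry["last"] is None or (today - entry["last"]).days > max_idle_days:
            out.append(label)
    return sorted(out)


if __name__ == "__main__":
    for label, entry in binding_usage(SAMPLE_LOG).items():
        print(label, entry["count"], entry["last"], sorted(entry["sps"]))
    print("removable:", removable(SAMPLE_LOG, date(2015, 6, 11)))
```

Feed it the concatenation of all idp-process-*.log files you still have, and treat a "never seen" result with the same caution as the grep: it only proves absence for the period the logs cover.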
Clustering IdPs
High Availability and Load Balancing

SWITCHaai Team
aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment
(diagrams of the example environment, not reproduced in the handout text)
Options: full-featured setup
Load balancing hardware vs DNS round robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions

Basic setup (Active/Standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but setup is easy
Options: data storage client-side vs server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifact.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node: a message already seen by one node is not recognised as a replay by another node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
copy 2015 SWITCH
Storage Recommendations

Storage entity         Recommended storage   Scope
Conversation session   Memory                Per node
IdP user session       Client                Per client
Persistent ID          Common database       Cluster
User consents          Common database       Cluster
SAML artifacts         Common database       Cluster
Message replay cache   Memory                Per node

Remarks
• "Common database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP user session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP user session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key; it is recommended that one node generates a new key and copies it to the other nodes. Whoever holds this key can decrypt and forge session cookies, so treat the keystore like a private key and copy it only over an authenticated channel
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cron job
  • The documentation on the Shibboleth wiki contains some details, including an example cron job script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
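The following script illustrates the "generate on one node, copy to the others, then verify" procedure described above. It is an added example for these handouts, not the cron job script from the Shibboleth wiki and not part of the SWITCH slides. Everything below the module docstring is assumed for illustration: the seckeygen.sh options (--storefile, --storepass, --versionfile, --alias, as documented on the wiki page cited above), the hypothetical host names idp2/idp3.example.org reachable by root scp/ssh, and that sealer.kver carries a CurrentVersion=N line. The run and read_kver callables are injectable so the sequencing and the consistency check can be exercised without a real cluster.

```python
"""Sealer key rotation for an IdP cluster (added example, see lead-in).

Assumptions (hypothetical, adjust to your setup): the master runs
/opt/shibboleth-idp/bin/seckeygen.sh with the --storefile, --storepass,
--versionfile and --alias options; the other nodes accept root scp/ssh from
the master; sealer.kver is a Java properties file with a CurrentVersion=N line.
"""
import re
import subprocess
from pathlib import Path

IDP_HOME = Path("/opt/shibboleth-idp")
SEALER_JKS = IDP_HOME / "credentials" / "sealer.jks"
SEALER_KVER = IDP_HOME / "credentials" / "sealer.kver"
OTHER_NODES = ["idp2.example.org", "idp3.example.org"]  # hypothetical hosts


def sealer_password(credentials_text):
    """Keystore password from credentials.properties (idp.sealer.storePassword)."""
    m = re.search(r"^\s*idp\.sealer\.storePassword\s*=\s*(\S+)", credentials_text, re.M)
    if not m:
        raise ValueError("idp.sealer.storePassword missing in credentials.properties")
    return m.group(1)


def current_version(kver_text):
    """CurrentVersion from a sealer.kver file; None if the file is malformed."""
    m = re.search(r"^\s*CurrentVersion\s*=\s*(\d+)", kver_text, re.M)
    return int(m.group(1)) if m else None


def rotation_commands(password, nodes, jks=SEALER_JKS, kver=SEALER_KVER):
    """argv lists the cron job runs: generate a new key locally, then copy the
    keystore and its version file to every other node (scp -p keeps the mode)."""
    cmds = [[str(IDP_HOME / "bin" / "seckeygen.sh"),
             "--storefile", str(jks), "--storepass", password,
             "--versionfile", str(kver), "--alias", "secret"]]
    for host in nodes:
        cmds.append(["scp", "-p", str(jks), str(kver), f"root@{host}:{jks.parent}/"])
    return cmds


def rotate(password, nodes, run=subprocess.run,
           read_kver=lambda: SEALER_KVER.read_text()):
    """Generate, distribute, then verify: every node must report the master's
    CurrentVersion.  Returns the nodes that are out of sync; alert on a
    non-empty list, because a node with a stale key cannot decrypt the
    session cookies issued by its peers."""
    for argv in rotation_commands(password, nodes):
        run(argv, check=True)
    want = current_version(read_kver())
    stale = []
    for host in nodes:
        out = run(["ssh", f"root@{host}", "cat", str(SEALER_KVER)],
                  check=True, capture_output=True, text=True).stdout
        if current_version(out) != want:
            stale.append(host)
    return stale


if __name__ == "__main__":
    pw = sealer_password((IDP_HOME / "conf" / "credentials.properties").read_text())
    raise SystemExit(1 if rotate(pw, OTHER_NODES) else 0)
```

Two caveats for the real cron job: passing --storepass on the command line exposes the password to every local user via ps, so run it on a host where that is acceptable or feed it from a file if your seckeygen version supports that; and the verification step only tells you the version files match, so keep the keystore and version file together in one copy so they cannot go out of step.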
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References
Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of entity categories
• Recognize how entity categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for interfederation
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[Map of production and pilot federations; source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT interfederation service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
[Screenshot of the Resource Registry; see https://www.switch.ch/aai/interfederation]
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Diagram: entity category tags carried in SAML metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment from the metadata]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

               REFEDS R&S                   GÉANT DP CoCo
Scope          Global                       Mainly Europe
Basis          Common purpose of the SPs    Common data protection standards
Attributes     Fixed set of attributes      SP can require any attributes
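To make the two release models concrete, here is an added example (not the Resource Registry's logic and not the IdP's attribute filter engine) that reads an SP's SAML metadata and applies the rules from the slides above: an R&S-tagged SP gets the fixed R&S bundle, a CoCo-tagged SP gets exactly the attributes it marks isRequired="true" in its AttributeConsumingService, and an SP with neither category gets nothing. The entity category URIs and OIDs are the standard ones; the entityID, service name and the sample metadata itself are constructed for the example.

```python
"""Entity-category based attribute release (added example, see lead-in)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# R&S bundle from the slides (person name = givenName + sn, or displayName)
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}


def entity_categories(entity):
    """Values of the entity-category EntityAttribute of an EntityDescriptor."""
    cats = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def required_attributes(entity):
    """Friendly names of the RequestedAttributes the SP marks isRequired="true"."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("FriendlyName") or ra.get("Name")
            for ra in entity.findall(path, NS)
            if ra.get("isRequired", "false").lower() == "true"}


def release_set(entity_xml, available):
    """(entityID, sorted attributes to release) for the SP described by
    entity_xml, limited to the attributes the IdP actually has (available)."""
    entity = ET.fromstring(entity_xml)
    cats = entity_categories(entity)
    wanted = set()
    if RS in cats:
        wanted |= RS_BUNDLE                      # R&S: fixed bundle
    if COCO in cats:
        wanted |= required_attributes(entity)    # CoCo: only what is required
    return entity.get("entityID"), sorted(wanted & set(available))


# Constructed sample: a CoCo SP requiring ePPN and mail, optionally wanting
# schacHomeOrganization.  entityID and service name are hypothetical.
SAMPLE_COCO_SP = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail"
          Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="schacHomeOrganization"
          Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# The same SP tagged R&S instead of CoCo, and one with an unknown category
SAMPLE_RS_SP = SAMPLE_COCO_SP.replace(COCO, RS)
SAMPLE_PLAIN_SP = SAMPLE_COCO_SP.replace(COCO, "http://example.org/category/none")

# Attributes this (hypothetical) IdP can resolve for a user
IDP_ATTRIBUTES = ["eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation",
                  "eduPersonTargetedID", "schacHomeOrganization", "uid"]

if __name__ == "__main__":
    for sample in (SAMPLE_COCO_SP, SAMPLE_RS_SP, SAMPLE_PLAIN_SP):
        print(release_set(sample, IDP_ATTRIBUTES))
```

Note what the CoCo branch does not do: it ignores isRequired="false" attributes entirely, which is the data-minimisation point of the Code of Conduct, and it releases nothing to an SP that is tagged but requests no attributes at all. The R&S branch releases the whole bundle regardless of what the SP lists, which is exactly why R&S excludes publishers and is limited to SPs with a common purpose.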
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
[Screenshot of the attribute release rules in the Resource Registry]
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot: Resource Registry – Attribute Release Settings, continued]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log
  The LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
Location: /var/log/apache2. The log file names are defined in the virtual host definition: directory /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  Default logging location: /var/log/tomcat7
  Configuration in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...)
  Default logging location: /var/log/tomcat7
  Configuration in /etc/tomcat7/server.xml (output directory and file name)
Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor)
  Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  Entry in services.properties: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

By default the SMTPAppender buffers recent events and sends a mail when an ERROR-level event arrives. The root level DEBUG shown here is for the exercise only: it is very verbose and the debug output of the authentication and resolver components can include user identifiers and attribute values, so keep INFO in production.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads the attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• And a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• Try reloading a couple of the services listed above:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  − Slow process
  + Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  + Quick adoption
  − More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load the interfederation metadata
  • The SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
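Both the "were the attributes released?" check above and the earlier hands-on question about reload events (the audit log records the reload profile but not the id= argument) come down to reading idp-audit.log, so here is one added example covering both. It is not part of the SWITCH slides or the IdP. The audit field order is an assumption: the example declares the prefix %T|%b|%I|%SP|%P|%u|%ac|%attr, which matches the reload entries shown on the hands-on slide (time, three empty fields, profile URI), but your idp.audit.format may differ, so adjust AUDIT_FIELDS. For the reload question it pairs each reload event with the matching admin request in the Apache access log (same timestamp window), which is where the id= argument actually appears. All log lines below are constructed.

```python
"""idp-audit.log analysis: attributes released per SP, and recovering the
id= of reload events from the web server access log (added example)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed idp.audit.format prefix; change to match your deployment.
AUDIT_FIELDS = ["T", "b", "I", "SP", "P", "u", "ac", "attr"]
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"
# Apache combined log: client ident user [time] "METHOD URL PROTO" status ...
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def parse_audit(lines):
    """Split pipe-delimited audit records; %T is assumed to be yyyyMMdd'T'HHmmss'Z' (UTC)."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        rec = dict(zip(AUDIT_FIELDS, line.strip().split("|")))
        rec["time"] = datetime.strptime(rec["T"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        rec["attrs"] = [a for a in rec.get("attr", "").split(",") if a]
        records.append(rec)
    return records


def parse_access(lines):
    """Apache access log entries with their timestamp normalised to UTC."""
    requests = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        requests.append({"time": ts, "method": m["method"], "url": m["url"], "status": int(m["status"])})
    return requests


def reload_events(audit_lines, access_lines, window=timedelta(seconds=2)):
    """For every reload-* profile in the audit log, find the admin request in
    the access log within `window` and return (utc time, flow, id argument)."""
    requests = parse_access(access_lines)
    events = []
    for rec in parse_audit(audit_lines):
        if not rec.get("P", "").startswith(RELOAD_PREFIX):
            continue
        flow = rec["P"][len(RELOAD_PREFIX):]        # e.g. service-configuration, metadata
        ident = None
        for req in requests:
            if "/idp/profile/admin/reload-" in req["url"] and abs(req["time"] - rec["time"]) <= window:
                ident = parse_qs(urlsplit(req["url"]).query).get("id", [None])[0]
                break
        events.append((rec["time"].strftime("%Y-%m-%dT%H:%M:%SZ"), flow, ident))
    return events


def attributes_released(audit_lines, sp_entity_id):
    """Union of the attributes the IdP released to one SP (the 'were attributes
    released?' check from the troubleshooting slide)."""
    released = set()
    for rec in parse_audit(audit_lines):
        if rec.get("SP") == sp_entity_id:
            released.update(rec["attrs"])
    return sorted(released)


# Constructed sample logs (hypothetical SP, user and bean IDs).
AUDIT_SAMPLE = """20150611T120501Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||
20150611T120530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||
20150611T120702Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_4f2a|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,eduPersonTargetedID
""".splitlines()
ACCESS_SAMPLE = """127.0.0.1 - - [11/Jun/2015:14:05:01 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 12 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:14:05:30 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaaiMetadata HTTP/1.1" 200 12 "-" "curl/7.35.0"
""".splitlines()

if __name__ == "__main__":
    print(reload_events(AUDIT_SAMPLE, ACCESS_SAMPLE))
    print(attributes_released(AUDIT_SAMPLE, "https://sp.example.org/shibboleth"))
```

The time-window join is deliberate: the audit log is written in UTC while Apache logs in local time with an offset, and both are only second-granular, so converting both to UTC and allowing a small window is what makes the correlation reliable. If the reload URLs are only ever called from localhost, as the access control suggests, the matching request will also tell you which admin session or script issued it.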
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • Go to https://technical.edugain.org/status.php
  • Pick the country where the entity might be registered
  • Under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• Or search for it in the eduGAIN list of entities
  • Go to https://technical.edugain.org/entities.php
• Or try the "Is Federated" checker
  • Go to https://wiki.edugain.org/isFederatedCheck
  • Provide e-mail addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • Go to https://rr.aai.switch.ch
  • Pick "Search for resources"
  • Pick "interfederation"
• Or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
  • Configuration is located in XML files
  • There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/ldap.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />
Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
References
For comprehensive information refer to the documentation on the Shibboleth Wiki
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

SWITCHaai Team, aai@switch.ch
User Authentication: How to do it the v3 way
From Login Handlers to Login Flows
• v2 uses login handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X509, Kerberos (SPNEGO))
• v3 uses login flows (also called authentication flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development
Login Flows
[Diagram: a SAML request reaches the Shibboleth IdP; the authentication engine selects a suitable flow and executes it (RemoteUser authentication flow, X509 authentication flow, Password authentication flow); a SAML response is returned]
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required, but the client must support ECP appropriately
Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted and the bind credentials and user passwords travel in clear text
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Properties for LDAP authentication (continued)
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input ({user})
Properties for LDAP authentication (continued)
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details)
Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
       edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
    };

PS: A common and equivalent alternative to userField is userFilter:
    userField="uid"  is equivalent to  userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

The bind password lives in /opt/shibboleth-idp/conf/credentials.properties in this setup (see the solution of hands-on 1), not in ldap.properties:

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
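The mapping above is mechanical enough to script. The following Python program is an added example for this handout, not SWITCH or Shibboleth project code: it parses the v2 JAAS stanza with a small parser written for the example, emits the v3 ldap.properties keys shown on the slide, and keeps the bind password in a separate credentials.properties set. The v2 tls option is assumed to correspond to idp.authn.LDAP.useStartTLS; mixed ldap:// and ldaps:// URLs are rejected rather than silently mapped, because useSSL is a single switch.

```python
"""Convert an IdP v2 JAAS LdapLoginModule stanza into IdP v3 ldap.properties.

Added example for this handout, not SWITCH or Shibboleth code. The parser only
understands the key=value / key="value" option syntax of a JAAS login.config
stanza, which is all the migration needs.
"""
import re
from typing import Dict, Tuple

# Constructed sample: the v2 stanza from the hands-on, with JAAS quoting.
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

_STANZA = re.compile(
    r'LdapLoginModule\s+(?:required|requisite|sufficient|optional)\s+(.*?);', re.S)
_OPTION = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_jaas_options(text: str) -> Dict[str, str]:
    """Return the option map of the first LdapLoginModule stanza in text."""
    m = _STANZA.search(text)
    if not m:
        raise ValueError("no LdapLoginModule stanza found")
    return {key: quoted if quoted else bare
            for key, quoted, bare in _OPTION.findall(m.group(1))}


def to_v3_properties(opts: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Map v2 options to (ldap.properties, credentials.properties) entries.

    The bind password is returned separately so it lands in
    credentials.properties, as the hands-on 1 solution shows.
    """
    urls = opts["ldapUrl"].split()
    if not urls:
        raise ValueError("ldapUrl is empty")
    ldaps = [u.lower().startswith("ldaps://") for u in urls]
    if any(ldaps) and not all(ldaps):
        # useSSL is a single switch; mixing schemes cannot be expressed.
        raise ValueError("mixed ldap:// and ldaps:// URLs: %s" % urls)

    # v2 located the user by a field name or by a {0}-style filter;
    # v3 always expects a complete filter with the {user} placeholder.
    if "userFilter" in opts:
        user_filter = opts["userFilter"].replace("{0}", "{user}")
        if not user_filter.startswith("("):
            user_filter = "(%s)" % user_filter
    else:
        user_filter = "(%s={user})" % opts["userField"]

    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # Assumption: the vt-ldap 'tls' option is the StartTLS switch.
        "idp.authn.LDAP.useStartTLS": opts.get("tls", "false").lower(),
        "idp.authn.LDAP.useSSL": "true" if all(ldaps) else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false").lower(),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    credentials = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap_props, credentials


def render(props: Dict[str, str]) -> str:
    """Render a property map in the 'key = value' style of the IdP files."""
    return "".join("%s = %s\n" % item for item in props.items())


if __name__ == "__main__":
    ldap_props, creds = to_v3_properties(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties")
    print(render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties")
    print(render(creds))
```

Run it against your own login.config and diff the output with the ldap.properties you wrote by hand; the userFilter conversion is the step most often done wrong when migrating by hand.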
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References: Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch
Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px
Hands On II
• Return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" …

• Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2; should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(Source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

(Doable in the Resource Registry too.)
Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • Output attribute variable already created
  • setValues() removed
  • and more; see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML – short recap
• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation, always qualified by the IdP and SP entity IDs
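To make the recap concrete, here is an added Python example (written for this handout, not Shibboleth project code) that computes a persistent ID the way the slide describes, qualifies it the way the SP renders it, and parses that rendering back. The "!" separators between the three hash inputs and between the qualifiers follow the Shibboleth computed-ID convention and the SP string shown above; the minimum salt length is this example's own sanity floor, and the salt and attribute values are constructed.

```python
"""Computed persistent IDs as the Shibboleth IdP derives them.

Added example for this handout, not Shibboleth project code. The hash is
SHA-1 over "<SP entityID>!<source attribute value>!<salt>", Base64-encoded,
which is the computed-ID recipe the slide describes (20 bytes -> 28 chars).
"""
import base64
import hashlib
from typing import Tuple
from xml.sax.saxutils import quoteattr

SEP = "!"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
MIN_SALT_LEN = 16  # this example's own floor; a short salt makes the hash guessable


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Derive the opaque per-SP value from SP entityID, attribute value and salt."""
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt too short: %d < %d characters" % (len(salt), MIN_SALT_LEN))
    material = SEP.join((sp_entity_id, source_value, salt)).encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """Render the ID as the Shibboleth SP exposes it: IdP!SP!value."""
    return SEP.join((idp_entity_id, sp_entity_id, value))


def parse_qualified_id(rendered: str) -> Tuple[str, str, str]:
    """Split IdP!SP!value back into its parts.

    The value is Base64 and cannot contain '!', so it is taken from the right;
    the IdP entityID is assumed not to contain '!' either. Compare the
    qualifiers as exact strings, never by prefix.
    """
    head, value = rendered.rsplit(SEP, 1)
    idp, sp = head.split(SEP, 1)
    return idp, sp, value


def name_id_element(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """Build the <NameID> element as it appears in the assertion."""
    return ('<NameID Format=%s NameQualifier=%s SPNameQualifier=%s>%s</NameID>'
            % (quoteattr(PERSISTENT_FORMAT), quoteattr(idp_entity_id),
               quoteattr(sp_entity_id), value))


if __name__ == "__main__":
    # Constructed values; the real salt lives in credentials.properties.
    idp = "https://aai-login.example.org/idp/shibboleth"
    sp = "https://sp.example.org/shibboleth"
    pid = computed_persistent_id(sp, "123456@example.org", "constructed-salt-do-not-reuse")
    print(name_id_element(idp, sp, pid))
    rendered = qualified_persistent_id(idp, sp, pid)
    print(rendered)
    print(parse_qualified_id(rendered))
```

Two properties worth checking against your own deployment: the same user gets a different value at every SP (the SP entityID is part of the hash), and the value changes if the salt changes, which is why the salt must be carried over unchanged when migrating from v2.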
Persistent ID changes with the IdP v3
• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate, and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP: default mapping using the entityID

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

Other mapping configurable, but the key is still the entityID (default value available).
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
Hands-on solution
• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="ShibbolethSSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
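Because the override list is evaluated in order, it helps to see the selection logic outside the IdP. The following Python example is added for this handout (not Shibboleth code): it reads the entity attributes and the enclosing <EntitiesDescriptor> group of each SP from a constructed metadata document shaped like the excerpt above, then evaluates an ordered list of name/group/tag candidates the way shibboleth.RelyingPartyOverrides does, first match wins. The federation group name, the second SP and the override bean ids other than shibboleth.NoUserConsentRelyingParty are constructed for the example.

```python
"""Relying-party override selection against SAML metadata entity attributes.

Added example for this handout, not Shibboleth code. Mirrors the three
override kinds (by name, by group, by tag) and the first-match-wins rule.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Sequence, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
DEFAULT = "shibboleth.DefaultRelyingParty"

# Constructed metadata: the slide's SP plus a second SP from example.org,
# wrapped in a group (EntitiesDescriptor Name) invented for this example.
METADATA = """<md:EntitiesDescriptor Name="urn:mace:example.org:federation"
    xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" xmlns:saml="%(saml)s">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="%(cat)s">
          <saml:AttributeValue>%(coco)s</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="%(ho)s">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="%(ho)s">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % dict(NS, cat=ENTITY_CATEGORY, coco=COCO, ho=HOME_ORG)

Entity = Dict[str, Any]


def load_entities(xml_text: str) -> Dict[str, Entity]:
    """Index every EntityDescriptor by entityID with its groups and entity attributes."""
    entities: Dict[str, Entity] = {}

    def walk(node: ET.Element, groups: List[str]) -> None:
        if node.tag == "{%s}EntitiesDescriptor" % NS["md"]:
            name = node.get("Name")
            for child in node:
                walk(child, groups + [name] if name else groups)
        elif node.tag == "{%s}EntityDescriptor" % NS["md"]:
            attrs: Dict[str, List[str]] = {}
            for attr in node.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
                values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
                attrs.setdefault(attr.get("Name"), []).extend(values)
            entities[node.get("entityID")] = {"groups": groups, "attributes": attrs}

    walk(ET.fromstring(xml_text), [])
    return entities


# An override is (bean id, kind, spec): 'name' -> set of entityIDs, 'group' -> set of
# group names, 'tag' -> (attribute Name, accepted values), like TagCandidate c:name/p:values.
Override = Tuple[str, str, Any]


def matches(entity_id: str, entity: Entity, kind: str, spec: Any) -> bool:
    """Evaluate one candidate against one entity."""
    if kind == "name":
        return entity_id in spec
    if kind == "group":
        return any(g in spec for g in entity["groups"])
    if kind == "tag":
        attr_name, accepted = spec
        return any(v in accepted for v in entity["attributes"].get(attr_name, []))
    raise ValueError("unknown candidate kind: %s" % kind)


def select_override(entity_id: str, entities: Dict[str, Entity], overrides: Sequence[Override]) -> str:
    """Return the first override whose candidate matches, else the default relying party."""
    entity = entities.get(entity_id, {"groups": [], "attributes": {}})
    for bean_id, kind, spec in overrides:
        if matches(entity_id, entity, kind, spec):
            return bean_id
    return DEFAULT


# Constructed override list, in the order it would appear in relying-party.xml.
OVERRIDES: List[Override] = [
    ("shibboleth.NoUserConsentRelyingParty", "tag", (HOME_ORG, {"example.org"})),
    ("example.CoCoRelyingParty", "tag", (ENTITY_CATEGORY, {COCO})),
    ("example.FederationRelyingParty", "group", {"urn:mace:example.org:federation"}),
]

if __name__ == "__main__":
    ents = load_entities(METADATA)
    for eid in ents:
        print(eid, "->", select_override(eid, ents, OVERRIDES))
```

Reversing the list shows why order matters: a broad group override placed first shadows the narrower tag matches behind it, so put the most specific candidates at the top of shibboleth.RelyingPartyOverrides.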
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
(Screenshot of the Home Organisation Description in the Resource Registry, annotated: sections 1 and 2 to review, section 3 to adapt.)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
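A grep answers "was it used at all"; for a removal decision you usually want the last use per binding, and which SP it was. The following Python example is added for this handout (not Shibboleth code) and runs that check over a handful of constructed log lines; the line layout is an assumption made for the example, so adapt the two regular expressions to the log format you actually grep.

```python
"""Last-use audit of SAML bindings over IdP log lines.

Added example for this handout, not Shibboleth code. The line layout below is
constructed for the example; only a leading ISO date and a binding URI plus an
SP entityID on the same line are assumed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The removal candidates named on the slide.
CANDIDATES = [
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
]

# Constructed sample lines (not real IdP output).
SAMPLE_LOG = """\
2015-01-12 08:03:11,402 - INFO [example.audit] - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST requester=https://sp.example.org/shibboleth
2015-02-20 16:45:59,008 - INFO [example.audit] - binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding requester=https://legacy.example.org/shibboleth
2015-04-02 09:14:07,311 - INFO [example.audit] - binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding requester=https://legacy.example.org/shibboleth
2015-05-30 11:20:43,777 - INFO [example.audit] - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect requester=https://sp.example.org/shibboleth
"""

_DATE = re.compile(r"^(\d{4}-\d{2}-\d{2})")
_BINDING = re.compile(r"(urn:oasis:names:tc:SAML:\d\.\d:bindings:[A-Za-z0-9-]+)")
_REQUESTER = re.compile(r"requester=(\S+)")  # assumed layout, adapt to your log

Use = Optional[Tuple[str, str]]  # (ISO date, SP entityID) or None if never seen


def last_use(lines: Iterable[str], bindings: Iterable[str]) -> Dict[str, Use]:
    """For each binding, the latest (date, SP) observed, or None if never used."""
    seen: Dict[str, Use] = {b: None for b in bindings}
    for line in lines:
        d, b, r = _DATE.match(line), _BINDING.search(line), _REQUESTER.search(line)
        if not (d and b and r) or b.group(1) not in seen:
            continue
        entry = (d.group(1), r.group(1))
        previous = seen[b.group(1)]
        # ISO dates compare correctly as strings.
        if previous is None or entry[0] > previous[0]:
            seen[b.group(1)] = entry
    return seen


def removable(lines: Iterable[str], bindings: Iterable[str], since: str) -> List[str]:
    """Bindings with no use on or after the ISO date `since`: candidates to drop from metadata."""
    return sorted(b for b, use in last_use(lines, bindings).items()
                  if use is None or use[0] < since)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for binding, use in last_use(lines, CANDIDATES).items():
        print(binding, "->", use or "never used")
    print("removable since 2015-03-01:", removable(lines, CANDIDATES, "2015-03-01"))
```

In the sample, the SOAP binding was last used on 2015-04-02 by one legacy SP, so it is not removable with a cut-off of 2015-03-01; the SimpleSign binding never appears and is. Feed the function the concatenation of all rolled idp-process logs for the window you care about.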
Clustering IdPs
High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment
(Diagram of the example clustering environment.)
Options bull Full-featured setup
Load Balancing Hardware vs DNS Round Robin Special load balancing hardware or software is highly recommended
bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored
bull Supports sticky sessions (required for short-lived conversation sessions)
DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions
bull Basic setup (ActiveStandby system) Anycast IP address
bull Fast switching possible but more complicated setup
Switching via DNS bull Switching takes some time (TTL) but setup is easy
7
Options: Data storage client-side vs. server-side
• Server-side database can store any data
  • But: Might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (Still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: Irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
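A check that compares the four idp.properties keys above with the storage recommendations table (session on the client, consents and artifacts in the common database, replay cache per node). This is an added example, not part of the handouts or of the IdP distribution. shibboleth.JPAStorageService is the database-backed service the handout names; shibboleth.StorageService (in-memory) and shibboleth.ClientSessionStorageService (cookie-based) are assumed here to be the IdP v3 built-in bean names, so verify them against your own global.xml before relying on the check.

```shell
#!/bin/sh
# Compare the storage-service assignments in idp.properties with the cluster
# recommendations: user session client-side, consents and SAML artifacts in
# the common database, replay cache per node in memory. Added example, not
# SWITCH tooling. shibboleth.JPAStorageService is named on the handout;
# shibboleth.StorageService (in-memory) and shibboleth.ClientSessionStorageService
# (client cookie) are assumed IdP v3 built-in bean names.

# prop FILE KEY -> value of KEY in FILE (last assignment wins, "" if unset)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# report STATUS ENTITY TEXT -> one aligned output line
report() {
    printf '%-4s %-22s %s\n' "$1" "$2" "$3"
}

# check_storage FILE -> prints one line per storage entity and returns the
# number of deviations from the recommendations (0 = all as recommended)
check_storage() {
    f=$1; n=0
    session=$(prop "$f" idp.session.StorageService)
    consent=$(prop "$f" idp.consent.StorageService)
    artifact=$(prop "$f" idp.artifact.StorageService)
    replay=$(prop "$f" idp.replayCache.StorageService)

    # IdP user session: must float between nodes, so it belongs on the client
    if [ "$session" = shibboleth.ClientSessionStorageService ]; then
        report OK "IdP user session" "client-side ($session)"
    else
        report WARN "IdP user session" "'${session:-unset}': sessions are lost when a node fails"
        n=$((n + 1))
    fi
    # user consents: server-side common database, so several browsers work
    if [ "$consent" = shibboleth.JPAStorageService ]; then
        report OK "user consents" "common database ($consent)"
    else
        report WARN "user consents" "'${consent:-unset}': not in the common database"
        n=$((n + 1))
    fi
    # SAML artifacts: every active node must be able to resolve them
    if [ "$artifact" = shibboleth.JPAStorageService ]; then
        report OK "SAML artifacts" "common database ($artifact)"
    else
        report WARN "SAML artifacts" "'${artifact:-unset}': not cluster-wide (only fine if artifacts are unused)"
        n=$((n + 1))
    fi
    # replay cache: per-node memory is the default and the recommendation,
    # the common database is the documented alternative
    if [ "$replay" = shibboleth.StorageService ] || [ "$replay" = shibboleth.JPAStorageService ]; then
        report OK "message replay cache" "$replay"
    else
        report WARN "message replay cache" "'${replay:-unset}': unknown storage service"
        n=$((n + 1))
    fi
    return $n
}

# --- demo on a constructed idp.properties fragment (not a real deployment) ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed: everything in node-local memory, a second node cannot take over
idp.session.StorageService = shibboleth.StorageService
idp.consent.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
check_storage "$demo" || echo "$? setting(s) deviate from the cluster recommendations"
rm -f "$demo"
```

Point `check_storage` at /opt/shibboleth-idp/conf/idp.properties on each node; the exit status is the number of findings, which makes it easy to wire into a deployment check. The Persistent ID store is not covered because it lives in global.xml rather than in a property.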
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: Its users will be able to access services from other federations
  • Enable the SP for interfederation: The service can serve users from other federations
Page 79
All Academic Identity Federations Globally
(Map of production and pilot federations. Source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust
(Diagram: Metadata)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: several SPs commit to the GÉANT Data Protection Code of Conduct; the Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                       GÉANT DP CoCo
Global                           Mainly Europe
Common purpose of the SPs        Common data protection standards
Fixed set of attributes          SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
(Diagram)
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Log files:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7/
  Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7/
  Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart. The idp services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: Diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok. Change them if required, e.g.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<!-- E-mail alerting: SMTPAppender buffers events and, by default, sends a
     mail only when an ERROR level event arrives (OnErrorEvaluator) -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<!-- the appender only receives events if it is referenced from a logger -->
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS" />
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose: they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
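The curl-based reload described on the previous slides, wrapped so that only the bean IDs listed above are ever sent to the admin flow and the operator sees whether the IdP accepted the reload. This is an added example, not one of the scripts shipped under /opt/shibboleth-idp/bin; the IdP base URL is an assumption, and since the reload-* flows are restricted to localhost by default the script is meant to run on the IdP node itself.

```shell
#!/bin/sh
# Reload one IdP v3 service through the admin flow and report the outcome.
# Added example, not the scripts shipped in /opt/shibboleth-idp/bin. The bean
# IDs are those listed on the handout; the base URL is an assumption and the
# script should run on the IdP node (the flow is localhost-only by default).

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}

# reloadable_ids -> the service bean IDs known to the admin flow
reloadable_ids() {
    cat <<'EOF'
shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService
EOF
}

# is_reloadable ID -> true when ID is one of the known bean IDs
is_reloadable() {
    reloadable_ids | grep -qxF -- "$1"
}

# reload_url KIND ID -> the admin flow URL, KIND is "service" or "metadata"
reload_url() {
    printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# http_status URL -> HTTP status code of a GET request, nothing else printed
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# reload_service ID -> 0 when the IdP answered 200, 1 on any other status,
# 2 when ID is not a known reloadable bean (nothing is sent in that case)
reload_service() {
    if ! is_reloadable "$1"; then
        echo "refusing to reload unknown bean id '$1'" >&2
        return 2
    fi
    url=$(reload_url service "$1")
    status=$(http_status "$url")
    if [ "$status" = 200 ]; then
        echo "reloaded $1"
        return 0
    fi
    echo "reload of $1 failed with HTTP status ${status:-none}, check idp-process.log" >&2
    return 1
}

# --- demo without network access: show the URL and the ID check only ---
reload_url service shibboleth.AttributeFilterService
reload_service shibboleth.NoSuchService || echo "exit status $?"
```

A non-200 answer after a configuration edit usually means the reloaded file has a syntax error; the IdP keeps running with the previous configuration, and idp-process.log carries the parser message. The metadata reload works the same way with `reload_url metadata <provider-id>`.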
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations relatively rarely occur
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: Additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted-out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai: It needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: Were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts
Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character
Page 12
Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />
Examples of Beans
• There are some helper constructs to define beans. Example: Beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
Page 13
References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
Page 14
SWITCHaai Team, aai@switch.ch
User Authentication: How to do it the v3 way

From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development
Page 15
Login Flows
(Diagram: a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it: Password Authentication Flow, X.509 Authentication Flow or RemoteUser Authentication Flow; a SAML Response is returned)

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  • But: the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (Multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Page 18
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust
• User Directory options
  • idp.authn.LDAP.baseDN: Entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
copy 2015 SWITCH
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: Bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: Password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration
Get familiar with the properties files.
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties:
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2: File /opt/shibboleth-idp/conf/login.config
  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
  };
PS: Common and equivalent alternative to userField: userFilter
  userField="uid"  is equivalent to  userFilter="uid={0}"
Hands-on 2: Solution
To IdPv3: File /opt/shibboleth-idp/conf/ldap.properties
  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]
File /opt/shibboleth-idp/conf/credentials.properties (the bind password does not belong in ldap.properties)
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
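The Hands-on 2 migration done mechanically, as an added Python example that is not part of the SWITCH handout: it parses the v2 LdapLoginModule options, rewrites userField/userFilter into the v3 (attr={user}) form, derives useSSL/useStartTLS from the URL scheme, and keeps the bind password out of ldap.properties. The sample login.config is a constructed copy of the slide's example; the helper names (parse_jaas_options, migrate) are this example's own.

```python
import re

# Constructed v2 login.config, copied from the hands-on slide (not a real deployment).
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

# v2 JAAS option name -> v3 property name for options that map one-to-one.
DIRECT_MAP = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}

OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_options(text):
    """Return the key="value" options of the LdapLoginModule entry as a dict."""
    return dict(OPTION_RE.findall(text))


def to_v3_filter(options):
    """userField="uid" -> (uid={user}); userFilter="uid={0}" -> (uid={user})."""
    if "userFilter" in options:
        f = options["userFilter"].replace("{0}", "{user}")
        return f if f.startswith("(") else "(" + f + ")"
    return "(%s={user})" % options["userField"]


def migrate(login_config_text):
    """Split a v2 LdapLoginModule configuration into the two v3 files:
    (ldap.properties values, credentials.properties values)."""
    options = parse_jaas_options(login_config_text)
    ldap_props = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds = {}
    for v2_key, v3_key in DIRECT_MAP.items():
        if v2_key in options:
            ldap_props[v3_key] = options[v2_key]
    ldap_props["idp.authn.LDAP.userFilter"] = to_v3_filter(options)
    urls = options["ldapUrl"].split()
    if all(u.startswith("ldaps://") for u in urls):
        ldap_props["idp.authn.LDAP.useSSL"] = "true"
        ldap_props["idp.authn.LDAP.useStartTLS"] = "false"
    else:
        # ldap:// URLs are unencrypted unless StartTLS is enabled, so request it.
        ldap_props["idp.authn.LDAP.useSSL"] = "false"
        ldap_props["idp.authn.LDAP.useStartTLS"] = "true"
    ldap_props["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    # The bind password goes to credentials.properties only, never to ldap.properties.
    if "bindCredential" in options:
        creds["idp.authn.LDAP.bindDNCredential"] = options["bindCredential"]
    return ldap_props, creds


def render(props):
    """Render a dict as Java properties lines."""
    return "\n".join("%s = %s" % kv for kv in sorted(props.items()))


if __name__ == "__main__":
    ldap_props, creds = migrate(V2_LOGIN_CONFIG)
    print("# ldap.properties\n" + render(ldap_props))
    print("# credentials.properties\n" + render(creds))
```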
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References: Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the velocity templates.
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:
  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.
  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:
  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:
  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity Properties
  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example
  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:
  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
Doable in Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:
  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Add that new attribute to the definition of eduPersonEntitlement:
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://aai-login.example.org/idp/shibboleth" SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
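The default computation and the two renderings above, as an added Python example that is not code from the handout or from Shibboleth. The slide names the three hash inputs but not how they are joined; the "!" separators between them follow the Shibboleth computed-ID connector as I know it and are an assumption. Entity IDs, user value and salt are constructed samples.

```python
import base64
import hashlib


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Default persistent ID: SHA-1 over the SP entityID, the user's source attribute
    value and the admin salt, Base64 encoded (20 bytes -> 28 characters).
    Assumption: the "!" separators follow Shibboleth's computed-ID connector;
    the slide only names the three inputs."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def persistent_id_bytes(persistent_id):
    """Decode the Base64 value back to the raw hash (to check the 20-byte length)."""
    return base64.b64decode(persistent_id)


def sp_attribute_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """String form the Shibboleth SP exposes to applications: IdP!SP!value.
    The qualifiers are part of the value, so two IdPs can never collide on a bare hash."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def name_id_element(idp_entity_id, sp_entity_id, persistent_id):
    """The <NameID> element as carried in the SAML assertion."""
    return ('<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
            'NameQualifier="%s" SPNameQualifier="%s">%s</NameID>'
            % (idp_entity_id, sp_entity_id, persistent_id))


if __name__ == "__main__":
    # Constructed sample values, not real federation data.
    idp = "https://aai-login.example.org/idp/shibboleth"
    user = "123456@example.org"          # e.g. a swissEduPersonUniqueID value
    salt = "constructed-salt-value"      # in production: idp.persistentId.salt, kept secret
    for sp in ("https://sp.example.org/shibboleth", "https://other.example.org/shibboleth"):
        pid = computed_persistent_id(sp, user, salt)
        # Same user, different SP: a different pair-wise value each time.
        print(sp_attribute_rendering(idp, sp, pid))
        print(name_id_element(idp, sp, pid))
```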
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration (and an ideal SAML 2 world), the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:
  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:
  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
Hands-on solution
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:
  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Upgrades within Version 3
SWITCHaai Team, aai@switch.ch

It's easy now!
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change is needed in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
1, 2: To review
3: To adapt
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
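The same check as the grep above, as an added Python example that is not part of the handout: it scans process-log lines for a binding URN, records the last use per SP, and decides whether the endpoint has been unused since a cut-off date. The log lines are constructed samples; their shape (timestamp first, the SP entityID as the first URL in the message) and the SP_RE pattern are assumptions to adapt to your real idp-process.log lines.

```python
import re
from datetime import datetime

SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample lines (shape only; real idp-process.log messages differ in wording).
SAMPLE_LOG = """\
2015-01-14 08:02:11,411 - INFO [constructed.Logger:1] - Relying party https://old-sp.example.org/shibboleth used binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-01-14 08:02:12,050 - INFO [constructed.Logger:1] - Relying party https://sp.example.org/shibboleth used binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-04-20 17:45:03,007 - INFO [constructed.Logger:1] - Relying party https://old-sp.example.org/shibboleth used binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-06-02 11:10:59,900 - INFO [constructed.Logger:1] - Relying party https://legacy.example.org/shibboleth used binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Assumption for these constructed lines: the first URL in the message is the SP entityID.
SP_RE = re.compile(r"(https?://\S+)")


def last_use_by_sp(lines, binding):
    """Map SP entityID -> most recent timestamp at which `binding` appears on its log line."""
    last = {}
    for line in lines:
        if binding not in line:
            continue
        ts_m = TIMESTAMP_RE.match(line)
        sp_m = SP_RE.search(line)
        if not ts_m or not sp_m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")
        sp = sp_m.group(1)
        if sp not in last or ts > last[sp]:
            last[sp] = ts
    return last


def binding_removable(lines, binding, since):
    """True when no SP used the binding on or after `since` (YYYY-MM-DD).
    An empty result only means 'not seen in the lines scanned', so the answer is
    only as good as the log retention window you feed in."""
    since_dt = datetime.strptime(since, "%Y-%m-%d")
    return all(ts < since_dt for ts in last_use_by_sp(lines, binding).values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for sp, ts in sorted(last_use_by_sp(lines, SAML1_SOAP_BINDING).items()):
        print("%s last used SAML1 SOAP on %s" % (sp, ts))
    print("SAML1 SOAP removable since 2015-05-01:", binding_removable(lines, SAML1_SOAP_BINDING, "2015-05-01"))
```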
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
- Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
- A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
- Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2
- Especially, user login sessions are stored on the client instead of on the server in memory
- Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (two diagram slides, not reproduced in the handout text)
Options: Load Balancing Hardware vs. DNS Round Robin
- Full-featured setup
  - Special load balancing hardware or software is highly recommended
    - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    - Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    - Behavior of clients is not determinable
    - Does not guarantee sticky sessions
- Basic setup (Active/Standby system)
  - Anycast IP address: fast switching possible, but more complicated setup
  - Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data Storage Client-side vs. Server-side
- Server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on the client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
- "Common Database" means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
- Setup
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta
  - No longer an option for IdPv3
Considerations for planning an IdP cluster
bull Which type of setup do you need Basic setup or full-featured setup
bull What kind of database do you need Does your institution already run some clustered relational database that you can make use of
bull Which additional hardware or software is required
bull Which further considerations are relevant for your institution
16
Page 76
References: Documentation
- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
- Most federations are of national scope
- Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
- Research projects are mostly multi-national
- Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: 1257 IdPs, 963 SPs
- http://www.edugain.org
- https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt-in for eduGAIN
  - Some federations decided for opt-out instead
- The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for international coherent use
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context
  - Filling the gap of missing common policies
  - Support or increase scalable trust

Metadata (example slide, not reproduced in the handout text)
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs). (Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment.)

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative informational documents
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
REFEDS Research & Scholarship
- R&S SPs support
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot slide)

Attribute Release Settings (1)
(Screenshot: Resource Registry > Edit Home Organization Description > Attribute Release Settings)

Attribute Release Settings (2) (screenshot slide)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
- Logfiles
  - error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  - access.log: aai-login.example.org.access.log
- Location: /var/log/apache2
- Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat
  - Default logging location: /var/log/tomcat7
  - Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  - Default logging location: /var/log/tomcat7
  - Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
- Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Shibboleth log files (2)
- Location: /opt/shibboleth-idp/logs
- Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
- Config: /opt/shibboleth-idp/conf/logback.xml
- Three main classes: Logger, Appender (output destination) and Layout
- Default settings are usually ok. Change them if required, i.e.
  - LDAP Auth Module or authentication events
  - new Logger or Appender…
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so this is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
- reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
- by default, access to the reload- URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
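An added example (not from the SWITCH handout) of driving the two admin flows from the shell and checking the result in the logs: it builds the reload URLs, calls them with curl, counts reload events in idp-audit.log, and recovers the id= arguments from the web server access log, since the audit entries themselves do not record them. The IdP base URL, the audit-log and access-log lines, and the metadata provider id switchaaiMD are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): trigger IdP v3 reloads over the
# admin flows with curl and verify them in the logs.
# Assumptions: IDP_BASE below; idp-audit.log lines constructed in the
# pipe-separated shape shown on the hands-on slide; access-log lines constructed
# in Apache combined format. The query string of the reload request, and thus
# the id= argument, is visible in the access log but not in idp-audit.log.

IDP_BASE='https://aai-login.example.org/idp'

# reload_url KIND ID: KIND is "service" or "metadata", ID a bean id such as
# shibboleth.AttributeResolverService or a metadata provider id.
reload_url() {
  printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# reload KIND ID: call the admin flow and report the HTTP status; succeed only
# on 200. Access to the reload- URLs is restricted to localhost by default,
# so run this on the IdP node itself.
reload() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url "$1" "$2")")
  echo "reload-$1 id=$2 -> HTTP $code"
  [ "$code" = "200" ]
}

# count_reload_events AUDITLOG PROFILE: number of audit entries for one reload
# profile (reload-service-configuration or reload-metadata). grep -c exits 1
# when the count is 0, which is a valid answer here.
count_reload_events() {
  grep -c -F -- "|http://shibboleth.net/ns/profiles/$2|" "$1" || true
}

# reload_ids_from_access_log ACCESSLOG: the id= value of every reload request
# found in the request line of the web server access log, one per line.
reload_ids_from_access_log() {
  grep -o 'reload-[a-z]*?id=[^ &"]*' "$1" | sed 's/^.*id=//'
}

# Constructed sample logs (not real IdP output).
SAMPLE_AUDIT=$(mktemp); SAMPLE_ACCESS=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT" "$SAMPLE_ACCESS"' EXIT
cat >"$SAMPLE_AUDIT" <<'EOF'
20150611T081502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T091200Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
EOF
cat >"$SAMPLE_ACCESS" <<'EOF'
127.0.0.1 - - [11/Jun/2015:10:15:02 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeFilterService HTTP/1.1" 200 12 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:10:15:30 +0200] "GET /idp/profile/admin/reload-metadata?id=switchaaiMD HTTP/1.1" 200 12 "-" "curl/7.35.0"
EOF

echo "service reloads in audit log: $(count_reload_events "$SAMPLE_AUDIT" reload-service-configuration)"
echo "metadata reloads in audit log: $(count_reload_events "$SAMPLE_AUDIT" reload-metadata)"
echo "ids supplied: $(reload_ids_from_access_log "$SAMPLE_ACCESS" | tr '\n' ' ')"
```

To reload for real, call e.g. reload service shibboleth.AttributeFilterService on the IdP node; the exit status tells a cronjob or deployment script whether the reload was accepted.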
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  - say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
- and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
- try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding
  - Opt-in vs. opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - Federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt-out before
    - if they do not want to participate
    - if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted-out before the flag day
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
Metadata
- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue
  - SP does not load interfederation metadata
  - SP does not know the IdP and fails
Discovery Service (DS)
- Within SWITCHaai, users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
  - An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  - E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  - That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
- Missing attributes cause interoperation problems
  - Check the SP's attribute requirements in the Resource Registry
  - Verify that attributes were released (in the IdP's audit log)
    - If NO: check your IdP's attribute release policy
    - If YES: were all required attributes released?
      - If YES: the SP has to check out why it fails
      - If NO: review your attribute release policy
- Another issue
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php
    - pick the country where the entity might be registered
    - under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  - or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  - or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
- Additional web pages of interest
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  - REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
- Find an SP in the Resource Registry
  - go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  - or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Examples of Beans
- Each bean has some name (id)
- Each bean has some type (class)
- Attributes (parameters) specify the bean's configuration
- Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans (continued)
- There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>
References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
- Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
- Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
User Authentication: How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
- v2 uses Login Handlers
  - Typical/default setup: UsernamePassword login handler
    - Username/password login form
    - Authentication via JAAS and LDAP (login.config)
  - Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
- v3 uses Login Flows (also called Authentication Flows)
  - Typical/default setup: Password login flow
    - Username/password login form
    - Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  - Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development
Login Flows (diagram): a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X509 or Password Authentication Flow) and executes it; a SAML Response is returned.
Login Flows
- One or several flows can be activated
- The authentication engine of the IdP selects a suitable flow depending on several criteria
  - Does the SP request a specific authentication context type?
  - Does the SP request forced authentication?
  - Does the SP request passive authentication?
- In practice most deployments will use the Password login flow as the only one
- ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  - But: the client must support ECP appropriately
Authentication Configuration
- Login flow activation
  - /opt/shibboleth-idp/conf/idp.properties: the active flows are specified via a regular expression (i.e. the order doesn't matter)
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
- Per login flow configuration
  - /opt/shibboleth-idp/conf/authn/*-config.xml
- Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
- Most deployments use this authentication mechanism
- Login flow for username/password authentication: Password (activated by default)
- Configuration is done in two properties files
  - All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  - Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
- The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
- /opt/shibboleth-idp/conf/ldap.properties

  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

- /opt/shibboleth-idp/conf/credentials.properties

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
copy 2015 SWITCH
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted.
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration
Get familiar with the properties files.
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties:
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};

PS: A common and equivalent alternative to userField is userFilter:
  userField="uid"  is equivalent to  userFilter="uid={0}"
Hands-on 2: Solution
To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password lives here, not in ldap.properties):
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
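The following script is an added example, not code from the SWITCH handouts or from the Shibboleth project. It carries out the migration of Hands-on 2 mechanically (a v2 LdapLoginModule stanza in, v3 ldap.properties and credentials.properties out) and then checks the result for the points the property slides stress: TLS must match the URL scheme (useStartTLS for ldap://, useSSL for ldaps://), the bind password must not end up in ldap.properties, and the user filter must carry the {user} placeholder. The input stanza is constructed from the slide's example; the option names are the ones shown on the slides.

```python
"""Migrate an IdPv2 JAAS LdapLoginModule stanza to IdPv3 LDAP properties
and check the result for the settings discussed in the slides.

Added example, not code from the SWITCH handouts or from Shibboleth. The
JAAS stanza below is constructed from the Hands-on 2 example.
"""
import re

# Constructed input: an IdPv2 login.config stanza in the shape shown on the slide.
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

def parse_jaas_options(stanza):
    """Return the key="value" options of the login module in a JAAS stanza."""
    return dict(re.findall(r'(\w+)="([^"]*)"', stanza))

def migrate_to_v3(options):
    """Map v2 LdapLoginModule options to the two IdPv3 properties files.

    Returns (ldap_properties, credentials_properties) as dicts. The bind
    password is placed only in credentials.properties, as the slides require.
    """
    urls = options["ldapUrl"].split()
    all_ldaps = all(u.startswith("ldaps://") for u in urls)
    if "userFilter" in options:
        # v2 uses {0} for the login name, v3 uses {user}
        user_filter = "(" + options["userFilter"].replace("{0}", "{user}") + ")"
    else:
        user_filter = "(%s={user})" % options["userField"]
    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # ldaps:// URLs use useSSL; plain ldap:// URLs should use StartTLS
        "idp.authn.LDAP.useStartTLS": "false" if all_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if all_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": options["baseDn"],
        "idp.authn.LDAP.subtreeSearch": options.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": options["bindDn"],
    }
    cred_props = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap_props, cred_props

def check_ldap_properties(ldap_props):
    """Return findings for settings that expose LDAP traffic or credentials;
    an empty list means all checks passed."""
    findings = []
    urls = ldap_props.get("idp.authn.LDAP.ldapURL", "").split()
    starttls = ldap_props.get("idp.authn.LDAP.useStartTLS") == "true"
    ssl = ldap_props.get("idp.authn.LDAP.useSSL") == "true"
    for u in urls:
        if u.startswith("ldap://") and not starttls:
            findings.append("%s without useStartTLS: passwords cross the wire in clear" % u)
        if u.startswith("ldaps://") and not ssl:
            findings.append("%s without useSSL: connection will not use TLS" % u)
        if not u.startswith(("ldap://", "ldaps://")):
            findings.append("%s: URL must start with ldap:// or ldaps://" % u)
    if "idp.authn.LDAP.bindDNCredential" in ldap_props:
        findings.append("bindDNCredential belongs in credentials.properties, not ldap.properties")
    if "{user}" not in ldap_props.get("idp.authn.LDAP.userFilter", ""):
        findings.append("userFilter does not contain the {user} placeholder")
    return findings

def render_properties(props):
    """Render a dict as Java properties text in the slides' 'key = value' style."""
    return "\n".join("%s = %s" % kv for kv in props.items()) + "\n"

if __name__ == "__main__":
    ldap_props, cred_props = migrate_to_v3(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# ldap.properties\n" + render_properties(ldap_props))
    print("# credentials.properties\n" + render_properties(cred_props))
    print("findings:", check_ldap_properties(ldap_props))
```

Running the script on the slide's stanza yields the same properties as the solution slide and no findings; feeding it an ldap:// URL with useStartTLS = false, or a file that still carries bindDNCredential, produces one finding each, which is the review a deployer should do before the first test login.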
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization

SWITCHaai Team aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
#set ($name = $rpUIContext.getServiceName())
#if ($name)
  <div class="space">
    ## the service name comes from SP metadata, so it is HTML-encoded before output
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of invalid username or incorrect password:
  “The credentials you entered are incorrect.”

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• Define a CSS class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• Use the class in login.vm:
  <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:

UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>
    shibboleth.PostgreSQLDataSource
  </dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • Output attribute variable already created
  • setValues() removed
  • And more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlementgroups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
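As an added example (not code from the handouts or from the Shibboleth IdP), the model below plays through both hands-on solutions: a Template definition expands once per source value, so the multi-valued objectClass yields several entitlement URIs; a Simple definition merges its dependencies; a dependencyOnly definition is resolved but never released; and an AttributeRequesterString policy restricts release to the attribute viewer. The one-value-per-source-value and merge rules are my reading of these definition types and are assumptions of this example, as is the LDAP entry and the common-lib-terms value.

```python
"""Model of the ad:Template and ad:Simple definitions from the hands-on
solutions, plus a requester-based release filter.

Added example, not code from the handouts or from the Shibboleth IdP.
Resolution semantics here are assumptions; the LDAP entry is constructed.
"""
import string

# Constructed LDAP entry for one user. The common-lib-terms entry stands in
# for the separately defined eduPersonEntitlementcommon-lib-terms attribute.
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["inetOrgPerson", "organizationalPerson", "person"],
    "eduPersonEntitlementcommon-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}

class TemplateAttributeDefinition:
    """ad:Template: expand ${source} once per value of the source attribute."""

    def __init__(self, attr_id, template, source_attribute, dependency_only=False):
        self.attr_id = attr_id
        self.template = string.Template(template)
        self.source_attribute = source_attribute
        self.dependency_only = dependency_only

    def resolve(self, resolved):
        return [self.template.substitute({self.source_attribute: v})
                for v in resolved.get(self.source_attribute, [])]

class SimpleAttributeDefinition:
    """ad:Simple: collect the values of all dependencies, in dependency order."""

    dependency_only = False

    def __init__(self, attr_id, dependencies):
        self.attr_id = attr_id
        self.dependencies = dependencies

    def resolve(self, resolved):
        values = []
        for dep in self.dependencies:
            values.extend(resolved.get(dep, []))
        return values

def resolve_attributes(entry, definitions):
    """Run the definitions in order (later ones may consume earlier output).

    Returns (all_resolved, releasable): dependencyOnly attributes are present
    in all_resolved but withheld from releasable.
    """
    resolved = {k: list(v) for k, v in entry.items()}
    for d in definitions:
        resolved[d.attr_id] = d.resolve(resolved)
    releasable = {d.attr_id: resolved[d.attr_id]
                  for d in definitions if not d.dependency_only}
    return resolved, releasable

def filter_for_requester(releasable, requester, policies):
    """AttributeRequesterString policies as {requester entityID: [permitted attribute IDs]}."""
    permitted = set(policies.get(requester, []))
    return {k: v for k, v in releasable.items() if k in permitted}

UZH_SAP = TemplateAttributeDefinition("uzhSAPUserId", "SAP-${uid}", "uid")
GROUPS = TemplateAttributeDefinition("eduPersonEntitlementgroups",
                                     "https://example.org/groups/${objectClass}",
                                     "objectClass", dependency_only=True)
EPE = SimpleAttributeDefinition("eduPersonEntitlement",
                                ["eduPersonEntitlementcommon-lib-terms",
                                 "eduPersonEntitlementgroups"])
DEFINITIONS = [UZH_SAP, GROUPS, EPE]

ATTRIBUTE_VIEWER = "https://attribute-viewer.aai.switch.ch/shibboleth"
# Constructed filter policy in the spirit of attribute-filter-local.xml above.
POLICIES = {ATTRIBUTE_VIEWER: ["uzhSAPUserId", "eduPersonEntitlement"]}

if __name__ == "__main__":
    all_resolved, releasable = resolve_attributes(LDAP_ENTRY, DEFINITIONS)
    print(all_resolved["eduPersonEntitlement"])
    print(filter_for_requester(releasable, ATTRIBUTE_VIEWER, POLICIES))
    print(filter_for_requester(releasable, "https://unknown.example.org/shibboleth", POLICIES))
```

The point worth seeing is the last print: an SP without a matching policy receives nothing, while the dependencyOnly groups attribute never appears in the releasable set even for the attribute viewer; its values reach the SP only folded into eduPersonEntitlement.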
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration

SWITCHaai Team aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: “Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities.”
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
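The derivation described above, as an added example that is not part of the handouts or of Shibboleth: SHA-1 over the SP entity ID, the user attribute value and the salt, Base64 encoded to 28 characters, then rendered the way the Shibboleth SP exposes it (NameQualifier, SPNameQualifier and value joined by "!"). The "!" separators inside the hashed input follow the computed-ID connector as I know it and should be treated as an assumption of this example; the entity IDs are the slide's, the user value and salt are constructed.

```python
"""Computed persistent ID as the slides describe it, plus the SP-side string
rendering and its inverse.

Added example, not code from the handouts or from Shibboleth. The byte
layout 'spEntityID!sourceValue!salt' is an assumption of this example.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"

def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 of 'spEntityID!sourceValue!salt', Base64 encoded (28 chars).

    Because the SP entity ID is part of the input, the same user gets an
    unrelated ID at every SP (pair-wise pseudonym); because the salt is
    secret, an SP cannot recover the source value from the ID by guessing.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def sp_attribute_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """String form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "!".join([idp_entity_id, sp_entity_id, persistent_id])

def split_sp_attribute_rendering(rendered):
    """Inverse of the rendering; returns (idp, sp, value) or None if malformed.

    An SP should compare the qualifiers with the issuing IdP and its own
    entity ID; an unqualified value alone is not unique across IdPs.
    """
    parts = rendered.split("!")
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)

if __name__ == "__main__":
    # constructed sample values; a real salt is long, random and kept in credentials.properties
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", "constructed-salt")
    print(pid)
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

Changing either the SP entity ID or the salt changes the whole identifier, which is why the salt must be carried over unchanged from the v2 configuration (see the NameID generation slide): a new salt would silently give every user a new identity at every SP.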
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of “special-purpose” attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release

SWITCHaai Team aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose “I don't care about my privacy”
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login:
  idp.consent.allowDoNotRemember = true [true]
• Do not ask me again:
  idp.consent.allowGlobal = false [true]
Attribute consent configuration
Per attribute behaviour:
• Allow selection of attributes to release (may break applications if required attributes are withheld):
  idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change:
  idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration
Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

• Add text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.
Page 55
References
Shibboleth wiki ConsentConfiguration
Shibboleth wiki RelyingPartyConfiguration
Google Guava Functions class Javadoc
copy 2015 SWITCH
bullbullbull
21
Appendix Disabling attributeconsent prompt for particular SPs
copy 2015 SWITCH 22
Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
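To make the tag matching and the "first match wins" rule concrete, here is an added example (not code from the handouts or from the Shibboleth IdP): it parses the <mdattr:EntityAttributes> extension of the slide's example entity with the standard library and evaluates TagCandidate-style rules against it. The metadata is the slide's, with namespace declarations added so it parses stand-alone; the second override (a CoCo entity-category candidate) and the override list order are constructed for the demonstration.

```python
"""Evaluate RelyingPartyByTag-style overrides against SP metadata entity
attributes, honouring first-match-wins order.

Added example, not code from the handouts or from the Shibboleth IdP. The
metadata is the slide's example; the override list is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Example metadata from the slide, with namespaces declared so it parses stand-alone.
METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""

def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} from the EntityAttributes extension; values are stripped."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def tag_candidate_matches(attrs, name, values):
    """A TagCandidate matches if the entity carries attribute `name` with one of `values`."""
    return any(v in values for v in attrs.get(name, []))

def select_override(attrs, overrides):
    """First match wins: `overrides` is an ordered list of
    (override id, [(attribute name, [accepted values]), ...]); any matching
    candidate selects that override, otherwise the default relying party applies."""
    for override_id, candidates in overrides:
        if any(tag_candidate_matches(attrs, n, vals) for n, vals in candidates):
            return override_id
    return "shibboleth.DefaultRelyingParty"

HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed override order: the slide's example.org candidate first, then a CoCo candidate.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG_OID, ["example.org"])]),
    ("constructed.CoCoRelyingParty", [(ENTITY_CATEGORY, [COCO])]),
]

if __name__ == "__main__":
    attrs = entity_attributes(METADATA)
    print(attrs)
    print(select_override(attrs, OVERRIDES))
```

The example entity carries switch.ch, not example.org, so the slide's override does not apply and evaluation falls through to the next candidate; swapping two overrides that both match changes which one wins, which is the ordering pitfall the slide warns about.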
SWITCHaai Team aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References: Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change is needed in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
(Resource Registry form: sections 1, 2: to review; section 3: to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed. Ideally, also add helpdesk phone numbers.
7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
copy 2015 SWITCH
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
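The grep above only shows raw hits; the following added example (not a SWITCH or Shibboleth tool) reduces idp-process.log lines to the last use of a binding per SP and applies the "not used within the last few months" rule. The log lines and the message wording ("Inbound binding … from …") are constructed for the example, so LINE_RE has to be adapted to what your IdP actually writes.

```python
"""Find the last use of a SAML binding per SP in idp-process.log lines.

Added example for the endpoint check; not a SWITCH or Shibboleth tool.
The sample lines follow the IdP v3 layout 'date,ms - LEVEL [logger:line] - message',
but the logger name and the message text are constructed (assumptions).
"""
import re
from datetime import datetime, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample of idp-process-2015-*.log content (not real IdP output).
SAMPLE_LOG = """\
2015-02-03 09:12:44,101 - INFO [example.Decoder:88] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-02-03 09:13:01,455 - INFO [example.Decoder:88] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-04-21 17:40:09,002 - INFO [example.Decoder:88] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-05-30 08:00:00,000 - INFO [example.Decoder:88] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign from https://legacy.example.org/shibboleth
"""

# Timestamp, binding URN and requesting SP entityID; the "from <sp>" part is
# the constructed message format assumed above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?"
    r"(?P<binding>urn:oasis:names:tc:SAML:\S+) from (?P<sp>\S+)$"
)


def last_use_by_sp(lines, binding):
    """Return {sp_entity_id: datetime of the most recent request using `binding`}."""
    last = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("binding") != binding:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        sp = m.group("sp")
        if sp not in last or ts > last[sp]:
            last[sp] = ts
    return last


def safe_to_remove(lines, binding, now, months=3):
    """True if no SP used `binding` within the last `months` (30-day months).

    `now` is a YYYY-MM-DD string. A binding that never appears in the scanned
    lines is also reported as safe, so make sure the scanned period is long
    enough (e.g. all idp-process-2015-*.log files, not just today's log).
    """
    cutoff = datetime.strptime(now, "%Y-%m-%d") - timedelta(days=30 * months)
    return all(ts < cutoff for ts in last_use_by_sp(lines, binding).values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, urn in (("SAML1 SOAP", SAML1_SOAP), ("SAML2 POST-SimpleSign", SAML2_POST_SIMPLESIGN)):
        users = {sp: ts.isoformat() for sp, ts in last_use_by_sp(lines, urn).items()}
        print(name, "last used:", users, "removable:", safe_to_remove(lines, urn, "2015-06-11"))
```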
Page 68
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of in memory on the server
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (diagram)
Example Environment (diagram, continued)
Page 71
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
Special load balancing hardware or software is highly recommended:
• Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
• Supports sticky sessions (required for short-lived conversation sessions)
DNS round robin doesn't work reliably:
• Behavior of clients is not determinable
• Does not guarantee sticky sessions
Basic setup (active/standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs. server-side
Server-side database: can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References
Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
(map of Production and Pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name               | Defined in | Example
displayName                 | eduPerson  | Peter Sample
common name (cn)            | eduPerson  | Peter Sample
mail                        | eduPerson  | peter.sample@example.org
eduPersonAffiliation        | eduPerson  | staff
eduPersonScopedAffiliation  | eduPerson  | staff@example.org
eduPersonPrincipalName      | eduPerson  | 234cd8z239@example.org
schacHomeOrganization       | SCHAC      | example.org
schacHomeOrganizationType   | SCHAC      | urn:schac:homeOrganizationType:ch:university
                            |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID          |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules (diagram)
Page 88
Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch
Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, i.e.:
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under Metadata URL, click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
References
For comprehensive information, refer to the documentation on the Shibboleth Wiki.
Documentation
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration
Page 14
SWITCHaai Team aai@switch.ch
User Authentication: How to do it the v3 way
From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development
Page 15
Login Flows
(diagram: a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it: RemoteUser, X.509 or Password Authentication Flow; a SAML Response is returned)
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  • But: the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Page 18
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Page 19
Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)
Page 20
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:
  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"  corresponds to  userFilter="(uid={0})"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/credentials.properties:
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
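The migration above done mechanically, as an added example that is neither the handout's nor the Shibboleth project's code; it also serves the property descriptions on the previous slides. It parses the v2 JAAS stanza, emits the v3 idp.authn.LDAP.* properties, keeps the bind password out of ldap.properties, and derives useSSL/useStartTLS from the URL scheme so that a plain ldap:// connection without StartTLS is never written out silently. The userField/userFilter rewrite to the {user} placeholder and the sample stanza are this example's own assumptions.

```python
"""Convert an IdP v2 JAAS LdapLoginModule stanza to IdP v3 ldap.properties.

Added example, not part of the SWITCH handout or of the Shibboleth software.
"""
import re
from urllib.parse import urlsplit

# Constructed sample input mirroring the handout's login.config stanza.
LOGIN_CONFIG = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

# JAAS option name -> IdP v3 property name (taken from the handout's solution)
OPTION_MAP = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}

STANZA = re.compile(r"LdapLoginModule\s+\w+\s+(.*?);", re.S)
OPTION = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')


def parse_jaas_options(text):
    """Return the name/value options of the first LdapLoginModule stanza."""
    m = STANZA.search(text)
    if not m:
        raise ValueError("no LdapLoginModule stanza found")
    return {o.group(1): o.group(2) if o.group(2) is not None else o.group(3)
            for o in OPTION.finditer(m.group(1))}


def convert(options):
    """Map JAAS options to (ldap.properties, credentials.properties, warnings)."""
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds = {}
    warnings = []
    for key, value in options.items():
        if key == "bindCredential":
            # the only secret: it belongs in credentials.properties, never in ldap.properties
            creds["idp.authn.LDAP.bindDNCredential"] = value
        elif key == "userField":
            # v2 shorthand userField=uid means userFilter=(uid={0});
            # v3 names the login-name placeholder {user} (assumed rewrite)
            ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % value
        elif key == "userFilter":
            ldap["idp.authn.LDAP.userFilter"] = value.replace("{0}", "{user}")
        elif key in OPTION_MAP:
            ldap[OPTION_MAP[key]] = value
        else:
            warnings.append("unmapped JAAS option %s=%s, review manually" % (key, value))
    urls = ldap.get("idp.authn.LDAP.ldapURL", "").split()
    schemes = {urlsplit(u).scheme for u in urls}
    if not urls:
        warnings.append("no ldapUrl found")
    if schemes - {"ldap", "ldaps"}:
        warnings.append("unexpected URL scheme(s): %s" % sorted(schemes))
    if {"ldap", "ldaps"} <= schemes:
        warnings.append("mixed ldap:// and ldaps:// URLs, use a single scheme")
    # ldaps:// needs useSSL; plain ldap:// needs StartTLS, otherwise the bind
    # password and every user's password cross the network in clear text
    ldap["idp.authn.LDAP.useSSL"] = "true" if "ldaps" in schemes else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "true" if "ldap" in schemes else "false"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    return ldap, creds, warnings


def render_properties(props):
    """Serialise a dict as Java properties lines."""
    return "".join("%s = %s\n" % item for item in props.items())


if __name__ == "__main__":
    ldap, creds, warnings = convert(parse_jaas_options(LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties")
    print(render_properties(ldap))
    print("# /opt/shibboleth-idp/conf/credentials.properties")
    print(render_properties(creds))
    for w in warnings:
        print("WARNING:", w)
```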
Page 21
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Page 22
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Page 23
Page 24
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat
Page 25
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example-org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
Page 26
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Page 27
Velocity Properties
  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>
Page 28
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end
Page 30
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px
Hands On II
• Return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."
Page 31
Hands On III
• Start to adapt login.vm in such a way that it looks like your production IdP
Example Solution I
• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
Page 33
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  • Move passwords in a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example
  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:
  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
Doable in the Resource Registry too
Page 38
Hands-on 1 solution: services.xml
Loads both new files:
  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • Output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
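The computation and the two renderings described above, as an added example that is neither the handout's code nor the Shibboleth IdP's implementation. The '!' separators placed between the three hashed inputs and the user value and salt are assumptions of this example; it shows the properties the slide names (stable per SP, different across SPs, dependent on the salt) rather than reproducing the handout's sample value.

```python
"""Persistent NameID computation as described in the handout.

Added example; not the handout's code and not the Shibboleth IdP's own
implementation. Entity IDs are the handout's; salt, user value and the '!'
separators between the hashed inputs are this example's assumptions.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over sp!source!salt, Base64 encoded: 20 bytes, 28 characters."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")                       # separator (assumption)
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))       # the salt is what makes the ID
    return base64.b64encode(digest.digest()).decode("ascii")  # unguessable


def name_id_element(sp_entity_id, value, idp_entity_id=IDP_ENTITY_ID):
    """The <NameID> element as it travels in the assertion."""
    return ('<NameID Format="%s" NameQualifier="%s" SPNameQualifier="%s">%s</NameID>'
            % (PERSISTENT_FORMAT, idp_entity_id, sp_entity_id, value))


def sp_rendering(sp_entity_id, value, idp_entity_id=IDP_ENTITY_ID):
    """String form the Shibboleth SP hands to applications: idp!sp!value."""
    return "%s!%s!%s" % (idp_entity_id, sp_entity_id, value)


def parse_sp_rendering(rendered):
    """Split the SP string back into (idp, sp, value).  The Base64 value never
    contains '!', and entity IDs in practice do not either."""
    idp_sp, _, value = rendered.rpartition("!")
    idp, _, sp = idp_sp.partition("!")
    return idp, sp, value


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, "user@example.org", "constructed-salt")
    print(name_id_element(SP_ENTITY_ID, pid))
    print(sp_rendering(SP_ENTITY_ID, pid))
    # same user at another SP: a different value, so SPs cannot correlate users
    print(computed_persistent_id("https://other.example.org/shibboleth",
                                 "user@example.org", "constructed-salt"))
```

Because the salt enters the hash, changing it changes every user's ID at every SP, which is why the slides insist on carrying idp.persistentId.salt over from the v2 configuration.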
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:
  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration
Per attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
Hands-on solution
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:
  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Page 58
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
  • Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes
Page 60
References: Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description
Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change needed in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
1, 2: to review
3: to adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3. Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time
Page 68
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (two diagram slides)
Page 71
Options: Full-featured setup
Load Balancing Hardware vs. DNS Round Robin
Special load balancing hardware or software is highly recommended:
• Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
• Supports sticky sessions (required for short-lived conversation sessions)
DNS Round Robin doesn't work reliably:
• Behavior of clients is not determinable
• Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
Anycast IP address
• Fast switching possible, but more complicated setup
Switching via DNS
• Switching takes some time (TTL), but the setup is easy
Options: Data storage, client-side vs. server-side
Server-side database: can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map of production and pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                  | Defined in | Example
displayName                    | eduPerson  | Peter Sample
common name (cn)               | eduPerson  | Peter Sample
mail                           | eduPerson  | peter.sample@example.org
eduPersonAffiliation,          | eduPerson  | staff, staff@example.org
eduPersonScopedAffiliation     |            |
eduPersonPrincipalName         | eduPerson  | 234cd8z239@example.org
schacHomeOrganization          | SCHAC      | example.org
schacHomeOrganizationType      | SCHAC      | urn:schac:homeOrganizationType:ch:university,
                               |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID             |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram of the eduGAIN policy framework: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (example slide)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
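The following added example, which is not part of the handout or of the Shibboleth distribution, wraps the reload-service call from the previous slide in a pre-flight check: the files a service reloads are parsed as XML before the admin flow is triggered, so a syntax error is reported locally instead of leaving the previously loaded configuration silently active. It assumes the URL form shown above, the default /opt/shibboleth-idp root and the bean-to-file mapping from this slide (metadata reloads use the separate reload-metadata flow and are not covered).

```python
"""Pre-flight check before reloading an IdP v3 service via the admin flow.

Added example for this handout; not SWITCH or Shibboleth code. Assumes the
reload-service admin flow URL <base>/idp/profile/admin/reload-service?id=<bean-id>,
the default IdP root /opt/shibboleth-idp and the bean-ID-to-file mapping from the
"Available bean IDs" slide.
"""
import glob
import os
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IDP_HOME = "/opt/shibboleth-idp"

# Configuration files each reloadable service reads, as glob patterns relative to
# IDP_HOME (SWITCH splits the resolver into several attribute-resolver-*.xml files).
SERVICE_FILES = {
    "shibboleth.LoggingService": ["conf/logback.xml"],
    "shibboleth.AttributeFilterService": ["conf/attribute-filter.xml"],
    "shibboleth.AttributeResolverService": ["conf/attribute-resolver*.xml"],
    "shibboleth.NameIdentifierGenerationService": ["conf/saml-nameid.xml"],
    "shibboleth.RelyingPartyResolverService": ["conf/relying-party.xml",
                                               "conf/credentials.xml"],
    "shibboleth.ReloadableAccessControlService": ["conf/access-control.xml"],
}


def well_formed_xml(text):
    """Return (True, '') if `text` parses as XML, else (False, reason).

    A reload of a service whose file does not even parse fails on the IdP side
    and keeps the old configuration active; checking first gives a clear error."""
    try:
        ET.fromstring(text)
        return True, ""
    except ET.ParseError as e:
        return False, str(e)


def config_files(bean_id, idp_home=IDP_HOME):
    """Existing configuration files the given service would reload."""
    if bean_id not in SERVICE_FILES:
        raise KeyError(f"unknown reloadable service bean id: {bean_id}")
    files = []
    for pattern in SERVICE_FILES[bean_id]:
        files.extend(sorted(glob.glob(os.path.join(idp_home, pattern))))
    return files


def check_service_config(bean_id, idp_home=IDP_HOME):
    """Return 'path: reason' strings for files of the service that are not well-formed."""
    problems = []
    for path in config_files(bean_id, idp_home):
        with open(path, encoding="utf-8") as fh:
            ok, reason = well_formed_xml(fh.read())
        if not ok:
            problems.append(f"{path}: {reason}")
    return problems


def reload_url(base_url, bean_id):
    """Build the admin flow URL, escaping the id parameter."""
    query = urllib.parse.urlencode({"id": bean_id})
    return f"{base_url.rstrip('/')}/idp/profile/admin/reload-service?{query}"


def trigger_reload(base_url, bean_id, timeout=30):
    """Call the admin flow (what curl does on the handout); returns (status, body).

    The flow only answers to the hosts allowed in access-control.xml, so run this
    on the IdP node itself (localhost) or from the Resource Registry network."""
    try:
        with urllib.request.urlopen(reload_url(base_url, bean_id), timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def safe_reload(base_url, bean_id, idp_home=IDP_HOME):
    """Reload `bean_id` only if all of its configuration files parse as XML."""
    problems = check_service_config(bean_id, idp_home)
    if problems:
        return {"bean": bean_id, "reloaded": False, "reason": "; ".join(problems)}
    status, body = trigger_reload(base_url, bean_id)
    return {"bean": bean_id, "reloaded": status == 200, "reason": body.strip()}


if __name__ == "__main__":
    import sys
    for bean in sys.argv[1:] or ["shibboleth.AttributeFilterService"]:
        print(safe_reload("https://aai-login.example.org", bean))
```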
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 (Available bean IDs for service reloads):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
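An added example (not SWITCH's or Shibboleth's code) that reads idp-audit.log to answer two questions from these handouts: whether the SAML1 SOAP binding has been used recently (the check recommended before removing endpoints in the Resource Registry, done there with grep over idp-process.log) and whether the required attributes were released to an SP (the decision tree on this slide). It assumes the IdP v3 default audit record layout %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i| with comma-separated attribute ids, tolerates shorter records like the reload entries quoted on the hands-on slide, and runs on constructed log lines.

```python
"""Audit-log checks for the SWITCHaai IdP v3 handouts (added example, not
SWITCH or Shibboleth code). Assumes the v3 default audit layout
%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i| (fields may be fewer, as in
the reload entries shown on the hands-on slide). Sample lines are constructed."""

FIELDS = ["time", "inbound_binding", "request_id", "sp", "profile", "idp",
          "outbound_binding", "assertion_ids", "user", "authn_context",
          "attributes", "nameid", "response_id"]

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Passw" + "ordProtectedTransport"

# Constructed records: a browser SSO login, a SAML1 attribute query received over
# the SOAP binding, a reload event in the form quoted on the hands-on slide, and a
# later login of another user that received fewer attributes.
SAMPLE_LOG = "\n".join([
    "20150610T091500Z|{r}|_r1|https://sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|"
    "{p}|_a1|student1|{ac}|eduPersonPrincipalName,mail,displayName,eduPersonTargetedID|_n1|_res1|",
    "20150513T101200Z|{s}|_r2|https://sp2.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.org/idp/shibboleth|"
    "{s}|_a2|student7||eduPersonAffiliation|_n2|_res2|",
    "20150611T143000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T150000Z|{r}|_r3|https://sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|"
    "{p}|_a3|student2|{ac}|eduPersonPrincipalName,mail|_n3|_res3|",
]).format(r=SAML2_REDIRECT, p=SAML2_POST, s=SAML1_SOAP, ac=PPT)


def parse_record(line):
    """Split one audit line into a dict keyed by FIELDS; None for junk lines.
    Records shorter than the layout (e.g. reload events) are padded with ''."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 5 or not parts[0]:          # need at least time..profile
        return None
    parts += [""] * (len(FIELDS) - len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def last_use_of_binding(records, binding):
    """(time, sp) of the most recent request that arrived over `binding`, or
    None. %T sorts correctly as text, so the latest record is simply the max."""
    hits = [r for r in records if r["inbound_binding"] == binding]
    if not hits:
        return None
    latest = max(hits, key=lambda r: r["time"])
    return latest["time"], latest["sp"]


def check_attribute_release(records, sp, required, user=None):
    """Decision tree from the Attributes slide for one SP (optionally one user).

    released=False: nothing was released to the SP, so review the IdP's release
    policy. Otherwise `missing` lists required attributes absent from the latest
    release; an empty list means the SP side has to investigate."""
    hits = [r for r in records if r["sp"] == sp and r["attributes"]
            and (user is None or r["user"] == user)]
    if not hits:
        return {"sp": sp, "released": False, "attributes": [], "missing": list(required)}
    latest = max(hits, key=lambda r: r["time"])
    missing = [a for a in required if a not in latest["attributes"]]
    return {"sp": sp, "released": True, "attributes": latest["attributes"],
            "missing": missing, "time": latest["time"], "user": latest["user"]}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_log(text)
    print("last SAML1 SOAP request:", last_use_of_binding(recs, SAML1_SOAP))
    print(check_attribute_release(recs, "https://sp.example.org/shibboleth",
                                  ["eduPersonPrincipalName", "mail", "eduPersonTargetedID"]))
```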
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
SWITCHaai Team, aai@switch.ch
User Authentication: How to do it the v3 way

From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development
Page 15
Login Flows
(Diagram: SAML Request → Shibboleth IdP Authentication Engine, which selects a suitable flow and executes it (RemoteUser Authentication Flow, X.509 Authentication Flow, Password Authentication Flow) → SAML Response)
Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  • But: the client must support ECP appropriately
Page 16
Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Page 17
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
  […]
  idp.authn.LDAP.bindDNCredential = secret
  […]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Page 18
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: Bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details)
Page 19
copy 2015 SWITCH
Hands-on 1: Explore the configuration
Get familiar with the properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password
    idp.authn.flows = Password
• LDAP attribute holding the login name: uid
    idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with:
    cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
    (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
       edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"  is the same as  userFilter="(uid={0})"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password moves out of ldap.properties):

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
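The migration shown above, as an added example that is not part of the original handout or of the Shibboleth software: a small Python script that reads the v2 LdapLoginModule stanza, emits the equivalent v3 properties, routes the bind password to credentials.properties and derives the TLS settings from the URL scheme (ldap:// without StartTLS would send passwords in the clear). The sample login.config is constructed from the Hands-on 2 input; the option-name mapping is the one the slides show, and the assumption that every v2 stanza uses key="value" quoting is the script's own.

```python
"""Convert a Shibboleth IdP v2 JAAS LdapLoginModule stanza (login.config) into
IdP v3 ldap.properties / credentials.properties key-value pairs.

Added example for this handout, not SWITCH or Shibboleth code. Option names
on both sides are the ones shown on the slides. The sample login.config is
constructed for the demo; quoting of every option as key="value" is assumed.
"""
import re

# Constructed sample, equivalent to the Hands-on 2 input.
SAMPLE_LOGIN_CONFIG = """
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
"""

# v2 option -> v3 property (same meaning, different spelling).
V2_TO_V3 = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}

_OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_options(login_config):
    """Return the key="value" options of the LdapLoginModule stanza as a dict."""
    stanza = re.search(r'LdapLoginModule\s+\w+(.*?);', login_config, re.S)
    if not stanza:
        raise ValueError("no LdapLoginModule stanza found")
    return dict(_OPTION_RE.findall(stanza.group(1)))


def to_v3(options):
    """Map v2 options to (ldap.properties, credentials.properties) dicts.

    The bind password is deliberately routed to credentials.properties,
    mirroring the split the IdP v3 distribution makes.
    """
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds = {}
    for key, value in options.items():
        if key in V2_TO_V3:
            ldap[V2_TO_V3[key]] = value
        elif key == "userField":
            # userField=uid is shorthand for the filter (uid={0}) in v2;
            # v3 spells the login-name placeholder {user}.
            ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % value
        elif key == "userFilter":
            filt = value.replace("{0}", "{user}")
            ldap["idp.authn.LDAP.userFilter"] = filt if filt.startswith("(") else "(%s)" % filt
        elif key == "bindCredential":
            creds["idp.authn.LDAP.bindDNCredential"] = value
    # TLS follows from the URL scheme: ldaps:// uses useSSL; plain ldap://
    # needs StartTLS, otherwise bind and user passwords cross the wire in clear.
    urls = ldap.get("idp.authn.LDAP.ldapURL", "").split()
    all_ldaps = bool(urls) and all(u.startswith("ldaps://") for u in urls)
    ldap["idp.authn.LDAP.useSSL"] = "true" if all_ldaps else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if all_ldaps else "true"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    return ldap, creds


def render(props):
    """Render a dict as a properties file body, keys in a stable order."""
    return "\n".join("%s = %s" % (k, props[k]) for k in sorted(props)) + "\n"


if __name__ == "__main__":
    ldap_props, cred_props = to_v3(parse_jaas_options(SAMPLE_LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties")
    print(render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties")
    print(render(cred_props))
```

The output is meant to be compared against the handout's solution, not copied blindly: the script only knows the options the slides show, so any other v2 option (timeouts, pool sizes, TLS settings) must still be carried over by hand.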
Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References / Documentation

• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization
Templates and Customization

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties (continued)
In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

These values come from the SP's metadata, i.e. from outside your IdP; always pass them through $encoder.encodeForHTML() as above rather than writing $name into the page directly.
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" …

• Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Mapping both error classes to one message also stops the login form from telling an attacker whether a username exists.
Attribute Resolution
Migrating configuration to version 3

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
• Property replacement: %{myproperty}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration

Persistent IDs in SAML – short recap
• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation, always qualified by the IdP and SP entity IDs
Persistent ID changes with the IdP v3
• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump
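As an added example (not part of the handout or of Shibboleth), the following Python recomputes persistent IDs offline with the algorithm the "Persistent IDs in practice" slide describes: SHA-1 over the SP entity ID, the source attribute value and the salt, Base64 encoded. It also checks imported shibpid rows against a salt, which is a quick way to confirm after the MySQL to PostgreSQL transfer above that the carried-over idp.persistentId.salt and the rows agree. The "!" separators between the three hash inputs are taken from the Shibboleth wiki's description of the computed ID and are an assumption of this script, as are all entity IDs, attribute values and the salt.

```python
"""Recompute Shibboleth computed/stored persistent IDs offline and check
shibpid rows against a salt.

Added example for this handout, not Shibboleth code. Algorithm as described
on the slide: Base64(SHA-1(spEntityID, sourceAttributeValue, salt)). The '!'
separators between the three inputs follow the Shibboleth wiki's description
of the computed ID and are an assumption of this script. All entity IDs,
attribute values and the salt below are constructed.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SALT = "constructed-demo-salt"  # production: idp.persistentId.salt in credentials.properties


def persistent_id(sp_entity_id, source_value, salt):
    """Return the 28-character Base64 of SHA-1(sp + '!' + value + '!' + salt)."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_string_form(idp_entity_id, sp_entity_id, pid):
    """Attribute string as the Shibboleth SP renders a persistent NameID."""
    return "!".join((idp_entity_id, sp_entity_id, pid))


def verify_rows(rows, salt):
    """Return rows (peerEntity, localId, persistentId) whose stored ID is not
    the recomputation. Empty means salt and imported records agree. IDs that
    Shibboleth re-issued after a revocation are random and will show up here.
    """
    return [row for row in rows if persistent_id(row[0], row[1], salt) != row[2]]


# Constructed shibpid-like rows, all generated with SALT above.
ROWS = [
    (SP_ENTITY_ID, "123456@example.org",
     persistent_id(SP_ENTITY_ID, "123456@example.org", SALT)),
    ("https://other.example.net/shibboleth", "123456@example.org",
     persistent_id("https://other.example.net/shibboleth", "123456@example.org", SALT)),
]

if __name__ == "__main__":
    pid = persistent_id(SP_ENTITY_ID, "123456@example.org", SALT)
    print(sp_string_form(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("mismatches with the right salt:", len(verify_rows(ROWS, SALT)))
    print("mismatches with a wrong salt:  ", len(verify_rows(ROWS, "wrong-salt")))
```

The two constructed rows share the same user but differ in SP, so the output shows the pair-wise property the SAML quote above asks for: the same person gets unrelated identifiers at different SPs, and only someone holding the salt can link them back.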
(Some ideas for) hands-on exercises
• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (only attribute-release for Shibboleth SSO):

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties. Consent duration options (default value in brackets):
• Ask me again if information changes: always available to users
• Ask me again at next login:
    idp.consent.allowDoNotRemember = true   [true]
• Do not ask me again:
    idp.consent.allowGlobal = false   [true]
Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld):
    idp.consent.allowPerAttribute = false   [false]
• Ask again if attribute values change:
    idp.consent.compareValues = true   [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP: default mapping using the entityID

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

The override works because the referenced profile beans carry no postAuthenticationFlows property, so neither consent flow runs for a matching SP. Entity attributes are asserted by whoever publishes the metadata, so this override trusts the federation registrar's tagging.
Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux). Verify the package's signature or checksum, published alongside the download, before unpacking.
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
[Screenshot of the Home Organisation Description in the Resource Registry, annotated: 1, 2 to review; 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata. The signature authenticates the requester; the confidentiality of the response still comes from the TLS channel, whose server certificate the SP verifies against the IdP's metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.

    https://aai-login.example.org:8443/idp  or  https://aai-aa.example.org/idp

to

    https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
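The grep above answers "was it used at all"; the added Python below (not part of the handout or of Shibboleth) goes one step further and reports, per SP, the last time a binding appeared in the process log, so an endpoint can be removed with a record of who used it last. The log lines are constructed in the general shape of idp-process.log entries; real line formats depend on the logback pattern, which is why the code relies only on the leading timestamp, the binding URN and an https URL on the same line.

```python
"""Report, per SP, the last time a SAML binding appeared in idp-process logs.

Added example for this handout, not Shibboleth code. The log lines are
constructed in the general shape of IdP v3 idp-process.log entries; the
parser relies only on the leading timestamp, the binding URN and an https
URL (the SP entityID) appearing on the same line.
"""
import re

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample (not from a real IdP); note the out-of-order January line.
SAMPLE_LOG = """\
2015-03-02 09:14:03,512 - INFO [...] - Incoming binding: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
2015-05-21 17:40:11,004 - INFO [...] - Incoming binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-06-01 08:02:57,880 - INFO [...] - Incoming binding: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
2015-01-15 12:00:00,000 - INFO [...] - Incoming binding: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
"""

_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
_ENTITY_RE = re.compile(r"(https://\S+)")


def binding_usage(log_text, binding_urn):
    """Map SP entityID -> ISO timestamp of its latest use of binding_urn."""
    last_seen = {}
    for line in log_text.splitlines():
        if binding_urn not in line:
            continue
        ts = _TS_RE.match(line)
        # Blank out the URN so it cannot be picked up as the entityID.
        entity = _ENTITY_RE.search(line.replace(binding_urn, " "))
        if ts and entity:
            eid = entity.group(1)
            # ISO timestamps compare correctly as strings.
            if ts.group(1) > last_seen.get(eid, ""):
                last_seen[eid] = ts.group(1)
    return last_seen


def removable(log_text, binding_urn):
    """True when the binding never occurs, i.e. its endpoint can be dropped."""
    return not binding_usage(log_text, binding_urn)


if __name__ == "__main__":
    for eid, when in sorted(binding_usage(SAMPLE_LOG, SAML1_SOAP).items()):
        print(when, eid)
    print("SimpleSign removable:", removable(SAMPLE_LOG, SAML2_POST_SIMPLESIGN))
```

Feed it the concatenation of all rotated idp-process files for the period you care about; a binding that is "removable" over a too-short window may simply not have been exercised yet, which is why the slide says a few months.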
Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of in server memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (diagrams, not reproduced in this text extraction)
Options: Full-featured setup
• Load balancing hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs. server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node, i.e. a message replayed against a different node than the one that first saw it is not detected (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

  Storage Entity         Recommended Storage   Scope
  Conversation Session   Memory                Per Node
  IdP User Session       Client                Per Client
  Persistent ID          Common Database       Cluster
  User consents          Common Database       Cluster
  SAML artifacts         Common Database       Cluster
  Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Keep the previous keys in the keystore until all cookies sealed with them have expired (the configured session lifetime); a key that is removed too early logs out every user whose session cookie was sealed with it
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
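The following Python script is an added example of the key-generating step of such a cronjob; it is neither the handouts' nor the Shibboleth wiki's script. It assumes the IdP defaults: the sealer keystore is the JCEKS file /opt/shibboleth-idp/credentials/sealer.jks, the version file sealer.kver contains a line CurrentVersion=N, key aliases are "secret" followed by the version number, and the JDK's keytool is on PATH. The store password is taken from an environment variable named SEALER_STOREPASS, which is an assumption of this example (the IdP itself reads it from idp.sealer.storePassword in idp.properties). Copying the two files to the other nodes is left to the caller.

```python
"""Rotate the IdP's cookie-sealing key: add a new AES key to the sealer
keystore and bump the version file, in that order.

Added example, not the handouts' or the Shibboleth wiki's cron script.
Assumptions: JCEKS keystore credentials/sealer.jks, version file
credentials/sealer.kver with a "CurrentVersion=N" line, aliases "secret" + N
(the IdP v3 defaults), and keytool on PATH. Old key versions must stay in
the keystore until cookies sealed with them have expired; this script never
deletes keys.
"""
import re
import subprocess
from pathlib import Path

VERSION_RE = re.compile(r"^(CurrentVersion[ \t]*=[ \t]*)(\d+)[ \t]*$", re.M)


def read_version(kver_text):
    """Current key version number from the sealer.kver contents."""
    m = VERSION_RE.search(kver_text)
    if not m:
        raise ValueError("no CurrentVersion line in version file")
    return int(m.group(2))


def bump_version(kver_text):
    """Return (new_version, new_text) with CurrentVersion incremented by one."""
    new = read_version(kver_text) + 1
    return new, VERSION_RE.sub(lambda m: f"{m.group(1)}{new}", kver_text, count=1)


def keytool_args(keystore, storepass, alias):
    """keytool command line that adds one 128-bit AES secret key under `alias`."""
    return [
        "keytool", "-genseckey", "-storetype", "JCEKS", "-keyalg", "AES", "-keysize", "128",
        "-keystore", str(keystore), "-alias", alias,
        # The IdP reads idp.sealer.storePassword and idp.sealer.keyPassword; the
        # installer sets both to the same value, so the same value is used here.
        # Both are visible in the process list while keytool runs, so run this
        # only on a node where ordinary users cannot log in.
        "-storepass", storepass, "-keypass", storepass,
    ]


def rotate(idp_home, storepass, alias_base="secret", run=subprocess.run):
    """Generate the next key version and publish it in sealer.kver. Returns the new version."""
    cred = Path(idp_home) / "credentials"
    kver = cred / "sealer.kver"
    new, text = bump_version(kver.read_text())
    # Create the key first and only then point the version file at it, so a node
    # that syncs the files mid-rotation never seals cookies with a missing alias.
    run(keytool_args(cred / "sealer.jks", storepass, f"{alias_base}{new}"), check=True)
    kver.write_text(text)
    return new


if __name__ == "__main__":
    import os
    # Assumed for this example: the store password is passed in the environment.
    print("new key version:", rotate("/opt/shibboleth-idp", os.environ["SEALER_STOREPASS"]))
```

When distributing the result, copy sealer.jks before sealer.kver for the same reason the script writes them in that order, and let the cronjob run on exactly one node so that two nodes never generate different keys under the same alias.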
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

  Friendly name               Defined in   Example
  displayName                 eduPerson    Peter Sample
  common name (cn)            eduPerson    Peter Sample
  mail                        eduPerson    peter.sample@example.org
  eduPersonAffiliation        eduPerson    staff
  eduPersonScopedAffiliation  eduPerson    staff@example.org
  eduPersonPrincipalName      eduPerson    234cd8z239@example.org
  schacHomeOrganization       SCHAC        example.org
  schacHomeOrganizationType   SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /       eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS (Metadata Distribution Service) fetches, aggregates and republishes metadata

eduGAIN policy documents (figure): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (figure, not reproduced in this text extraction)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs) (figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Compar�ison

  REFEDS R&S                    GÉANT DP CoCo
  Global                        Mainly Europe
  Common purpose of the SPs     Common data protection standards
  Fixed set of attributes       SP can require any attributes
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot, not reproduced in this text extraction)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot, not reproduced in this text extraction)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Location: /var/log/apache2
• error.log: aai-login.example.org.error.log; LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Configuration defined in the virtual host definition: directory /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  • Default logging location: /var/log/tomcat7
  • Config in /etc/tomcat7/logging.properties, e.g. ...FileHandler.level = INFO (possible levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST)), written by the AccessLogValve
  • Default logging location: /var/log/tomcat7
  • Config: /etc/tomcat7/server.xml (output directory and file name)
Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP. Entry in services.properties: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error (see the SMTPAppender below)
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note: the SMTPAppender does not mail every event it receives; by default it sends one mail per ERROR-level event, with the preceding events from its cyclic buffer as context. The root level only controls what reaches the appenders at all.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
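As an added example (not the handouts' own text and not the reload scripts shipped under /opt/shibboleth-idp/bin), the following Python script wraps the two admin flows so that a reload can be scripted with the same result as the curl call, but with the bean ID checked against the list above before anything is sent, and with the first failing reload stopping the run. It assumes that the admin flows are reachable from the host it runs on (by default only localhost may call them); the service bean IDs are the ones listed above, while metadata provider IDs are deployment-specific and are passed in by the caller.

```python
"""Trigger IdP v3 admin reload flows from a script and collect the results.

Added example, not the handouts' or the IdP's own bin/reload-*.sh scripts.
It assumes the admin flows are reachable from the host it runs on (by default
only localhost may call them) and that the service bean IDs are the ones in
the handout; metadata provider IDs are deployment-specific.
"""
import urllib.error
import urllib.parse
import urllib.request

SERVICE_IDS = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})


def reload_url(base, bean_id, kind="service"):
    """URL of the reload-service / reload-metadata admin flow for `bean_id`.

    Service IDs are checked against the known list so that a typo fails here
    with a clear message instead of as an error response from the IdP."""
    if kind not in ("service", "metadata"):
        raise ValueError(f"kind must be 'service' or 'metadata', not {kind!r}")
    if kind == "service" and bean_id not in SERVICE_IDS:
        raise ValueError(f"unknown service bean ID {bean_id!r}; known: {sorted(SERVICE_IDS)}")
    query = urllib.parse.urlencode({"id": bean_id})
    return f"{base.rstrip('/')}/idp/profile/admin/reload-{kind}?{query}"


def http_get(url, timeout=30):
    """(status, body) for a GET; HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace").strip()


def reload_many(base, ids, kind="service", fetch=http_get):
    """Reload each ID in turn; returns {id: (status, body)}.

    Stops at the first non-200 answer so that a broken configuration file is
    noticed before the remaining services are touched."""
    results = {}
    for bean_id in ids:
        status, body = fetch(reload_url(base, bean_id, kind))
        results[bean_id] = (status, body)
        if status != 200:
            break
    return results


if __name__ == "__main__":
    import sys
    # Usage: python3 idp_reload.py https://aai-login.example.org [service-bean-id ...]
    base = sys.argv[1] if len(sys.argv) > 1 else "https://aai-login.example.org"
    ids = sys.argv[2:] or sorted(SERVICE_IDS)
    for bean_id, (status, body) in reload_many(base, ids).items():
        print(f"{status} {bean_id}: {body[:80]}")
```

The `fetch` parameter exists so the sequencing can be exercised without an IdP; in production the default `http_get` is used and the response body from the IdP is printed, which is where an invalid bean ID or a syntax error in the reloaded file shows up.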
And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed above:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
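The decision tree above can be run over idp-audit.log mechanically. The Python script below is an added example (not from the handouts or the Shibboleth IdP): it parses pipe-separated audit records, compares the released attributes per login against the SP's requirements from the Resource Registry, and returns which branch of the tree applies. The audit lines and the required-attribute list are constructed for this example; the field order is an assumption of the example, the order actually written by a deployment is whatever /opt/shibboleth-idp/conf/audit.xml defines, so adjust FIELDS to match before using it on real logs.

```python
"""Decide, from idp-audit.log lines, whether an interfederation login failure
lies on the IdP side (attributes not released) or on the SP side.

Added example, not from the handouts or the Shibboleth IdP. The sample
records are constructed; the field order in FIELDS is an assumption of this
example, the real order is defined in /opt/shibboleth-idp/conf/audit.xml.
"""

FIELDS = ("time", "profile", "requestId", "sp", "bindingIn", "bindingOut",
          "user", "attributes", "nameId")

# Required attributes per SP, as listed in the Resource Registry (constructed).
REQUIRED = {
    "https://research.example.net/shibboleth": {"eduPersonPrincipalName", "mail", "displayName"},
}

# Constructed audit records: one login to a SWITCHaai SP, three to an interfederated SP.
SAMPLE_AUDIT = """\
20150611T091402Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a1|https://sp.example.org/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|jdoe|eduPersonPrincipalName,mail,displayName|_n1
20150611T091510Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a2|https://research.example.net/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|jdoe|eduPersonPrincipalName,mail|_n2
20150611T092000Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a3|https://research.example.net/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|asmith|eduPersonPrincipalName,mail,displayName|_n3
20150611T093000Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a4|https://research.example.net/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|bwong||_n4
""".splitlines()


def parse_audit(lines, fields=FIELDS):
    """Yield one dict per audit record; the attribute field becomes a set."""
    for line in lines:
        parts = line.rstrip("\n").split("|")
        if len(parts) < len(fields):
            continue                      # malformed or truncated line
        rec = dict(zip(fields, parts))
        rec["attributes"] = set(filter(None, rec["attributes"].split(",")))
        yield rec


def logins_to(lines, sp, required, user=None):
    """[(time, user, sorted missing attributes)] for each login to `sp`."""
    out = []
    for rec in parse_audit(lines):
        if rec["sp"] != sp or (user is not None and rec["user"] != user):
            continue
        out.append((rec["time"], rec["user"], sorted(set(required) - rec["attributes"])))
    return out


def diagnose(lines, sp, required, user=None):
    """Map the audit evidence onto the handout's decision tree.

    no-login        no assertion was ever issued to this SP: the failure is before
                    attribute release (metadata, discovery), not in the policy
    not-released    logins exist but none of the required attributes were released:
                    check the IdP's attribute release policy
    release-policy  some required attributes are missing: review the policy for them
    sp-side         every required attribute was released: the SP has to check why it fails
    """
    logins = logins_to(lines, sp, required, user)
    if not logins:
        return "no-login", []
    missing = sorted({a for _, _, m in logins for a in m})
    if required and all(len(m) == len(set(required)) for _, _, m in logins):
        return "not-released", missing
    return ("release-policy", missing) if missing else ("sp-side", [])


if __name__ == "__main__":
    sp = "https://research.example.net/shibboleth"
    for t, u, missing in logins_to(SAMPLE_AUDIT, sp, REQUIRED[sp]):
        print(t, u, "missing:", ", ".join(missing) or "none")
    for u in ("jdoe", "asmith", "bwong"):
        print(u, diagnose(SAMPLE_AUDIT, sp, REQUIRED[sp], user=u))
```

The `user` filter matters in practice: attribute release can differ per user (e.g. an affiliation-dependent rule), so the audit record to look at is the one for the person who reported the failure, not any login to that SP.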
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Login Flows (figure: a SAML request arrives at the Shibboleth IdP; the Authentication Engine selects a suitable flow, RemoteUser, X509 or Password Authentication Flow, executes it and the IdP returns the SAML response)
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out of the box by the Password login flow; no special configuration is required
  • But: the client must support ECP appropriately
Authentication Configuration
• Login flow activation: /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process
Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted, i.e. the bind credentials and the users' passwords cross the network in the clear
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Properties for LDAP authentication (continued)
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust (the LDAP server's certificate is verified against the JVM's trust store)
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input via the {user} placeholder
Properties for LDAP authentication (continued)
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration. Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2: file /opt/shibboleth-idp/conf/login.config

  ShibUserPassAuth {
     edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
  };

PS: A common and equivalent alternative to userField is userFilter:
  userField="uid"   corresponds to   userFilter="(uid={0})"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
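As an added example (not part of the handouts or of the IdP distribution), the following Python script applies the mapping of this hands-on to a v2 LdapLoginModule stanza and writes the password into credentials.properties rather than ldap.properties; the stanza is constructed from the values above, and the choice to enable StartTLS for plain ldap:// URLs is an assumption of the script.

```python
# Added example: derive IdPv3 ldap.properties / credentials.properties settings
# from an IdPv2 JAAS LdapLoginModule stanza (not SWITCH or Shibboleth code).
import re
from urllib.parse import urlsplit

# Constructed IdPv2 login config entry using the values of the hands-on.
LOGIN_CONFIG_V2 = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

# key="value" pairs inside the module stanza
_OPTION = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text):
    """Return the option name/value pairs of the (single) LdapLoginModule stanza."""
    m = re.search(r'LdapLoginModule\s+\w+\s+(.*?);', text, re.S)
    if not m:
        raise ValueError("no LdapLoginModule stanza found")
    return dict(_OPTION.findall(m.group(1)))


def migrate_ldap_options(opts):
    """Map v2 JAAS options to v3 idp.authn.LDAP.* properties.

    Returns (ldap_properties, credentials_properties): the bind password only
    ever lands in the credentials file, as in the hands-on 1 solution.
    """
    urls = opts["ldapUrl"].split()
    schemes = {urlsplit(u).scheme for u in urls}
    if len(schemes) != 1:
        raise ValueError("all LDAP URLs must use the same scheme: %r" % sorted(schemes))
    use_ssl = schemes.pop() == "ldaps"

    # userField="uid" and userFilter="uid={0}" are equivalent in v2; v3 has only
    # a filter, with {user} as the placeholder for the entered login name.
    if "userFilter" in opts:
        user_filter = opts["userFilter"].replace("{0}", "{user}")
        if not user_filter.startswith("("):
            user_filter = "(%s)" % user_filter
    else:
        user_filter = "(%s={user})" % opts["userField"]

    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # Assumption: a plain ldap:// URL should at least use StartTLS.
        "idp.authn.LDAP.useStartTLS": "false" if use_ssl else "true",
        "idp.authn.LDAP.useSSL": "true" if use_ssl else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false").lower(),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    cred_props = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap_props, cred_props


def render_properties(props):
    """Serialise a dict as 'key = value' lines, in the order given."""
    return "".join("%s = %s\n" % kv for kv in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = migrate_ldap_options(parse_jaas_options(LOGIN_CONFIG_V2))
    print("# ldap.properties\n" + render_properties(ldap_props))
    print("# credentials.properties\n" + render_properties(cred_props))
```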
Advanced Topics
- JAAS authentication as used in v2 is still supported in v3
  - Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  - JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
- JAAS authentication is recommended for:
  - Connecting to multiple LDAP trees with different user bases
    - Might be done with native LDAP authentication, but requires complex configuration
  - Connecting to other user directories like RDBMSs (using a specific JAAS module)
- See the documentation on the Shibboleth wiki for details
References: Documentation
- Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
- Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
- Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
- Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
- Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
- How to
  - Customize look and feel
  - Customize messages/languages
  - Add text to your login site
Layout
- Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
- Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
- Rebuild the idp.war file and restart Tomcat
Spring message properties
- In /opt/shibboleth-idp/messages you find
  - authn-messages.properties
  - error-messages.properties
  - consent-messages.properties
  These messages are used in the Velocity templates.
- Internationalization
  - consent-messages_de.properties
  - consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

  ## General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  ## Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = http://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  ## Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity Properties
Using the message properties from a template:

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
- The Apache Velocity Engine is a free, open-source templating engine
- Clean separation between the presentation tier and business tiers
- VTL (Velocity Template Language)
  - References begin with $
  - Directives begin with #
  - A single-line comment begins with ## and finishes at the end of the line
  - Multi-line comments begin with #* and end with *#
Login and intercept
- The Velocity templates are under /opt/shibboleth-idp/views:
  - login.vm
  - login-error.vm
  - intercept/attribute-release.vm
  - intercept/terms-of-use.vm
  - error.vm
  are the most used ones (no restart required)
- Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
- $rpUIContext.informationURL
- $rpUIContext.logo
- $rpUIContext.organizationDisplayName
- $rpUIContext.organizationName
- $rpUIContext.organizationURL
- $rpUIContext.privacyStatementURL
- $rpUIContext.serviceDescription
- $rpUIContext.serviceName
Velocity Properties
Rendering the SP's service name, HTML-encoded, only when the metadata provides one:

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end
Hands On I
- Make the IdP logo disappear for screens smaller than 799 px
Hands On II
- Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect"
Hands On III
- Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
- Define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

- Use the class in login.vm:

    <img class="idp_logo" align="right" ...

- Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II
- Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
- Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
- Some deprecated elements are ignored.
- Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
- No warning for using legacy configuration mode
- Delete ignored elements
- Grouping attribute definitions in separate files
  - Less misleading, smaller files, clearer
Deprecated items
- Principal connectors
- NameID encoders
- Transient identifier attribute definitions
- Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
- Property replacement: %{my.property}
  - Move passwords to a dedicated file
  - Extract duplicated data like URLs
- Can split configuration into several files
- External Spring configuration for data connectors
- Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
      shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
  (source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
- IdP API for scripts has changed
  - Output attribute variable already created
  - setValues() removed
  - And more, see ScriptedAttributeDefinition for details
- Alternatives: mapped or template attribute definitions
- JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
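As an added example (not the IdP's resolver code, nor part of the handouts), a minimal Python model of the ad:Template and ad:Simple definitions from hands-on 1 and 2, showing the multi-valued case that makes hands-on 2 work without a script: one template instantiation per objectClass value, then aggregation into eduPersonEntitlement, with the dependencyOnly attribute withheld. The LDAP entry is constructed.

```python
# Added example: a toy model of the ad:Template and ad:Simple attribute
# definitions used in the two hands-ons (not the Shibboleth resolver itself).
from string import Template

# Constructed LDAP entry, i.e. what the myLDAP data connector would return.
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson", "uzhEmployee"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def template_definition(entry, template, source_attribute):
    """ad:Template: expand the template once for every value of the source attribute.

    A single-valued source (uid) yields one value; a multi-valued source
    (objectClass) yields one value per objectClass, which is the whole trick
    of hands-on 2.
    """
    values = entry.get(source_attribute, [])
    return [Template(template).substitute({source_attribute: v}) for v in values]


def simple_definition(entry, dependencies):
    """ad:Simple: the union of the values of all dependencies, duplicates dropped."""
    out = []
    for dep in dependencies:
        for v in entry.get(dep, []):
            if v not in out:
                out.append(v)
    return out


def resolve(entry):
    """Run the hands-on definitions; dependencyOnly attributes never leave the resolver."""
    resolved = dict(entry)
    # hands-on 1: uzhSAPUserId = SAP-${uid}
    resolved["uzhSAPUserId"] = template_definition(resolved, "SAP-${uid}", "uid")
    # hands-on 2: one entitlement per objectClass value (dependencyOnly="true")
    resolved["eduPersonEntitlement.groups"] = template_definition(
        resolved, "https://example.org/groups/${objectClass}", "objectClass")
    resolved["eduPersonEntitlement"] = simple_definition(
        resolved, ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"])
    dependency_only = {"eduPersonEntitlement.groups"}
    return {k: v for k, v in resolved.items() if k not in dependency_only}


if __name__ == "__main__":
    # Note that structural object classes such as "top" and "person" become
    # entitlements too; the attribute filter policy decides what is released.
    for name, values in resolve(LDAP_ENTRY).items():
        print(name, values)
```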
References
- Shibboleth wiki: AttributeResolverConfiguration and its child pages
- Shibboleth wiki: AttributeFilterConfiguration
- Shibboleth wiki: ScriptedAttributeDefinition
- Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
- A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
- Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
- First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
- Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
- On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

- Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

- By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
- When used in a federation, always qualified by the IdP and SP entity IDs
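As an added example (not from the handouts or the Shibboleth code base), the following Python code computes a persistent ID from the three inputs the slide names and then qualifies it the way the assertion and the Shibboleth SP render it. The "!" separator between the hash inputs mirrors the IdP's ComputedId data connector and is not stated on the slide; entity IDs, the source attribute value and the salt are constructed placeholders.

```python
# Added example: the default persistent ID derivation described above,
# SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded
# (not SWITCH or Shibboleth code).
import base64
import hashlib

# Separator between the hash inputs, as in the IdP's ComputedId connector
# (assumption: the slide only names the three inputs).
SEP = b"!"


def compute_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1(spEntityID ! sourceValue ! salt) as a 28-character Base64 string (20 bytes)."""
    if not salt:
        raise ValueError("salt must not be empty")
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(SEP)
    h.update(source_value.encode("utf-8"))
    h.update(SEP)
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def digest_length(persistent_id):
    """Number of raw bytes behind the Base64 value (20 for SHA-1)."""
    return len(base64.b64decode(persistent_id))


def name_id_element(idp_entity_id, sp_entity_id, value):
    """The <NameID> as it appears in the assertion (see 'on the wire' above)."""
    return ('<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
            'NameQualifier="%s" SPNameQualifier="%s">%s</NameID>'
            % (idp_entity_id, sp_entity_id, value))


def sp_rendering(idp_entity_id, sp_entity_id, value):
    """String form the Shibboleth SP hands to applications: IdP!SP!value."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def parse_sp_rendering(rendered):
    """Split the SP string back into (IdP, SP, value); Base64 never contains '!'."""
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


# Constructed values; the salt is a placeholder and must be replaced in practice.
IDP = "https://aai-login.example.org/idp/shibboleth"
SP = "https://sp.example.org/shibboleth"
SALT = "EXAMPLE-SALT-CHANGE-ME"

if __name__ == "__main__":
    pid = compute_persistent_id(SP, "123456@example.org", SALT)
    print(name_id_element(IDP, SP, pid))
    print(sp_rendering(IDP, SP, pid))
    # A different SP gets an unrelated value for the same user: the ID is pair-wise.
    print(compute_persistent_id("https://other.example.org/shibboleth", "123456@example.org", SALT))
```

Losing the salt makes every stored value unreproducible, which is why the slide on configuring the service tells you to carry idp.persistentId.salt over from the v2 configuration.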
Persistent ID changes with the IdP v3
- No disruptive ones, but a couple of things have happened behind the scenes
- Most importantly, the IdP v3 brings a new dedicated NameID generation service
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
- Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

- To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
- The database schema for the shibpid table remains unchanged
- When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
- "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

- Make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
(Some ideas for) hands-on exercises
- Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

- Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
- Dump the shibpid table to a file, purge the table with truncate and reimport the records
- Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.
What's in version 3
- Attribute release and terms of use consent now built in
- Inspired by the uApprove and uApproveJP plugins for v2
- No consent data migration: storage implementations are not compatible
- May be enabled or disabled per relying party and per profile
- Decisions logged
Differences with uApprove
- User can select attributes to release [disabled]
- Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
- No regular expressions for SP white/black lists
- No translations provided
Why enable user consent?
- Easier to have now with v3 than with v2
- Required by the SWITCHaai Interfederation Access Declaration
- Inform users about what personal data is transmitted, in a more real-time fashion
- Recommended to comply with data protection laws
Why (not) enable user consent?
- One more page to read and click through upon login, but only the first time for each SP
- Global consent disabled: users cannot choose "I don't care about my privacy"
- Decide for all your users or let them decide
When should consent be sought?
- All SPs: the best option <- recommended
- Outside your organisation: good, fewer clicks
- Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.
Post-authentication flows:
- Attribute consent [enabled]
- Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]:

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
- Ask me again if information changes: always available to users
- Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
- Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per attribute behaviour
- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
- Which attributes to prompt for [all except black list]
- White list [empty]: when filled, any attribute not mentioned in a list is released without asking
- Black list [transientId, persistentId, eduPersonTargetedID]
- Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
- Alphabetical order by default
- Except attributes in the white list, which show up first
- Set the pattern to ^$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
- Terms for each SP
- Default mapping using the entityID (the colon is escaped, as required in a properties file):

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

- Other mappings configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
- Enable the terms-of-use flow in conf/relying-party.xml
- Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
Hands-on solution
- Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: Relying party overrides
- Template beans in conf/relying-party.xml to match SPs by
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
- First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
- Entity categories
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
- New attributes available
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="ShibbolethSSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp
- Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References: Documentation
- Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
(Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
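As an added example (not from the handouts), a Python script that turns the grep above into a check over a whole year of process log lines: it records the last use and the SPs per binding URN and lists which of the candidate endpoints have not been used since a cut-off date. The log lines are constructed; the real idp-process.log layout may differ, so the code relies only on a leading ISO date, the binding URN and an SP entity ID somewhere on the line.

```python
# Added example: find the last use of SAML bindings in IdP process log lines
# to decide which endpoints can be removed from metadata (not SWITCH code).
import re
from datetime import date

# The bindings named as candidates for removal on the previous slide.
CANDIDATE_BINDINGS = {
    "SAML2 HTTP-POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML1 SOAP": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}

_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})")
_BINDING = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[\w-]+")
_ENTITY_ID = re.compile(r"https?://[^\s'\"]+")

# Constructed log lines (an audit-style layout; not real IdP output).
SAMPLE_LOG = [
    "2015-02-03 10:02:11,402 - INFO [audit] - https://legacy-sp.example.org/shibboleth"
    " urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-01-15 08:45:09,117 - INFO [audit] - https://legacy-sp.example.org/shibboleth"
    " urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-06-10 14:20:57,009 - INFO [audit] - https://sp.example.org/shibboleth"
    " urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "2015-06-11 09:01:30,550 - INFO [audit] - https://sp.example.org/shibboleth"
    " urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "2015-06-11 09:01:31,000 - DEBUG [other] - no binding on this line",
]


def last_use_by_binding(lines):
    """Map binding URN -> (last date seen, set of SP entity IDs seen with it)."""
    seen = {}
    for line in lines:
        m = _DATE.match(line)
        b = _BINDING.search(line)
        if not (m and b):
            continue
        when = date(*map(int, m.groups()))
        binding = b.group(0)
        # A binding URN contains no "://", so every URL on the line is an entity ID.
        sps = set(_ENTITY_ID.findall(line))
        last, known = seen.get(binding, (None, set()))
        seen[binding] = (max(filter(None, (last, when))), known | sps)
    return seen


def removable_endpoints(lines, candidates, cutoff_iso):
    """Names of candidate endpoints whose binding was not used since cutoff (YYYY-MM-DD)."""
    cutoff = date.fromisoformat(cutoff_iso)
    seen = last_use_by_binding(lines)
    out = []
    for name, urn in candidates.items():
        last, _ = seen.get(urn, (None, set()))
        if last is None or last < cutoff:
            out.append(name)
    return out


if __name__ == "__main__":
    for urn, (last, sps) in sorted(last_use_by_binding(SAMPLE_LOG).items()):
        print(urn, "last used", last, "by", ", ".join(sorted(sps)))
    print("removable since 2015-03-01:", removable_endpoints(SAMPLE_LOG, CANDIDATE_BINDINGS, "2015-03-01"))
```

To run it over real logs, replace SAMPLE_LOG with the lines of /opt/shibboleth-idp/logs/idp-process-2015-*.log and keep the SPs reported for a binding, since those are the operators to contact before removing an endpoint.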
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2
  - Especially, user login sessions are stored on the client instead of on the server in memory
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment
(Diagram of the example clustered environment)
Options: Full-featured setup
Load Balancing Hardware vs. DNS Round Robin
- Special load balancing hardware or software is highly recommended
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored.
  - Supports sticky sessions (required for short-lived conversation sessions)
- DNS Round Robin doesn't work reliably
  - Behavior of clients is not determinable
  - Does not guarantee sticky sessions
Basic setup (Active/Standby system)
- Anycast IP address
  - Fast switching possible, but more complicated setup
- Switching via DNS
  - Switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs. server-side
- Server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client. Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
copy 2015 SWITCH
Storage Entities

- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence.
  - Bound to a single node (session state stored in memory).
  - Requires session stickiness on the load balancer (short-time only).
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  - Floatable between nodes (stored on the client).
- Persistent ID
  - Unique, opaque identifier for a user per service provider.
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database.
  - Requires that all IdPs access a common storage to fully support Attribute Queries.
Storage Entities (continued)

- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side).
  - Requires server-side storage to allow users to use multiple browsers/clients.
- SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  - Seldom used in SWITCHaai.
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration).
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used.
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
- "Common Database" means some central/clustered database or a database replicated between nodes.
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
- Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements).
IdP Configuration: Storage

- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
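A pre-deployment check for a clustered IdP, written for these handouts as an added example (not SWITCH's or the Shibboleth project's code): it reads the four storage properties named above from idp.properties and compares them with the table on the "Storage Recommendations" slide. The bean names are assumed to be the IdP v3 defaults plus the shibboleth.JPAStorageService bean from global.xml; the two idp.properties files it checks are constructed samples.

```shell
#!/bin/sh
# Added example (not from the handouts): check the storage service
# assignments in idp.properties against the slide "Storage Recommendations".
# Bean names assumed to be the IdP v3 defaults plus the deployer-defined
# database service named on the slide "IdP Configuration: Database Storage":
#   shibboleth.StorageService               in-memory, per node
#   shibboleth.ClientSessionStorageService  encrypted cookie, per client
#   shibboleth.JPAStorageService            common database (global.xml)
#   shibboleth.MemcachedStorageService      memcached alternative

# Print the (last) value of a property; comments and blanks are ignored.
prop() {              # prop <properties-file> <key>
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Check one storage entity. <acceptable> is one bean name or several
# separated by '|'. Returns 0 if the configured bean is acceptable.
check_entity() {      # check_entity <file> <key> <acceptable> <description>
    value=$(prop "$1" "$2")
    case "|$3|" in
        *"|$value|"*) echo "OK       $4: $value"; return 0 ;;
        *)            echo "WARNING  $4: '$value' (recommended: $3)"; return 1 ;;
    esac
}

# Run all checks; the return value is the number of deviating entities.
check_storage_config() {   # check_storage_config <idp.properties>
    bad=0
    check_entity "$1" idp.session.StorageService shibboleth.ClientSessionStorageService \
        "IdP User Session, per client" || bad=$((bad + 1))
    check_entity "$1" idp.consent.StorageService shibboleth.JPAStorageService \
        "User consents, cluster-wide" || bad=$((bad + 1))
    check_entity "$1" idp.artifact.StorageService shibboleth.JPAStorageService \
        "SAML artifacts, cluster-wide" || bad=$((bad + 1))
    # memory per node is the recommendation; database or memcached are the
    # alternatives the slide names for higher security requirements
    check_entity "$1" idp.replayCache.StorageService \
        "shibboleth.StorageService|shibboleth.JPAStorageService|shibboleth.MemcachedStorageService" \
        "Message replay cache, per node" || bad=$((bad + 1))
    return "$bad"
}

# Constructed sample files (not real deployments): a two-node cluster
# configured as recommended, and a single-node default left unchanged.
CLUSTER=$(mktemp); SINGLE=$(mktemp); trap 'rm -f "$CLUSTER" "$SINGLE"' EXIT
cat >"$CLUSTER" <<'EOF'
# storage services for a two-node cluster (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
cat >"$SINGLE" <<'EOF'
# single-node defaults (constructed sample): consents per browser, artifacts per node
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF

echo "== cluster configuration";  check_storage_config "$CLUSTER" || true
echo "== single-node defaults";   check_storage_config "$SINGLE" || echo "$? entities deviate from the recommendations"
```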
IdP Configuration: Database Storage

- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management

- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
- Setup
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  - Install an appropriate cronjob.
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
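One way to implement the cronjob described above, as an added example written for these handouts (not the wiki's or SWITCH's script): the designated node generates the next key with seckeygen.sh and copies the keystore before the version file, so no peer ever announces a version whose key it does not hold. IdP paths, the sealer alias, the seckeygen.sh options and the peer host names are assumptions to adapt; the version file parsed in the offline demo is constructed.

```shell
#!/bin/sh
# Added example, not the wiki's or SWITCH's cronjob script: rotate the
# cookie sealer key on the one node designated for key generation and
# distribute keystore and version file to the other nodes.
# Assumptions (adapt to your deployment): IdP under /opt/shibboleth-idp,
# sealer paths and alias as in the default idp.properties, seckeygen.sh
# options as documented on the wiki page "SecretKeyManagement", peers
# reachable via SSH as root with key-based login.
IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
STORE=$IDP_HOME/credentials/sealer.jks
KVER=$IDP_HOME/credentials/sealer.kver
PEERS=${PEERS:-"aai-login2.example.org aai-login3.example.org"}   # assumed names
KEEP=30   # old keys retained; must cover the longest configured session lifetime

# Return the CurrentVersion entry of a sealer.kver file (Java properties
# format); prints nothing if the entry is missing.
current_version() {   # current_version <kver-file>
    sed -n 's/^CurrentVersion[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# Read the keystore password from idp.properties (idp.sealer.storePassword).
store_password() {    # store_password <idp.properties>
    sed -n 's/^idp\.sealer\.storePassword[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Generate the next key locally: seckeygen.sh adds alias secret<N+1>, bumps
# CurrentVersion and prunes keys older than KEEP versions.
rotate_local() {
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$STORE" \
        --storepass "$(store_password "$IDP_HOME/conf/idp.properties")" \
        --versionfile "$KVER" --alias secret --count "$KEEP"
}

# Copy the keystore before the version file so that a peer never
# announces a version whose key it does not yet hold; rsync -a keeps the
# restrictive file mode of the keystore.
distribute() {
    for host in $PEERS; do
        rsync -a "$STORE" "root@$host:$STORE" && rsync -a "$KVER" "root@$host:$KVER" ||
            { echo "copy to $host failed" >&2; return 1; }
    done
}

# Every peer must report the same CurrentVersion as this node.
verify() {
    want=$(current_version "$KVER")
    for host in $PEERS; do
        got=$(ssh "root@$host" "sed -n 's/^CurrentVersion[[:space:]]*=[[:space:]]*//p' '$KVER'")
        [ "$got" = "$want" ] || { echo "$host reports version '$got', expected $want" >&2; return 1; }
    done
    echo "all nodes at sealer key version $want"
}

# Offline demo on a constructed version file (not a real deployment file).
SAMPLE_KVER=$(mktemp); trap 'rm -f "$SAMPLE_KVER"' EXIT
printf '#Thu Jun 11 06:00:00 CEST 2015\nCurrentVersion=17\n' >"$SAMPLE_KVER"
echo "sample sealer.kver is at version $(current_version "$SAMPLE_KVER")"

# Actual rotation only when invoked as: rotate-sealer-key.sh --run
if [ "${1:-}" = "--run" ]; then
    rotate_local && distribute && verify
fi
```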
Further Notes

- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited.
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
- Terracotta
  - No longer an option for IdPv3.
Considerations for planning an IdP cluster

- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
References / Documentation

- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
- Get an idea of the benefits when participating in interfederation.
- Know what it takes to enable an IdP for interfederation.
- Understand the concept of Entity Categories.
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales.
SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
- Most federations are of national scope.
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  - Research projects are mostly multi-national.
- Interconnecting national federations: Interfederation
  - Register the IdP or SP in only one federation and enable it for interfederation.
  - Enable the IdP for interfederation: its users will be able to access services from other federations.
  - Enable the SP for interfederation: the service can serve users from other federations.
All Academic Identity Federations Globally
[Map of production and pilot federations; source: https://refeds.org/federations/federations-map]
eduGAIN Status

- eduGAIN is the GÉANT Interfederation Service.
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: 1257 IdPs, 963 SPs
- http://www.edugain.org
- https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                   Defined in   Example
displayName                     eduPerson    Peter Sample
common name (cn)                eduPerson    Peter Sample
mail                            eduPerson    peter.sample@example.org
eduPersonAffiliation /          eduPerson    staff / staff@example.org
  eduPersonScopedAffiliation
eduPersonPrincipalName          eduPerson    234cd8z239@example.org
schacHomeOrganization           SCHAC        example.org
schacHomeOrganizationType       SCHAC        urn:schac:homeOrganizationType:ch:university
                                             urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?

- eduGAIN provides a policy framework and standards to build trust.
- SPs and IdPs of participating federations should opt-in for eduGAIN.
  - Some federations decided for opt-out instead.
- The MDS fetches, aggregates and republishes metadata.

[Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata

- Tag an entity (SP or IdP) as being part of a category.
- Requires a specification for internationally coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context:
  - Filling the gap of missing common policies
  - Support or increase scalable trust

Metadata
[Slide 14: diagram]
GÉANT Data Protection Code of Conduct

- The method is based on the EU Data Protection directives.
- The SP has to provide a Privacy Policy (in English, according to the guideline).
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale.

Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles

- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative informational documents
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template

- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
REFEDS Research & Scholarship

- R&S SPs support
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files

Log files
- error.log: aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration: defined in the virtual host definition
  dir: /etc/apache2/sites-available/
  file: aai-login.example.org.conf
Tomcat log files

- catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7/
  Config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO   (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7/
  Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)

- Logging implementation: Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level changes without restarting the IdP. Entry in services.properties: idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Shibboleth log files (2)

- Location: /opt/shibboleth-idp/logs/
- Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)

- Config: /opt/shibboleth-idp/conf/logback.xml
- Three main classes: Logger, Appender (output destination) and Layout
- Default settings are usually OK. Change them if required, e.g.:
  - LDAP Auth Module or authentication events
  - new Logger or Appender...
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default.
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

Note: with its default evaluator the SMTPAppender sends a mail only when an ERROR-level event arrives, attaching the most recent preceding events as context; the DEBUG root level above widens what gets logged, not what triggers a mail.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2

- Only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).
- No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check.
New reloading options with v3

- A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- Available bean IDs for service reloads: see
    $ grep 'bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- Reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
- By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).
- Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... Requesting the respective URL with curl seems more straightforward.
Available bean IDs for service reloads

- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too

- The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages.
  - Edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately.
  - Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2.
Still requiring a restart with v3

- Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- Changes to global.xml (SQL data source, HTTP client settings)
- Changes to the authentication configuration, such as LDAP parameters etc.
- Changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
- And a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely.
(Ideas for) hands-on exercises

- Try reloading a couple of the services listed under "Available bean IDs for service reloads":
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
- Check what happens when specifying invalid bean IDs.
- Insert a syntax error into a configuration file and try reloading the corresponding service.
- Entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
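The curl-based reload described under "New reloading options with v3", together with a check of the reload records in idp-audit.log from the exercises above, as an added example written for these handouts (not SWITCH's or the Shibboleth project's code). The IdP base URL is the one used on the slides, the bean IDs are taken from the slide listing them, and the audit log lines are a constructed sample whose leading timestamp field is an assumption.

```shell
#!/bin/sh
# Added example (not from the handouts): trigger the IdP v3 admin reload
# flows with curl and count the reload events recorded in idp-audit.log.
# Assumptions: the IdP is reachable as https://aai-login.example.org/idp
# and this host is permitted by access-control.xml (localhost by default);
# the leading timestamp field in the sample audit lines is assumed, the
# rest of each line follows the shape shown on the slide.
IDP_URL=${IDP_URL:-https://aai-login.example.org/idp}

# Request reload-service or reload-metadata for one ID. The ID is passed
# URL-encoded; success is judged by HTTP status 200.
reload() {            # reload <service|metadata> <id>
    status=$(curl -s -o /dev/null -w '%{http_code}' -G \
        --data-urlencode "id=$2" "$IDP_URL/profile/admin/reload-$1")
    case "$status" in
        200) echo "reload-$1 id=$2: reloaded"; return 0 ;;
        *)   echo "reload-$1 id=$2: failed (HTTP $status)"; return 1 ;;
    esac
}

# Count audit records for one reload profile (metadata or
# service-configuration). Fields are '|'-separated, so the profile URI is
# matched between two pipes and cannot be confused with a longer URI.
count_reloads() {     # count_reloads <idp-audit.log> <metadata|service-configuration>
    grep -c "|http://shibboleth.net/ns/profiles/reload-$2|" "$1" || true
}

# Constructed sample of idp-audit.log: two service reloads, one metadata
# reload and one ordinary SSO record.
AUDIT=$(mktemp); trap 'rm -f "$AUDIT"' EXIT
cat >"$AUDIT" <<'EOF'
20150611T101500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T101530Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T102000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T103000Z|https://sp.example.org/shibboleth||http://shibboleth.net/ns/profiles/saml2/sso/browser||||||||
EOF
echo "service-configuration reloads: $(count_reloads "$AUDIT" service-configuration)"
echo "metadata reloads:              $(count_reloads "$AUDIT" metadata)"

# Live reloads only when invoked with --run (needs access to the IdP).
if [ "${1:-}" = "--run" ]; then
    for id in shibboleth.LoggingService shibboleth.AttributeFilterService; do
        reload service "$id"
    done
    reload metadata "${MD_ID:-md-id}"   # md-id: placeholder as on the slide
fi
```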
SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai.
- Understand what is different regarding:
  - Opt-in vs. opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help.
Interfederation Rollout: Opt-in vs. Opt-out

- Opt-in
  - IdPs and SPs decide when they are ready to interfederate.
  - Once the configuration is up-to-date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process
  - ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - Federation announces a flag day for enabling interfederation.
  - IdPs and SPs need to opt-out before, if they do not want to participate or if they are not ready yet.
  - ⊕ Quick adoption
  - ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata

- Interfederated IdPs and SPs need additional metadata.
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  - Opt-out federations integrate all entities into a single metadata file.
- Propagation speed of metadata changes:
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue:
  - SP does not load interfederation metadata.
  - SP does not know the IdP and fails.
Discovery Service (DS)

- Within SWITCHaai, users easily find their IdP.
- An SP needs a DS that knows the appropriate set of IdPs.
  - An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
  - E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt-out.
  - That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes

- Missing attributes cause interoperation problems.
  - Check the SP's attribute requirements in the Resource Registry.
  - Verify that attributes were released (in the IdP's audit log).
    - If NO: check your IdP's attribute release policy.
    - If YES: were all required attributes released?
      - If YES: the SP has to check out why it fails.
      - If NO: review your attribute release policy.
- Another issue:
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities

- Is a university's IdP or an SP already interfederated?
  - Go to https://technical.edugain.org/status.php
    - Pick the country where the entity might be registered.
    - Under "Metadata URL", click on "validate this metadata set", then on "show entities list".
  - Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  - Or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names.
- Additional web pages of interest:
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  - REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities

- Find an SP in the Resource Registry:
  - Go to https://rr.aai.switch.ch
  - Pick "Search for resources"
  - Pick "interfederation"
- Or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Authentication Configuration

- Login flow activation
  - /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
- Per login flow configuration
  - /opt/shibboleth-idp/conf/authn/*-authn-config.xml
- Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process.
Configuration: Username/password with LDAP

- Most deployments use this authentication mechanism.
- Login flow for username/password authentication: Password (activated by default)
- Configuration is done in two properties files:
  - All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  - Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
- The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties).
Example Configuration

- /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

- /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication

- General options
  - idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator.
- Connection options
  - idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  - idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted.
  - idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.
Properties for LDAP authentication (continued)

- Connection options (continued)
  - idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust.
- User directory options
  - idp.authn.LDAP.baseDN: Entry point in the user directory.
  - idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true.
  - idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.
Properties for LDAP authentication (continued)

- LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  - idp.authn.LDAP.bindDN: Bind DN of the IdP service user
  - idp.authn.LDAP.bindDNCredential: Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration / Get familiar with properties files

- Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
- /opt/shibboleth-idp/conf/ldap.properties
  - Which LDAP attribute holds the user's login name?
  - Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
- Where is the password of the service user defined?
Hands-on 1: Solutions

- Enabled flows: Password (idp.authn.flows = Password)
- LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
- DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
- In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2: file /opt/shibboleth-idp/conf/login.properties

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
    };

PS: Common and equivalent alternative to userField: userFilter
    userField="uid"   <=>   userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3: file /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Advanced Topics

- JAAS authentication as used in v2 is still supported in v3.
  - Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  - JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
- JAAS authentication is recommended for:
  - Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  - Connecting to other user directories like RDBMS (using a specific JAAS module)
- See the documentation on the Shibboleth wiki for details.
References / Documentation

- Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
- Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
- Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
- Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
- Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team aai@switch.ch

Overview
- How to
  - Customize look and feel
  - Customize messages/languages
  - Add text to your login site
Layout

- Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and css).
- Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
- Rebuild the idp.war file and restart Tomcat.
Spring message properties

- In /opt/shibboleth-idp/messages/ you find:
  - authn-messages.properties
  - error-messages.properties
  - consent-messages.properties
  These messages are used in the Velocity templates.
- Internationalization:
  - consent-messages_de.properties
  - consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Page 27
Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

($encoder.encodeForHTML escapes the service name, which comes from SP metadata, before it is placed in the page.)

Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
  A single generic message for both cases also avoids revealing whether a username exists.

Page 33
Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible
  Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions
  Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  Less misleading, smaller files, clearer

Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36
New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
source: Resource Registry

Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in Resource Registry too

Page 38
Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41
Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
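As an added example (not from the slides or from the Shibboleth code base), the computation sketched on the "Persistent IDs in practice" slide and the reason the salt must be carried over from v2: it assumes the stock computed-ID strategy hashes spEntityID!sourceValue!salt with SHA-1 and Base64-encodes the 20-byte digest; all entity IDs, the source attribute value and the salt below are constructed.

```python
"""Computed persistent ID: pairwise, stable, and dependent on the salt."""
import base64
import hashlib

# Constructed sample values (not taken from any real deployment).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"           # stands in for swissEduPersonUniqueID
SALT = "constructed-salt-do-not-reuse-0123"   # stands in for idp.persistentId.salt


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over spEntityID!sourceValue!salt, Base64-encoded (20 bytes -> 28 chars).

    Assumption: the '!' separators are those of the stock computed-ID strategy.
    A salt shorter than 16 bytes is rejected, mirroring the IdP's own minimum.
    """
    salt_bytes = salt.encode("utf-8")
    if len(salt_bytes) < 16:
        raise ValueError("persistent ID salt must be at least 16 bytes")
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt_bytes)
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """Rendering as seen by the Shibboleth SP: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def is_well_formed(pid: str) -> bool:
    """A persistent ID proper is 28 Base64 characters decoding to exactly 20 bytes."""
    try:
        return len(pid) == 28 and len(base64.b64decode(pid, validate=True)) == 20
    except (ValueError, TypeError):
        return False


def pairwise_check() -> dict:
    """Exercise the properties the SAML spec demands of a persistent identifier."""
    pid_a = computed_persistent_id(SP_A, SOURCE_VALUE, SALT)
    pid_b = computed_persistent_id(SP_B, SOURCE_VALUE, SALT)
    # A different salt (e.g. one not carried over from v2) changes the ID for
    # every user at every SP, silently breaking all existing SP-side accounts.
    pid_a_other_salt = computed_persistent_id(SP_A, SOURCE_VALUE, SALT + "-changed")
    return {
        "pid_a": pid_a,
        "pid_b": pid_b,
        "stable": pid_a == computed_persistent_id(SP_A, SOURCE_VALUE, SALT),
        "pairwise": pid_a != pid_b,            # same user, two SPs, unlinkable IDs
        "salt_sensitive": pid_a != pid_a_other_salt,
        "well_formed": is_well_formed(pid_a) and is_well_formed(pid_b),
        "on_the_wire": qualified_persistent_id(IDP_ENTITY_ID, SP_A, pid_a),
    }


if __name__ == "__main__":
    for key, value in pairwise_check().items():
        print(f"{key}: {value}")
```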
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table

Page 45
User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes
     = if the set of attributes changes
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes
  Always available to users
• Ask me again at next login
  idp.consent.allowDoNotRemember = true [true]
• Do not ask me again
  idp.consent.allowGlobal = false [true]

Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld
  idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change
  idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use regardless of the SP

Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
Hands-on solution
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.

Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override
Disables flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

Page 58
SWITCHaai Team
aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60
References / Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61
Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team
aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata

Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes

Page 63
IdPv2 vs. IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
1, 2: To review
3: To adapt

Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information
   Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation)
2. Descriptive Information
   Add new IP ranges and Domain Hints
5. Contacts
   Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings
   Default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65
2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata

Page 66
2. Change URL for Attribute Authority
What to adapt in Resource Registry then?
In "3. Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically, the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time
Page 68
SWITCHaai Team
aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Page 70
Example Environment

Page 71
Options
• Full-featured setup
  Load Balancing: Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended
    – Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    – Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably
    – Behavior of clients is not determinable
    – Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
    – Fast switching possible, but more complicated setup
  Switching via DNS
    – Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs. server-side
  Server-side database can store any data
    – But: might cause some performance penalty
    – Centralized/clustered or replicated database required
  Client-side storage using cookies
    – Doesn't work for large data like user consents
    – Stored per single client. Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73
copy 2015 SWITCH
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework made up of the eduGAIN Constitution, the eduGAIN Declaration, the Code of Conduct, the Attribute Profile, the Metadata Profile and the Web SSO Profile]
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
[Figure: metadata example]
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
[Figure: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2)
[Screenshot: Attribute Release Settings, continued]
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
• error.log: aai-login.example.org.error.log. LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart. The services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok. Change them if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted-out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
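The check "were the required attributes released?" is a question for idp-audit.log. The following Python helper is an added example (not from the handout or the IdP) that splits the pipe-separated audit records, lists the attributes released to a given SP and compares them with the SP's requirements as found in the Resource Registry; it also picks out the reload events mentioned in the reloading presentation. All log lines are constructed, and the column order in FIELDS is an assumption for those lines (profile in the fifth column, matching the reload events shown on the slides); the real order is whatever audit format your conf/audit.xml defines, so adjust FIELDS accordingly.

```python
"""List the attributes an IdP released to an SP from idp-audit.log records.

Added example. FIELDS is an assumed column order for the constructed sample
lines below; take the real order from the audit format in conf/audit.xml.
"""

# Assumed column order (pipe-separated): profile is the 5th column, as in the
# reload events shown on the slides; released attribute names are comma-separated.
FIELDS = ["time", "binding", "inbound_id", "sp", "profile", "user",
          "authn_context", "attributes", "nameid_format", "response_id",
          "status", "sso"]

# Constructed sample records: two SSO logins and one admin reload event
SAMPLE_AUDIT_LOG = """\
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|displayName,mail,eduPersonPrincipalName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_r1|urn:oasis:names:tc:SAML:2.0:status:Success|false
20150611T081630Z||||http://shibboleth.net/ns/profiles/reload-service-configuration|||||||
20150611T082011Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://other.example.net/sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonTargetedID|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|_r2|urn:oasis:names:tc:SAML:2.0:status:Success|true
"""


def parse_audit_line(line):
    """Split one record into a dict; short rows get empty strings for missing columns."""
    values = line.rstrip("\n").split("|")
    values += [""] * (len(FIELDS) - len(values))
    return dict(zip(FIELDS, values))


def released_attributes(log_text, sp_entity_id):
    """Union of attribute names released to sp_entity_id across all records."""
    released = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec["sp"] == sp_entity_id and rec["attributes"]:
            released.update(a for a in rec["attributes"].split(",") if a)
    return released


def missing_attributes(log_text, sp_entity_id, required):
    """Attributes the SP requires (per the Resource Registry) that never appear in the log."""
    return set(required) - released_attributes(log_text, sp_entity_id)


def reload_events(log_text):
    """Admin reload events, recognisable only by their profile URI (the id= argument is not in the record)."""
    return [parse_audit_line(line)["profile"] for line in log_text.splitlines()
            if "/profiles/reload-" in line]


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print("released to", sp, ":", sorted(released_attributes(SAMPLE_AUDIT_LOG, sp)))
    print("missing:", missing_attributes(SAMPLE_AUDIT_LOG, sp, ["mail", "eduPersonScopedAffiliation"]))
    print("reload events:", reload_events(SAMPLE_AUDIT_LOG))
```

Run it against the real file with the SP's entityID from the Resource Registry; an empty "missing" set moves the problem to the SP side, as the decision tree above says, while a non-empty one points at the attribute release policy.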
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). (If not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
Page 18
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User Directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details)
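The useStartTLS / useSSL properties only protect the connection when they match the URL scheme: an ldap:// URL without StartTLS sends the service user's bind password and every user's login password in the clear. The following Python check is an added example (mine, not from the handout or the IdP) that parses an ldap.properties text and flags such mismatches, plus a bind credential that has strayed out of credentials.properties. The property names are the ones listed on the slides; both property files are constructed samples.

```python
"""Plausibility check for the TLS settings in a Shibboleth IdP v3 ldap.properties.

Added example; the property names are those documented on the slides, the
sample files below are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample: the handout's example configuration (ldaps:// on port 636)
SAMPLE_LDAPS = """\
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""

# Constructed sample of a weak setup: plain ldap:// without StartTLS, and the
# bind password placed in ldap.properties instead of credentials.properties
SAMPLE_WEAK = """\
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
idp.authn.LDAP.bindDNCredential = secret
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' or '!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"


def check_ldap_tls(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    p = "idp.authn.LDAP."
    if props.get(p + "authenticator") != "bindSearchAuthenticator":
        findings.append("authenticator must be bindSearchAuthenticator")
    urls = props.get(p + "ldapURL", "").split()
    if not urls:
        findings.append("ldapURL is not set")
    for url in urls:
        scheme = urlsplit(url).scheme
        if scheme == "ldaps" and not is_true(props, p + "useSSL"):
            findings.append(f"{url}: ldaps:// URL but useSSL is not true")
        elif scheme == "ldap" and not is_true(props, p + "useStartTLS"):
            findings.append(f"{url}: ldap:// URL without useStartTLS, "
                            "bind and user passwords would travel unencrypted")
        elif scheme not in ("ldap", "ldaps"):
            findings.append(f"{url}: URL must start with ldap:// or ldaps://")
    if p + "bindDNCredential" in props:
        findings.append("bindDNCredential belongs in credentials.properties, not ldap.properties")
    return findings


if __name__ == "__main__":
    for name, text in (("ldaps sample", SAMPLE_LDAPS), ("weak sample", SAMPLE_WEAK)):
        print(name, check_ldap_tls(parse_properties(text)) or ["ok"])
```

Point it at the real file with `parse_properties(open("/opt/shibboleth-idp/conf/ldap.properties").read())`; with several space-separated URLs every server is checked against the same two flags, because the IdP applies them to all of them.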
Page 19
Hands-on 1: Explore the configuration. Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Page 20
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2: File /opt/shibboleth-idp/conf/login.properties

    ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
    };

PS: Common and equivalent alternative to userField: userFilter

    userField="uid"   is equivalent to   userFilter="uid={0}"
Hands-on 2: Solution
To IdPv3: File /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
Page 21
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References / Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Page 22
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch
Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Page 23
Page 24
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat
Page 25
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
Page 26
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties (continued)
in /opt/shibboleth-idp/messages/authn-messages.properties

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Page 27
Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Page 28
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."
Page 31
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• use the class in login.vm:

    <img class="idp_logo" align="right" …

• rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Page 32
copy SWITCH 201513
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
• Mapping both error keys to the same message also avoids telling the user (or an attacker) whether the username exists.
Attribute Resolution: Migrating configuration to version 3
Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.
New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features: example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}" queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:
<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Doable in the Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:
<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• The IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
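The hash construction from the slide above, as an added Python example that is not part of the SWITCH handout nor of the Shibboleth code. It assumes the input layout of the IdP's ComputedId/StoredId connector, spEntityID + "!" + sourceValue + "!" + salt, which the slide does not spell out; the entity IDs, user identifier and salt are constructed test values. It also shows why the salt matters: whoever knows it can map a pairwise ID back to a username by recomputation.

```python
import base64
import hashlib

# Constructed test values (not from any real deployment).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Model of the IdP's default computed persistent ID.

    Assumed input layout (taken from the ComputedId/StoredId connector, not
    stated on the slide): SHA-1( spEntityID + "!" + sourceValue + "!" + salt ),
    Base64 encoded. A SHA-1 digest is 20 bytes, so the result is always
    28 characters ending in a single '='.
    """
    material = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """String form the Shibboleth SP hands to applications:
    NameQualifier!SPNameQualifier!value (the slide's 'attribute rendering')."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def link_id_to_user(pid: str, sp_entity_id: str, candidates, salt: str):
    """Attacker's view: with the salt in hand (leaked credentials.properties,
    or a guessable salt) a 'pseudonymous' ID is linked back to a user simply
    by recomputing it for a list of candidate usernames."""
    for user in candidates:
        if computed_persistent_id(sp_entity_id, user, salt) == pid:
            return user
    return None


if __name__ == "__main__":
    salt = "constructed-salt-value-0123456789"
    pid_a = computed_persistent_id(SP_A, "alice", salt)
    pid_b = computed_persistent_id(SP_B, "alice", salt)
    print("alice at SP A:", sp_attribute_rendering(IDP_ENTITY_ID, SP_A, pid_a))
    print("alice at SP B:", sp_attribute_rendering(IDP_ENTITY_ID, SP_B, pid_b))
    print("pairwise, differs per SP:", pid_a != pid_b)
    print("re-identified with the salt:", link_id_to_user(pid_a, SP_A, ["bob", "alice"], salt))
    print("re-identified without it:", link_id_to_user(pid_a, SP_A, ["bob", "alice"], "wrong"))
```

Two operational consequences follow directly: the salt in credentials.properties has to be protected like a key, and it has to be carried over unchanged from v2, since any change to it silently changes every user's ID at every SP.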
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration (and an ideal SAML 2 world) the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except that attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP:
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> […]
• Other mappings configurable, but the key is still the entityID (a default value is available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:
<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>
Hands-on solution (continued)
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:
<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
The profile beans are referenced here without any postAuthenticationFlows property, which is what switches the consent flows off for the matched SPs. The match relies on the entity attribute in the SP's metadata, i.e. on what the federation registry publishes for that SP.
Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Verify the package against the PGP signature (.asc) published alongside it before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (Resource Registry screenshot): sections 1 and 2 to review, section 3 to adapt
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change the URL for the Attribute Authority (continued)
What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3. Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints (continued)
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) about when the binding was used the last time.
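The grep from the slide above, extended into an added Python example (not from the SWITCH handout) that reports, for every binding found in the log, when it was last used and by which SP, and lists the bindings not seen since a cut-off date. The log lines are constructed for the example: they copy the idp-process.log timestamp layout (logback ISO8601, "yyyy-MM-dd HH:mm:ss,SSS") but the message text after it is invented; real lines depend on the configured log level and logger categories, so adapt the regular expressions to what your IdP actually writes.

```python
import re
from datetime import datetime

# Constructed sample lines (not real IdP output): timestamp layout as in
# idp-process.log, message text invented for this example.
SAMPLE_LOG = """\
2015-01-15 08:02:11,412 - INFO [ex.Binding:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for https://sp.example.org/shibboleth
2015-02-03 17:40:09,001 - INFO [ex.Binding:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for https://legacy.example.org/shibboleth
2015-02-20 12:00:00,777 - INFO [ex.Binding:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign for https://sp.example.org/shibboleth
2015-06-10 09:30:45,118 - INFO [ex.Binding:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for https://sp.example.org/shibboleth
2015-06-10 09:31:02,553 - WARN [ex.Other:9] - this line mentions no binding at all
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9\-]+")
ENTITY_RE = re.compile(r"https://[^\s\"'>]+")


def last_use_by_binding(lines):
    """Return {binding URN: (last use as datetime, SP entity ID)} for all
    bindings mentioned in the given log lines. Lines without a timestamp
    or without a binding URN are ignored."""
    result = {}
    for line in lines:
        ts_m = TS_RE.match(line)
        b_m = BINDING_RE.search(line)
        if not ts_m or not b_m:
            continue
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")
        # Assumption for the constructed lines: the SP's entity ID is the
        # first https:// URL that follows the binding URN.
        e_m = ENTITY_RE.search(line, b_m.end())
        sp = e_m.group(0) if e_m else "<unknown>"
        binding = b_m.group(0)
        if binding not in result or ts > result[binding][0]:
            result[binding] = (ts, sp)
    return result


def unused_since(lines, cutoff_date):
    """Bindings present in the log whose last use is before cutoff_date
    ('YYYY-MM-DD'). Bindings that never appear at all are not listed: the
    log only covers its retention window, so absence is not proof of non-use."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    return sorted(b for b, (ts, _) in last_use_by_binding(lines).items() if ts < cutoff)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for binding, (ts, sp) in sorted(last_use_by_binding(lines).items()):
        print(f"{binding}: last used {ts:%Y-%m-%d %H:%M:%S} by {sp}")
    print("candidates for removal (unused since 2015-03-01):", unused_since(lines, "2015-03-01"))
```

Run it against the real files with something like `lines = itertools.chain.from_iterable(open(p) for p in glob.glob("/opt/shibboleth-idp/logs/idp-process-2015-*.log"))`, and remember that an endpoint whose binding never shows up in the retained logs may still be in use by a client that only comes around once a term.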
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (two diagram slides, not reproduced in the handout text)
Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup: special load balancing hardware or software is highly recommended
  – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  – Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably: the behavior of clients is not determinable, and it does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but a more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side
• Server-side database: can store any data
  – But: might cause some performance penalty
  – A centralized/clustered or replicated database is required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node: a message first seen by one node is not recognised as a replay by another (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
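What "limited to a single node" means for the replay cache, as an added Python model that is not the IdP's own code (the IdP keeps its replay cache in a StorageService). Two nodes behind a load balancer receive the same SAML message twice: with per-node in-memory caches the second copy is accepted, with a shared store it is rejected. Message IDs and timestamps are constructed, and the node and cache classes are illustrative only.

```python
class ReplayCache:
    """Minimal replay cache: remembers message IDs until they expire.
    Models the per-entity semantics of the IdP's cache, nothing more."""

    def __init__(self):
        self._seen = {}  # message ID -> expiry (epoch seconds)

    def check(self, message_id, expires_at, now):
        """Return True if the message is new (and record it), False on replay."""
        # Forget entries whose validity window has passed.
        for mid, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[mid]
        if message_id in self._seen:
            return False
        self._seen[message_id] = expires_at
        return True


class IdpNode:
    """One cluster member; `cache` is either private or shared between nodes."""

    def __init__(self, name, cache):
        self.name = name
        self.cache = cache

    def accept(self, msg, now):
        # A real IdP also checks IssueInstant/NotOnOrAfter itself; the
        # replay check is what the cache contributes on top of that.
        return self.cache.check(msg["id"], msg["not_on_or_after"], now)


def simulate(shared):
    """Deliver the same message twice, routed to two different nodes.
    Returns (first_delivery_accepted, replay_accepted)."""
    if shared:
        common = ReplayCache()
        nodes = [IdpNode("idp1", common), IdpNode("idp2", common)]
    else:
        nodes = [IdpNode("idp1", ReplayCache()), IdpNode("idp2", ReplayCache())]
    msg = {"id": "_constructed-message-id-1", "not_on_or_after": 1000 + 300}
    first = nodes[0].accept(msg, now=1000)
    replay = nodes[1].accept(msg, now=1001)  # load balancer picked the other node
    return first, replay


if __name__ == "__main__":
    print("per-node caches  (first, replay):", simulate(shared=False))
    print("shared cache     (first, replay):", simulate(shared=True))
```

With sticky sessions the replay usually lands on the same node, which is why the per-node default is tolerable; without them, or for the "higher security requirements" case on the slide, the shared store (idp.replayCache.StorageService pointing at the database or memcached) is what closes the gap.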
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
copy 2015 SWITCH
All Academic Identity Federations Globally
[World map of production and pilot federations; source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                    | Defined in | Example
displayName                                      | eduPerson  | Peter Sample
common name (cn)                                 | eduPerson  | Peter Sample
mail                                             | eduPerson  | peter.sample@example.org
eduPersonAffiliation, eduPersonScopedAffiliation | eduPerson  | staff, staff@example.org
eduPersonPrincipalName                           | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                            | SCHAC      | example.org
schacHomeOrganizationType                        | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID         | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
[Screenshot of the Resource Registry interfederation settings: https://www.switch.ch/aai/interfederation]
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata
[Slide with a metadata example]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules
[Screenshot]

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log (aai-login.example.org.error.log): LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log (aai-login.example.org.access.log)
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on the "Available bean IDs for service reloads" slide:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs
SWITCHaai Team, aai@switch.ch
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
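The audit-log check described above, as an added Python example (not part of the SWITCH handout): it reads idp-audit.log lines, finds the latest SSO event for one SP and reports which of the SP's required attributes were not released. It assumes the IdP v3 default audit format (%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X, relying party in field 4, comma-separated attribute IDs in field 11); the log lines and the required-attribute list are constructed sample data.

```python
"""Check an IdP v3 idp-audit.log for the attributes released to one SP.

Added example, not part of the SWITCH handout or the Shibboleth project.
It mechanises the troubleshooting steps from the "Attributes" slide: was
anything released to the SP at all, and if so, were all attributes the SP
requires (per the Resource Registry) among them?

Assumption: audit lines use the IdP v3 default format
%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X (pipe-separated,
relying party in field 4, comma-separated attribute IDs in field 11).
Adjust FIELDS if audit.xml was changed. Sample log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Field names for the default audit format (assumption, see docstring).
FIELDS = ["time", "url", "inbound_binding", "sp", "profile", "idp",
          "outbound_binding", "message_id", "principal", "authn_context",
          "attributes", "nameid_format", "nameid_value", "encryption"]

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"


@dataclass
class AuditEvent:
    time: str
    sp: str
    profile: str
    principal: str
    attributes: Set[str]


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Split one pipe-separated audit line; None if it is not an audit record.

    Admin-flow events (reload-service, reload-metadata) have empty relying
    party and attribute fields but still parse; trailing empty fields may be
    missing, so the line is padded to the expected width.
    """
    parts = line.rstrip("\n").split("|")
    if len(parts) < FIELDS.index("attributes") + 1:
        return None
    parts += [""] * (len(FIELDS) - len(parts))
    rec = dict(zip(FIELDS, parts))
    attrs = {a for a in rec["attributes"].split(",") if a}
    return AuditEvent(rec["time"], rec["sp"], rec["profile"], rec["principal"], attrs)


def check_release(lines: Iterable[str], sp_entity_id: str,
                  required: Iterable[str]) -> Dict[str, object]:
    """Report on the most recent SSO event for sp_entity_id.

    released is None when no SSO event for that SP exists (the release policy
    was never evaluated for it, or the entityID differs); otherwise the report
    lists what was released and which required attributes are missing.
    """
    events = [e for e in map(parse_audit_line, lines)
              if e is not None and e.profile == SSO_PROFILE and e.sp == sp_entity_id]
    if not events:
        return {"released": None, "missing": sorted(set(required)),
                "advice": "no SSO event for this SP: check the IdP's attribute "
                          "release policy and that the SP entityID matches"}
    latest = events[-1]                      # audit log is in time order
    missing = sorted(set(required) - latest.attributes)
    if missing:
        advice = "required attributes not released: review the attribute release policy"
    else:
        advice = "all required attributes were released: the SP side has to investigate"
    return {"time": latest.time, "principal": latest.principal,
            "released": sorted(latest.attributes), "missing": missing, "advice": advice}


def _sso_line(time: str, sp: str, attrs: str, msg: str) -> str:
    """Build a constructed SSO audit line in the assumed field order."""
    return "|".join([time, "https://aai-login.example.org/idp/profile/SAML2/Redirect/SSO",
                     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", sp, SSO_PROFILE,
                     "https://aai-login.example.org/idp/shibboleth",
                     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", msg, "jdoe",
                     "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                     attrs, "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                     "_nid" + msg, "true"])


# Constructed sample log: a reload event (no relying party), an older SSO to
# the SP with a smaller release, and the latest SSO to the same SP.
SAMPLE_LOG = [
    "20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    _sso_line("20150611T081600Z", "https://sp.example.org/shibboleth",
              "eduPersonPrincipalName,mail", "_msg1"),
    _sso_line("20150611T082000Z", "https://sp.example.org/shibboleth",
              "eduPersonPrincipalName,mail,displayName", "_msg2"),
]

# Required set as an R&S-style SP might list it in the Resource Registry (constructed).
RS_REQUIRED = ["eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation"]

if __name__ == "__main__":
    print(check_release(SAMPLE_LOG, "https://sp.example.org/shibboleth", RS_REQUIRED))
```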
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method; usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree; usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter; takes the login name as input
Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)
Hands-on 1: Explore the configuration. Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
  • Where is the password of the service user defined?
Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
  };

PS: A common and equivalent alternative to userField is userFilter:
  userField="uid"  ⇔  userFilter="(uid={0})"
Hands-on 2: Solution
To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
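The v2-to-v3 mapping worked through in Hands-on 2, as an added Python example (not part of the SWITCH handout or the Shibboleth project): it parses a JAAS LdapLoginModule entry and emits the idp.authn.LDAP.* properties, putting the bind password into credentials.properties as the Hands-on 1 solution does. Only the options used on the slide are mapped; anything else is reported as unmapped, and the input below is constructed sample data.

```python
"""Translate an IdP v2 JAAS LdapLoginModule entry into IdP v3 properties.

Added example, not part of the SWITCH handout or the Shibboleth project.
Mapping (as on the Hands-on 2 slide):
  ldapUrl        -> idp.authn.LDAP.ldapURL; ldaps:// URLs imply
                    useSSL=true, useStartTLS=false, sslConfig=jvmTrust
  baseDn         -> idp.authn.LDAP.baseDN
  bindDn         -> idp.authn.LDAP.bindDN
  bindCredential -> idp.authn.LDAP.bindDNCredential (credentials.properties)
  userField=uid  -> idp.authn.LDAP.userFilter = (uid={user})
  userFilter     -> same key, with the JAAS placeholder {0} rewritten to {user}
  subtreeSearch  -> idp.authn.LDAP.subtreeSearch
For plain ldap:// URLs the converter keeps the v3 default useStartTLS=true
(assumption, not shown on the slide). Sample input is constructed.
"""
import re
from typing import Dict, List, Tuple

# key=value or key="value with spaces" inside the JAAS module body
_OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_jaas_ldap_module(text: str) -> Dict[str, str]:
    """Return the option map of the first LdapLoginModule entry in a JAAS config."""
    m = re.search(r'LdapLoginModule\s+\w+\s+(.*?);', text, re.S)
    if not m:
        raise ValueError("no LdapLoginModule entry found")
    return {key: (quoted or bare) for key, quoted, bare in _OPTION_RE.findall(m.group(1))}


def convert(options: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Map JAAS options to (ldap.properties, credentials.properties, unmapped keys)."""
    ldap: Dict[str, str] = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds: Dict[str, str] = {}
    unmapped: List[str] = []
    for key, value in options.items():
        if key == "ldapUrl":
            ldap["idp.authn.LDAP.ldapURL"] = value
            all_ldaps = all(u.startswith("ldaps://") for u in value.split())
            ldap["idp.authn.LDAP.useSSL"] = "true" if all_ldaps else "false"
            ldap["idp.authn.LDAP.useStartTLS"] = "false" if all_ldaps else "true"
            if all_ldaps:
                ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
        elif key == "baseDn":
            ldap["idp.authn.LDAP.baseDN"] = value
        elif key == "bindDn":
            ldap["idp.authn.LDAP.bindDN"] = value
        elif key == "bindCredential":
            creds["idp.authn.LDAP.bindDNCredential"] = value   # keep out of ldap.properties
        elif key == "subtreeSearch":
            ldap["idp.authn.LDAP.subtreeSearch"] = value.lower()
        elif key == "userField":
            ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % value
        elif key == "userFilter":
            ldap["idp.authn.LDAP.userFilter"] = value.replace("{0}", "{user}")
        else:
            unmapped.append(key)
    return ldap, creds, unmapped


def render_properties(props: Dict[str, str]) -> str:
    """Serialise a property map in the key = value form used by the IdP files."""
    return "".join("%s = %s\n" % item for item in props.items())


# Constructed sample input, same shape as the v2 entry on the slide.
SAMPLE_LOGIN_CONFIG = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

if __name__ == "__main__":
    ldap_props, cred_props, left = convert(parse_jaas_ldap_module(SAMPLE_LOGIN_CONFIG))
    print("# ldap.properties\n" + render_properties(ldap_props))
    print("# credentials.properties\n" + render_properties(cred_props))
    if left:
        print("# unmapped JAAS options:", ", ".join(left))
```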
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References / Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

[Screenshots of the login page]
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

[Screenshot of the resulting login form]
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

  ## read the relying party's service name from the UI context (property access, as listed on the previous slide)
  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      ## always HTML-encode metadata-derived strings before rendering them
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible
  • Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions
  • Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  • Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features: example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-shyon 2Add new eduPersonEntitlement values of the formhttpsexampleorggroupsltobjectClassgtusing the LDAP objectClass attribute without usingscript attributes
copy 2015 SWITCH 13
Hands-shyon 2 solutionCreate a new template attribute definition (withoutencoders) to generate the new values
ltresolverAttributeDefinition id=eduPersonEntitlementgroups xsitype=adTemplate sourceAttributeID=objectClass dependencyOnly=truegt ltresolverDependency ref=myLDAP gt ltadTemplategthttpsexampleorggroups$objectClassltadTemplategt ltadSourceAttributegtobjectClassltadSourceAttributegtltresolverAttributeDefinitiongt
Add that new attribute to the definition ofeduPersonEntitlement
ltresolverAttributeDefinition id=eduPersonEntitlement xsitype=adSimplegt ltresolverDependency ref=eduPersonEntitlementcommon-lib-terms gt ltresolverDependency ref=eduPersonEntitlementgroups gt lt-- rest of original definition --gtltresolverAttributeDefinitiongt
copy 2015 SWITCH 14
Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41
Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://aai-login.example.org/idp/shibboleth" SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string): https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded); the salt is the only input an outsider does not know, so it is what keeps the pseudonym from being recomputed by anyone holding the entity ID and the source attribute, and must be treated as a secret
• when used in a federation, always qualified by the IdP and SP entity IDs

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration: with a different salt every newly computed persistent ID changes, and users would no longer be recognised by the SPs they already have accounts at)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump, and compare the row counts on both sides afterwards

Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table

Page 45
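The following Python script is an added example for the two persistent ID slides above (the recap of how the ID is computed, and the instruction to carry the salt over from v2); it is not code from the SWITCH handouts or from the Shibboleth project. It reproduces the computed persistent ID and uses it to check a copy of the shibpid table against a candidate salt, which is the quickest way to find out whether the idp.persistentId.salt you copied into the v3 IdP is the one the v2 IdP actually used: if no active row matches, the salt is wrong. It assumes Shibboleth's ComputedId construction, SHA-1 over peerEntity + "!" + localId + "!" + salt, Base64 encoded; the "!" separators are taken from the Shibboleth source rather than from the slides, so confirm the function against one real row of your own shibpid table before relying on it. The shibpid rows, entity IDs, attribute values and salt below are constructed sample data.

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Optional

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"   # constructed
SP_A = "https://sp.example.org/shibboleth"                        # constructed
SP_B = "https://attribute-viewer.aai.switch.ch/shibboleth"        # constructed
V2_SALT = "not-a-real-salt-use-at-least-16-random-bytes"          # constructed; a real salt is a secret


def computed_persistent_id(peer_entity: str, local_id: str, salt: str) -> str:
    """Computed persistent ID as in Shibboleth's ComputedId/StoredId generators.
    Assumption: the hashed string is peerEntity + "!" + localId + "!" + salt (SHA-1, Base64)."""
    data = f"{peer_entity}!{local_id}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")  # 20 bytes -> 28 chars


def sp_attribute_rendering(local_entity: str, peer_entity: str, persistent_id: str) -> str:
    """String form the Shibboleth SP hands to applications: IdP!SP!value."""
    return f"{local_entity}!{peer_entity}!{persistent_id}"


def check_shibpid_rows(rows: Iterable[Dict[str, Optional[str]]], salt: str) -> Dict[str, List[str]]:
    """Compare each active shibpid row against the value computed with `salt`.

    'matches':     stored persistentId equals the computed one (salt is right for this row)
    'other':       no match: a revoked-and-regenerated (random) ID, or the wrong salt
    'deactivated': rows carrying a deactivationDate are skipped
    If *no* active row matches, the salt was not carried over correctly."""
    result: Dict[str, List[str]] = {"matches": [], "other": [], "deactivated": []}
    for row in rows:
        label = f"{row['principalName']}@{row['peerEntity']}"
        if row.get("deactivationDate"):
            result["deactivated"].append(label)
            continue
        expected = computed_persistent_id(row["peerEntity"], row["localId"], salt)
        result["matches" if row["persistentId"] == expected else "other"].append(label)
    return result


def sample_shibpid_rows() -> List[Dict[str, Optional[str]]]:
    """Constructed rows in the shape of the shibpid table (localEntity, peerEntity,
    principalName, localId, persistentId, deactivationDate); not real data."""
    def row(peer, principal, local_id, pid, deactivated=None):
        return {"localEntity": IDP_ENTITY_ID, "peerEntity": peer, "principalName": principal,
                "localId": local_id, "persistentId": pid, "deactivationDate": deactivated}

    alice, bob = "12345@example.org", "67890@example.org"   # swissEduPersonUniqueID-style values
    return [
        row(SP_A, "alice", alice, computed_persistent_id(SP_A, alice, V2_SALT)),
        row(SP_B, "alice", alice, computed_persistent_id(SP_B, alice, V2_SALT)),
        # bob revoked his ID for SP_A: the old row is deactivated and the replacement is random,
        # not computed, so it will never "match" regardless of the salt
        row(SP_A, "bob", bob, computed_persistent_id(SP_A, bob, V2_SALT), "2015-03-01 10:00:00"),
        row(SP_A, "bob", bob, "Rand0mRegeneratedValueNotAHash0="),
    ]


if __name__ == "__main__":
    rows = sample_shibpid_rows()
    for candidate in (V2_SALT, "typo-in-the-copied-salt"):
        print(candidate, check_shibpid_rows(rows, candidate))
    pid = computed_persistent_id(SP_A, "12345@example.org", V2_SALT)
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_A, pid))
```

Run it once with the salt from your v2 credentials against a `select * from shibpid` export: a handful of rows in "other" is normal (revoked IDs are random), an empty "matches" list means the salt did not survive the copy. The same two calls also show the pairwise property the SAML quote demands, since the same user gets a different value for SP_A and SP_B.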
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or the terms change.
What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• With global consent disabled, users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options (default value in brackets):
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation. The tag is read from the federation metadata, so the override is only as trustworthy as that metadata feed and its signature check:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Page 58
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

"The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date."

Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux), and verify the PGP signature published next to the package before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes

Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61
Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Page 62

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication needed anymore
(the SP still checks the IdP webserver certificate against the IdP's metadata).
Attribute queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.

Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.

Page 68
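As an added example (not part of the handouts), a small scanner that does the same job as the grep above but answers the actual question, when a binding was last used and by which SPs, so that the removal decision is made against a cutoff date rather than by eyeballing matches. The log lines it runs on are constructed for the example: a real idp-process.log is worded differently, and the scanner only relies on a leading `YYYY-MM-DD HH:MM:SS` timestamp, a SAML binding URN and an `https://` entityID appearing on the same line. The 90-day grace period is an assumed policy value.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not a real idp-process.log excerpt; only the timestamp, URN and entityID matter).
SAMPLE_LOG = """\
2015-01-14 09:12:03,411 - INFO [example] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-03-02 16:40:55,002 - INFO [example] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-05-30 11:05:17,873 - INFO [example] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-06-10 08:00:01,000 - INFO [example] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
"""

_TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
_ENTITY_ID = re.compile(r"https://[^\s\"'<>]+")
_BINDING = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")


class BindingUsage:
    def __init__(self) -> None:
        self.last_seen: Optional[datetime] = None
        self.requesters: Set[str] = set()


def scan_binding_usage(lines: Iterable[str]) -> Dict[str, BindingUsage]:
    """Per binding URN found in the log: the latest timestamp and the entityIDs seen with it."""
    usage: Dict[str, BindingUsage] = {}
    for line in lines:
        ts_match, binding_match = _TIMESTAMP.match(line), _BINDING.search(line)
        if not ts_match or not binding_match:
            continue
        when = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        entry = usage.setdefault(binding_match.group(0), BindingUsage())
        if entry.last_seen is None or when > entry.last_seen:
            entry.last_seen = when
        for entity_id in _ENTITY_ID.findall(line):   # any https:// URL on the line is an entityID here
            entry.requesters.add(entity_id)
    return usage


def last_use(usage: Dict[str, BindingUsage], binding: str) -> Optional[str]:
    """Formatted last-use time for a binding, or None if it never appears in the scanned logs."""
    entry = usage.get(binding)
    if entry is None or entry.last_seen is None:
        return None
    return entry.last_seen.strftime("%Y-%m-%d %H:%M:%S")


def removable(usage: Dict[str, BindingUsage], binding: str, today: str, grace_days: int = 90) -> bool:
    """A binding is a removal candidate if unused within grace_days before `today` (YYYY-MM-DD).
    Caveat: 'never seen' only means unused if the scanned logs cover the whole grace period."""
    entry = usage.get(binding)
    if entry is None or entry.last_seen is None:
        return True
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=grace_days)
    return entry.last_seen < cutoff


if __name__ == "__main__":
    found = scan_binding_usage(SAMPLE_LOG.splitlines())
    for urn in (SAML1_SOAP, SAML2_SIMPLESIGN, SAML2_POST):
        print(urn, last_use(found, urn), sorted(found[urn].requesters) if urn in found else [],
              "removable" if removable(found, urn, "2015-06-11") else "still in use")
```

Feed it `cat idp-process-2015-*.log` on stdin in place of the constructed sample and keep the SP list: an endpoint that only one legacy SP still uses is best removed in coordination with that SP's operator rather than silently.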
SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram)

Page 71
Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup: special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably: the behaviour of clients is not determinable, and it does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side
• Server-side database: can store any data
  • But: might cause some performance penalty
  • A centralized/clustered or replicated database is required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique, opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message replayed against a different node than the one that first saw it is not detected
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73
Storage Recommendations

  Storage Entity          Recommended Storage   Scope
  Conversation Session    Memory                Per Node
  IdP User Session        Client                Per Client
  Persistent ID           Common Database       Cluster
  User consents           Common Database       Cluster
  SAML artifacts          Common Database       Cluster
  Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key: a node that is missing the current key cannot read sessions sealed by its peers, and a node that has dropped an old key too early cannot read sessions sealed before the rotation. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75
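The example below is added here to show the two failure modes behind the secret key management slide, and it is neither the IdP's DataSealer nor SWITCH's cron script. A session is sealed with the current key version, can be unsealed with any version still in the ring, and becomes unreadable once its version has been retired or on a node that never received the keys; rotation therefore has to keep a window of old versions and every node has to get the same ring. The IdP seals the session cookie with AES-GCM keys from a JCEKS keystore; to stay standard-library only, the seal here is an HMAC-SHA256 tag over a version-prefixed payload (integrity, no confidentiality), so the rotation logic is the point, not the cipher. The KeyRing class, its export format, the number of retained versions and the session contents are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from collections import OrderedDict
from typing import Dict, Optional


class KeyRing:
    """Versioned keys; the newest is current, the oldest are retired once more than `keep` exist."""

    def __init__(self, keep: int = 3) -> None:
        self.keep = keep
        self.keys: "OrderedDict[int, bytes]" = OrderedDict()
        self.current = 0

    def rotate(self, new_key: Optional[bytes] = None) -> int:
        """The cron job step: add a new key version and drop versions beyond `keep`."""
        self.current += 1
        self.keys[self.current] = new_key if new_key is not None else os.urandom(32)
        while len(self.keys) > self.keep:
            self.keys.popitem(last=False)      # retire the oldest version
        return self.current

    def export(self) -> Dict[str, str]:
        """What the generating node copies to its peers: every retained version (hex)."""
        return {str(v): k.hex() for v, k in self.keys.items()}

    def import_ring(self, exported: Dict[str, str]) -> None:
        ordered = sorted(exported.items(), key=lambda kv: int(kv[0]))
        self.keys = OrderedDict((int(v), bytes.fromhex(k)) for v, k in ordered)
        self.current = max(self.keys)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(ring: KeyRing, session: Dict[str, str]) -> str:
    """Seal with the *current* key; the version travels in clear so the reader knows which key to try."""
    version = ring.current
    body = json.dumps(session, sort_keys=True).encode("utf-8")
    tag = hmac.new(ring.keys[version], f"{version}.".encode() + body, hashlib.sha256).digest()
    return f"{version}.{_b64(body)}.{_b64(tag)}"


def unseal(ring: KeyRing, token: str) -> Optional[Dict[str, str]]:
    """Unseal with the retained version named in the token; None if unknown version or bad tag."""
    try:
        version_str, body_b64, tag_b64 = token.split(".")
        key = ring.keys.get(int(version_str))
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None
    if key is None:
        return None                            # version retired, or this node never got the key
    expected = hmac.new(key, f"{version_str}.".encode() + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body.decode("utf-8"))


def rotation_walkthrough() -> Dict[str, bool]:
    """The scenarios a cluster operator cares about; True means the session still unseals."""
    node_a = KeyRing(keep=3)
    node_a.rotate()
    session = {"principal": "alice", "sp": "https://sp.example.org/shibboleth"}   # constructed
    cookie = seal(node_a, session)

    node_b_stale = KeyRing(keep=3)             # peer that never received node A's keys
    node_b_stale.rotate()                      # it has *a* version 1, just not the same key
    unsynced = unseal(node_b_stale, cookie) == session

    node_b_synced = KeyRing(keep=3)
    node_b_synced.import_ring(node_a.export())
    synced = unseal(node_b_synced, cookie) == session

    node_a.rotate()                            # one rotation: version 1 is still retained
    after_one_rotation = unseal(node_a, cookie) == session

    node_a.rotate(); node_a.rotate()           # version 1 now falls out of the ring
    after_retirement = unseal(node_a, cookie) == session

    parts = cookie.split(".")                  # flip the first body character: tag must fail
    parts[1] = ("A" if parts[1][0] != "A" else "B") + parts[1][1:]
    tampered_accepted = unseal(node_a, ".".join(parts)) is not None

    return {"unsynced_peer": unsynced, "synced_peer": synced, "after_one_rotation": after_one_rotation,
            "after_retirement": after_retirement, "tampered_accepted": tampered_accepted}


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The `keep` window is what ties rotation frequency to session lifetime: with the IdP's 8-hour sessions a key must stay in the ring for at least that long after it stops being current, and the copy to the other nodes has to land before the next rotation, otherwise the "unsynced peer" case above shows up as users being asked to log in again whenever the load balancer moves them.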
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77
SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

  Friendly name                              Defined in   Example
  displayName                                eduPerson    Peter Sample
  common name (cn)                           eduPerson    Peter Sample
  mail                                       eduPerson    peter.sample@example.org
  eduPersonAffiliation                       eduPerson    staff
  eduPersonScopedAffiliation                 eduPerson    staff@example.org
  eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
  schacHomeOrganization                      SCHAC        example.org
  schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation (screenshot of the interfederation option in the Resource Registry)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82
SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (diagram)

Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations learn the SP's commitment; this increases the trust in Service Providers)
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
Comparison
REFEDS R&S                       | GÉANT DP CoCo
---------------------------------|---------------------------------
Global                           | Mainly Europe
Common purpose of the SPs        | Common data protection standards
Fixed set of attributes          | SP can require any attributes
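The two categories above are carried in metadata as values of the entity-category attribute, and the comparison table boils down to two release rules: a fixed bundle for R&S, and "whatever the SP requests" for CoCo. The following added example (not from the SWITCH handout) parses a constructed metadata snippet with the standard EntityAttributes extension and derives that decision per SP. The CoCo URI is the one printed on the slides; the REFEDS R&S URI and the R&S attribute names are assumed from the REFEDS specification; the three SP entityIDs are constructed.

```python
"""Read entity-category tags from SAML metadata and derive a release rule.

Added example, not part of the SWITCH handout or of the Shibboleth IdP.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # from the slides
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"         # REFEDS R&S category URI

# R&S bundle as listed on the slides (person name = givenName + sn or displayName)
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}

# Constructed metadata: one R&S SP, one CoCo SP with RequestedAttributes, one untagged SP
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo SP</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_metadata(xml_text=SAMPLE_METADATA):
    return ET.fromstring(xml_text)


def entity_categories(root):
    """Map entityID -> set of entity-category URIs found in EntityAttributes."""
    result = {}
    for ed in root.iterfind("md:EntityDescriptor", NS):
        cats = set()
        for attr in ed.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ENTITY_CATEGORY:
                cats.update(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
        result[ed.get("entityID")] = cats
    return result


def requested_attributes(root, entity_id):
    """FriendlyNames the SP asks for in its AttributeConsumingService (what CoCo limits release to)."""
    for ed in root.iterfind("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
            return {ra.get("FriendlyName") for ra in ed.iterfind(path, NS)}
    return set()


def release_decision(root, entity_id):
    """Mirror the comparison slide: R&S -> fixed bundle; CoCo -> only what the SP
    requests in metadata; no category -> no category-based release."""
    cats = entity_categories(root).get(entity_id, set())
    if REFEDS_RS in cats:
        return ("refeds-rs", set(RS_BUNDLE))
    if COCO_V1 in cats:
        return ("geant-coco", requested_attributes(root, entity_id))
    return ("none", set())


if __name__ == "__main__":
    root = load_metadata()
    for eid in entity_categories(root):
        print(eid, release_decision(root, eid))
```

Run against a real aggregate (for example the interfederation metadata file the IdP loads), the same two functions tell you which SPs would be covered by an R&S or CoCo release rule before you configure one in the Resource Registry.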
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Screenshot]

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Log files:
  error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
  access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
catalina.out: console output (System.err/out) from Tomcat
  default logging location: /var/log/tomcat7/
  config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO   (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  default logging location: /var/log/tomcat7/
  config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
Logging implementation: Logback (Log4j successor). Manual:
  http://logback.qos.ch/manual/index.html
Reloadability: log level changes without restarting the IdP; services.properties entry
  idp.service.logging.checkInterval = PT5M
Automatic e-mail alerts on error
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  idp-process.log: detailed description of the IdP processing requests
  idp-warn.log: filtered view of idp-process.log
  idp-audit.log: general request/response auditing records
  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
Config: /opt/shibboleth-idp/conf/logback.xml
Three main classes: Logger, Appender (output destination) and Layout
Default settings are usually OK; change them if required, i.e.
  LDAP Auth Module or authentication events
  new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
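The curl one-liner above is enough for a single reload; when the same reloads are repeated (after every configuration change, or from a deployment script) it pays to check the bean ID locally before hitting the admin flow, because an unknown ID only produces an error on the IdP side. The following added example (not from the handout and not one of the IdP's own bin/ scripts) builds the reload-service and reload-metadata URLs from the bean IDs listed on the previous slide and performs the request. The host name aai-login.example.org and the response handling are assumptions; because the admin flows are restricted to localhost by default, the script is meant to run on the IdP host itself.

```python
"""Trigger IdP v3 admin reload flows from a script.

Added example, not from the SWITCH handout. The bean IDs are the ones the
'Available bean IDs' slide lists; host name and response handling are assumptions.
"""
import urllib.error
import urllib.parse
import urllib.request

# Reloadable service beans as listed on the slide
SERVICE_BEAN_IDS = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}
ADMIN_FLOWS = ("reload-service", "reload-metadata")


def reload_url(base_url, flow, item_id):
    """Build the admin flow URL. Unknown flows and, for service reloads, unknown
    bean IDs are rejected here so a typo surfaces locally instead of as an IdP error.
    Metadata provider IDs are deployment specific, so they are not checked."""
    if flow not in ADMIN_FLOWS:
        raise ValueError(f"unknown admin flow: {flow}")
    if flow == "reload-service" and item_id not in SERVICE_BEAN_IDS:
        raise ValueError(f"not a reloadable service bean: {item_id}")
    query = urllib.parse.urlencode({"id": item_id})  # percent-encodes odd characters
    return f"{base_url.rstrip('/')}/idp/profile/admin/{flow}?{query}"


def trigger_reload(base_url, flow, item_id, opener=urllib.request.urlopen):
    """GET the reload URL and return (http_status, response_text).

    The opener parameter exists so the function can be exercised without a
    running IdP; in normal use the default urllib opener is used."""
    url = reload_url(base_url, flow, item_id)
    try:
        with opener(url, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:  # e.g. 403 when called from a non-allowed host
        return err.code, err.reason


if __name__ == "__main__":
    base = "https://aai-login.example.org"  # assumption: run on the IdP host itself
    for bean in ("shibboleth.AttributeResolverService", "shibboleth.AttributeFilterService"):
        print(bean, trigger_reload(base, "reload-service", bean))
```

A non-2xx status or an error text in the response body is the signal the hands-on exercise asks you to provoke with a deliberate syntax error; the audit log records the reload event itself, not its outcome.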
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES:
    • Were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
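The decision tree on this slide is mechanical enough to script against idp-audit.log: find the latest login of the affected user to the SP, compare the released attributes with what the Resource Registry says the SP requires, and pick one of the three outcomes. The following added example (not from the handout) does exactly that on constructed audit lines. The field layout used here (timestamp|SP entityID|IdP entityID|user|attributes) is a simplification made for the example; the real layout is defined by idp.audit.format.default in your IdP, so the field indices must be adapted to it before running this on real logs.

```python
"""Check audit log lines for the attributes an SP requires.

Added example, not from the SWITCH handout. The audit line layout is a
constructed, simplified one; adapt FIELD_* to idp.audit.format.default.
"""

# Constructed sample lines (not real IdP output)
SAMPLE_AUDIT_LINES = [
    "20150611T090012Z|https://sp.example.org/shibboleth|https://aai-login.example.org/idp/shibboleth|alice|eduPersonPrincipalName,mail,eduPersonScopedAffiliation",
    "20150611T090155Z|https://other-sp.example.org/shibboleth|https://aai-login.example.org/idp/shibboleth|bob|eduPersonTargetedID",
    "20150611T090230Z|https://sp.example.org/shibboleth|https://aai-login.example.org/idp/shibboleth|carol|",
]

# Field indices in the constructed layout (assumption; adapt to your audit format)
FIELD_SP, FIELD_USER, FIELD_ATTRS = 1, 3, 4


def parse_audit_line(line):
    """Split one pipe-separated audit line into SP, user and released attribute set."""
    fields = line.rstrip("\n").split("|")
    attrs = {a for a in fields[FIELD_ATTRS].split(",") if a}
    return {"sp": fields[FIELD_SP], "user": fields[FIELD_USER], "attributes": attrs}


def released_to(lines, sp_entity_id, user):
    """Attributes recorded as released to sp_entity_id for user in the latest
    matching line; None if the audit log holds no such login at all."""
    released = None
    for line in lines:
        rec = parse_audit_line(line)
        if rec["sp"] == sp_entity_id and rec["user"] == user:
            released = rec["attributes"]
    return released


def diagnose(lines, sp_entity_id, user, required):
    """Follow the slide's decision tree and return the next troubleshooting step."""
    released = released_to(lines, sp_entity_id, user)
    if released is None:
        return "no audit record: the login never reached attribute release"
    if not released:
        return "nothing released: check the IdP attribute release policy"
    missing = set(required) - released
    if missing:
        return "missing " + ", ".join(sorted(missing)) + ": review the attribute release policy"
    return "all required attributes released: the SP side has to check why it fails"


if __name__ == "__main__":
    required = {"eduPersonPrincipalName", "mail"}  # taken from the SP's Resource Registry entry
    for user in ("alice", "carol", "dave"):
        print(user, "->", diagnose(SAMPLE_AUDIT_LINES, "https://sp.example.org/shibboleth", user, required))
```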
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
  • Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)
Hands-on 2: Migrate LDAP configuration from IdPv2
From IdPv2, file /opt/shibboleth-idp/conf/login.properties:
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
PS: a common and equivalent alternative to userField is userFilter:
   userField="uid"  ⇔  userFilter="uid={0}"

Hands-on 2: Solution
To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]
File /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
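The migration above is a fixed mapping from JAAS module options to idp.authn.LDAP.* properties, plus two small translations: the `{0}` placeholder of a v2 userFilter becomes `{user}`, and an ldaps:// URL means useSSL rather than StartTLS. The following added example (not from the handout or the Shibboleth project) automates that mapping over the constructed copy of the login stanza shown above, and keeps the bind credential out of ldap.properties so it can be placed in credentials.properties as the Hands-on 1 solution describes. The option-to-property table and the StartTLS rule are taken from the slides; applying them to arbitrary v2 configurations beyond these options is an assumption.

```python
"""Convert a v2 JAAS LdapLoginModule stanza into v3 ldap.properties keys.

Added example, not from the SWITCH handout. The mapping follows the
Hands-on 2 slides; the input stanza is a constructed copy of the one there.
"""
import re

# Constructed copy of the v2 stanza on the slide (the credential is a placeholder)
V2_LOGIN_CONFIG = '''ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};'''

# v2 option -> v3 property (bindCredential is handled separately, see convert())
OPTION_MAP = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}
_OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text):
    """Collect all key="value" options of the stanza into a dict."""
    return dict(_OPTION_RE.findall(text))


def to_v3_user_filter(options):
    """userField=uid and userFilter=uid={0} are equivalent in v2; v3 wants (uid={user})."""
    if "userFilter" in options:
        flt = options["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else "(" + flt + ")"
    if "userField" in options:
        return "(%s={user})" % options["userField"]
    raise ValueError("no userField/userFilter in JAAS options")


def convert(text):
    """Return (ldap_properties, credentials_properties) as two dicts."""
    opts = parse_jaas_options(text)
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    for key, value in opts.items():
        if key in OPTION_MAP:
            ldap[OPTION_MAP[key]] = value
    url = opts.get("ldapUrl", "")
    # ldaps:// means LDAP over SSL, not StartTLS (as in the slide's solution)
    over_ssl = url.startswith("ldaps://")
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if over_ssl else "true"
    ldap["idp.authn.LDAP.useSSL"] = "true" if over_ssl else "false"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    ldap["idp.authn.LDAP.userFilter"] = to_v3_user_filter(opts)
    creds = {}
    if "bindCredential" in opts:  # belongs in credentials.properties, not ldap.properties
        creds["idp.authn.LDAP.bindDNCredential"] = opts["bindCredential"]
    return ldap, creds


def render(props):
    """Render a dict as .properties lines."""
    return "\n".join(f"{k} = {v}" for k, v in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = convert(V2_LOGIN_CONFIG)
    print("# ldap.properties\n" + render(ldap_props))
    print("\n# credentials.properties\n" + render(cred_props))
```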
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

[Screenshots of the login pages]

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• In /opt/shibboleth-idp/messages/ you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

[Screenshot of the rendered login page]
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views/
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.servi

ceName)
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  • Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.
UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:
<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Doable in the Resource Registry too

Hands-on 1 solution: services.xml
Loads both new files:
<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>
<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
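What makes both hands-on solutions work without a script is the behaviour of the Template definition on multi-valued sources: one rendered value per source value, so a single ${objectClass} placeholder fans out into one entitlement per object class, and a Simple definition with several dependencies simply unions their values. The following added example (not from the handout or the Shibboleth code base) replays that resolution on a constructed LDAP entry so the resulting values can be inspected before touching attribute-resolver-local.xml. Python's string.Template uses the same ${name} syntax as the ad:Template element; the constant "eduPersonEntitlement.common-lib-terms" source stands in for the SWITCHaai core definition the slide depends on, which is an assumption.

```python
"""Replay ad:Template and ad:Simple resolution for the two hands-on exercises.

Added example, not from the SWITCH handout and not the IdP's resolver code.
"""
from string import Template

# Constructed LDAP entry (attribute name -> list of values)
SAMPLE_LDAP_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson", "eduPerson"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def resolve_template(template, source_attr, attributes):
    """ad:Template: every value of the source attribute yields one rendered value;
    an absent or empty source attribute yields no values at all."""
    values = attributes.get(source_attr, [])
    return [Template(template).substitute({source_attr: v}) for v in values]


def resolve_simple(dependencies, attributes, resolved):
    """ad:Simple with several dependencies: union of the dependency values,
    order kept, duplicates dropped. Dependencies may be other definitions
    (looked up in resolved) or raw connector attributes."""
    out = []
    for dep in dependencies:
        for v in resolved.get(dep, attributes.get(dep, [])):
            if v not in out:
                out.append(v)
    return out


def resolve_hands_on(entry):
    """Run the definitions from both hands-on solutions against one entry."""
    resolved = {}
    # Hands-on 1: uzhSAPUserId = SAP-${uid}
    resolved["uzhSAPUserId"] = resolve_template("SAP-${uid}", "uid", entry)
    # Stand-in for the SWITCHaai core definition (assumption): pass the LDAP values through
    resolved["eduPersonEntitlement.common-lib-terms"] = list(entry.get("eduPersonEntitlement", []))
    # Hands-on 2: dependencyOnly="true", so this one is never released by itself
    resolved["eduPersonEntitlement.groups"] = resolve_template(
        "https://example.org/groups/${objectClass}", "objectClass", entry)
    resolved["eduPersonEntitlement"] = resolve_simple(
        ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"], entry, resolved)
    return resolved


if __name__ == "__main__":
    for name, values in resolve_hands_on(SAMPLE_LDAP_ENTRY).items():
        print(name, values)
```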
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://aai-login.example.org/idp/shibboleth" SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
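The recap above describes the ID as SHA-1 over SP entity ID, user attribute value and salt, Base64-encoded, and the SP rendering as the NameID value qualified by both entity IDs. The following added example (not from the handout or the Shibboleth code base) computes such an ID and both renderings for constructed inputs. The "!" separators between the three hash inputs and the minimum salt length of 16 characters are the conventions of Shibboleth's computed-ID connector as the author of this example understands them; treat both as assumptions and check one row of your own shibpid table against the output before relying on it. Entity IDs are the ones on the slide, the user value and salt are constructed.

```python
"""Compute a Shibboleth-style persistent ID and its on-the-wire renderings.

Added example, not from the SWITCH handout. Separator and salt-length rule
are assumptions about the IdP's computed-ID scheme; verify against shibpid.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_id(sp_entity_id, source_value, salt):
    """SHA-1 over "spEntityID!sourceValue!salt", Base64 encoded (20 bytes -> 28 chars).

    The salt is what makes the value non-reversible for anyone who knows the SP
    and the user attribute, so a short salt defeats the purpose (assumed minimum: 16)."""
    if not salt or len(salt) < 16:
        raise ValueError("salt must be at least 16 characters")
    material = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def sp_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """The Shibboleth SP renders the NameID as NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def name_id_element(idp_entity_id, sp_entity_id, persistent_id):
    """The <NameID> element as it appears in the assertion (attribute order as on the slide)."""
    return (f'<NameID Format="{PERSISTENT_FORMAT}" NameQualifier="{idp_entity_id}" '
            f'SPNameQualifier="{sp_entity_id}">{persistent_id}</NameID>')


if __name__ == "__main__":
    # Constructed user value and salt; a real salt comes from credentials.properties
    pid = computed_id(SP_ENTITY_ID, "123456@example.org", "constructedSaltValue0123")
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

Because the SP entity ID is part of the hashed material, the same user gets a different value at every SP, which is the pair-wise property the SAML quotation on the previous slide demands; changing the salt changes every ID, which is why the salt must be carried over unchanged from the v2 configuration.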
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when the attributes or the terms change.

What's in version 3

• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• With global consent disabled, users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (for Shibboleth SSO only attribute-release):

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [default: true]
• Do not ask me again: idp.consent.allowGlobal = false [default: true]

Per attribute behaviour:
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [default: false]
• Ask again if attribute values change: idp.consent.compareValues = true [default: false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

Terms for each SP, default mapping using the entityID (the colon has to be escaped in a Java properties key, otherwise the key ends at "https"):

    https\://sp.example.org/ = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

Other mappings are configurable, but the key is still the entityID (a default value is available).

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes
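The procedure above with the two checks a cautious operator adds, as an added example that is neither from the handout nor from the Shibboleth project: the unmanaged directories are archived before the installer runs, and the downloaded tarball is checked against its detached signature. It assumes the IdP lives in /opt/shibboleth-idp, that the release tarball has a .asc signature next to it and that the Shibboleth release signing key is already in the local gpg keyring; the directory tree at the bottom is a constructed stand-in for an IdP home so the backup helper can be exercised without a real installation.

```sh
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth project:
# the upgrade steps wrapped with a backup of the unmanaged directories and
# a signature check of the download. Assumptions: the IdP lives in
# /opt/shibboleth-idp, the release tarball comes with a detached .asc
# signature next to it and the Shibboleth release signing key is already
# in the local gpg keyring. The tree at the bottom is constructed.
set -eu

IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
# Directories the installer never touches but you own. "system" and
# "webapp" are managed by the installer and are deliberately left out.
UNMANAGED="conf credentials metadata views edit-webapp messages flows"

# Tar the unmanaged directories that exist below $1 into archive $2.
backup_unmanaged() {
    root="$1"; archive="$2"; dirs=""
    for d in $UNMANAGED; do
        if [ -d "$root/$d" ]; then dirs="$dirs $d"; fi
    done
    if [ -z "$dirs" ]; then echo "nothing to back up under $root" >&2; return 1; fi
    # word splitting of $dirs is intended
    tar -C "$root" -czf "$archive" $dirs
}

# Member list of a backup archive, one path per line.
archive_members() {
    tar -tzf "$1"
}

# Restart command for the two distributions covered by the handout.
restart_tomcat() {
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl restart tomcat.service      # Red Hat / CentOS 7
    else
        sudo service tomcat7 restart               # Ubuntu 14.04
    fi
}

# Verify the signature, back up, run the installer against the existing
# deployment, rebuild the war and restart. The installer is interactive;
# it defaults the installation directory to /opt/shibboleth-idp.
upgrade_idp() {
    tarball="$1"
    gpg --verify "$tarball.asc" "$tarball"
    backup_unmanaged "$IDP_HOME" "/var/backups/shibboleth-idp-$(date +%Y%m%d-%H%M%S).tgz"
    work=$(mktemp -d)
    tar -C "$work" -xzf "$tarball"
    dist=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    (cd "$dist" && ./bin/install.sh)
    "$IDP_HOME/bin/build.sh"
    rm -rf "$work"
    restart_tomcat
}

# Constructed stand-in for an IdP home: two unmanaged and two managed dirs.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/conf" "$DEMO/credentials" "$DEMO/system/conf" "$DEMO/webapp"
echo 'idp.entityID = https://idp.example.org/idp/shibboleth' >"$DEMO/conf/idp.properties"
: >"$DEMO/credentials/sealer.jks"
: >"$DEMO/system/conf/global-system.xml"
: >"$DEMO/webapp/index.jsp"
backup_unmanaged "$DEMO" "$DEMO/backup.tgz"
archive_members "$DEMO/backup.tgz"   # conf/, conf/idp.properties, credentials/, credentials/sealer.jks
```

The backup deliberately includes credentials: the sealer keystore and the IdP's signing key are the two things an in-place upgrade must never lose. A real run is `upgrade_idp /tmp/shibboleth-identity-provider-3.x.y.tar.gz` with the matching .asc alongside.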
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2), therefore no metadata/Resource Registry change is needed in theory.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints

To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch/
Home Organisation Description (screenshot of the Resource Registry form: items 1 and 2 to review, item 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in the metadata what is needed and used.  So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying that they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months; if not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
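The grep above answers the question for one binding; the added example below (not part of the SWITCH handout) generalises it to a per-binding "last used" report over any number of log files, plus a yes/no check against a cutoff date, which is what the removal decision actually needs. It assumes log lines start with an ISO timestamp as the default idp-process.log layout does; the sample lines are constructed, not real IdP output, and the binding URNs are the standard SAML ones.

```sh
#!/bin/sh
# Added example, not part of the SWITCH handout: report, for every SAML
# binding the IdP has logged, when it was last used, so endpoints can be
# removed from the Resource Registry on evidence rather than guesswork.
# Assumes the log lines start with an ISO timestamp as the default
# idp-process.log layout does; the sample lines below are constructed.
set -u

# Print "binding<TAB>last-timestamp" for each binding URN found in the
# given log files; timestamps are fixed-width, so string order is time order.
last_binding_use() {
    awk '
        match($0, /urn:oasis:names:tc:SAML:[12]\.0:(bindings|profiles):[A-Za-z0-9:._-]+/) {
            b = substr($0, RSTART, RLENGTH)
            ts = $1 " " $2
            if (!(b in last) || ts > last[b]) last[b] = ts
        }
        END { for (b in last) printf "%s\t%s\n", b, last[b] }
    ' "$@" | sort
}

# Exit 0 if binding $1 has not been used on or after $2 (YYYY-MM-DD) in
# the log files $3...: the endpoint is then a candidate for removal.
binding_unused_since() {
    binding="$1"; cutoff="$2"; shift 2
    last_binding_use "$@" | awk -F'\t' -v b="$binding" -v c="$cutoff" '
        $1 == b && substr($2, 1, 10) >= c { hit = 1 }
        END { exit hit ? 1 : 0 }'
}

# Constructed excerpt in the shape of idp-process.log lines.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
2015-01-12 08:15:02,113 - INFO [constructed.example:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth
2015-01-12 08:15:02,540 - INFO [constructed.example:1] - outbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST to https://sp.example.org/shibboleth
2015-02-03 14:02:11,007 - INFO [constructed.example:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
2015-06-01 09:45:30,881 - INFO [constructed.example:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://other.example.net/shibboleth
EOF

last_binding_use "$LOG"
binding_unused_since urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding 2015-03-01 "$LOG" \
    && echo "SAML1 SOAP binding unused since 2015-03-01: removal candidate"
```

On a real IdP, point it at the rotated files: `last_binding_use /opt/shibboleth-idp/logs/idp-process-2015-*.log`. A binding that never appears in the logs at all is reported as unused, so check that the log retention actually covers the period you care about before removing an endpoint on that basis.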
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (two diagram slides)
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • Behaviour of clients is not determinable
  • Does not guarantee sticky sessions

Options: Basic setup (active/standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side
• A server-side database can store any data
  • But it might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration); a message replayed against a different node than the one that saw it first is then not detected
  • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

    Storage entity          Recommended storage   Scope
    Conversation session    Memory                Per node
    IdP user session        Client                Per client
    Persistent ID           Common database       Cluster
    User consents           Common database       Cluster
    SAML artifacts          Common database       Cluster
    Message replay cache    Memory                Per node

Remarks:
• "Common database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP user session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP user session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
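One shape such a cronjob can take, as an added example that is neither from the handout nor the Shibboleth wiki: the designated node adds a key version, pushes keystore and version file to its peers (version file last, via an atomic rename), and a separate check reports peers whose version lags. It assumes the sealer is $IDP_HOME/credentials/sealer.jks with its counter in sealer.kver (a Java properties file with key CurrentVersion), that the keystore password is the idp.sealer.storePassword property in idp.properties, and that seckeygen.sh accepts the options shown (confirm against your installed version's --help). Host names are placeholders and the files at the bottom are constructed.

```sh
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth wiki: rotate
# the cookie sealer key on the designated node and push keystore plus
# version file to the other nodes. Assumptions: the sealer is
# $IDP_HOME/credentials/sealer.jks with its counter in sealer.kver (a Java
# properties file with key CurrentVersion), the keystore password is the
# idp.sealer.storePassword property in idp.properties, and seckeygen.sh
# takes the options shown here (check your installed version's --help).
# Host names are placeholders; the files at the bottom are constructed.
set -eu

IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
PEERS=${PEERS:-"idp2.example.org idp3.example.org"}
KEYSTORE="$IDP_HOME/credentials/sealer.jks"
VERSIONFILE="$IDP_HOME/credentials/sealer.kver"

# Value of property $2 in Java properties file $1 (first match).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# CurrentVersion recorded in a sealer.kver file.
kver_version() {
    prop "$1" CurrentVersion
}

# Add a new key version, keeping the most recent $1 versions so cookies
# sealed with older keys still open; the IdP re-reads the version file on
# its own, no restart is needed. The password ends up on the command line
# (briefly visible in ps), as in the wiki's own cron example.
rotate_local() {
    keep="${1:-30}"
    pass=$(prop "$IDP_HOME/conf/idp.properties" idp.sealer.storePassword)
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$KEYSTORE" --storepass "$pass" \
        --versionfile "$VERSIONFILE" --alias secret --count "$keep"
}

# Copy the keystore first and the version file last, each via a temporary
# name and an atomic rename, so a peer never announces a version whose key
# its keystore does not yet contain.
distribute() {
    for host in $PEERS; do
        for f in "$KEYSTORE" "$VERSIONFILE"; do
            scp -q "$f" "$host:$f.new"
            ssh "$host" "mv $f.new $f"
        done
    done
}

# Report peers whose version differs from this node's; non-zero if any does.
check_cluster() {
    local_v=$(kver_version "$VERSIONFILE"); rc=0
    for host in $PEERS; do
        remote_v=$(ssh "$host" "sed -n 's/^CurrentVersion=//p' $VERSIONFILE")
        if [ "$remote_v" != "$local_v" ]; then
            echo "$host is at version ${remote_v:-unknown}, this node at $local_v" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed files in the shape the IdP writes and reads.
KVER=$(mktemp); PROPS=$(mktemp)
printf '#Fri Jun 05 03:00:01 CEST 2015\nCurrentVersion=12\n' >"$KVER"
printf 'idp.sealer.storePassword = changeit\nidp.sealer.keyPassword = changeit\n' >"$PROPS"
kver_version "$KVER"                         # 12
prop "$PROPS" idp.sealer.storePassword       # changeit
```

A nightly cron entry on the designated node would run `rotate_local 30 && distribute`, and a monitoring check on any node can run `check_cluster`; the ordering in distribute matters because a node that has the new CurrentVersion but not the new keystore entry would fail to seal new sessions.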
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
• http://www.edugain.org/
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

    Friendly name                Defined in   Example
    displayName                  eduPerson    Peter Sample
    common name (cn)             eduPerson    Peter Sample
    mail                         eduPerson    peter.sample@example.org
    eduPersonAffiliation         eduPerson    staff
    eduPersonScopedAffiliation   eduPerson    staff@example.org
    eduPersonPrincipalName       eduPerson    234cd8z239@example.org
    schacHomeOrganization        SCHAC        example.org
    schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/ (screenshot of the Resource Registry option)

eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

eduGAIN policy documents (diagram): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (diagram)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs) (diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations learn the SP's commitment)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                      GÉANT DP CoCo
    Global                          Mainly Europe
    Common purpose of the SPs       Common data protection standards
    Fixed set of attributes         SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/server.xml (AccessLogValve: output dir, prefix and suffix)
  • not to be confused with localhost.YYYY-MM-DD.log, which receives the web applications' own log output as configured in logging.properties
Shibboleth log files (1)

• Logging implementation: Logback, the Log4j successor. Manual: http://logback.qos.ch/manual/index.html
• Reloadability: the log level can be changed without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender, ...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

By default the SMTPAppender sends one mail per ERROR event and includes the events buffered before it; with the root logger at DEBUG, that buffer can contain user names and request details, and the mail leaves the host in clear text, so keep the recipient inside your organisation and lower the root level again after the hands-on.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …|||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …|||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date, interfederation metadata gets loaded
  – IdP: additional attributes, user consent
  – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    – If YES: the SP has to check out why it fails
    – If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"  is the same as  userFilter="uid={0}"
Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
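The mapping from the v2 JAAS options to the v3 ldap.properties keys, as an added example that is not part of the handout or of the Shibboleth project. The JAAS text is constructed sample input mirroring the slide; the key mapping follows the slide, while deriving useSSL/useStartTLS from the URL scheme is my own assumption.

```python
"""Convert v2 LdapLoginModule options into v3 ldap.properties keys (added example)."""
import re

# Constructed sample input, mirroring the hands-on slide
V2_JAAS = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

# key="value" pairs of the login module (values without embedded double quotes)
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text: str) -> dict:
    """Return the option=value pairs found in the JAAS login module block."""
    return dict(OPTION_RE.findall(text))


def v3_user_filter(opts: dict) -> str:
    """userField="uid" and userFilter="uid={0}" both become (uid={user}) in v3."""
    if "userFilter" in opts:
        f = opts["userFilter"].replace("{0}", "{user}")
        return f if f.startswith("(") else f"({f})"
    return f"({opts['userField']}={{user}})"


def to_ldap_properties(opts: dict) -> tuple:
    """Map v2 options to v3 keys; the bind password is returned separately."""
    urls = opts["ldapUrl"].split()
    all_ldaps = all(u.startswith("ldaps://") for u in urls)
    props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # assumption: plain ldap:// URLs get StartTLS so the bind never goes in clear
        "idp.authn.LDAP.useStartTLS": "false" if all_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if all_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": v3_user_filter(opts),
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    # kept apart so the secret can live wherever your deployment keeps credentials
    secrets = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return props, secrets


def render(props: dict) -> str:
    """Java properties text, one 'key = value' per line."""
    return "\n".join(f"{k} = {v}" for k, v in props.items()) + "\n"


if __name__ == "__main__":
    p, s = to_ldap_properties(parse_jaas_options(V2_JAAS))
    print(render(p))
    print(render(s))
```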
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details
References: Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site
Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity Properties

  <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
    @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
  Mapping both error classes to the same message also keeps the login form from revealing whether a given username exists.
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
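The computed persistent ID described above, as an added example (not code from the handout or from the Shibboleth project): SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded, plus the string form the Shibboleth SP renders. The byte layout ('!' separators, salt last) follows the IdP 2 ComputedID connector as I recall it and is an assumption here; all entity IDs, the user value and the salt are constructed sample data.

```python
"""Computed persistent ID demo (added example, not Shibboleth code)."""
import base64
import hashlib


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Pairwise pseudonym of one user for one SP.

    Assumed layout: SHA-1(sp_entity_id + '!' + source_value + '!' + salt),
    Base64 encoded; 20 digest bytes become 28 characters ending in '='.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def rendered_by_sp(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """String form exposed by the Shibboleth SP: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def demo() -> dict:
    """Constructed sample data showing the properties the slides rely on."""
    idp = "https://aai-login.example.org/idp/shibboleth"
    sp1 = "https://sp.example.org/shibboleth"
    sp2 = "https://other-sp.example.org/shibboleth"
    user = "123456@example.org"            # e.g. a swissEduPersonUniqueID value
    salt = b"constructed-demo-salt-change-me"
    pid_sp1 = computed_persistent_id(sp1, user, salt)
    return {
        "pid_sp1": pid_sp1,
        "length_bytes": len(base64.b64decode(pid_sp1)),
        # same user, SP and salt always yield the same ID
        "stable": pid_sp1 == computed_persistent_id(sp1, user, salt),
        # a different SP gets a different ID: SPs cannot correlate users
        "pairwise": pid_sp1 != computed_persistent_id(sp2, user, salt),
        # losing the salt (e.g. not carrying it over from v2) changes every ID
        "salt_dependent": pid_sp1 != computed_persistent_id(sp1, user, b"another-salt"),
        "rendered": rendered_by_sp(idp, sp1, pid_sp1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```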
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.

Consent duration options
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling prompt for particular SPs: Relying party overrides
Template beans in conf/relying-party.xml to match SPs by:
- name: entityID
- group: <EntitiesDescriptor> in metadata
- tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.
Disabling prompt for particular SPs: Entity attributes in metadata
Entity categories:
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship
New attributes available:
- swissEduPersonHomeOrganization
- swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                        Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override
Disables flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
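To see how the tag matching above behaves against the metadata example, here is an added illustration (not from the handout and not IdP code) that parses the <EntityAttributes> extension and applies the RelyingPartyByTag/TagCandidate and first-match-wins rules; the override lists, their ids and the "consent" flag are a simplification of what the profile configurations in the override achieve, and the namespace declarations were added so the snippet parses on its own.

```python
"""Emulate IdPv3 relying-party override selection on entity attributes.

An override matches when the entity carries the named attribute with one of
the listed values (TagCandidate) or is named directly (by entityID); the first
matching override in the list wins, as in conf/relying-party.xml.
"""
import xml.etree.ElementTree as ET

NS = {  # standard SAML 2.0 metadata / entity attribute namespaces
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed from the slide's example; namespace declarations added so it parses.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>
          {COCO_V1}
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{SWISS_HOME_ORG}">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                      Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""


def entity_attributes(metadata_xml):
    """Return (entityID, {attribute Name: [values]}) from one EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return root.get("entityID"), attrs


def tag_matches(attrs, name, values):
    """TagCandidate semantics: attribute `name` is present with any of `values`."""
    return bool(set(attrs.get(name, ())) & set(values))


def select_override(entity_id, attrs, overrides):
    """First matching override wins; None means the default relying party applies."""
    for override in overrides:
        if entity_id in override.get("names", ()):
            return override
        if any(tag_matches(attrs, n, v) for n, v in override.get("tags", ())):
            return override
    return None


def consent_required(entity_id, attrs, overrides):
    """The default relying party prompts for consent; an override may disable it."""
    override = select_override(entity_id, attrs, overrides)
    return True if override is None else override["consent"]


# Modelled on the slide's override: consent disabled for SPs of home organisation
# example.org. The attribute-viewer entity belongs to switch.ch, so it does not match.
SLIDE_OVERRIDES = [
    {"id": "shibboleth.NoUserConsentRelyingParty",
     "tags": [(SWISS_HOME_ORG, ["example.org"])], "consent": False},
]
# Hypothetical variation (ids are made up): keep consent for one named SP listed
# first, disable it for every SP carrying the CoCo entity category. Order matters.
CATEGORY_OVERRIDES = [
    {"id": "KeepConsentForViewer",
     "names": ["https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth"],
     "consent": True},
    {"id": "NoConsentForCoCo", "tags": [(ENTITY_CATEGORY, [COCO_V1])], "consent": False},
]

if __name__ == "__main__":
    eid, attrs = entity_attributes(SAMPLE_METADATA)
    print(eid, attrs)
    print("slide overrides -> consent required:", consent_required(eid, attrs, SLIDE_OVERRIDES))
    print("category overrides -> consent required:", consent_required(eid, attrs, CATEGORY_OVERRIDES))
```

Reversing CATEGORY_OVERRIDES makes the CoCo tag match first and disables consent for the same entity, which is the "first match wins" point of the slide.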
Page 58
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
- Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux).
- Unpack it at any convenient location (it won't be needed afterwards).
- Change into the newly created distribution directory.
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp.
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes).
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file.
- Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service
Good to know
- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp.
- Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References: Documentation
- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (Resource Registry screenshot)
1, 2: To review
3: To adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
- 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
- 2 Descriptive Information: add new IP ranges and Domain Hints
- 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
- 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/...
to
  https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
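The grep above answers the question for one binding; as an added example (not from the handout), the script below generalises it to all bindings the slide lists as removal candidates, reporting the last use and the SPs involved, and flagging only bindings unused within a window. The log lines are constructed and the real idp-process.log layout depends on conf/logback.xml, so only the leading timestamp, the binding URN and an https:// entityID in the line are relied upon.

```python
"""Last-use check for SAML bindings before removing endpoints from metadata."""
import re
from datetime import datetime, timedelta

# Binding URNs the slide names as removal candidates (standard SAML binding URNs).
CANDIDATE_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign":
        "Single Sign On Service, SAML2 HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding":
        "Attribute / Artifact Resolution Service, SAML1 SOAP",
}

# Constructed sample lines (not real IdP output); only the fields below are parsed.
SAMPLE_LOG = """\
2014-11-05 08:12:03,417 - INFO [...] - relying party 'https://old-sp.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
2015-01-10 14:03:55,002 - INFO [...] - relying party 'https://sp.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-05-30 16:45:10,930 - INFO [...] - relying party 'https://portal.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-06-01 09:00:00,001 - INFO [...] - relying party 'https://sp.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-06-01 09:00:01,230 - DEBUG [...] - unrelated message without any binding
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:\d\.\d:bindings:[A-Za-z0-9-]+")
ENTITY_RE = re.compile(r"https?://[^\s'\"]+")


def last_use(log_text):
    """Return {binding_urn: (last_seen datetime, sorted list of SP entityIDs)}."""
    seen = {}
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        binding_match = BINDING_RE.search(line)
        if not ts_match or not binding_match:
            continue  # no timestamp or no binding URN: not a binding use
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        binding = binding_match.group(0)
        last_ts, sps = seen.get(binding, (None, set()))
        newest = ts if last_ts is None or ts > last_ts else last_ts
        seen[binding] = (newest, sps | set(ENTITY_RE.findall(line)))
    return {b: (ts, sorted(sps)) for b, (ts, sps) in seen.items()}


def removal_candidates(usage, reference_day, window_days=90):
    """Candidate bindings not used within `window_days` before `reference_day` (YYYY-MM-DD).

    A binding never seen in the scanned logs is reported too, so the scanned
    files must really cover the 'last few months' the slide asks about.
    """
    cutoff = datetime.strptime(reference_day, "%Y-%m-%d") - timedelta(days=window_days)
    result = []
    for binding, label in CANDIDATE_BINDINGS.items():
        ts, sps = usage.get(binding, (None, []))
        if ts is None or ts < cutoff:
            result.append((binding, label, ts, sps))
    return result


if __name__ == "__main__":
    usage = last_use(SAMPLE_LOG)
    for binding, label, ts, sps in removal_candidates(usage, "2015-06-10"):
        when = ts.date().isoformat() if ts else "never in scanned logs"
        print(f"{label}: last used {when} by {', '.join(sps) or '-'}")
```

With the sample lines, the SAML1 SOAP binding was used on 2015-05-30 and is kept, while the SimpleSign binding (last seen 2014-11-05) is reported as removable.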
Page 68
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing.
- Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations.
- A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation.
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails.
- Users should not need to re-login if a server fails or is manually removed from the cluster.
Page 69
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2.
- Especially, user login sessions are stored on the client instead of on the server in memory.
- Allows flexible configuration of various storage services (memory, server-side, client-side).
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID.
  - Storing user consents per browser is not convenient for users.
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP.
- Special configuration of the IdP is required.
- Load balancing requires special hardware or software.
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Page 70
Example Environment (figures)
Page 71
Options: Full-featured setup
Load Balancing Hardware vs DNS Round Robin
- Special load balancing hardware or software is highly recommended:
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  - Supports sticky sessions (required for short-lived conversation sessions)
- DNS Round Robin doesn't work reliably:
  - Behavior of clients is not determinable
  - Does not guarantee sticky sessions
Basic setup (Active/Standby system)
- Anycast IP address: fast switching possible, but more complicated setup
- Switching via DNS: switching takes some time (TTL), but setup is easy
Options: Data storage, client-side vs server-side
- Server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  - Floatable between nodes (stored on client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

  Storage Entity          Recommended Storage   Scope
  Conversation Session    Memory                Per Node
  IdP User Session        Client                Per Client
  Persistent ID           Common Database       Cluster
  User consents           Common Database       Cluster
  SAML artifacts          Common Database       Cluster
  Message replay cache    Memory                Per Node

Remarks
- Common Database means some central/clustered database or a database replicated between nodes.
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
- Alternatives for Message replay cache: Common Database or memcached (depending on security requirements).
IdP Configuration: Storage
- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
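As an added example (not from the handout), an idp.properties fragment applying the storage recommendations table to a cluster: the property names are those listed above, shibboleth.StorageService and shibboleth.ClientSessionStorageService are the IdP's built-in in-memory and encrypted-cookie storage beans, and shibboleth.JPAStorageService is the database-backed service defined in conf/global.xml as described above. The Persistent ID is the exception and stays configured in global.xml.

```properties
# Added example, not the handout's configuration. Per-entity storage services
# for a clustered IdPv3 following the recommendations table.

# IdP User Session: client-side (encrypted cookie), floats between nodes.
idp.session.StorageService = shibboleth.ClientSessionStorageService

# User consents: common database, so a user may switch browsers/clients.
# (Client-side storage would make consent per browser and too large for cookies.)
idp.consent.StorageService = shibboleth.JPAStorageService

# SAML artifacts: common database, all active nodes must see the same data.
# Irrelevant if SAML 2.0 artifacts are not used at all.
idp.artifact.StorageService = shibboleth.JPAStorageService

# Message replay cache: per-node memory is the default and the table's
# recommendation; for higher security requirements switch to the common
# database so a replayed message is rejected on every node.
idp.replayCache.StorageService = shibboleth.StorageService
#idp.replayCache.StorageService = shibboleth.JPAStorageService
```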
IdP Configuration: Secret Key Management
- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
- Setup:
  - Decide for a node that is responsible for generating the secret keys and copying them to the other nodes.
  - Install an appropriate cronjob.
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited.
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
- Terracotta
  - No longer an option for IdPv3.
Considerations for planning an IdP cluster
- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
Page 76
References: Documentation
- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for Interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
- Most federations are of national scope
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  - Research projects are mostly multi-national
- Interconnecting national federations: Interfederation
  - Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map: Production / Pilot)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

  Friendly name                  Defined in   Example
  displayName                    eduPerson    Peter Sample
  common name (cn)               eduPerson    Peter Sample
  mail                           eduPerson    peter.sample@example.org
  eduPersonAffiliation /         eduPerson    staff / staff@example.org
    eduPersonScopedAffiliation
  eduPersonPrincipalName         eduPerson    234cd8z239@example.org
  schacHomeOrganization          SCHAC        example.org
  schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt-in for eduGAIN
  - Some federations decided for opt-out instead
- MDS fetches, aggregates and republishes metadata
Policy framework (figure): Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for international coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other
In interfederation context:
- Filling the gap of missing common policies
- Support or increase scalable trust
Metadata (figure)
Page 84
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs) (figure): SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.
Code of Conduct Toolkit:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo
Non-normative informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
- R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

  REFEDS R&S                     GÉANT DP CoCo
  Global                         Mainly Europe
  Common purpose of the SPs      Common data protection standards
  Fixed set of attributes        SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (figure)
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
- error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties: FileHandler.level INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
- Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restart of the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
- idp-process.log: detailed description of the IdP processing requests
- idp-warn.log: filtered view of idp-process.log
- idp-audit.log: general request/response auditing records
- idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
- Configuration: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings are usually ok. Change them if required, i.e.:
  - LDAP Auth Module or authentication events
  - new Logger or Appender…
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
- reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
- by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
- say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
- and a few more of course… but under normal operating conditions such reconfigurations relatively rarely occur
Page 97
(Ideas for) hands-on exercises
- try reloading a couple of the services listed on slide 4 (Available bean IDs for service reloads):
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding:
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date:
    - Interfederation Metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - Federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • in SWITCHaai: two hours
  • for interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to find out why it fails
    • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed but not encrypted SAML assertions, so the problem was not discovered earlier.
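The decision tree above, applied mechanically to idp-audit.log lines, as an added example (not part of the SWITCH handout or the IdP software). The pipe-separated column layout used here is this example's own simplification of the IdP v3 audit format (the real layout is set by the idp.audit.* properties), and the log lines are constructed sample data; the SP entity IDs are placeholders.

```python
"""Verify attribute release to an SP from idp-audit.log lines and classify the
outcome the way the troubleshooting slide does.

Assumed (simplified) column layout, NOT the IdP's exact default:
    time|binding|relying party|profile|username|released attributes
"""

# Constructed sample lines: two logins of "alice" and one reload event.
SAMPLE_AUDIT = """\
20150611T080001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|eduPersonPrincipalName,mail,givenName
20150611T080130Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|https://filesender.example.edu/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|eduPersonPrincipalName
20150611T081500Z|||http://shibboleth.net/ns/profiles/reload-metadata||
"""

FIELDS = ("time", "binding", "relying_party", "profile", "username", "attributes")


def parse_audit(text):
    """Split pipe-delimited audit lines into dicts; lines with a different
    column count are skipped rather than misread."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        # empty attribute field (reload events, failed logins) -> empty set
        rec["attributes"] = set(filter(None, rec["attributes"].split(",")))
        records.append(rec)
    return records


def released_to(records, relying_party, username=None):
    """Union of attribute names the IdP released to relying_party, optionally
    restricted to one user. An empty set means nothing was released."""
    released = set()
    for rec in records:
        if rec["relying_party"] != relying_party:
            continue
        if username is not None and rec["username"] != username:
            continue
        released |= rec["attributes"]
    return released


def diagnose(records, relying_party, required, username=None):
    """Return (verdict, missing) following the slide's decision tree:
    nothing released        -> check the IdP's attribute release policy
    some required missing   -> review the release policy
    all required released   -> the SP has to find out why it fails"""
    released = released_to(records, relying_party, username)
    missing = set(required) - released
    if not released:
        return "nothing-released-check-release-policy", missing
    if missing:
        return "incomplete-release-review-release-policy", missing
    return "all-released-sp-must-investigate", missing


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    # Required set would come from the SP's entry in the Resource Registry.
    print(diagnose(recs, "https://filesender.example.edu/shibboleth",
                   {"eduPersonPrincipalName", "mail"}))
```

Feed it the real file with `parse_audit(open("/opt/shibboleth-idp/logs/idp-audit.log").read())` after adjusting FIELDS to your configured audit format; the reload-event line shows why the column count check matters.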
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck, provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation"
  • or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103
Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  • Connecting to other user directories like RDBMS (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References, Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22
Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – customize look and feel
  – customize messages/languages
  – add text to your login site

Page 23

Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Page 25
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Page 27

Velocity Properties
  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Page 30
Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"

Page 31

Hands On III
• Start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I
• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Page 33
Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.

New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36

New features example
  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}" queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by the University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml
New file with:
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:
  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
Doable in the Resource Registry too.

Page 38

Hands-on 1 solution: services.xml
Loads both new files:
  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41
Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
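The computation described in the bullet above, as an added example (not the IdP's own code): SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded, plus a check of the pairwise property that makes the identifier useless for correlating a user across SPs. The byte layout `spEntityID!value!salt` is my recollection of Shibboleth's computed-ID strategy and the 16-byte minimum salt length is an assumption; if your deployment differs, only the exact output changes, not the properties asserted. Entity IDs and salt are placeholders.

```python
"""Computed persistent ID, modelled after the description on the slide."""
import base64
import hashlib

MIN_SALT_BYTES = 16  # assumption about what the IdP enforces; a short salt is brute-forceable


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1(spEntityID + '!' + sourceValue + '!' + salt), Base64 encoded.
    The '!' separators are an assumption; they prevent ambiguous concatenation
    of the three inputs."""
    salt_bytes = salt.encode("utf-8")
    if len(salt_bytes) < MIN_SALT_BYTES:
        raise ValueError("salt too short: use a long random secret and never rotate it casually")
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt_bytes)
    return base64.b64encode(h.digest()).decode("ascii")  # 20 bytes -> 28 characters


def sp_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """String form the Shibboleth SP exposes: IdP qualifier!SP qualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def is_pairwise(source_value, salt, sp_a, sp_b):
    """Same user, two different SPs: the identifiers must differ."""
    return (computed_persistent_id(sp_a, source_value, salt)
            != computed_persistent_id(sp_b, source_value, salt))


if __name__ == "__main__":
    salt = "a-long-random-salt-value-0123456789"  # placeholder, generate your own
    pid = computed_persistent_id("https://sp.example.org/shibboleth",
                                 "123456@example.org", salt)
    print(sp_rendering("https://aai-login.example.org/idp/shibboleth",
                       "https://sp.example.org/shibboleth", pid))
```

Because the ID is a deterministic function of the salt, losing or changing the salt changes every user's identifier at every SP, which is why the slides tell you to carry the v2 salt over into credentials.properties; keep that file readable only by the IdP's user.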
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45
User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release):
  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per attribute behaviour:
• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
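The consent decisions of the last three slides (duration options, compareValues, and the black-listed identifier attributes that are never shown) as a small model, added here as an example; it is not the IdP's consent storage and the class and method names are mine. The default values mirror idp.consent.allowDoNotRemember, idp.consent.allowGlobal and idp.consent.compareValues; attribute values in the tests are constructed.

```python
"""Model of the IdP v3 attribute-release consent decision."""

# Intercept black list: identifiers the user is never prompted about.
BLACK_LIST = {"transientId", "persistentId", "eduPersonTargetedID"}


def fingerprint(attributes, compare_values):
    """What a stored consent remembers: the set of attribute names shown to
    the user, and with compareValues also their values (order-independent)."""
    shown = {name: values for name, values in attributes.items() if name not in BLACK_LIST}
    if compare_values:
        return frozenset((name, frozenset(values)) for name, values in shown.items())
    return frozenset(shown)


class ConsentStore:
    def __init__(self, allow_do_not_remember=True, allow_global=False, compare_values=False):
        self.allow_do_not_remember = allow_do_not_remember   # idp.consent.allowDoNotRemember
        self.allow_global = allow_global                     # idp.consent.allowGlobal
        self.compare_values = compare_values                 # idp.consent.compareValues
        self._per_sp = {}     # (user, sp entityID) -> fingerprint
        self._global = set()  # users who chose "do not ask me again, for any SP"

    def choices(self):
        """Duration options the consent page may offer."""
        offered = ["if-changes"]            # always available
        if self.allow_do_not_remember:
            offered.append("next-login")
        if self.allow_global:
            offered.append("global")
        return offered

    def record(self, user, sp, attributes, choice="if-changes"):
        if choice not in self.choices():
            raise ValueError(f"duration choice {choice!r} is not enabled")
        if choice == "next-login":
            return  # nothing stored: the user is asked again at the next login
        if choice == "global":
            self._global.add(user)
        self._per_sp[(user, sp)] = fingerprint(attributes, self.compare_values)

    def prompt_required(self, user, sp, attributes):
        """True when the consent page must be shown for this release."""
        if user in self._global:
            return False
        stored = self._per_sp.get((user, sp))
        if stored is None:
            return True  # first access to this SP
        return stored != fingerprint(attributes, self.compare_values)
```

With the defaults, a change in an attribute's value (a new mail address, say) does not re-prompt; only a change in the set of released attributes does. Set compare_values=True to re-prompt on value changes, at the cost of more prompts for attributes that legitimately change often.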
Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP:
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
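How the key bean and the message properties fit together, for both the provided compose/forMap mapping and the hands-on constant variant, as an added example that is not IdP code: plain Python functions stand in for Guava's Functions.compose, forMap and constant, and for the shibboleth.RelyingPartyIdLookup.Simple bean. Entity IDs and message keys are those from the slides; the one extra property `example-terms = example-tou-1` is an assumption added so that the provided mapping resolves to a ToU text.

```python
"""Terms-of-use key resolution: key function -> message key -> title/text."""


def for_map(mapping, default):
    """Functions.forMap(map, defaultValue): look the key up, fall back to default."""
    return lambda key: mapping.get(key, default)


def compose(g, f):
    """Functions.compose(g, f): x -> g(f(x))."""
    return lambda x: g(f(x))


def constant(value):
    """Functions.constant(value): ignore the input, always return value."""
    return lambda _ignored: value


def relying_party_id_lookup(profile_context):
    """Stands in for shibboleth.RelyingPartyIdLookup.Simple."""
    return profile_context["relyingPartyId"]


# Provided bean: per-entityID keys, default "terms-of-use" for everyone else.
tou_key_default = compose(
    for_map({"https://sp.example.org/shibboleth": "example-terms"}, "terms-of-use"),
    relying_party_id_lookup,
)

# Hands-on variant: one ToU for every SP, whatever the relying party is.
tou_key_single = constant("my-terms")

# consent-messages.properties as a dict: key -> ToU id, then <id>.title / <id>.text
MESSAGES = {
    "https://sp.example.org": "example-tou-1",
    "example-terms": "example-tou-1",   # assumption, not on the slide
    "example-tou-1.title": "Example Terms of Use",
    "example-tou-1.text": "<em>This is an example ToU</em> [...]",
    "my-terms": "bogus-tou",
    "bogus-tou.title": "Bogus Terms of Use",
    "bogus-tou.text": "You can do anything you want.",
}


def resolve_terms(key_function, messages, profile_context):
    """Return (title, text) for the SP in profile_context, or None when the key
    resolves to no ToU id (then there is nothing the flow could display)."""
    key = key_function(profile_context)
    tou_id = messages.get(key)
    if tou_id is None:
        return None
    return messages.get(tou_id + ".title"), messages.get(tou_id + ".text")
```

Note that with the provided bean every SP not in the map gets the key "terms-of-use"; unless consent-messages.properties defines that key, those SPs have no terms to show, so check the default value as carefully as the per-SP entries.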
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:
  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
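The override selection described in this appendix (match by name, group or tag; first match wins), run against the metadata extension from the slide, as an added example that is not IdP code. The metadata below is constructed from the slide's example plus a second, fictitious SP with home organisation example.org; the EntitiesDescriptor group name and the candidate class names are this example's own.

```python
"""Relying-party override selection driven by SAML metadata entity attributes."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# Constructed metadata: the slide's entity plus one fictitious example.org SP.
METADATA = """<md:EntitiesDescriptor Name="urn:mace:switch.ch:SWITCHaai"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4" FriendlyName="swissEduPersonHomeOrganization">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4" FriendlyName="swissEduPersonHomeOrganization">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_entities(xml_text):
    """entityID -> {"groups": [enclosing EntitiesDescriptor Names], "tags": {Name: {values}}}"""
    entities = {}

    def walk(el, groups):
        if el.tag == "{%s}EntitiesDescriptor" % NS["md"]:
            if el.get("Name"):
                groups = groups + [el.get("Name")]
            for child in el:
                walk(child, groups)
        elif el.tag == "{%s}EntityDescriptor" % NS["md"]:
            tags = {}
            for attr in el.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
                values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
                tags.setdefault(attr.get("Name"), set()).update(values)
            entities[el.get("entityID")] = {"groups": groups, "tags": tags}

    walk(ET.fromstring(xml_text), [])
    return entities


class ByName:                      # RelyingPartyByName
    def __init__(self, *entity_ids):
        self.entity_ids = set(entity_ids)

    def matches(self, entity_id, info):
        return entity_id in self.entity_ids


class ByGroup:                     # RelyingPartyByGroup
    def __init__(self, group_name):
        self.group_name = group_name

    def matches(self, entity_id, info):
        return self.group_name in info["groups"]


class TagCandidate:                # TagCandidate under RelyingPartyByTag
    def __init__(self, name, values):
        self.name, self.values = name, set(values)

    def matches(self, entity_id, info):
        return bool(info["tags"].get(self.name, set()) & self.values)


def select_override(entity_id, entities, overrides, default="shibboleth.DefaultRelyingParty"):
    """overrides: ordered list of (bean id, [candidates]); the first bean with
    any matching candidate wins, otherwise the default relying party applies."""
    info = entities.get(entity_id, {"groups": [], "tags": {}})
    for bean_id, candidates in overrides:
        if any(c.matches(entity_id, info) for c in candidates):
            return bean_id
    return default
```

Because the tag match keys on metadata you import, anyone who can publish an entity attribute into your metadata feed can switch that SP into the no-consent override; only trust entity attributes from a signed feed whose registrar validates them.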
Page 58
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

Page 60

References, Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61
Updating the Home Organisation Description
Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
1, 2: to review
3: to adapt

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

Page 65

2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata. The security of the query therefore rests on the integrity of the metadata on both sides.

Page 66

2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/...
to
  https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months; if not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
Page 68
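To turn the grep above into a report over a whole year of logs (last use per binding and per SP, plus the bindings never seen at all), here is an added example script; it is not from the SWITCH slides or the Shibboleth distribution. The log lines embedded in it are constructed for the demonstration and deliberately not the real idp-process.log layout, so LINE_RE must be adapted to the actual line format before the script is pointed at real logs. The binding URNs are the removal candidates named on the slide plus the SAML2 bindings that normally stay.

```python
"""Report the last use of each SAML binding per SP from IdP log lines.

Added example (not SWITCH's or the Shibboleth project's code). The sample
log lines are constructed and are NOT the real idp-process.log layout:
adapt LINE_RE to your own log format before using it on real logs.
"""
import re
import sys
from collections import defaultdict

# Binding URNs from the slide (removal candidates) plus the ones that normally
# stay. Assumption: these are the bindings you care about.
BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding": "SAML1 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign": "SAML2 POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "SAML2 POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SAML2 SOAP",
}

# Hypothetical line layout: "<timestamp> - <level> [...] - <message>" where the
# message quotes the SP entityID after "relying party" and names the binding.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"relying party '(?P<sp>[^']+)'.*?(?P<binding>urn:oasis:names:tc:SAML:[^\s,']+)"
)


def last_use_by_binding(lines):
    """Return {binding_urn: {sp_entity_id: last_timestamp}} for known bindings."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("binding") not in BINDINGS:
            continue
        binding, sp, ts = m.group("binding"), m.group("sp"), m.group("ts")
        # Keep the latest timestamp per (binding, SP); files may be unordered.
        if ts > seen[binding].get(sp, ""):
            seen[binding][sp] = ts
    return seen


def removal_candidates(lines, keep=("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",)):
    """Known bindings never seen in the scanned lines (minus the ones to keep anyway)."""
    used = last_use_by_binding(lines)
    return sorted(b for b in BINDINGS if b not in used and b not in keep)


# Constructed sample, not real IdP output.
SAMPLE_LOG = """\
2015-03-02 10:15:01 - INFO [net.shibboleth.idp.saml.profile:120] - Inbound message from relying party 'https://sp1.example.org/shibboleth' via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-04-11 08:02:44 - INFO [net.shibboleth.idp.saml.profile:120] - Inbound message from relying party 'https://legacy.example.org/shibboleth' via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-01-20 23:59:59 - INFO [net.shibboleth.idp.saml.profile:120] - Inbound message from relying party 'https://legacy.example.org/shibboleth' via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-05-05 12:00:00 - WARN [net.shibboleth.idp.saml.profile:120] - Something unrelated without a binding
"""

if __name__ == "__main__":
    lines = []
    for path in sys.argv[1:]:          # e.g. /opt/shibboleth-idp/logs/idp-process-2015-*.log
        with open(path) as fh:
            lines.extend(fh)
    lines = lines or SAMPLE_LOG.splitlines()
    for binding, sps in last_use_by_binding(lines).items():
        for sp, ts in sorted(sps.items()):
            print(f"{BINDINGS[binding]:24} last used {ts}  {sp}")
    print("never seen:", ", ".join(removal_candidates(lines)) or "-")
```

Run it with the log files as arguments; without arguments it processes the embedded sample. A binding that shows up only for SPs that no longer exist in metadata is as good as unused, so cross-check the reported entityIDs against the Resource Registry before removing the endpoint.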
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing.
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations.
  - A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation.
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails.
  - Users should not need to re-login if a server fails or is manually removed from the cluster.
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2.
  - Especially, user login sessions are stored on the client instead of in server memory.
  - Allows flexible configuration of various storage services (memory, server-side, client-side).
- In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID.
  - Storing user consents per browser is not convenient for users.
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP.
- Special configuration of the IdP is required.
- Load balancing requires special hardware or software.
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment
(two diagram slides; figures not reproduced)
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
- Special load balancing hardware or software is highly recommended:
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored.
  - Supports sticky sessions (required for short-lived conversation sessions).
- DNS round robin doesn't work reliably:
  - Behavior of clients is not determinable.
  - Does not guarantee sticky sessions.

Options: Basic setup (active/standby system)
- Anycast IP address: fast switching possible, but more complicated setup.
- Switching via DNS: switching takes some time (TTL), but the setup is easy.
Options: Data storage, client-side vs. server-side
- Server-side database can store any data.
  - But: might cause some performance penalty.
  - Centralized/clustered or replicated database required.
- Client-side storage using cookies:
  - Doesn't work for large data like user consents.
  - Stored per single client; not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. the SAML2 SSO login sequence.
  - Bound to a single node (session state stored in memory).
  - Requires session stickiness on the load balancer (short-time only).
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  - Floatable between nodes (stored on the client).
- Persistent ID
  - Unique opaque identifier for a user per service provider.
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database.
  - Requires that all IdPs access a common storage to fully support Attribute Queries.
Storage Entities (continued)
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side).
  - Requires server-side storage to allow the users to use multiple browsers/clients.
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  - Seldom used in SWITCHaai.
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node: a message replayed to a different node than the one that first saw it is not detected (still, this is the default configuration).
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used.
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
- "Common Database" means some central/clustered database or a database replicated between nodes.
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
- Alternatives for the message replay cache: Common Database or memcached (depending on security requirements).
IdP Configuration: Storage
- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
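As an added example (not taken from the SWITCH deployment guide or the IdP distribution), the idp.properties settings that implement the recommendation table above. The bean names are the storage services shipped with IdP v3; which value is the single-node default is noted in the comments, and shibboleth.JPAStorageService is assumed to be defined in global.xml as on the previous slide.

```properties
# /opt/shibboleth-idp/conf/idp.properties, cluster settings (added example)
#
# shibboleth.StorageService                 = in-memory, per node
# shibboleth.ClientSessionStorageService    = cookie, lives as long as the browser session
# shibboleth.ClientPersistentStorageService = cookie, persistent
# shibboleth.JPAStorageService              = database via global.xml (common storage)

# IdP User Session: the default is already the client-side cookie, which
# floats between nodes, so it stays as it is.
idp.session.StorageService = shibboleth.ClientSessionStorageService

# User consents: the default (shibboleth.ClientPersistentStorageService) is a
# per-browser cookie and does not follow the user to a second browser, and
# large consent records do not fit in cookies. Use the common database.
idp.consent.StorageService = shibboleth.JPAStorageService

# SAML artifacts: the default (shibboleth.StorageService) is per-node memory,
# so an artifact issued by one node cannot be resolved on another.
idp.artifact.StorageService = shibboleth.JPAStorageService

# Message replay cache: per-node memory is the default and the recommended
# value; switch this to shibboleth.JPAStorageService as well if a message
# replayed against a different node must be detected.
idp.replayCache.StorageService = shibboleth.StorageService
```

The Persistent ID is not covered here because it is configured in global.xml, not in idp.properties. Note that the cookie-based services depend on the sealer key discussed on the Secret Key Management slide: every node must hold the same key or sessions created on one node will be unreadable on the others.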
IdP Configuration: Secret Key Management
- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
- Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  - Install an appropriate cronjob.
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
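An added example of the rotation procedure described above, written here for this page; it is neither the wiki's cron script nor SWITCH's code. It assumes the IdP's own bin/seckeygen.sh with the options used in the wiki example (storefile, storepass, versionfile, alias, count), hypothetical peer hostnames, SSH trust already in place for scp, and that the IdP picks up the new key once the version file changes. Run with --dry-run to print the commands without executing them.

```python
"""Rotate the session-cookie sealer key on one node and push it to the others.

Added example (not the Shibboleth wiki's cron script, not SWITCH's code).
Assumptions: bin/seckeygen.sh accepts the flags below (as in the wiki's
example), peers are reachable via scp, and the IdP reloads the keystore
when sealer.kver changes. Node names are hypothetical.
"""
import subprocess
import sys

IDP_HOME = "/opt/shibboleth-idp"
KEYSTORE = f"{IDP_HOME}/credentials/sealer.jks"
VERSION_FILE = f"{IDP_HOME}/credentials/sealer.kver"
ALIAS = "secret"
OTHER_NODES = ["idp2.example.org", "idp3.example.org"]  # hypothetical peers


def read_sealer_password(props_path=f"{IDP_HOME}/conf/idp.properties"):
    """Read idp.sealer.storePassword so the cron script does not embed the secret."""
    with open(props_path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("idp.sealer.storePassword"):
                return line.split("=", 1)[1].strip()
    raise RuntimeError("idp.sealer.storePassword not found in " + props_path)


def plan_rotation(password, nodes=OTHER_NODES, keep=30):
    """Ordered command list: generate locally first, then copy keystore AND
    version file to every peer. The keystore is copied before the version
    file so a peer never sees a new version number without the key behind it.
    Caveat: seckeygen takes the password as an argument, so it is visible in
    the process list for the short time the tool runs."""
    cmds = [[f"{IDP_HOME}/bin/seckeygen.sh",
             "--storefile", KEYSTORE, "--storepass", password,
             "--versionfile", VERSION_FILE, "--alias", ALIAS,
             "--count", str(keep)]]
    for node in nodes:
        cmds.append(["scp", "-q", KEYSTORE, f"{node}:{KEYSTORE}"])
        cmds.append(["scp", "-q", VERSION_FILE, f"{node}:{VERSION_FILE}"])
    return cmds


def rotate(password, nodes=OTHER_NODES, dry_run=False, run=subprocess.run):
    """Execute the plan, stopping at the first failure so a half-distributed
    key is reported (non-zero exit from cron) rather than silently leaving
    nodes with different keys. Returns the commands that were carried out."""
    done = []
    for cmd in plan_rotation(password, nodes):
        if not dry_run:
            run(cmd, check=True)   # raises on failure, aborting the remaining copies
        done.append(cmd)
    return done


if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    pw = "dummy" if dry else read_sealer_password()
    for c in rotate(pw, dry_run=dry):
        print(" ".join("***" if a == pw else a for a in c))
```

Install it on the designated node only; if it ran on every node, each would generate its own key and the cluster would end up with as many keys as nodes. The copy must cover both sealer.jks and sealer.kver: a peer with the new version file but the old keystore cannot decrypt the cookies issued by the primary.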
Further Notes
- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited.
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
- Terracotta
  - No longer an option for IdPv3.
Considerations for planning an IdP cluster
- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
References / Documentation
- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of the benefits when participating in interfederation.
- Know what it takes to enable an IdP for interfederation.
- Understand the concept of Entity Categories.
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales.
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
- Most federations are of national scope.
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  - Research projects are mostly multi-national.
- Interconnecting national federations: Interfederation.
  - Register the IdP or SP in only one federation and enable it for interfederation.
  - Enable the IdP for interfederation: its users will be able to access services from other federations.
  - Enable the SP for interfederation: the service can serve users from other federations.
All Academic Identity Federations Globally
(world map of production and pilot federations; figure not reproduced. Source: https://refeds.org/federations/federations-map)
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service.
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: 1257 IdPs, 963 SPs
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name               | Defined in | Example
----------------------------|------------|------------------------------------------------------------
displayName                 | eduPerson  | Peter Sample
common name (cn)            | eduPerson  | Peter Sample
mail                        | eduPerson  | peter.sample@example.org
eduPersonAffiliation        | eduPerson  | staff
eduPersonScopedAffiliation  | eduPerson  | staff@example.org
eduPersonPrincipalName      | eduPerson  | 234cd8z239@example.org
schacHomeOrganization       | SCHAC      | example.org
schacHomeOrganizationType   | SCHAC      | urn:schac:homeOrganizationType:ch:university
                            |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID          |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
(screenshot of https://www.switch.ch/aai/interfederation; not reproduced)
eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust.
- SPs and IdPs of participating federations should opt in for eduGAIN.
  - Some federations decided for opt-out instead.
- The MDS (metadata service) fetches, aggregates and republishes metadata.
(Diagram of the eduGAIN framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration; figure not reproduced)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Entity categories
A generic method to enrich metadata:
- Tag an entity (SP or IdP) as being part of a category.
- Requires a specification for international, coherent use.
- Criteria: purpose, policies, or other.
In the interfederation context:
- Filling the gap of missing common policies.
- Support or increase scalable trust.

Metadata
(slide showing an entity category in SAML metadata; figure not reproduced)
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives.
- The SP has to provide a Privacy Policy (in English, according to the guideline).
- That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale.
Goal: increase the trust in Service Providers (SPs).
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; figure not reproduced)

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo
Non-normative, informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
REFEDS Research & Scholarship
- R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers.
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

                 | REFEDS R&S                  | GÉANT DP CoCo
-----------------|-----------------------------|----------------------------------
Reach            | Global                      | Mainly Europe
Common ground    | Common purpose of the SPs   | Common data protection standards
Attributes       | Fixed set of attributes     | SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
(screenshot; not reproduced)

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings; not reproduced)

Attribute Release Settings (2)
(screenshot; not reproduced)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
- error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name). The similarly named localhost.YYYY-MM-DD.log holds the per-host application messages and is configured in logging.properties, not in server.xml.
Shibboleth log files (1)
- Logging implementation: Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
- idp-process.log: detailed description of the IdP processing requests
- idp-warn.log: filtered view of idp-process.log
- idp-audit.log: general request/response auditing records
- idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
- Config: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings are usually OK. Change them if required, e.g. for:
  - the LDAP auth module or authentication events
  - a new Logger or Appender...
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

The SMTPAppender only sends a mail when an ERROR-level event arrives (its default evaluator); the DEBUG root level merely determines which preceding events end up in the buffered context that is mailed along. Since that context can contain usernames and request details, keep the recipient internal and the SMTP hop local, as in the example.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):

       <Listener className="org.apache.catalina.filter" />

2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:

       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>

4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries

       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]

6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).
- No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check.
New reloading options with v3
- Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under

      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id

- Available bean IDs for service reloads: see

      $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml

  and the corresponding resource lists in services.xml.
- Reloading metadata: find the IDs with

      $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml

- By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).
- Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward.
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
- The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages.
  - Edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately.
  - Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2.
Still requiring a restart with v3
- Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- Changes to global.xml (SQL data source, HTTP client settings)
- Changes to the authentication configuration, such as LDAP parameters etc.
- Changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
- And a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely.
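The two lists above (what a reload-service call covers, and what still needs a restart) are easy to get wrong from memory, so here is an added example that encodes them: given the files you just edited, it tells you which admin-flow URLs to request and which files force a restart, and it can issue the requests. It is not SWITCH's or the Shibboleth project's tooling. Assumptions, all hypothetical: the IdP is reached at IDP_BASE, the calls are made from localhost as the default access-control.xml allows, and metadata provider IDs appear as id="..." on MetadataProvider elements in conf/metadata-provider*.xml.

```python
"""Decide what to reload, or restart, after editing IdP v3 configuration.

Added example (not SWITCH's or the Shibboleth project's code). Encodes the
slide lists: reloadable-service files -> reload-service URL, metadata
provider files -> one reload-metadata URL per provider ID, restart-only
files -> reported. Host and paths are hypothetical.
"""
import fnmatch
import glob
import re
import sys
import urllib.parse
import urllib.request

IDP_BASE = "https://aai-login.example.org/idp"   # hypothetical host

# Path pattern (relative to /opt/shibboleth-idp) -> reloadable service bean ID.
RELOADABLE = [
    ("conf/logback.xml", "shibboleth.LoggingService"),
    ("conf/attribute-filter.xml", "shibboleth.AttributeFilterService"),
    ("conf/attribute-resolver*.xml", "shibboleth.AttributeResolverService"),
    ("conf/saml-nameid.xml", "shibboleth.NameIdentifierGenerationService"),
    ("conf/relying-party.xml", "shibboleth.RelyingPartyResolverService"),
    ("conf/credentials.xml", "shibboleth.RelyingPartyResolverService"),
    ("conf/access-control.xml", "shibboleth.ReloadableAccessControlService"),
]
METADATA_FILES = "conf/metadata-provider*.xml"     # reloaded per provider ID
RESTART_ONLY = ["conf/services.xml", "conf/global.xml", "conf/ldap.properties",
                "conf/authn/*", "edit-webapp/*"]
NO_ACTION = ["views/*.vm", "messages/*.properties"]  # picked up automatically

PROVIDER_ID_RE = re.compile(r'<(?:\w+:)?MetadataProvider\b[^>]*\sid="([^"]+)"')


def provider_ids(metadata_xml):
    """IDs of MetadataProvider elements, i.e. the valid reload-metadata arguments."""
    return PROVIDER_ID_RE.findall(metadata_xml)


def reload_url(flow, ident):
    """URL of the reload-service / reload-metadata admin flow for one ID."""
    return f"{IDP_BASE}/profile/admin/{flow}?" + urllib.parse.urlencode({"id": ident})


def plan(changed_files, metadata_xml=""):
    """Return {'urls': [...], 'restart': [...], 'ignored': [...]} for the changed
    paths. URLs are deduplicated, so two attribute-resolver files cause one
    AttributeResolverService reload; unknown files are listed, never guessed."""
    urls, restart, ignored = [], [], []

    def add(u):
        if u not in urls:
            urls.append(u)

    for path in changed_files:
        if any(fnmatch.fnmatch(path, p) for p in NO_ACTION):
            ignored.append(path)
            continue
        if fnmatch.fnmatch(path, METADATA_FILES):
            for pid in provider_ids(metadata_xml):
                add(reload_url("reload-metadata", pid))
            continue
        bean = next((b for pat, b in RELOADABLE if fnmatch.fnmatch(path, pat)), None)
        if bean:
            add(reload_url("reload-service", bean))
        elif any(fnmatch.fnmatch(path, p) for p in RESTART_ONLY):
            restart.append(path)
        else:
            ignored.append(path)
    return {"urls": urls, "restart": restart, "ignored": ignored}


def execute(p, opener=urllib.request.urlopen):
    """GET every planned URL; return {url: HTTP status or error text}. An
    unknown id or a failed reload does not come back as 200, which is what
    the hands-on exercise with invalid bean IDs and syntax errors shows."""
    results = {}
    for u in p["urls"]:
        try:
            with opener(u, timeout=10) as resp:
                results[u] = resp.status
        except Exception as exc:
            results[u] = str(exc)
    return results


if __name__ == "__main__":
    md = "".join(open(f).read() for f in glob.glob("/opt/shibboleth-idp/conf/metadata-provider*.xml"))
    p = plan(sys.argv[1:], md)
    for u, status in execute(p).items():
        print(status, u)
    for f in p["restart"]:
        print("RESTART NEEDED:", f)
    for f in p["ignored"]:
        print("no action:", f)
```

Because idp-audit.log only records the profile URI of a reload, not its id= argument, keep the printed URL list from this script (or your shell history) if you need to reconstruct later which service was reloaded when.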
(Ideas for) hands-on exercises
- Try reloading a couple of the services listed on slide 4:

      curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=...'

- Check what happens when specifying invalid bean IDs.
- Insert a syntax error into a configuration file and try reloading the corresponding service.
- Entries in idp-audit.log just record reload events with

      ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||

  How can you determine what id= argument was supplied?
- What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai.
- Understand what is different regarding: opt-in vs. opt-out, metadata, Discovery Service, attributes.
- Know whom to contact and where to get help.
Interfederation Rollout: Opt-in vs. Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate, i.e. once the configuration is up-to-date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process; ⊕ entities are unlikely to cause interoperability problems
- Opt-out
  - The federation announces a flag day for enabling interfederation.
  - IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet.
  - ⊕ Quick adoption; ⊖ more likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
- Interfederated IdPs and SPs need additional metadata.
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  - Opt-out federations integrate all entities into a single metadata file.
- Propagation speed of metadata changes:
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue: the SP does not load the interfederation metadata, so the SP does not know the IdP and fails.
Discovery Service (DS)
- Within SWITCHaai, users easily find their IdP.
- An SP needs a DS that knows the appropriate set of IdPs.
  - An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
  - E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out.
  - That can result in this error message at your IdP:

        Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
- Missing attributes cause interoperation problems.
  - Check the SP's attribute requirements in the Resource Registry.
  - Verify that attributes were released (in the IdP's audit log).
    - If NO: check your IdP's attribute release policy.
    - If YES: were all required attributes released? If YES, the SP has to check out why it fails; if NO, review your attribute release policy.
- Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list".
  - Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  - Or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names).
- Additional web pages of interest:
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  - REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities
- Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation".
- Or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview: How to
- Customize look and feel
- Customize messages/languages
- Add text to your login site

(slides 3 to 5: screenshots of the login page; not reproduced)
Layout
- Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and CSS).
- Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
- Rebuild the idp.war file and restart Tomcat.
Spring message properties
- In /opt/shibboleth-idp/messages/ you find:
  - authn-messages.properties
  - error-messages.properties
  - consent-messages.properties
  These messages are used in the Velocity templates.
- Internationalization:
  - consent-messages_de.properties
  - consent-messages_fr.properties, etc.
error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties (continued)
In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

(slide 12: screenshot; not reproduced)
Velocity
- The Apache Velocity Engine is a free, open-source templating engine.
- Clean separation between the presentation tier and business tiers.
- VTL (Velocity Template Language):
  - References begin with $
  - Directives begin with #
  - A single-line comment begins with ## and finishes at the end of the line
  - Multi-line comments begin with #* and end with *#
Login and intercept
- The Velocity templates are under /opt/shibboleth-idp/views/:
  - login.vm
  - login-error.vm
  - intercept/attribute-release.vm
  - intercept/terms-of-use.vm
  - error.vm
  are the most used (no restart required).
- Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
- $rpUIContext.informationURL
- $rpUIContext.logo
- $rpUIContext.organizationDisplayName
- $rpUIContext.organizationName
- $rpUIContext.organizationURL
- $rpUIContext.privacyStatementURL
- $rpUIContext.serviceDescription
- $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

Keep the $encoder.encodeForHTML() call when you adapt this: the service name comes from the SP's metadata, which with interfederation is authored by a third party, so it must be HTML-encoded before it is rendered into the login page.
Hands On I
- Make the IdP logo disappear for screens smaller than 799 px.

Hands On II
- Return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
- Start to adapt login.vm in such a way that it looks like your production IdP.
copy SWITCH 201513
Example Solution I

• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32
Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Page 33
Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Page 34
Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35
Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation
New features in version 3

• Property replacement: %{my.property}
• Move passwords into a dedicated file
• Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

(source: Resource Registry)

Page 37
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Page 38
Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences

• IdP API for scripts has changed:
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39
Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

Page 40
References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41
Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42
Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
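As an added illustration (not code from these slides or from Shibboleth), the following Python models the computed persistent ID described above, the IdP!SP!value string the SP renders, and a minimal stand-in for the shibpid table that makes the reverse mapping from ID to user possible. The "!" separators between entity ID, attribute value and salt are an assumption modelled on Shibboleth's computed-ID layout; the slide only names the three inputs.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID, user attribute value and salt, Base64-encoded.

    The slide states the three inputs and that the result is 20 bytes in Base64;
    the "!" separators are an assumption (Shibboleth computed-ID layout), not
    something the slide spells out.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form the Shibboleth SP exposes: IdP entity ID ! SP entity ID ! value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


class PersistentIdStore:
    """Constructed in-memory stand-in for the shibpid table (not the IdP's code).

    Rows are keyed by (local entity, peer entity, persistent ID) and hold the
    principal, which is what the reverse mapping (c14n) needs.
    """

    def __init__(self, idp_entity_id: str, salt: str) -> None:
        self.idp_entity_id = idp_entity_id
        self.salt = salt
        self._rows: Dict[Tuple[str, str, str], str] = {}

    def generate(self, sp_entity_id: str, principal: str, source_value: str) -> str:
        """Issue (or re-issue) the persistent ID for principal towards one SP."""
        pid = computed_persistent_id(sp_entity_id, source_value, self.salt)
        # A repeat login must return the same value and not create a new row.
        self._rows.setdefault((self.idp_entity_id, sp_entity_id, pid), principal)
        return pid

    def resolve(self, sp_entity_id: str, persistent_id: str) -> Optional[str]:
        """Reverse mapping: which principal does this (SP, ID) pair belong to?"""
        return self._rows.get((self.idp_entity_id, sp_entity_id, persistent_id))

    def row_count(self) -> int:
        return len(self._rows)
```

Because the SP entity ID is part of the hash input, the same user gets unrelated values at different SPs, which is the pair-wise property the SAML quote on the recap slide requires.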
Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43
Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c "truncate shibpid"
  before importing a newer version of a full dump

Page 44
(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46
User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49
Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50
Example: conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51
Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
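Added example, not the IdP's code: a Python model of which attributes the consent page prompts for, following the white list, black list and pattern semantics of the two intercept flow slides above, plus the 3.2.0 display order (white-listed attributes first, the rest alphabetical). How the IdP combines the three settings internally is an assumption modelled on the slide text.

```python
import re
from typing import Iterable, List, Optional, Sequence

# Default black list from the intercept flow configuration slide.
DEFAULT_BLACKLIST = ("transientId", "persistentId", "eduPersonTargetedID")


def attributes_to_prompt(resolved: Iterable[str],
                         whitelist: Sequence[str] = (),
                         blacklist: Sequence[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Return the attribute IDs the consent page asks the user about.

    Semantics modelled on the slide (assumption, not the IdP's source):
      - black-listed attributes are never prompted for;
      - with an empty white list and no pattern, everything else is prompted;
      - once a white list or pattern is configured, only attributes on the
        white list or matching the pattern are prompted; the rest is released
        without asking.
    """
    regex = re.compile(pattern) if pattern is not None else None
    selected: List[str] = []
    for attr_id in resolved:
        if attr_id in blacklist:
            continue
        if not whitelist and regex is None:
            selected.append(attr_id)
        elif attr_id in whitelist or (regex is not None and regex.search(attr_id)):
            selected.append(attr_id)
    return selected


def display_order(attribute_ids: Iterable[str], whitelist: Sequence[str] = ()) -> List[str]:
    """Order for the consent page as described for 3.2.0: white-listed
    attributes first (in white list order), then the rest alphabetically."""
    def key(attr_id: str):
        if attr_id in whitelist:
            return (0, whitelist.index(attr_id), "")
        return (1, 0, attr_id.lower())
    return sorted(attribute_ids, key=key)
```

The default black list keeps the opaque identifiers out of the prompt, which is why a consent page never shows persistentId even though it is released.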
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP:
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>
Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Page 54
Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>
Hands-on solution

• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

Page 55
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56
Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override

Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>

Page 58
Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61
Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints

To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description

(screenshot of the Resource Registry: sections 1 and 2 to review, section 3 to adapt)

Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65
2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.

Page 68
Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70
Example Environment (diagram)

Page 71
Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  – Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
  – Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  – Behavior of clients is not determinable
  – Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  – Fast switching possible, but more complicated setup
  Switching via DNS:
  – Switching takes some time (TTL), but setup is easy
Options

• Data storage: client-side vs. server-side
  Server-side database can store any data:
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
  Client-side storage using cookies:
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72
Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks:
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75
Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76
References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78
SWITCHaai Team aaiswitchch
Interfederation Option What to consider before enabling an IdP for Interfederation
copy 2015 SWITCH
Why Interfederation?
- Most Federations are of national scope
- Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
- Research projects are mostly multi-national
- Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
(World map of federations in Production and Pilot status. Source: https://refeds.org/federations/federations-map)
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                    Defined in   Example
displayName                      eduPerson    Peter Sample
common name (cn)                 eduPerson    Peter Sample
mail                             eduPerson    peter.sample@example.org
eduPersonAffiliation,            eduPerson    staff, staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName           eduPerson    234cd8z239@example.org
schacHomeOrganization            SCHAC        example.org
schacHomeOrganizationType        SCHAC        urn:schac:homeOrganizationType:ch:university,
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID,             eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt-in for eduGAIN
  - Some federations decided for opt-out instead
- MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for internationally coherent use
  - Criteria
  - Purpose
  - Policies
  - Or other
In the interfederation context:
- Filling the gap of missing common policies
- Support or increase scalable trust
Metadata
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo
Non-normative, informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
REFEDS Research & Scholarship
- R&S SPs support
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                      | GÉANT DP CoCo
Global                          | Mainly Europe
Common purpose of the SPs       | Common data protection standards
Fixed set of attributes         | SP can require any attributes
Attribute Release Configuration: How attributes are released
Attribute Release Rules
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
Overview of Log Files
Apache log files
Log files: error.log, access.log
- error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
- Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restart; see the services.properties entry idp.service.logging.checkInterval = PT5M
- Automatic Email Alerts on Error
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
- idp-process.log: detailed description of the IdP processing requests
- idp-warn.log: filtered view of idp-process.log
- idp-audit.log: general request/response auditing records
- idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
Config: /opt/shibboleth-idp/conf/logback.xml
3 main classes: Logger, Appender (output destination) and Layout
Default settings are usually ok. Change them if required, i.e.
- LDAP Auth Module or authentication events
- new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdP v3
Reloading the configuration with v2
- only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
- reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-providers.xml
- by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  - say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
- and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
- try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date
    - Interfederation Metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - Federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt-out before
    - if they do not want to participate
    - if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue
  - SP does not load interfederation metadata
  - SP does not know the IdP and fails
Discovery Service (DS)
- Within SWITCHaai, users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
  - An interfederation enabled SP registered in SWITCHaai: it needs to deploy a DS that includes interfederation
  - E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  - That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
- Missing attributes cause interoperation problems
- Check the SP's attribute requirements in the Resource Registry
- Verify that attributes were released (in the IdP's audit log)
  - If NO: check your IdP's attribute release policy
  - If YES:
    - Were all required attributes released?
      - If YES: the SP has to check out why it fails
      - If NO: review your attribute release policy
- Another issue
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php
  - pick the country where the entity might be registered
  - under Metadata URL, click on "validate this metadata set", then on "show entities list"
- or search it in the eduGAIN List of Entities
  - go to https://technical.edugain.org/entities.php
- or try the "Is Federated" Checker
  - go to https://wiki.edugain.org/isFederatedCheck
  - provide email addresses or domain names
- Additional web pages of interest
  - Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  - REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
- Find an SP in the Resource Registry
  - go to https://rr.aai.switch.ch
  - pick "Search for resources"
  - pick "interfederation"
- or search it in the metadata file
  - /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Layout
- Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and css)
- Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
- Rebuild the idp.war file and restart tomcat
Spring message properties
- in /opt/shibboleth-idp/messages/ you find
  - authn-messages.properties
  - error-messages.properties
  - consent-messages.properties
  these messages are used in the velocity templates
- internationalization
  - consent-messages_de.properties
  - consent-messages_fr.properties etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>
Velocity
- The Apache Velocity Engine is a free, open-source templating engine
- clean separation between the presentation tier and business tiers
- VTL (Velocity Template Language)
  - References begin with $
  - Directives begin with #
  - A single line comment begins with ## and finishes at the end of the line
  - Multi-line comments begin with #* and end with *#
Login and intercept
- The velocity templates are under /opt/shibboleth-idp/views/
  - login.vm
  - login-error.vm
  - intercept/attribute-release.vm
  - intercept/terms-of-use.vm
  - error.vm
  are the most used (no restart required)
- Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Some Velocity Properties
- $rpUIContext.informationURL
- $rpUIContext.logo
- $rpUIContext.organizationDisplayName
- $rpUIContext.organizationName
- $rpUIContext.organizationURL
- $rpUIContext.privacyStatementURL
- $rpUIContext.serviceDescription
- $rpUIContext.serviceName
Velocity Properties
#set ($name = $rpUIContext.serviceName)
#if ($name)
    <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
    </div>
#end
Hands On I
- make the IdP logo disappear for screens smaller than 799 px
Hands On II
- return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"
Hands On III
- Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
- define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
- use the class in login.vm:
  <img class="idp_logo" align="right" …
- rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Example Solution II
- Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution: Migrating configuration to version 3
Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
- Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
- Some deprecated elements are ignored
- Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
- No warning for using legacy configuration mode
- Delete ignored elements
- Grouping attribute definitions in separate files
- Less misleading, smaller files, clearer
Deprecated items
- Principal connectors
- NameID encoders
- Transient identifier attribute definitions
- Persistent identifier data connectors and attribute definitions
- All replaced by NameID generation/consumption, see next presentation
New features in version 3
- Property replacement: %{my.property}
- Move passwords into a dedicated file
- Extract duplicated data like URLs
- Can split configuration into several files
- External Spring configuration for data connectors
- Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
- IdP API for scripts has changed
  - output attribute variable already created
  - setValues() removed
  - and more, see ScriptedAttributeDefinition for details
- Alternatives: mapped or template attribute definitions
- JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
References
- Shibboleth wiki: AttributeResolverConfiguration and its child pages
- Shibboleth wiki: AttributeFilterConfiguration
- Shibboleth wiki: ScriptedAttributeDefinition
- Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
Persistent IDs in SAML – short recap
- a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
- introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
- first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
- configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
- on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
- attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
- by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity 	ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
- when used in a federation, always qualified by the IdP and SP entity IDs
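The computation and the pairwise, revocable properties described above, as an added Python example (not code from the slides or from the Shibboleth project): the "!" separators and the input order are an assumption taken from the IdP's computed-ID generator, the entity IDs, user value and salt are constructed, and ShibpidStore is a hypothetical in-memory stand-in for the shibpid table.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample entities, source attribute value and salt (not a real deployment).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
SALT = b"constructed-salt-use-idp.persistentId.salt-from-credentials.properties"
SOURCE_VALUE = "23456789@example.org"   # constructed swissEduPersonUniqueID-style value


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over SP entity ID, user attribute value and admin salt, Base64 encoded.

    The slide names the three inputs; the '!' separators and the input order are
    an assumption of this example, taken from the IdP's computed-ID generator.
    20 digest bytes become 28 Base64 characters.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


class ShibpidStore:
    """Hypothetical in-memory model of the shibpid table behind the stored strategy.

    Rows carry the columns the database exercises touch: localEntity, peerEntity,
    principalName, persistentId, creationDate, deactivationDate.
    Modelling assumption: the first ID for an (SP, user) pair is the computed one;
    after a deactivation the next ID is random, so a revoked ID is never reissued.
    """

    def __init__(self, idp_entity_id: str, salt: bytes) -> None:
        self.idp = idp_entity_id
        self.salt = salt
        self.rows: List[Dict[str, Optional[str]]] = []

    def _active(self, sp: str, principal: str) -> Optional[Dict[str, Optional[str]]]:
        for row in self.rows:
            if (row["peerEntity"], row["principalName"]) == (sp, principal) \
                    and row["deactivationDate"] is None:
                return row
        return None

    def get_or_create(self, sp: str, principal: str, source_value: str) -> str:
        row = self._active(sp, principal)
        if row is not None:
            return str(row["persistentId"])
        had_previous = any(r["peerEntity"] == sp and r["principalName"] == principal
                           for r in self.rows)
        if had_previous:
            pid = base64.b64encode(secrets.token_bytes(20)).decode("ascii")
        else:
            pid = computed_persistent_id(sp, source_value, self.salt)
        self.rows.append({
            "localEntity": self.idp, "peerEntity": sp, "principalName": principal,
            "persistentId": pid,
            "creationDate": datetime.now(timezone.utc).isoformat(),
            "deactivationDate": None,
        })
        return pid

    def deactivate(self, sp: str, principal: str) -> bool:
        """Revoke the current ID (the 'delete a record and log in again' exercise)."""
        row = self._active(sp, principal)
        if row is None:
            return False
        row["deactivationDate"] = datetime.now(timezone.utc).isoformat()
        return True


def sp_attribute_string(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """Rendering the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def parse_sp_attribute_string(value: str, expected_idp: str, expected_sp: str) -> str:
    """SP-side check: use the ID only if both qualifiers match the issuing IdP and
    this SP, so a persistent ID scoped to another SP is never accepted here."""
    parts = value.split("!")
    if len(parts) != 3:
        raise ValueError("expected NameQualifier!SPNameQualifier!value")
    name_qualifier, sp_qualifier, pid = parts
    if name_qualifier != expected_idp or sp_qualifier != expected_sp:
        raise ValueError("persistent ID qualifiers do not match this IdP/SP pair")
    return pid
```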
Persistent ID changes with the IdP v3
- no disruptive ones, but a couple of things have happened behind the scenes
- most importantly, the IdP v3 brings a new, dedicated NameID generation service
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
- configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
- to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
5
copy 2015 SWITCH
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
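A small model of the white list, black list and pattern rules from the two slides above, plus the 3.2.0 display order, as an added example that is neither SWITCH's nor the Shibboleth project's code. The attribute IDs are constructed samples; the rules follow the slides' wording (black list always excludes; with an empty white list and no pattern everything else is prompted; otherwise only white-listed or pattern-matching attributes are). The white-list-first ordering is assumed to keep white-list order. The function released_without_prompt is the defender's view: it lists what leaves the IdP without ever being shown on the consent page once a white list is filled.

```python
"""Model of consent-intercept attribute selection (added example, constructed values)."""
import re
from typing import Iterable, List, Optional, Sequence

# Default black list from the slides: identifiers never shown on the consent page.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(resolved: Sequence[str],
                         whitelist: Sequence[str] = (),
                         blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Return the resolved attribute IDs the consent page asks the user about."""
    wl = set(whitelist)
    bl = set(blacklist)
    rx = re.compile(pattern) if pattern else None
    prompted: List[str] = []
    for attr_id in resolved:
        if attr_id in bl:
            continue                      # black list always wins
        if not wl and rx is None:
            prompted.append(attr_id)      # nothing configured: prompt for everything else
        elif attr_id in wl or (rx is not None and rx.search(attr_id)):
            prompted.append(attr_id)      # list or pattern configured: only those
    return prompted


def released_without_prompt(resolved: Sequence[str],
                            whitelist: Sequence[str] = (),
                            blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                            pattern: Optional[str] = None) -> List[str]:
    """Attributes sent to the SP without ever appearing on the consent page.

    Review this list whenever the white list is filled: per the slides, anything
    not mentioned in a list is released without asking.
    """
    prompted = set(attributes_to_prompt(resolved, whitelist, blacklist, pattern))
    return [a for a in resolved if a not in prompted]


def display_order(prompted: Sequence[str], whitelist: Sequence[str] = ()) -> List[str]:
    """3.2.0 ordering: white-listed attributes first (assumed: in white-list order), rest alphabetical."""
    first = [a for a in whitelist if a in prompted]
    rest = sorted(a for a in prompted if a not in first)
    return first + rest


if __name__ == "__main__":
    # Constructed sample of what the attribute resolver might produce for one login.
    resolved = ["mail", "displayName", "eduPersonTargetedID", "persistentId", "givenName", "eduPersonAffiliation"]
    print("default config, prompted:", attributes_to_prompt(resolved))
    print("white list [mail], silently released:", released_without_prompt(resolved, whitelist=["mail"]))
```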
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
Upgrades within Version 3: It's easy now
SWITCHaai Team aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
[screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then?
In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
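The grep above tells you whether a binding string occurs at all; before removing an endpoint you usually want the last use per SP and a yes/no against a cut-off date. The following is an added example, not SWITCH's or Shibboleth's code: it scans constructed sample lines laid out like idp-process.log entries (timestamp, level, logger, message; the logger names and message wording are placeholders) and reports, per SP entityID, when a given binding URN was last seen. In a real check, feed it the lines of /opt/shibboleth-idp/logs/idp-process-*.log instead of the sample.

```python
"""Last use of a SAML binding per SP from IdP process log lines (added example)."""
import re
from datetime import datetime
from typing import Dict, Iterable

# Binding URNs as they appear in the log.
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample lines; logger and message text are placeholders, not real IdP output.
SAMPLE_LOG = """\
2015-02-03 10:12:44,101 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp1.example.org/shibboleth
2015-03-15 08:01:02,555 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-05-20 17:30:10,002 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-06-01 09:00:00,000 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp2.example.org/shibboleth
"""

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")   # leading timestamp
_SP = re.compile(r"from (https?://\S+)")                        # SP entityID in the sample message


def last_use_by_sp(lines: Iterable[str], binding: str) -> Dict[str, datetime]:
    """Map each SP entityID to the most recent timestamp at which it used `binding`."""
    last: Dict[str, datetime] = {}
    for line in lines:
        if binding not in line:
            continue
        ts, sp = _TS.match(line), _SP.search(line)
        if not ts or not sp:
            continue                      # malformed line: skip rather than guess
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        entity = sp.group(1)
        if entity not in last or when > last[entity]:
            last[entity] = when
    return last


def safe_to_remove(lines: Iterable[str], binding: str, since: str) -> bool:
    """True when no SP used `binding` on or after `since` (YYYY-MM-DD).

    A binding that never appears in the log is also reported as removable,
    which is exactly the case the slide calls "hardly used".
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    return all(when < cutoff for when in last_use_by_sp(list(lines), binding).values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for sp, when in last_use_by_sp(lines, SAML1_SOAP).items():
        print(f"{SAML1_SOAP} last used by {sp} at {when}")
    print("SAML1 SOAP removable (unused since 2015-06-01):", safe_to_remove(lines, SAML1_SOAP, "2015-06-01"))
```

The per-SP result is what you need to contact the operator of a still-active legacy SP before the endpoint disappears from metadata; a bare grep hit count does not tell you whom to ask.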
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[figure: example clustered IdP environment, shown on two diagram slides]

Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup: special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side
Server-side database: can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies:
• Doesn't work for large data like user consents
• Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations
    Storage Entity          Recommended Storage    Scope
    Conversation Session    Memory                 Per Node
    IdP User Session        Client                 Per Client
    Persistent ID           Common Database        Cluster
    User consents           Common Database        Cluster
    SAML artifacts          Common Database        Cluster
    Message replay cache    Memory                 Per Node
Remarks
• Common Database means some central/clustered database, or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[map: Production and Pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
http://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes
    Friendly name                                   Defined in   Example
    displayName                                     eduPerson    Peter Sample
    common name (cn)                                eduPerson    Peter Sample
    mail                                            eduPerson    peter.sample@example.org
    eduPersonAffiliation, eduPersonScopedAffiliation eduPerson   staff, staff@example.org
    eduPersonPrincipalName                          eduPerson    234cd8z239@example.org
    schacHomeOrganization                           SCHAC        example.org
    schacHomeOrganizationType                       SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID / Persistent Name ID        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
[screenshot of the Resource Registry interfederation option]

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[figure: eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[figure: entity category tags in metadata]

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison
    REFEDS R&S                  GÉANT DP CoCo
    Global                      Mainly Europe
    Common purpose of the SPs   Common data protection standards
    Fixed set of attributes     SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team aai@switch.ch

Attribute Release Rules
[screenshot]

Attribute Release Settings (1)
[screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[screenshot]
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logback.xml

    <!-- SMTPAppender buffers recent events and mails them when an ERROR-level
         event arrives (the default trigger); the root level only controls
         what gets buffered -->
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. restart Tomcat
3. look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. restart Tomcat and log in to the IdP (AAI Demo Service)
5. look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. undo the wrong value (set $requestContext.principalName again) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
      $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
      curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• understand what is different regarding
  – opt-in vs. opt-out
  – metadata
  – Discovery Service
  – attributes
• know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – once the configuration is up-to-date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ slow process
  ⊕ entities unlikely to cause interoperability problems
• Opt-out
  – the federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ quick adoption
  ⊖ more likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – opt-out federations integrate all entities into a single metadata file
• propagation speed of metadata changes
  – in SWITCHaai: two hours
  – for interfederation: one to a few days
• possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS)
• within SWITCHaai, users easily find their IdP
• an SP needs a DS that knows the appropriate set of IdPs
• an interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• e.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – that can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• missing attributes cause interoperation problems
  – check the SP's attribute requirements in the Resource Registry
  – verify that attributes were released (in the IdP's audit log)
    • if NO: check your IdP's attribute release policy
    • if YES: were all required attributes released?
      • if YES: the SP has to check out why it fails
      • if NO: review your attribute release policy
• another issue
  – an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• additional web pages of interest
  – which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo): go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• contact the SWITCHaai Team: aai@switch.ch
Page 103
Layout
• change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• place additional web resources in the edit-webapp directory, not the webapp directory: the webapp directory is replaced upon every IdP upgrade
• rebuild the idp.war file and restart Tomcat
Page 25
Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
Page 26
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.
Page 27
Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
Page 28
Velocity
• the Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – references begin with $
  – directives begin with #
  – a single-line comment begins with ## and finishes at the end of the line
  – multi-line comments begin with #* and end with *#
Login and intercept
• the Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

The service name comes from the SP's metadata, so it is passed through $encoder.encodeForHTML before being placed in the page rather than inserted raw.
Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"
Page 31
Hands On III
• start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
      @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
      <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
      sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
      sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• edit authn-messages.properties:
      UnknownUsername = bad-credentials
      InvalidPassword = bad-credentials
      bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• same XML syntax as v2, should be nearly 100% compatible; any regression should be reported as a bug
• some deprecated elements are ignored
• exception: scripted attribute definitions; deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• no warning for using legacy configuration mode
• delete ignored elements
• group attribute definitions in separate files
• less misleading, smaller files, clearer
Page 35
Deprecated items
• principal connectors
• NameID encoders
• transient identifier attribute definitions
• persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.
New features in version 3
• property replacement: %{my.property}
  – move passwords into a dedicated file
  – extract duplicated data like URLs
• configuration can be split into several files
• external Spring configuration for data connectors
• activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213 (the dots of the OID were lost in extraction)
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <!-- the dots of the OID below were lost in extraction -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Page 38
Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
      https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
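As an added example (not from the slides or the IdP code base), the derivation just described in Python: SHA-1 over the SP entity ID, the source attribute value and the salt, Base64 encoded, plus the SP's "!"-joined rendering and a well-formedness check. The "!" separators between the three inputs are an assumption taken from the Shibboleth ComputedId strategy as recalled here; the entity IDs are the slide's, the user value and salt are constructed.

```python
"""Added example, not code from the SWITCH slides or the Shibboleth IdP: how a
computed persistent ID is derived and how the SP renders it as a string.

Assumption: the IdP hashes  relyingPartyId + "!" + sourceValue + "!" + salt
with SHA-1 and Base64-encodes the 20-byte digest (the "!" separators follow
the Shibboleth ComputedId strategy as recalled here; verify against your own
IdP before comparing exact values)."""
import base64
import binascii
import hashlib

# Entity IDs as on the slide; the user value and salt are constructed.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SAMPLE_USER = "12345678@example.org"   # e.g. a swissEduPersonUniqueID
SAMPLE_SALT = b"PLACEHOLDER-replace-with-your-idp.persistentId.salt"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Return the Base64 SHA-1 value that becomes the <NameID> text."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))   # targeted: bound to this SP
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))   # the user's source attribute
    digest.update(b"!")
    digest.update(salt)                           # secret from credentials.properties
    return base64.b64encode(digest.digest()).decode("ascii")


def is_well_formed_persistent_id(value):
    """True when value is strict Base64 for exactly 20 bytes (a SHA-1 digest)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 20
    except (binascii.Error, ValueError):
        return False


def sp_rendered_value(idp_entity_id, sp_entity_id, persistent_id):
    """The Shibboleth SP's string form: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def name_id_element(idp_entity_id, sp_entity_id, persistent_id):
    """The <NameID> as it appears in the assertion (see the slide)."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        'NameQualifier="%s" SPNameQualifier="%s">%s</NameID>'
        % (idp_entity_id, sp_entity_id, persistent_id)
    )


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SAMPLE_USER, SAMPLE_SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_rendered_value(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

Note that the same user gets a different value for every SP and that a changed salt changes every ID, which is why the salt must be carried over unchanged from the v2 configuration.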
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
      idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
      idp.persistentId.store = PersistentIdStore
      idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
      me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
      me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
      sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
      $ sudo -iu postgres psql shibboleth
      shibboleth=# \pset pager off
      shibboleth=# \dS shibpid
      shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• attribute release and terms of use consent now built in
• inspired by the uApprove and uApproveJP plugins for v2
• no consent data migration: the storage implementations are not compatible
• may be enabled or disabled per relying party and per profile
• decisions logged
Page 47
Differences with uApprove
• user can select attributes to release [disabled]
• consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• no regular expressions for SP white/black lists
• no translations provided
Why enable user consent?
• easier to have now with v3 than with v2
• required by the SWITCHaai Interfederation Access Declaration
• informs users about what personal data is transmitted, in a more real-time fashion
• recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• one more page to read and click through upon login, but only the first time for each SP
• with global consent disabled, users cannot choose "I don't care about my privacy"
• decide for all your users, or let them decide
When should consent be sought?
• all SPs: the best option ← recommended
• outside your organisation: good, fewer clicks
• outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
• post-authentication flows
  – attribute consent [enabled]
  – terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release):

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties (default values in brackets).
• consent duration options:
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
• white & black lists: which attributes to prompt for [all except black list]
  – white list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – black list [transientId, persistentId, eduPersonTargetedID]
  – pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• alphabetical order by default
• except that attributes in the white list show up first
• set the pattern to ^$ to catch all other attributes
• fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• terms for each SP
• default mapping using the entityID:
      https\://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> […]
• other mappings configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• enable the terms-of-use flow in conf/relying-party.xml
• change the key bean in conf/intercept/consent-intercept-config.xml to

      <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
          <constructor-arg value="my-terms" />
      </bean>
Hands-on solution
• add the text in messages/consent-messages.properties:
      my-terms = bogus-tou
      bogus-tou.title = Bogus Terms of Use
      bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: Relying party overrides
• template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• first match w
ins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
• entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• new attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party overrideDisables flows for SPs belonging to a home organisation
ltutillist id=shibbolethRelyingPartyOverridesgt lt-- more beans --gt ltbean id=shibbolethNoUserConsentRelyingParty parent=RelyingPartyByTaggt ltconstructor-arg name=candidatesgt ltlistgt ltbean id=disableForSingleHomeOrganization parent=TagCandidate cname=urnoid216756125114 pvalues=exampleorg gt lt-- more beans --gt ltlistgt ltconstructor-arggt ltproperty name=profileConfigurationsgt ltlistgt ltref bean=ShibbolethSSO gt ltref bean=SAML2SSO gt lt-- other profiles --gt ltlistgt ltpropertygt ltbeangtltutillistgt
Page 58
Upgrades within Version 3
It's easy now!
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata!
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry, then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
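The script below is an added example (not from the handout or the IdP) that automates the grep above: it scans process log lines for any SAML binding URN and reports, per binding, the last timestamp, the relying party named on that line and a hit count, so an endpoint can be judged unused before it is removed from the Resource Registry. The embedded log lines are constructed; the logger names and message texts are invented, only the binding URNs and the timestamp layout are real.

```python
"""Report the last use of a SAML binding from IdP process log lines.

Added example (not the handout's or the IdP's code). Every log line carrying
a SAML binding URN is recorded; for each binding the last timestamp, the
relying party named on that line and a hit count are returned. The log
lines below are constructed: logger names and message texts are invented,
only the binding URNs and the Logback timestamp layout are real.
"""
import glob
import re
from datetime import datetime

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_LOG = """\
2015-03-02 09:14:05,118 - INFO [example.logger:1] - Decoded urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST request from relying party https://sp.example.org/shibboleth
2015-03-02 09:14:05,120 - DEBUG [example.logger:2] - unrelated line, no binding here
2015-04-17 16:40:51,004 - INFO [example.logger:1] - Decoded urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding request from relying party https://legacy-sp.example.net/shibboleth
2015-05-30 08:02:13,771 - INFO [example.logger:1] - Decoded urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding request from relying party https://legacy-sp.example.net/shibboleth
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:\d\.\d:bindings:[A-Za-z0-9-]+")
RELYING_PARTY_RE = re.compile(r"relying party (\S+)")


def last_binding_use(lines):
    """Return {binding URN: (last datetime, last relying party or None, count)}."""
    seen = {}
    for line in lines:
        ts_match = TIMESTAMP_RE.match(line)
        binding_match = BINDING_RE.search(line)
        if not (ts_match and binding_match):
            continue            # not a timestamped line, or no binding on it
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        rp_match = RELYING_PARTY_RE.search(line)
        rp = rp_match.group(1) if rp_match else None
        binding = binding_match.group(0)
        prev = seen.get(binding)
        count = prev[2] + 1 if prev else 1
        if prev is None or ts >= prev[0]:
            seen[binding] = (ts, rp, count)              # newer hit: update time and SP
        else:
            seen[binding] = (prev[0], prev[1], count)    # keep newest, just count
    return seen


def binding_used_since(lines, binding, cutoff_date):
    """True if `binding` appears on or after cutoff_date (YYYY-MM-DD)."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    hit = last_binding_use(lines).get(binding)
    return hit is not None and hit[0] >= cutoff


def scan_log_files(pattern="/opt/shibboleth-idp/logs/idp-process-2015-*.log"):
    """Run last_binding_use over all files matching the glob (default path assumed)."""
    lines = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines.extend(fh)
    return last_binding_use(lines)


if __name__ == "__main__":
    for binding, (ts, rp, n) in last_binding_use(SAMPLE_LOG.splitlines()).items():
        print(f"{binding}: last used {ts} by {rp} ({n} hits)")
```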
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (diagram)
Page 71
Options: full-featured setup
Load Balancing Hardware vs. DNS Round Robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
Options: basic setup (Active/Standby system)
• Anycast IP address
  • Fast switching possible, but more complicated setup
• Switching via DNS
  • Switching takes some time (TTL), but setup is easy
Options: data storage, client-side vs. server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map of production and pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university,
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (screenshot)
https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (diagram)
Page 88
Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose: they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted-out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Spring message properties
• in /opt/shibboleth-idp/messages/ you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.
error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.
Velocity Properties
  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views/
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
  ## service name of the relying party, HTML-escaped before it is rendered
  ## (the value comes from SP metadata, so it must never be inserted raw)
  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end
Hands-on I
• make the IdP logo disappear for screens smaller than 799 px
Hands-on II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."
Hands-on III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
• Mapping both error classes to the same message also keeps the login form from telling an attacker whether a username exists.
Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.
New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example
  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlementgroups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
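The hash construction described above, as an added Python example (not part of the SWITCH handout or of the Shibboleth code base): it computes the persistent ID proper from the SP entityID, the user's source attribute value and the salt, renders the qualified IdP!SP!value string the SP sees, and shows what the salt protects against. The '!' separators between the three hash inputs, the sample entity IDs, the source value and the salt are assumptions; compare the output with the values your own IdP writes into the shibpid table before relying on it.

```python
import base64
import hashlib

# Constructed sample values, not taken from the handout.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
SOURCE_ID = "12345678@example.org"            # e.g. a swissEduPersonUniqueID value
SALT = b"replace-with-a-long-random-secret"   # idp.persistentId.salt


def computed_persistent_id(sp_entity_id, source_id, salt):
    """Persistent ID proper as described on the slide: SHA-1 over the SP entityID,
    the user's source attribute value and the admin salt, Base64 encoded.
    Assumption: the three inputs are separated by '!' as in Shibboleth's
    ComputedId connector; verify against your own shibpid table."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id, sp_entity_id, source_id, salt):
    """The string form the Shibboleth SP renders: IdP qualifier!SP qualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id,
                     computed_persistent_id(sp_entity_id, source_id, salt)))


def digest_length(persistent_id):
    """Decoded length of the value: 20 bytes for SHA-1 (28 Base64 characters)."""
    return len(base64.b64decode(persistent_id))


def recover_source_id(persistent_id, sp_entity_id, salt, candidates):
    """Offline guessing attack: the SP entityID is public, so once the salt is
    known (or empty) anyone holding a persistent ID can try candidate source
    values until one reproduces it, which reverses the pseudonym."""
    for candidate in candidates:
        if computed_persistent_id(sp_entity_id, candidate, salt) == persistent_id:
            return candidate
    return None


if __name__ == "__main__":
    # The same user gets a different value at each SP (pair-wise pseudonym).
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_A, SOURCE_ID, SALT))
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_B, SOURCE_ID, SALT))
```

The last function is the failure mode worth remembering: the entityID is public and the source attribute is often guessable, so the salt is the only secret input. It must be long, random and confidential, and it must be carried over unchanged to the v3 IdP (see the salt property a few slides further on), otherwise every user's persistent ID at every SP changes.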
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP: default mapping using the entityID
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Upgrades within Version 3
It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux); verify it against the PGP signature published next to the package before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation Description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot)
1, 2: to review
3: to adapt
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed, and no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with the SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with the SAML1 SOAP binding
• Attribute Service with the SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
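The log check above, as an added Python example (not from the handout): it scans constructed idp-process log lines for the candidate binding URNs named on the previous slide, records when and by which relying party each binding was last seen, and lists the bindings that have been quiet for longer than a threshold. The log lines, their message wording and the 90-day threshold are assumptions; only the timestamp prefix follows the IdP's default logback layout, so adapt the regular expressions to the messages your deployment actually writes.

```python
import re
from datetime import datetime, timedelta

# Endpoint bindings the slide names as candidates for removal.
CANDIDATE_BINDINGS = [
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
]

# Constructed log lines. Only the "%date - %level [%logger:%line] - %msg" prefix
# follows the IdP's default logback pattern; the message wording is illustrative.
SAMPLE_LOG = """\
2015-02-03 10:15:42,101 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://legacy-sp.example.org/shibboleth
2015-04-20 08:02:11,417 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from relying party https://sp.example.org/shibboleth
2015-05-30 17:44:03,009 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://legacy-sp.example.org/shibboleth
2015-06-01 12:00:00,000 - WARN [net.shibboleth.idp.saml.profile:91] - Message from https://sp.example.org/shibboleth rejected, no endpoint for binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[\w-]+")
ENTITY_RE = re.compile(r"https?://[^\s'\"]+")


def binding_usage(log_text, bindings):
    """Per binding of interest: the latest timestamp seen and the relying parties involved."""
    usage = {b: {"last_used": None, "relying_parties": set()} for b in bindings}
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        binding = BINDING_RE.search(line)
        if not ts or not binding or binding.group(0) not in usage:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        entry = usage[binding.group(0)]
        entry["relying_parties"].update(ENTITY_RE.findall(line))
        if entry["last_used"] is None or when > entry["last_used"]:
            entry["last_used"] = when
    return usage


def last_used_iso(usage, binding):
    """ISO 8601 string of the last use, or None if the binding never appeared."""
    when = usage[binding]["last_used"]
    return when.isoformat() if when else None


def removable_bindings(usage, today, quiet_days=90):
    """Bindings not seen within quiet_days before `today` (YYYY-MM-DD), sorted for stable output."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=quiet_days)
    return sorted(b for b, e in usage.items()
                  if e["last_used"] is None or e["last_used"] < cutoff)


if __name__ == "__main__":
    usage = binding_usage(SAMPLE_LOG, CANDIDATE_BINDINGS)
    for binding in CANDIDATE_BINDINGS:
        print(binding, last_used_iso(usage, binding), sorted(usage[binding]["relying_parties"]))
    print("quiet for 90 days as of 2015-06-11:", removable_bindings(usage, "2015-06-11"))
```

Two caveats apply to the real check as well: rotated or compressed log files outside the scanned window are not seen, so the window should cover at least the months the slide mentions; and a binding that has been quiet is not the same as one no SP depends on, so the relying parties listed per binding are the parties to ask before the endpoint disappears from metadata.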
Clustering IdPs
High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance, or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagram)
Options: load balancing hardware vs DNS round robin
• Full-featured setup: special load balancing hardware or software is highly recommended
  – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  – Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably: the behavior of clients is not determinable, and it does not guarantee sticky sessions
• Basic setup (active/standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: data storage client-side vs server-side
• A server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities bull Conversation Session (Profile Request Session)
bull Transient web flow at IdP eg SAML2 SSO Login sequence bull Bound to a single node (session state stored in memory) bull Requires session stickiness on load balancer (short-time only)
bull IdP User Session bull After a successful login at the IdP the IdP creates an associated user
session This session is valid for the configured session lifetime (eg 30 minutes or 8 hours)
bull Floatable between nodes (stored on client)
bull Persistent ID bull Unique opaque identifier for a user per service provider bull In a typical SWITCHaai deployment the Persistent ID is stored in a
database bull Requires that all IdPs access a common storage to fully support
Attribute Queries 9
Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation /         eduPerson    staff / staff@example.org
  eduPersonScopedAffiliation
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
Policy framework (diagram): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
  error.log   (aai-login.example.org.error.log); LogLevel set in /etc/apache2/apache2.conf (default "warn")
  access.log  (aai-login.example.org.access.log)
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
catalina.out: console output (System.err/out) from Tomcat
  default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  idp-process.log: detailed description of the IdP processing requests
  idp-warn.log: filtered view of idp-process.log
  idp-audit.log: general request/response auditing records
  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
Config: /opt/shibboleth-idp/conf/logback.xml
3 main classes: Logger, Appender (output destination) and Layout
Default settings are usually ok. Change them if required, e.g.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
shibboleth.LoggingService                   logging configuration reload (logback.xml)
shibboleth.AttributeFilterService           attribute filter reload
shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
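Because the reload flows are privileged administrative operations, it is worth pulling their audit records out of idp-audit.log and counting them, e.g. from a daily cron job. The following is an added example for this handout, not SWITCH's or the Shibboleth project's code. It relies only on what the slide shows: audit records are '|'-separated lines, and the two admin flows appear as the profile URIs http://shibboleth.net/ns/profiles/reload-metadata and http://shibboleth.net/ns/profiles/reload-service-configuration. It assumes (not stated on the slide) that the first field of each record is the timestamp; the log lines in the block are constructed samples.

```python
"""Extract admin reload events from pipe-delimited idp-audit.log records.

Added example (not SWITCH or Shibboleth project code). Assumptions: the first
field of a record is the timestamp; the sample records below are constructed.
"""
from collections import Counter

PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"

# The two reload profile URIs quoted on the slide, mapped to a short label.
RELOAD_PROFILES = {
    PROFILE_PREFIX + "reload-metadata": "reload-metadata",
    PROFILE_PREFIX + "reload-service-configuration": "reload-service",
}

# Constructed sample records: a normal SSO login, three reload events and one
# line that is not an audit record at all.
SAMPLE_AUDIT_LINES = [
    "20150611T081501Z|||https://sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|||||",
    "20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T081545Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T081602Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "this line is not an audit record",
]


def profile_of(record):
    """Return the profile URI field of one audit record, or None if there is none.

    Every field is searched for the profile URI prefix instead of hard-coding a
    field position, so a customised idp.audit.format does not break the check.
    """
    for field in record.rstrip("\r\n").split("|"):
        if field.startswith(PROFILE_PREFIX):
            return field
    return None


def reload_events(records):
    """Return (timestamp, label) pairs for every admin reload flow recorded."""
    events = []
    for record in records:
        profile = profile_of(record)
        if profile in RELOAD_PROFILES:
            timestamp = record.split("|", 1)[0]  # first field, assumed to be the timestamp
            events.append((timestamp, RELOAD_PROFILES[profile]))
    return events


def reload_counts(records):
    """Count reload events per flow. The record itself does not carry the id=
    argument (the slide's open question), so the count is per flow only."""
    return Counter(label for _, label in reload_events(records))


if __name__ == "__main__":
    for ts, label in reload_events(SAMPLE_AUDIT_LINES):
        print(ts, label)
    print(dict(reload_counts(SAMPLE_AUDIT_LINES)))
```

In production, feed the function the lines of /opt/shibboleth-idp/logs/idp-audit.log and compare the counts with the reloads your change-management records expect; an unexpected reload event points at either an unrecorded admin action or a gap in the access-control.xml restriction the slide describes.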
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?
authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
Page 27
Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>
(Screenshot of the resulting login form)
Page 28
Velocity
• The Apache Velocity Engine is a free open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views/
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end
Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"
Page 31
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
copy 2015 SWITCH 9
Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Page 38
Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
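The construction above carried through in Python, as an added example (not SWITCH's or Shibboleth's code): it derives the 28-character Base64 value from SP entity ID, source attribute value and salt, renders it the way the <NameID> and the SP string show it, and demonstrates that the value is pairwise (different per SP) and salt-dependent. The "!" separators between the three hashed inputs are an assumption taken from the IdP's computed-ID strategy (the slide only says "plus"); entity IDs, attribute value and salt are constructed.

```python
"""Computed persistent ID walkthrough (added example, not Shibboleth's code)."""
import base64
import hashlib

# Constructed sample values. The salt is a placeholder: a real deployment
# generates random bytes once and keeps them in credentials.properties.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"        # e.g. a swissEduPersonUniqueID value
SALT = b"CONSTRUCTED-EXAMPLE-SALT-replace-with-random-bytes"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Base64(SHA-1(spEntityID '!' sourceValue '!' salt)); 20 bytes -> 28 chars.

    The '!' separators are assumed from the IdP's computed-ID strategy.
    """
    if len(salt) < 16:
        # A short salt makes the pseudonym guessable from the public inputs.
        raise ValueError("salt must be at least 16 bytes")
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """Render as the Shibboleth SP does: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def parse_qualified_persistent_id(rendered: str) -> tuple:
    """Split the SP rendering back into (idp_entity_id, sp_entity_id, value)."""
    parts = rendered.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected idp!sp!value")
    return tuple(parts)


def name_id_element(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """The <NameID> as it appears in the assertion's <Subject>."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"'
        f' NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{value}</NameID>"
    )


def demo() -> dict:
    """Compute the ID for one user at two SPs and show both renderings."""
    pid_a = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    pid_b = computed_persistent_id(OTHER_SP_ENTITY_ID, SOURCE_VALUE, SALT)
    return {
        "sp_a": pid_a,
        "sp_b": pid_b,
        "pairwise": pid_a != pid_b,           # same user, different SP -> different ID
        "rendered": qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid_a),
        "name_id": name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid_a),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```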
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table
User Consent: Transparency for attribute release

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins; the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="ShibbolethSSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.
Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation Description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
[Figure: Home Organisation Description form in the Resource Registry, annotated: 1, 2 to review; 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So, in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns the information (i.e. time, SP) when the binding was used the last time.
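The grep above, extended into a small report as an added example (not SWITCH's or Shibboleth's code): it scans process log lines for binding URNs, keeps the most recent use and requesting SP per binding, and lists the bindings idle for longer than a threshold as removal candidates. The log lines below are constructed, and the regular expressions are assumptions about the message layout that may need adapting to what your idp-process log actually prints.

```python
"""Last-use check for SAML bindings (added example, not Shibboleth's code)."""
import re
from datetime import datetime, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
# The endpoints the slides name as removal candidates, plus one that is in use.
WATCHED_BINDINGS = (SAML1_SOAP, SAML2_POST, SAML2_SIMPLESIGN)

# Constructed log lines in a "timestamp - LEVEL [logger] - message" layout.
SAMPLE_LOG_LINES = [
    "2015-02-17 09:41:12,003 - INFO [net.shibboleth.idp.saml.profile:112] - "
    "Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding "
    "from requester https://sp-old.example.org/shibboleth",
    "2015-06-10 16:05:44,918 - INFO [net.shibboleth.idp.saml.profile:112] - "
    "Outbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST "
    "to requester https://sp.example.org/shibboleth",
    "2015-06-11 08:00:01,000 - INFO [net.shibboleth.idp.session:40] - "
    "Session cleanup finished",
]

# Assumed layout: ISO timestamp at line start, binding URN and "requester <id>"
# somewhere in the message.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"(urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+)")
REQUESTER_RE = re.compile(r"requester (\S+)")


def last_use_by_binding(lines) -> dict:
    """Return {binding URN: (datetime of last use, requester entityID)}."""
    last = {}
    for line in lines:
        ts = TIMESTAMP_RE.match(line)
        binding = BINDING_RE.search(line)
        if not ts or not binding:
            continue  # not a timestamped line, or no binding mentioned
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        req = REQUESTER_RE.search(line)
        requester = req.group(1) if req else "<unknown>"
        prev = last.get(binding.group(1))
        if prev is None or when > prev[0]:
            last[binding.group(1)] = (when, requester)
    return last


def removal_candidates(last: dict, today: str, max_idle_days: int = 90,
                       watched=WATCHED_BINDINGS) -> list:
    """Watched bindings never seen, or idle for more than max_idle_days.

    today is given as "YYYY-MM-DD"; the order of the result follows `watched`.
    """
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_idle_days)
    return [b for b in watched if b not in last or last[b][0] < cutoff]


if __name__ == "__main__":
    usage = last_use_by_binding(SAMPLE_LOG_LINES)
    for binding, (when, requester) in usage.items():
        print(f"{binding}: last used {when:%Y-%m-%d} by {requester}")
    print("candidates:", removal_candidates(usage, "2015-06-11"))
```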
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment
[Figure: example clustered IdP environment, two slides]
Options
• Full-featured setup: load balancing hardware vs. DNS round robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS round robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but the setup is easy
Options: data storage client-side vs. server-side
• A server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  • Research projects are mostly multi-national
• Interconnecting national federations: interfederation
  Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[Figure: world map of academic identity federations in production and pilot status] Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                      Defined in   Example
displayName                                        eduPerson    Peter Sample
common name (cn)                                   eduPerson    Peter Sample
mail                                               eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  eduPerson    staff / staff@example.org
eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
schacHomeOrganization                              SCHAC        example.org
schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
[Figure: Resource Registry screenshot] https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata
[Figure: entity categories as tags in metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Links:
• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                        | GÉANT DP CoCo
----------------------------------|----------------------------------
Global                            | Mainly Europe
Common purpose of the SPs         | Common data protection standards
Fixed set of attributes           | SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, directory /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  default logging location: /var/log/tomcat7/
  config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  default logging location: /var/log/tomcat7/
  config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry
  idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<!-- mails the buffered log context when an ERROR-level event is logged (SMTPAppender's default evaluator) -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (deliberately wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf/
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName again and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
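The audit-log check described above (and the reload entries shown in the "Reloading the Configuration" exercises) as an added example in Python, not code from the handout or the IdP. It assumes the pipe-delimited field order listed in FIELDS, which is my recollection of the IdP v3 default audit format; compare it with the "default" entry in your conf/audit.xml. The sample lines are constructed.

```python
# Added example: answer "were all required attributes released to this SP?"
# from idp-audit.log and list reload events. FIELDS is an assumption about
# the default audit format (conf/audit.xml); adjust it to your own format.
FIELDS = [
    "time", "inbound_binding", "inbound_msg_id", "relying_party", "profile",
    "user", "attributes", "outbound_binding", "authn_context", "session",
    "nameid_format", "assertion_id", "nameid",
]
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed sample records in that layout (not real audit data): one SSO
# login releasing two attributes, one metadata reload, one login releasing nothing.
SAMPLE_AUDIT = """\
20150611T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|eduPersonScopedAffiliation,mail|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|_s1|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|_a1|jQ+KQZR4OHyNi9702kW5KIQFhk=
20150611T101800Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T102200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://other.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|_s1|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_a2|_t9
"""


def parse_audit(text: str) -> list:
    """Split each non-empty line on '|' and name the fields; missing trailing fields become ''."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        parts += [""] * (len(FIELDS) - len(parts))          # tolerate short lines
        rec = dict(zip(FIELDS, parts))                       # extra fields are ignored
        rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
        records.append(rec)
    return records


def released_attributes(records: list, relying_party: str, user=None) -> set:
    """Union of attribute IDs the IdP recorded as released to one SP (optionally for one user)."""
    released = set()
    for rec in records:
        if rec["relying_party"] != relying_party:
            continue
        if user is not None and rec["user"] != user:
            continue
        released.update(rec["attributes"])
    return released


def missing_attributes(records: list, relying_party: str, required, user=None) -> set:
    """Required attribute IDs that never show up in the audit trail for this SP."""
    return set(required) - released_attributes(records, relying_party, user)


def reload_events(records: list) -> list:
    """(time, what) for admin reload flows; note the id= argument is not part of the record."""
    return [(r["time"], r["profile"][len(RELOAD_PREFIX):])
            for r in records if r["profile"].startswith(RELOAD_PREFIX)]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    sp = "https://sp.example.org/shibboleth"
    print("released to", sp, ":", sorted(released_attributes(recs, sp)))
    print("missing:", missing_attributes(recs, sp, ["mail", "eduPersonPrincipalName"]))
    print("reloads:", reload_events(recs))
```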
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck/
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org/
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Velocity Properties

<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Page 28
Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views/
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

#set ($name = $rpUIContext.ServiceName())
#if ($name)
  ## the service name comes from SP metadata: HTML-encode it before output
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect"
Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Page 32

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <!-- data source defined in external Spring configuration -->
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:
UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
  (source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Page 38
Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
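The computation just described, as an added example in Python (not code from the handout or the Shibboleth project). It assumes the digest input is the SP entity ID, the source attribute value and the salt joined by "!", which is how I recall the IdP's stored/computed persistent ID strategy; verify that against your own IdP before comparing with real shibpid rows. The entity IDs are the ones from the slide, the user value and salt are constructed.

```python
import base64
import hashlib
import secrets

# Added example. Assumption: digest input = relyingPartyId + "!" + sourceValue + "!" + salt
# (my recollection of the IdP's computed/stored persistent ID strategy).


def persistent_id(relying_party_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt: 20 bytes, Base64 encoded."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_rendering(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """String form the Shibboleth SP exposes: IdP qualifier, SP qualifier and the ID."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def ids_for_user(source_value: str, salt: str, sp_entity_ids) -> dict:
    """One pseudonym per SP for the same user: the identifiers are targeted (pair-wise)."""
    return {sp: persistent_id(sp, source_value, salt) for sp in sp_entity_ids}


def new_salt(nbytes: int = 32) -> str:
    """A fresh idp.persistentId.salt for a brand-new deployment; a migrated IdP must
    keep its v2 salt, otherwise every existing persistent ID changes."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    idp = "https://aai-login.example.org/idp/shibboleth"
    sps = ["https://sp.example.org/shibboleth", "https://other.example.org/shibboleth"]
    user = "123456@example.org"        # constructed source attribute value
    salt = "carry-this-over-from-v2"   # constructed salt
    for sp, pid in ids_for_user(user, salt, sps).items():
        print(sp_rendering(idp, sp, pid))
```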
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID (the colon in the key must be escaped in a properties file):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
Page 55
References
Shibboleth wiki ConsentConfiguration
Shibboleth wiki RelyingPartyConfiguration
Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes
    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables flows for SPs belonging to a home organisation:
    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
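As an added example (not code from the SWITCH handouts or from the IdP), the following Python reads the <mdattr:EntityAttributes> extension of SP metadata like the excerpt above and applies the same "any listed value matches, first candidate wins" logic that RelyingPartyByTag / TagCandidate overrides express, so that an override can be checked offline before it goes into relying-party.xml. The metadata sample is constructed from the slide's excerpt; the bean ids and OIDs are the ones shown on the slides.

```python
"""Check TagCandidate-style relying party overrides against SP metadata offline."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Names used on the slides.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"       # swissEduPersonHomeOrganization
HOME_ORG_TYPE_OID = "urn:oid:2.16.756.1.2.5.1.1.5"  # swissEduPersonHomeOrganizationType

# Constructed sample with the same structure as the slide's metadata excerpt.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                      Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""


def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} from the EntityAttributes extension.

    Values are whitespace-stripped because metadata generators often put a
    category URI on its own line, as in the sample above.
    """
    root = ET.fromstring(metadata_xml)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def matches_tag(attrs, name, values):
    """True if the entity carries attribute `name` with any of `values`.

    This is what a TagCandidate bean with c:name / p:values expresses.
    """
    return any(v in attrs.get(name, []) for v in values)


def select_override(attrs, candidates):
    """Return the id of the first matching candidate, or None.

    Candidates are (bean id, attribute name, accepted values); the first
    match wins, just like the order of overrides in relying-party.xml.
    """
    for bean_id, name, accepted in candidates:
        if matches_tag(attrs, name, accepted):
            return bean_id
    return None


# The override from the slide: consent flows off for SPs of one home organisation.
OVERRIDES = [
    ("disableForSingleHomeOrganization", HOME_ORG_OID, ["example.org"]),
]

if __name__ == "__main__":
    a = entity_attributes(SAMPLE_METADATA)
    print("entity categories:", a.get(ENTITY_CATEGORY))
    print("CoCo SP:", matches_tag(a, ENTITY_CATEGORY, [COCO_V1]))
    # The sample SP belongs to switch.ch, so the example.org override does not apply.
    print("override:", select_override(a, OVERRIDES))
```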
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service
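An added example (not part of the handouts or of the Shibboleth installer) that turns the "upgrades never overwrite what you modified" promise into a check: it records a SHA-256 per file below the unmanaged directories conf/, views/ and edit-webapp/ before running bin/install.sh and bin/build.sh, and compares afterwards. IDP_HOME and the directory names are the handout's defaults; the demo() tree is constructed in a temporary directory.

```python
"""Snapshot the deployer-managed directories of an IdP v3 before an upgrade
and verify afterwards that none of them were overwritten."""
import hashlib
import json
import os
import tempfile

IDP_HOME = "/opt/shibboleth-idp"
UNMANAGED_DIRS = ("conf", "views", "edit-webapp")  # yours, not touched by upgrades
MANAGED_DIRS = ("system", "webapp")               # the installer's, never edit by hand


def file_digest(path, chunk_size=65536):
    """SHA-256 of one file, streamed so large files are fine too."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(idp_home=IDP_HOME, dirs=UNMANAGED_DIRS):
    """Return {path relative to idp_home: sha256} for every file below dirs."""
    manifest = {}
    for d in dirs:
        for dirpath, _, files in os.walk(os.path.join(idp_home, d)):
            for name in files:
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, idp_home)] = file_digest(full)
    return manifest


def save_manifest(manifest, path):
    """Write the pre-upgrade manifest somewhere outside IDP_HOME."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def diff_manifests(before, after):
    """Classify files as changed, removed or added between two snapshots."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "removed": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }


def upgrade_was_clean(before, after):
    """True when every pre-existing unmanaged file is unchanged.

    New files (e.g. a fresh example dropped into conf/) are tolerated;
    changed or removed files are not.
    """
    d = diff_manifests(before, after)
    return not d["changed"] and not d["removed"]


def demo():
    """Run the check on a constructed, throw-away IdP tree.

    Simulates a good upgrade (only managed directories change, plus one new
    conf file) and a bad one that also overwrites conf/idp.properties.
    Returns (good_is_clean, bad_is_clean, diff_for_bad).
    """
    home = tempfile.mkdtemp(prefix="idp-demo-")
    files = {
        "conf/idp.properties": "idp.entityID=https://idp.example.org/idp/shibboleth\n",
        "views/login.vm": "## customised login page\n",
        "edit-webapp/images/logo.png": "not really a png\n",
        "system/conf/services-system.xml": "<beans/>\n",
        "webapp/idp.war": "old war\n",
    }
    for rel, content in files.items():
        full = os.path.join(home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    before = snapshot(home)

    with open(os.path.join(home, "webapp", "idp.war"), "w") as fh:
        fh.write("new war\n")
    with open(os.path.join(home, "conf", "new-feature.xml.dist"), "w") as fh:
        fh.write("<beans/>\n")
    good = snapshot(home)

    with open(os.path.join(home, "conf", "idp.properties"), "w") as fh:
        fh.write("idp.entityID=https://idp.example.org/idp/shibboleth\n# reset\n")
    bad = snapshot(home)
    return upgrade_was_clean(before, good), upgrade_was_clean(before, bad), diff_manifests(before, bad)


if __name__ == "__main__":
    print(demo())
```

In real use, call snapshot() and save_manifest() before unpacking the new distribution, run the procedure above, then compare load_manifest() with a fresh snapshot().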
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata might still cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form; 1, 2: to review; 3: to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
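An added example (not from the handouts) that does the same check over idp-audit.log instead of grepping the process log: it reports, per profile and request binding, when and by which SP the endpoint was last used, and lists which of the candidate bindings have not been used since a cutoff date. It assumes the IdP v3 default audit record layout whose first fields are time|requestBinding|requestId|relyingPartyId|profileId (the hands-on slide later on shows such records); the log lines are constructed.

```python
"""Last use per profile/binding from idp-audit.log records (constructed sample)."""
from datetime import datetime

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML1_ATTRIBUTE_QUERY = "http://shibboleth.net/ns/profiles/saml1/query/attribute"

# Constructed records in the assumed default layout:
# time|requestBinding|requestId|relyingPartyId|profileId|issuer|responseBinding|responseId|user|...
SAMPLE_AUDIT_LOG = """\
20150112T091502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp1.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|jdoe|||||
20150203T120000Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a2|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r2||||||
20150415T083000Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a3|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r3||||||
20150601T101500Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150610T140000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign|_a4|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r4|asmith|||||
"""


def parse_audit_line(line):
    """Return the fields this check needs, or None for blank/malformed lines."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 5 or not fields[0]:
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y%m%dT%H%M%SZ")
    except ValueError:
        return None
    return {"time": ts, "binding": fields[1], "relying_party": fields[3], "profile": fields[4]}


def last_use_per_endpoint(lines):
    """Map (profile, request binding) -> (last use, relying party).

    Admin flows such as reload-metadata carry no request binding and are skipped.
    """
    last = {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not rec["binding"]:
            continue
        key = (rec["profile"], rec["binding"])
        if key not in last or rec["time"] > last[key][0]:
            last[key] = (rec["time"], rec["relying_party"])
    return last


def unused_since(lines, bindings, cutoff_date):
    """Bindings of interest with no use on or after cutoff_date (YYYY-MM-DD).

    Bindings never seen at all are reported as unused too: that is the case
    where the endpoint can be dropped from the Resource Registry.
    """
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    latest = {}
    for (_profile, binding), (ts, _rp) in last_use_per_endpoint(lines).items():
        if binding in bindings and (binding not in latest or ts > latest[binding]):
            latest[binding] = ts
    return sorted(b for b in bindings if b not in latest or latest[b] < cutoff)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for (profile, binding), (ts, rp) in sorted(last_use_per_endpoint(lines).items()):
        print(f"{ts:%Y-%m-%d %H:%M}  {binding}  {profile}  {rp}")
    print("not used since 2015-05-01:", unused_since(lines, [SAML1_SOAP, SAML2_POST_SIMPLESIGN], "2015-05-01"))
```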
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment (diagrams on the slides)
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
(map of production and pilot federations) Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
(screenshot of the Resource Registry) https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram on the slide)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules (diagram on the slide)
Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
(screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change if required, i.e.:
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>
http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2
Find out why not all of the attributes appear
Hands On 2
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way
  – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Velocity
• The Apache Velocity Engine is a free open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#
Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.
Page 29
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName
Velocity Properties
    ## read the service name of the relying party and render it HTML-escaped
    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
Page 30
Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  “The credentials you entered are incorrect”

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1 Resolution
2 Filtering
3 Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement %{my.property}
  • Move passwords in a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:
  UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
  (source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:
<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Doable in Resource Registry too
Page 38
Hands-on 1 solution: services.xml
Loads both new files:
<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>
Add that new attribute to the definition of eduPersonEntitlement:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: “Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject’s actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject’s identity or activities.”
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP’s entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
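An added example (not code from the SWITCH handout or the IdP) that derives a persistent ID the way the slide describes and renders it in the SP's string form. The '!' separators between the three hashed parts, their order, and all sample values (entity IDs, user ID, salt) are assumptions, not taken from the handout.

```python
"""Derive a computed persistent ID and render it as the Shibboleth SP does.

Added example for the handout; not code from the SWITCH deck or the IdP.
Assumptions (not stated on the page): the three hashed parts are joined with
'!' in the order SP entity ID, source attribute value, salt; all sample
values below are constructed placeholders.
"""
import base64
import hashlib

SEPARATOR = b"!"  # assumed separator between the hashed parts


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID + user attribute value + admin salt, Base64 encoded.

    The inputs are the ones the slide names; the separator and order are the
    assumption documented at the top of this file.
    """
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(SEPARATOR)
    md.update(source_value.encode("utf-8"))
    md.update(SEPARATOR)
    md.update(salt.encode("utf-8"))
    # SHA-1 gives 20 bytes; Base64 turns them into 28 characters ending in '='
    return base64.b64encode(md.digest()).decode("ascii")


def digest_byte_length(persistent_id: str) -> int:
    """Decode the Base64 value and report how many raw digest bytes it carries."""
    return len(base64.b64decode(persistent_id, validate=True))


def render_sp_attribute(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_sp_attribute(rendered: str) -> dict:
    """Split the SP string form back into its qualifiers and value.

    Assumes the entity IDs contain no '!' (the Base64 value never does) and
    rejects anything that is not a 20-byte digest, which is what a receiving
    application should check before keying user data on the value.
    """
    parts = rendered.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected NameQualifier!SPNameQualifier!value")
    idp, sp, value = parts
    if digest_byte_length(value) != 20:
        raise ValueError("value is not a Base64-encoded SHA-1 digest")
    return {"NameQualifier": idp, "SPNameQualifier": sp, "value": value}


def properties_check() -> dict:
    """Show the properties the slide relies on with constructed sample inputs."""
    idp = "https://aai-login.example.org/idp/shibboleth"
    sp_a = "https://sp.example.org/shibboleth"
    sp_b = "https://other-sp.example.org/shibboleth"
    uid = "123456@example.org"  # constructed source attribute value
    # constructed placeholder; the real salt is the secret kept in credentials.properties
    salt = "CONSTRUCTED-SALT-PLACEHOLDER"
    pid_a = computed_persistent_id(sp_a, uid, salt)
    return {
        # same SP, user and salt always yield the same ID (persistent)
        "stable": pid_a == computed_persistent_id(sp_a, uid, salt),
        # a different SP yields a different ID for the same user (pair-wise, targeted)
        "pairwise": pid_a != computed_persistent_id(sp_b, uid, salt),
        # a changed salt changes every ID, which is why the salt is carried over from v2
        "salt_matters": pid_a != computed_persistent_id(sp_a, uid, salt + "x"),
        "rendered": render_sp_attribute(idp, sp_a, pid_a),
    }


if __name__ == "__main__":
    for key, val in properties_check().items():
        print(f"{key}: {val}")
```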
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of “special-purpose” attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1 Attribute release consent [enabled]
2 Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1 Ask me again if information changes (= if the set of attributes changes)
  2 Ask me again at next login [enabled]
  3 Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attribute to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID:
      https\://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> […]
  • Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:
<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use regardless of the SP
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

Hands-on solution
• Add text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs
copy 2015 SWITCH 22
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables flows for SPs belonging to a home organisation
<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="ShibbolethSSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
Page 58
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
However, some changes are still recommended:
1 Review the Home Organisation Description
2 Change URL for Attribute Authority
3 Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Figure: Resource Registry screenshot; sections 1, 2: to review; section 3: to adapt]
Page 64
1 Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: Add new IP ranges and Domain Hints
5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes
2 Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2 Change URL for Attribute Authority
New Recommendation: Use the same IP and the same Port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2 Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3 Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3 Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment
[Figure: example clustered IdP environment, two diagrams]
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client. Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO Login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
copy 2015 SWITCH
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity       | Recommended Storage | Scope
Conversation Session | Memory              | Per Node
IdP User Session     | Client              | Per Client
Persistent ID        | Common Database     | Cluster
User consents        | Common Database     | Cluster
SAML artifacts       | Common Database     | Cluster
Message replay cache | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university / urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
(Screenshot of https://www.switch.ch/aai/interfederation)
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram of the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
(Slide showing an entity category in SAML metadata)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                | GÉANT DP CoCo
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
(Diagram slide)
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
Location: /var/log/apache2. The configuration is defined in the virtual host definition: directory /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7. Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restart; see the idp/services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a deliberately wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward "constantly watch for file changes" check
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
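Picking the reload events out of idp-audit.log, as an added example that is not part of the handout: the records are pipe-separated and carry the profile URI in one field, as shown above, so a small parser can report which node reloaded what and when. The sample records are constructed, and the assumption that the first field is the timestamp and the second the node name is mine; as the handout notes, the id= argument is not in the audit record, so the reloaded service itself has to be looked up in idp-process.log or the web server access log.

```python
from collections import Counter

PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"

# Profile URIs the handout shows for the two admin flows, mapped to a short label.
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}

# Constructed sample records, not taken from a real IdP. Assumption: field 1 is
# the timestamp, field 2 the IdP node; all other fields are left empty here.
SAMPLE_AUDIT_LINES = [
    "20150611T091200Z|idp1||http://shibboleth.net/ns/profiles/saml2/sso/browser||||||||",
    "20150611T091530Z|idp1||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T091531Z|idp1||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T093000Z|idp2||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "this line is not an audit record",
]


def parse_audit_line(line):
    """Return (timestamp, node, profile_uri), or None if the line is not an audit record."""
    fields = line.rstrip("\r\n").split("|")
    # The profile URI is located by its prefix so the exact column does not matter.
    profile = next((f for f in fields if f.startswith(PROFILE_PREFIX)), None)
    if profile is None or len(fields) < 3:
        return None
    return fields[0], fields[1], profile


def reload_events(lines):
    """All reload-service / reload-metadata events as (timestamp, node, kind) tuples."""
    events = []
    for line in lines:
        record = parse_audit_line(line)
        if record and record[2] in RELOAD_PROFILES:
            events.append((record[0], record[1], RELOAD_PROFILES[record[2]]))
    return events


def reloads_per_node(lines):
    """Counter keyed by (node, kind): in a cluster, a node reloaded out of step stands out."""
    return Counter((node, kind) for _, node, kind in reload_events(lines))


if __name__ == "__main__":
    for timestamp, node, kind in reload_events(SAMPLE_AUDIT_LINES):
        print(timestamp, node, kind)
    print(reloads_per_node(SAMPLE_AUDIT_LINES))
```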
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load the interfederation metadata
  • The SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search for it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.serviceName)
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password: "The credentials you entered are incorrect"

Hands On III
• start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II
• edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Compatibility with version 2
• Same XML syntax as v2; should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning is given for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files
• Less misleading, smaller files, clearer
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see the next presentation
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• The configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213 (the dots of the OID are not reproduced in the handout; take the exact value from the Resource Registry)
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• The IdP API for scripts has changed
  • the output attribute variable is already created
  • setValues() was removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt
Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution: create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions have been included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
copy 2015 SWITCH
Persistent IDs in practice
• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
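Worked example of the derivation described on this slide, added here and not taken from the SWITCH deployment guide or the Shibboleth IdP code: it computes the salted SHA-1 persistent ID, renders it as the qualified NameID element and as the SP's string form, and keeps a small in-memory stand-in for the shibpid table to show the reverse mapping from a persistent ID back to a user. The "!" separators in the hashed input, the hypothetical PersistentIdStore class and all entity IDs, salt and user values are assumptions of this example.

```python
"""Persistent ID derivation, qualification and reverse mapping.

Added example, not SWITCH or Shibboleth project code. Assumption: the three
inputs are joined with '!' before hashing (the slide only says that the SP
entity ID, a user attribute value and the admin salt are hashed together).
All entity IDs, the salt and the user value are constructed sample values.
"""
import base64
import hashlib
from xml.sax.saxutils import escape, quoteattr

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID, source attribute value and admin salt.
    The 20-byte digest is Base64 encoded: 28 characters, one '=' pad."""
    if not salt:
        raise ValueError("a non-empty admin salt is required")
    material = "!".join((sp_entity_id, source_value, salt)).encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def name_id_element(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """<NameID> as carried in the assertion, qualified by both entity IDs."""
    return "<NameID Format=%s NameQualifier=%s SPNameQualifier=%s>%s</NameID>" % (
        quoteattr(PERSISTENT_FORMAT), quoteattr(idp_entity_id),
        quoteattr(sp_entity_id), escape(pid))


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """String form the Shibboleth SP hands to applications:
    NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, pid))


class PersistentIdStore:
    """Hypothetical in-memory stand-in for the shibpid table.
    Rows are keyed by (SP entity ID, persistent ID) and hold the source value,
    which is what the reverse mapping (persistent ID -> user) needs."""

    def __init__(self, salt: str) -> None:
        self._salt = salt
        self._rows: dict = {}

    def get_or_create(self, sp_entity_id: str, source_value: str) -> str:
        pid = compute_persistent_id(sp_entity_id, source_value, self._salt)
        self._rows.setdefault((sp_entity_id, pid), source_value)
        return pid

    def resolve(self, sp_entity_id: str, pid: str):
        """Reverse mapping; None if this SP never received that ID."""
        return self._rows.get((sp_entity_id, pid))


def demo() -> dict:
    """Exercise the properties the slide claims: stable per SP, pair-wise
    (different SPs get different IDs), salt-dependent, and resolvable."""
    idp = "https://aai-login.example.org/idp/shibboleth"   # constructed
    sp_a = "https://sp.example.org/shibboleth"             # constructed
    sp_b = "https://other.example.net/shibboleth"          # constructed
    salt = "constructed-sample-salt-do-not-reuse"          # constructed
    user = "123456@example.org"  # constructed swissEduPersonUniqueID value
    store = PersistentIdStore(salt)
    pid_a = store.get_or_create(sp_a, user)
    pid_b = store.get_or_create(sp_b, user)
    return {
        "pid_a": pid_a,
        "stable": store.get_or_create(sp_a, user) == pid_a,
        "pairwise": pid_a != pid_b,
        "salt_dependent": compute_persistent_id(sp_a, user, "another-salt") != pid_a,
        "resolved": store.resolve(sp_a, pid_a),
        "cross_sp_resolve": store.resolve(sp_b, pid_a),
        "name_id": name_id_element(idp, sp_a, pid_a),
        "sp_string": sp_attribute_rendering(idp, sp_a, pid_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```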
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  • preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  • deprecates the StoredId data connector and the SAML2NameID attribute definition type
  • in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  • the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO; Shibboleth SSO gets only attribute-release

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists:
• Which attribute to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>
Hands-on solution
• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling attribute consent prompt for particular SPs
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the consent flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now!
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata!
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore, no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
(Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
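An added example (not SWITCH or Shibboleth code) that turns the grep above into a last-use report per SAML binding, so that an endpoint is removed from the Resource Registry only after the log shows it idle for the chosen period. The log line layout and the sample lines are constructed for the example and do not reproduce the real idp-process.log format, which conf/logback.xml defines.

```python
"""Last-use report for SAML bindings from IdP process log lines.

Added example, not SWITCH or Shibboleth project code. The line layout below
(timestamp first, then 'binding=' and 'relyingParty=' fields) is constructed
for this example; real idp-process.log lines are laid out by conf/logback.xml.
"""
import re
from datetime import datetime, timedelta

# Binding URIs named on the slide as removal candidates
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample log lines (not real IdP output)
SAMPLE_LOG = """\
2015-01-12 09:03:41,512 - INFO [...]: binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://legacy-sp.example.org/shibboleth
2015-06-03 14:22:10,004 - INFO [...]: binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect relyingParty=https://sp.example.org/shibboleth
2015-06-09 08:10:55,777 - INFO [...]: binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect relyingParty=https://sp.example.org/shibboleth
2015-06-10 08:11:02,300 - INFO [...]: binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign relyingParty=https://kiosk.example.org/shibboleth
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?binding=(\S+).*?relyingParty=(\S+)")


def last_use_by_binding(lines):
    """Map binding URI -> (latest timestamp, SP that used it then).
    Lines that do not carry a binding are skipped, like grep would."""
    last = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        seen = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        binding, sp = match.group(2), match.group(3)
        if binding not in last or seen > last[binding][0]:
            last[binding] = (seen, sp)
    return last


def removal_candidates(lines, now, unused_for=timedelta(days=90)):
    """Bindings from the slide's candidate list with no use inside the window.
    Returns [(binding, last_seen)] with last_seen None if never logged."""
    last = last_use_by_binding(lines)
    cutoff = now - unused_for
    result = []
    for binding in (SAML1_SOAP, SAML2_POST_SIMPLESIGN):
        seen = last.get(binding)
        if seen is None or seen[0] < cutoff:
            result.append((binding, seen[0] if seen else None))
    return result


def demo():
    """Run the report over the constructed sample as of 11 June 2015."""
    lines = SAMPLE_LOG.splitlines()
    as_of = datetime(2015, 6, 11)
    return {
        "last": last_use_by_binding(lines),
        "candidates": removal_candidates(lines, as_of),
        "candidates_if_empty": removal_candidates([], as_of),
    }


if __name__ == "__main__":
    report = demo()
    for binding, (seen, sp) in sorted(report["last"].items()):
        print(f"{binding}: last used {seen} by {sp}")
    for binding, seen in report["candidates"]:
        print(f"candidate for removal: {binding} (last seen {seen})")
```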
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (diagram)
Options
• Full-featured setup
  Load Balancing Hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs server-side
• Server-side database: can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
(Map: Production / Pilot federations. Source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
(Screenshot: https://www.switch.ch/aai/interfederation/)
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)
Attribute Release Settings (1)
(Screenshot: Resource Registry - Edit Home Organization Description - Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties:

    FileHandler.level = INFO    (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)

• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation: Logback (Log4j successor); manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; see the services.properties entry
  idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  o LDAP auth module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml
<!-- SMTPAppender buffers recent events and sends them by e-mail when an
     ERROR-level event arrives (its default triggering evaluator); the root
     level of DEBUG below only determines what is buffered, not what triggers
     a mail. -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under Metadata URL, click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the Is Federated Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Hands On I
• make the IdP logo disappear for screens smaller than 799 px
Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"
Page 31
Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP
Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart
Page 32
Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team aai@switch.ch
Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2
• Same XML syntax as v2; should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:
UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml
New file with:
<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Doable in the Resource Registry too.
Page 38
Hands-on 1 solution: services.xml
Loads both new files:
<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>
<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>
Add that new attribute to the definition of eduPersonEntitlement:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team aai@switch.ch
Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
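The derivation and the two renderings described on this slide, as an added example written for this page (not code from the SWITCH handout or from the Shibboleth IdP). It assumes the "!" separators of Shibboleth's computed-ID strategy between the three hash inputs, and all entity IDs, user values and the salt are constructed sample data.

```python
import base64
import hashlib
import secrets

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample data (not real entity IDs, users or salts).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.net/shibboleth"
SAMPLE_SALT = "constructed-salt-please-replace-0123456789"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over  spEntityID + '!' + sourceValue + '!' + salt , Base64 encoded.

    The '!' separators are an assumption taken from Shibboleth's computed-ID
    strategy; the slide only names the three inputs.  The 20 digest bytes
    become 28 Base64 characters, the last one being '=' padding.
    """
    material = b"!".join(s.encode("utf-8") for s in (sp_entity_id, source_value, salt))
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def name_id_element(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """<NameID> as it travels in the assertion, qualified by both entity IDs."""
    return (
        f'<NameID Format="{PERSISTENT_FORMAT}" NameQualifier="{idp_entity_id}" '
        f'SPNameQualifier="{sp_entity_id}">{value}</NameID>'
    )


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """The string form the Shibboleth SP exposes to applications: idp!sp!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def split_sp_rendering(rendered: str) -> tuple:
    """Inverse of sp_attribute_rendering.  The Base64 value never contains '!',
    so splitting off the last two fields from the right is unambiguous even if
    the IdP entity ID itself contained a '!'.
    """
    idp, sp, value = rendered.rsplit("!", 2)
    return idp, sp, value


def salt_is_acceptable(salt: str, min_length: int = 16) -> bool:
    """Defensive check: the secret salt is all that stops someone who knows the
    (public) entity IDs and a username from recomputing the pairwise ID.
    The length threshold is an assumption made for this example.
    """
    return len(salt) >= min_length and salt.strip() == salt


def generate_salt(nbytes: int = 24) -> str:
    """Random salt suitable for a new idp.persistentId.salt value (URL-safe text)."""
    return secrets.token_urlsafe(nbytes)


def demo() -> dict:
    """One user at two SPs: the IDs are pairwise (differ per SP) yet stable."""
    user = "123456@example.org"
    pid_a = computed_persistent_id(SP_A, user, SAMPLE_SALT)
    pid_b = computed_persistent_id(SP_B, user, SAMPLE_SALT)
    rendered = sp_attribute_rendering(IDP_ENTITY_ID, SP_A, pid_a)
    return {
        "pid_a": pid_a,
        "pid_b": pid_b,
        "pairwise": pid_a != pid_b,
        "stable": pid_a == computed_persistent_id(SP_A, user, SAMPLE_SALT),
        "name_id": name_id_element(IDP_ENTITY_ID, SP_A, pid_a),
        "rendered": rendered,
        "round_trip": split_sp_rendering(rendered) == (IDP_ENTITY_ID, SP_A, pid_a),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```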
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team aai@switch.ch
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release):
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:
<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
Hands-on solution
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:
<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
Page 58
SWITCHaai Team aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
copy 2015 SWITCH
References Documentation bull Upgrading
httpswikishibbolethnetconfluencedisplayIDP30Upgrading bull Release Notes
httpswikishibbolethnetconfluencedisplayIDP30ReleaseNotes
5
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata might still cause some minor changes.

IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
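As an added example (not part of the SWITCH handouts), the following Python script does the "has this binding been used recently?" check programmatically over idp-audit.log records instead of grepping idp-process.log, and lists which of the candidate bindings above are safe to drop. It assumes the audit log's pipe-separated layout with the timestamp in the first field, the inbound binding in the second, the relying party in the fourth, the profile in the fifth and the outbound binding in the seventh; the log lines embedded below are constructed for the example, as is the 90-day window.

```python
"""Report which SAML bindings an IdP v3 still uses, from its pipe-separated
idp-audit.log, to decide which metadata endpoints can be removed.

Added example; not part of the SWITCH training material. The column layout
below is assumed (first fields of the IdP's default audit format)."""
from datetime import datetime, timedelta

# Assumed audit-log columns: time | inbound binding | inbound msg id |
# relying party | profile | responder | outbound binding | outbound msg id
COL_TIME, COL_IN_BINDING, COL_SP, COL_PROFILE, COL_OUT_BINDING = 0, 1, 3, 4, 6

# Bindings behind the endpoints the slides name as removal candidates
CANDIDATES = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
)

# Constructed sample records (hypothetical SPs); a real run reads the log files
SAMPLE_LINES = [
    "20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|"
    "https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2",
    "20150601T120000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_b1|"
    "https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign|_b2",
    "20150105T101500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_c1|"
    "https://old.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|"
    "https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_c2",
    "not an audit record at all",
]


def parse_line(line):
    """Return {time, sp, profile, bindings} for one record, or None if malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) <= COL_OUT_BINDING:
        return None
    try:
        when = datetime.strptime(fields[COL_TIME], "%Y%m%dT%H%M%SZ")
    except ValueError:
        return None
    bindings = {fields[COL_IN_BINDING], fields[COL_OUT_BINDING]} - {""}
    return {"time": when, "sp": fields[COL_SP], "profile": fields[COL_PROFILE],
            "bindings": bindings}


def last_use(lines):
    """Map each binding URI to the most recent (time, relying party) that used it."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for binding in rec["bindings"]:
            if binding not in seen or rec["time"] > seen[binding][0]:
                seen[binding] = (rec["time"], rec["sp"])
    return seen


def removable(lines, now, max_age_days=90, candidates=CANDIDATES):
    """Candidate bindings not used within the window (or never): safe to drop.
    `now` may be a datetime or a YYYY-MM-DD string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    usage = last_use(lines)
    cutoff = now - timedelta(days=max_age_days)
    return sorted(b for b in candidates
                  if b not in usage or usage[b][0] < cutoff)


if __name__ == "__main__":
    import glob
    import sys
    paths = sys.argv[1:] or glob.glob("/opt/shibboleth-idp/logs/idp-audit*.log")
    lines = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines.extend(fh)
    if not lines:                   # nothing readable: show the constructed sample
        lines = SAMPLE_LINES
    for binding, (when, sp) in sorted(last_use(lines).items()):
        print("%s: last used %s by %s" % (binding, when.strftime("%Y-%m-%d"), sp))
    print("removable:", removable(lines, datetime.now()))
```

Run it on the IdP host with the rolled-over audit files as arguments (a year's worth at once is fine); a binding that appears only in the outbound column still counts as used, since the SP asked for it.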
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram not reproduced)
Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup
  Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs server-side
Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node: a message replayed against another node is not detected (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes. Whoever holds this key can forge session cookies, so copy it only over an authenticated channel (e.g. ssh/scp) and keep the keystore readable by the IdP user only.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed (and memcached has no authentication or transport encryption of its own, so it must only be reachable from the IdP nodes)
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References, Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                      Defined in   Example
displayName                                        eduPerson    Peter Sample
common name (cn)                                   eduPerson    Peter Sample
mail                                               eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  eduPerson    staff / staff@example.org
eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
schacHomeOrganization                              SCHAC        example.org
schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2) (screenshot of the Resource Registry; https://www.switch.ch/aai/interfederation/)
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Declaration and eduGAIN Constitution, with Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram not reproduced)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. Goal: increase the trust in Service Providers (SPs))
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
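The two release models in the comparison, and the tag matching that the RelyingPartyByTag/TagCandidate override on the user-consent slide relies on, can be tried out on metadata directly. The following Python script is an added example, not part of the SWITCH handouts or of the IdP: it reads the mdattr:EntityAttributes of each SP, treats an R&S-tagged SP as entitled to the fixed bundle from the slides, a CoCo-tagged SP as entitled only to what it marks isRequired="true" in its RequestedAttribute list, and anything else as entitled to nothing by category. The metadata, the SP entity IDs and the set of attributes the IdP can resolve are constructed for the example; a real policy would also consult the Resource Registry defaults.

```python
"""Derive an attribute release decision from entity-category tags in SP metadata.

Added example; not part of the SWITCH handouts or of the IdP. It mirrors the
RelyingPartyByTag test (does the entity carry a given tag value?) and the two
release models compared on the slides: R&S = fixed bundle, CoCo = what the SP
marks as required. All metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS_V1 = "http://refeds.org/category/research-and-scholarship"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

# R&S bundle as listed on the slides (identifiers, person name, affiliation)
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName", "givenName",
                       "sn", "eduPersonScopedAffiliation", "eduPersonTargetedID"})

SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://local-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entities(metadata_xml):
    """Map entityID -> EntityDescriptor element (single entity or aggregate)."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        return {root.get("entityID"): root}
    return {e.get("entityID"): e for e in root.findall("md:EntityDescriptor", NS)}


def tag_values(entity, name):
    """Values of the mdattr:EntityAttributes attribute `name` (empty set if absent)."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.update((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values - {""}


def matches_tag(entity, name, wanted):
    """The RelyingPartyByTag test: does the entity carry any of the wanted values?"""
    return bool(tag_values(entity, name) & set(wanted))


def required_attributes(entity):
    """FriendlyNames (or OIDs) the SP marks isRequired="true" in its metadata."""
    wanted = set()
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in entity.findall(path, NS):
        if ra.get("isRequired", "false").lower() == "true":
            wanted.add(ra.get("FriendlyName") or ra.get("Name"))
    return wanted


def release_set(entity, available):
    """Attributes to release to this SP, given what the IdP can resolve."""
    categories = tag_values(entity, ENTITY_CATEGORY)
    if RS_V1 in categories:            # fixed bundle, regardless of what the SP asks for
        return RS_BUNDLE & set(available)
    if COCO_V1 in categories:          # only what the SP declares it needs
        return required_attributes(entity) & set(available)
    return set()                       # untagged SP: nothing by category


def policy(metadata_xml, available):
    """entityID -> sorted list of attributes to release."""
    return {eid: sorted(release_set(e, available))
            for eid, e in entities(metadata_xml).items()}
```

Note that the whitespace-padded CoCo value (as it appears in the metadata example on the user-consent slides) is stripped before comparison; a filter that matched on the raw text would silently never match.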
Attribute Release Configuration: How attributes are released
Attribute Release Rules (screenshot not reproduced)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot not reproduced)
Overview of Log Files

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

Note: SMTPAppender only sends a mail when an ERROR-level event arrives, and the mail carries the preceding buffered events as well. With the root logger at DEBUG those events can include usernames and other personal data from the IdP logs, so keep the mail host and recipient internal.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
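Calling the admin flows with curl works, but a small wrapper that refuses unknown bean IDs up front and turns the HTTP status into a sensible exit code is what tends to end up in an operator's toolbox. The script below is an added example, not part of the SWITCH handouts or of the IdP: the host name is assumed, the list of accepted service bean IDs is the one above, and the HTTP transport is injectable so the logic can be exercised without an IdP. It interprets nothing of the response body beyond the status code.

```python
"""Trigger IdP v3 admin reload flows from the IdP host and report the outcome.

Added example; not part of the SWITCH handouts. It wraps the two admin flows
reload-service and reload-metadata. The host name, the transport injection and
the accepted service bean IDs (taken from the slides) are this script's own."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://aai-login.example.org/idp/profile/admin"   # assumed host

# Service bean IDs the slides list for reload-service
SERVICE_IDS = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})


def reload_url(kind, ident, base_url=BASE_URL):
    """Build the admin-flow URL; reject unknown flows and unknown service beans
    before anything is sent (the IdP would only answer with an error anyway)."""
    if kind not in ("service", "metadata"):
        raise ValueError("kind must be 'service' or 'metadata'")
    if kind == "service" and ident not in SERVICE_IDS:
        raise ValueError("unknown service bean id: %s" % ident)
    return "%s/reload-%s?%s" % (base_url, kind, urllib.parse.urlencode({"id": ident}))


def http_get(url, timeout=30):
    """Plain GET returning (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload(kind, ident, fetch=http_get, base_url=BASE_URL):
    """Call the flow. Only HTTP 200 counts as a successful reload: 403 means the
    caller is not allowed by access-control.xml (by default only localhost may
    call these flows), 5xx that the IdP rejected the reload, e.g. because the
    configuration file does not parse."""
    url = reload_url(kind, ident, base_url)
    status, body = fetch(url)
    return {"url": url, "status": status, "ok": status == 200, "body": body.strip()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: reload.py service|metadata <id>")
    result = reload(sys.argv[1], sys.argv[2])
    print(result["status"], result["url"])
    print(result["body"])
    sys.exit(0 if result["ok"] else 1)
```

Run it on the IdP node itself (the default access control only admits localhost); the exit code makes it usable from a deployment script that copies a new attribute-filter.xml and wants to stop if the reload fails.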
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under Metadata URL, click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Hands On III bull Start to adapt the loginvm in such way that it looks like
your production IdP13
1913
copy SWITCH 201513
Example Solution I bull define a css class idp_logo13media only screen and (max-width 799px) idp_logo displaynone bull use the class in loginvmltimg class=idp_logo align=righthellipbull rebuild and restart tomcat13sudo JAVACMD=usrbinjava optshibboleth-idpbin
buildsh -Didptargetdir=optshibboleth-idpsudo etcinitdtomcat7 restart 13 2013
Page 32
Example Solution II

• Edit authn-messages.properties:

  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect
Page 33
Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding
Page 34
Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer
Page 35
Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.
New features in version 3

• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

(source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Page 38
Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences

• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
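To see what the two hands-on solutions do at run time, the following added example (my own Python model, not IdP code) mimics the semantics of the XML above: an ad:Template over a single-valued uid, an ad:Template over the multi-valued objectClass that is dependencyOnly and therefore never released itself, an ad:Simple eduPersonEntitlement that merges its two dependencies, and the attribute-filter-local.xml policy that releases uzhSAPUserId only to the attribute viewer. The LDAP record and the second filter policy (a stand-in for the file-backed SWITCHaai filter) are constructed.

```python
"""Model of IdP attribute resolution and filtering for hands-on 1 and 2.

Added example, not Shibboleth code: plain Python with the same semantics as
the resolver and filter XML from the slides. Sample data is constructed.
"""
from typing import Callable, Dict, List

Attributes = Dict[str, List[str]]

# Constructed LDAP record for one test user
LDAP_RECORD: Attributes = {
    "uid": ["alice"],
    "objectClass": ["person", "inetOrgPerson", "eduPerson"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def template(source: List[str], pattern: str, name: str) -> List[str]:
    """ad:Template: one output value per value of the source attribute."""
    return [pattern.replace("${" + name + "}", value) for value in source]


def resolve(ldap: Attributes) -> Attributes:
    """Resolution step: returns only attributes that may be released."""
    resolved: Attributes = {}
    # Hands-on 1: uzhSAPUserId = SAP-${uid}
    resolved["uzhSAPUserId"] = template(ldap["uid"], "SAP-${uid}", "uid")
    # Hands-on 2: dependencyOnly="true", so the groups attribute only feeds eduPersonEntitlement
    groups = template(ldap["objectClass"], "https://example.org/groups/${objectClass}", "objectClass")
    # ad:Simple with two dependencies: the values of both are merged
    resolved["eduPersonEntitlement"] = ldap.get("eduPersonEntitlement", []) + groups
    return resolved


# Filtering step. requester None = policy applies to every SP.
FILTER_POLICIES: List[dict] = [
    # attribute-filter-local.xml: AttributeRequesterString + PermitValueRule basic:ANY
    {"requester": "https://attribute-viewer.aai.switch.ch/shibboleth",
     "rules": {"uzhSAPUserId": lambda value: True}},
    # constructed stand-in for a policy in the file-backed SWITCHaai filter
    {"requester": None,
     "rules": {"eduPersonEntitlement": lambda value: True}},
]


def filter_for(resolved: Attributes, requester: str) -> Attributes:
    """Apply every matching policy; results of all policies are unioned."""
    released: Attributes = {}
    for policy in FILTER_POLICIES:
        if policy["requester"] not in (None, requester):
            continue
        for attr, permit in policy["rules"].items():
            existing = released.setdefault(attr, [])
            for value in resolved.get(attr, []):
                if permit(value) and value not in existing:
                    existing.append(value)
    return {k: v for k, v in released.items() if v}


if __name__ == "__main__":
    attrs = resolve(LDAP_RECORD)
    print(filter_for(attrs, "https://attribute-viewer.aai.switch.ch/shibboleth"))
    print(filter_for(attrs, "https://sp.example.org/shibboleth"))
```

The point worth noticing is the multi-valued case: objectClass usually carries several values, so the template produces one entitlement per object class, which is why no script is needed.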
Page 40
References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
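The construction described above (SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded, qualified by both entity IDs) is small enough to reproduce, which makes the properties that matter for operations visible: the same user gets a different value at every SP, and changing the salt changes every persistent ID. This is an added example, not the IdP's code; the "!" separators between the three hashed parts are my assumption about the Shibboleth computed-ID strategy, and the salt, entity IDs and user value are constructed.

```python
"""Compute a Shibboleth-style persistent ID and render it like the SP does.

Added example, not Shibboleth code. The handout states the inputs (SP entity
ID + source attribute value + salt) and the output (SHA-1, 20 bytes, Base64);
the '!' separators between the hashed parts are an assumption.
"""
import base64
import hashlib
import secrets


def persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over the three parts, Base64: 20 bytes -> 28 characters."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")                           # separator: assumption
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_rendering(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """String form an SP application sees: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def new_salt(nbytes: int = 16) -> bytes:
    """Generate a salt once; it goes into credentials.properties and must never
    change afterwards, or every persistent ID changes with it."""
    return secrets.token_bytes(nbytes)


# Constructed values for the demonstration
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other.example.net/shibboleth"
SALT = b"constructed-demo-salt-do-not-use"
USER = "123456@example.org"       # e.g. a swissEduPersonUniqueID value


if __name__ == "__main__":
    pid = persistent_id(SP_A, USER, SALT)
    print(sp_rendering(IDP, SP_A, pid))
    print(sp_rendering(IDP, SP_B, persistent_id(SP_B, USER, SALT)))
```

Because the value depends on the salt, the "carry over from your v2 configuration" step for idp.persistentId.salt is what keeps existing identifiers stable across the upgrade; the shibpid table then only matters for revocation and reverse lookup.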
Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c "truncate shibpid"
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration

Configured by Java properties in conf/idp.properties (Shibboleth default in brackets).

• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP
  • Default mapping using the entityID:
    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
  • Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>
Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
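The three key beans above (the default entityID lookup, Functions.compose(forMap(map, default), RelyingPartyIdLookup), and the hands-on Functions.constant) are all just functions from the relying party context to a message key. The following added example (not project code) models them in Python; the "relying party context" is a dict stand-in and the messages table is a constructed copy of the properties shown on the slides.

```python
"""The terms-of-use key lookup from consent-intercept-config.xml, modelled
in Python. Added example, not Shibboleth or Guava code; the relying party
context is a dict and the message lookup is a simplified stand-in for the
IdP's MessageSource."""
from typing import Callable, Dict

# Constructed stand-in for messages/consent-messages.properties
MESSAGES: Dict[str, str] = {
    "https://sp.example.org": "example-tou-1",      # default mapping: key is the entityID
    "example-tou-1.title": "Example Terms of Use",
    "example-tou-1.text": "<em>This is an example ToU</em>",
    "example-terms.title": "Example SP Terms",       # target of the custom map entry
    "example-terms.text": "Terms for sp.example.org/shibboleth only",
    "terms-of-use.title": "Generic Terms of Use",    # the forMap default value
    "terms-of-use.text": "Applies to every SP without specific terms",
    "my-terms": "bogus-tou",                          # hands-on solution
    "bogus-tou.title": "Bogus Terms of Use",
    "bogus-tou.text": "You can do anything you want",
}

KeyFunction = Callable[[Dict[str, str]], str]


def relying_party_id_lookup(ctx: Dict[str, str]) -> str:
    """shibboleth.RelyingPartyIdLookup.Simple: context -> SP entityID."""
    return ctx["relyingPartyId"]


def for_map(mapping: Dict[str, str], default: str) -> Callable[[str], str]:
    """Guava Functions.forMap(map, defaultValue)."""
    return lambda key: mapping.get(key, default)


def compose(g: Callable[[str], str], f: KeyFunction) -> KeyFunction:
    """Guava Functions.compose(g, f): x -> g(f(x))."""
    return lambda ctx: g(f(ctx))


def constant(value: str) -> KeyFunction:
    """Guava Functions.constant(value): same key for every SP."""
    return lambda ctx: value


default_key: KeyFunction = relying_party_id_lookup
custom_key: KeyFunction = compose(
    for_map({"https://sp.example.org/shibboleth": "example-terms"}, "terms-of-use"),
    relying_party_id_lookup)
single_key: KeyFunction = constant("my-terms")


def terms_for(ctx: Dict[str, str], key_fn: KeyFunction, messages: Dict[str, str] = MESSAGES):
    """Resolve the key to (title, text). One level of indirection covers the
    'entityID = tou-id' and 'my-terms = bogus-tou' lines on the slides."""
    key = key_fn(ctx)
    tou = messages.get(key, key)
    return messages.get(tou + ".title"), messages.get(tou + ".text")


if __name__ == "__main__":
    for sp in ("https://sp.example.org", "https://sp.example.org/shibboleth", "https://unknown.example.net/shibboleth"):
        print(sp, terms_for({"relyingPartyId": sp}, custom_key)[0])
```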
Page 55
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override

Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
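How the override list above is evaluated (match by name, group or tag against entity attributes taken from metadata, first match wins) is shown by the following added example, which is my own Python model and not IdP code. It parses a constructed metadata snippet modelled on the one two slides up (the EntitiesDescriptor group name and the extra entities are constructed) and then walks an override list in order; the profile configuration of each override is reduced to its list of post-authentication flows.

```python
"""Relying-party override selection: by name, group and tag, first match wins.

Added example, not Shibboleth code. Entity attributes are read from a
constructed SAML metadata snippet with Python's ElementTree.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"          # swissEduPersonHomeOrganization
INTERFED_GROUP = "urn:mace:switch.ch:SWITCHaai:interfederation"   # constructed group name

# Constructed metadata: one flat EntitiesDescriptor with three SPs
METADATA = f"""<md:EntitiesDescriptor Name="{INTERFED_GROUP}"
    xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}"><saml:AttributeValue>{COCO_V1}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{HOME_ORG}" FriendlyName="swissEduPersonHomeOrganization">
        <saml:AttributeValue>switch.ch</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{HOME_ORG}"><saml:AttributeValue>example.org</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain.example.net/shibboleth"/>
</md:EntitiesDescriptor>"""

Entity = Dict[str, object]   # {"group": str, "tags": {attribute name: [values]}}


def load_entities(xml_text: str) -> Dict[str, Entity]:
    """entityID -> group (enclosing EntitiesDescriptor Name) and entity attributes."""
    root = ET.fromstring(xml_text)
    entities: Dict[str, Entity] = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        tags: Dict[str, List[str]] = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            tags[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        entities[ed.get("entityID")] = {"group": root.get("Name"), "tags": tags}
    return entities


# The override list in relying-party.xml order; flows = postAuthenticationFlows
OVERRIDES: List[dict] = [
    {"id": "LegacyByName", "names": {"https://legacy.example.org/shibboleth"}, "flows": []},
    {"id": "shibboleth.NoUserConsentRelyingParty", "tags": [(HOME_ORG, {"example.org"})], "flows": []},
    {"id": "CoCoRelyingParty", "tags": [(ENTITY_CATEGORY, {COCO_V1})], "flows": ["attribute-release"]},
    {"id": "InterfederationRelyingParty", "groups": {INTERFED_GROUP},
     "flows": ["terms-of-use", "attribute-release"]},
]
DEFAULT_FLOWS = ["attribute-release"]      # shibboleth.DefaultRelyingParty


def matches(override: dict, entity_id: str, entity: Optional[Entity]) -> bool:
    if entity_id in override.get("names", ()):
        return True
    if entity and entity["group"] in override.get("groups", ()):
        return True
    for name, wanted in override.get("tags", ()):
        if entity and wanted & set(entity["tags"].get(name, [])):
            return True
    return False


def post_authentication_flows(entity_id: str, entities: Dict[str, Entity]) -> Tuple[str, List[str]]:
    """First matching override wins; otherwise the default relying party applies."""
    entity = entities.get(entity_id)
    for override in OVERRIDES:
        if matches(override, entity_id, entity):
            return override["id"], override["flows"]
    return "shibboleth.DefaultRelyingParty", DEFAULT_FLOWS


if __name__ == "__main__":
    ents = load_entities(METADATA)
    for eid in ents:
        print(eid, post_authentication_flows(eid, ents))
```

The attribute viewer entity sits in the interfederation group and carries the CoCo category, so the CoCo override wins only because it is listed before the group override; swapping the two changes which flows run for that SP.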
Page 58
Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description

[Screenshot of the Home Organisation Description form: sections 1 and 2 to review, section 3 to adapt]
Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:

1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
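The grep above answers the question for one binding; the following added example (not from the handout) generalises it to the whole list of candidate endpoints: it records when each binding URI was last seen in process log lines and which SP used it, then reports the bindings that were idle for longer than a chosen period. The log lines are constructed and the only assumption about their format is a leading "YYYY-MM-DD HH:MM:SS" timestamp and the binding URI somewhere on the line.

```python
"""Last use of each SAML binding, from IdP process log lines.

Added example, not from the handout or Shibboleth. Sample lines are
constructed; the format assumption is a leading timestamp and the binding
URI anywhere on the line, optionally followed by 'from <requester>'.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed lines in the spirit of idp-process-*.log (not a real log)
SAMPLE_LOG = """\
2015-01-12 10:14:03,512 - INFO [...] Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
2015-03-02 08:00:00,001 - INFO [...] Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-05-30 17:45:10,770 - INFO [...] Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://other.example.net/shibboleth
2015-06-01 09:12:44,100 - INFO [...] Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* .*?"
    r"(urn:oasis:names:tc:SAML:[12]\.0:bindings:\S+)(?: from (\S+))?")


def last_use(log_text: str) -> Dict[str, Tuple[datetime, Optional[str]]]:
    """binding URI -> (timestamp of last use, requester seen at that time)."""
    seen: Dict[str, Tuple[datetime, Optional[str]]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        binding, requester = m.group(2), m.group(3)
        if binding not in seen or ts > seen[binding][0]:
            seen[binding] = (ts, requester)
    return seen


def removable(log_text: str, bindings: Iterable[str], now: datetime,
              max_idle_days: int = 90) -> List[str]:
    """Bindings never seen, or not seen within max_idle_days, are candidates
    for removal from the Resource Registry."""
    seen = last_use(log_text)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(b for b in bindings if b not in seen or seen[b][0] < cutoff)


if __name__ == "__main__":
    candidates = [SAML1_SOAP, SAML2_POST_SIMPLESIGN, SAML2_SOAP]
    for binding, (ts, sp) in last_use(SAMPLE_LOG).items():
        print(binding, "last used", ts, "by", sp)
    print("removable:", removable(SAMPLE_LOG, candidates, datetime(2015, 6, 11)))
```

Run it over the concatenated logs of the period you care about (the handout suggests the last few months); a binding that appears only from one SP is worth a call to that SP before the endpoint disappears from metadata.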
Page 68
Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment

[Two diagram slides: example clustered IdP environment]
Page 71
Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side

• Server-side database: can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
copy 2015 SWITCH
All Academic Identity Federations Globally
[World map of federations, production and pilot. Source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
• Policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

[Figure: entity category tag in the SAML metadata of an entity]

Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                | GÉANT DP CoCo
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf

Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restart of the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93
Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achievable by a relatively awkward constantly-watch-for-file-changes check

Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date, the interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP: it is not clear whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs even if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN

Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the Is Federated Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect

Page 33
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36
New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}" queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer
UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1.3.6.1.4.1.1181.1.7.1.1.2.13
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry

Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.1181.1.7.1.1.2.13" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Page 38
Hands-on 1 solution: services.xml
Loads both new files

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39
Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>

Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
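As an added example (not from the SWITCH handouts), the following Python models the computation described above: SHA-1 over the SP entity ID, the user's source attribute value and the salt, Base64-encoded, plus the idp!sp!value rendering the Shibboleth SP exposes and the store that the reverse mapping (persistent ID back to a user) depends on. The "!" separators between the three hashed parts are the ones the Shibboleth computed-ID strategy uses; the entity IDs, attribute value, salt and principal name are constructed sample data.

```python
import base64
import hashlib


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Base64(SHA-1(spEntityID + '!' + sourceValue + '!' + salt)).

    The three inputs are the ones named on the slide. SHA-1 yields 20 bytes,
    so the result is always 28 Base64 characters ending in one '=' of padding.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def render_targeted_id(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form exposed by the Shibboleth SP: qualified by both entity IDs."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def store_record(store: dict, principal: str, sp_entity_id: str, persistent_id: str) -> None:
    """Minimal model of a shibpid row: (SP, persistent ID) -> principal."""
    store[(sp_entity_id, persistent_id)] = principal


def reverse_lookup(store: dict, sp_entity_id: str, persistent_id: str):
    """The c14n direction: the hash cannot be inverted, only looked up in the store."""
    return store.get((sp_entity_id, persistent_id))


# Constructed sample values (not real identifiers or secrets).
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.edu/shibboleth"
SALT = "constructed-salt-carried-over-from-v2"
UNIQUE_ID = "123456@example.org"  # the user's source attribute value


def demo() -> dict:
    """Return the properties a practitioner should be able to confirm."""
    pid_a = compute_persistent_id(SP_A, UNIQUE_ID, SALT)
    pid_b = compute_persistent_id(SP_B, UNIQUE_ID, SALT)
    pid_a_other_salt = compute_persistent_id(SP_A, UNIQUE_ID, "some-other-salt")
    store: dict = {}
    store_record(store, "jdoe", SP_A, pid_a)
    return {
        "pid_a": pid_a,
        "targeted_id": render_targeted_id(IDP, SP_A, pid_a),
        # same user, different SP: a different pseudonym (pair-wise)
        "pairwise": pid_a != pid_b,
        # same inputs always give the same ID (no per-login randomness)
        "stable": pid_a == compute_persistent_id(SP_A, UNIQUE_ID, SALT),
        # a changed salt changes every ID: why idp.persistentId.salt is carried over from v2
        "salt_sensitive": pid_a != pid_a_other_salt,
        "lookup": reverse_lookup(store, SP_A, pid_a),
        "lookup_unknown": reverse_lookup(store, SP_B, pid_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```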
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for the others]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51
Attribute consent configuration: per attribute behaviour

- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
- White list [empty]: when filled, any attribute not mentioned in a list is released without asking
- Black list [transientId, persistentId, eduPersonTargetedID]
- Pattern match [not defined]
Page 52
Intercept flow configuration: attribute display order (coming in version 3.2.0)

- Alphabetical order by default
- Except attributes in the white list, which show up first
- Set pattern to ^$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP: default mapping using the entityID (the colon in the key must be escaped in a properties file):

https\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em> [...]

Other mapping configurable, but the key is still the entityID (default value available).
Page 53
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml. Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution

1. Enable the terms-of-use flow in conf/relying-party.xml
2. Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>
Hands-on solution (continued)

3. Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
Page 55
References

- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: relying party overrides

Template beans in conf/relying-party.xml to match SPs by:
- name: entityID
- group: <EntitiesDescriptor> in metadata
- tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant.
Disabling the prompt for particular SPs: entity attributes in metadata

Entity categories:
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship

New attributes available:
- swissEduPersonHomeOrganization
- swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>
                    http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                            Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                            Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
Page 58
Upgrades within Version 3: It's easy now!
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure

- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp.
- Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation

- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata!
Page 62
Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints

To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch/
Home Organisation Description

(Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
- Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
- Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
- Single Sign-On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
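The log check above, as an added example that is not part of the SWITCH handout: a small POSIX shell script that reports, for each binding the handout lists as a removal candidate, how often and when it last appeared in the idp-process log files, so an endpoint is only removed after its disuse has been verified. The log lines and the logger name in them are constructed samples; on a real IdP, run usage_report against /opt/shibboleth-idp/logs.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: check which SAML bindings the
# IdP has actually served before removing their endpoints from the Resource
# Registry. Reads idp-process-*.log files; the sample lines are constructed.

# Bindings the handout lists as removal candidates.
SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# Print "<count>|<timestamp of last use>" for one binding URN over the given
# log files. A count of 0 means the binding never appeared in those files.
binding_usage() {
    urn="$1"; shift
    matches=$(grep -h -F -- "$urn" "$@" 2>/dev/null | sort)
    if [ -z "$matches" ]; then
        printf '0|\n'
        return 0
    fi
    count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    last=$(printf '%s\n' "$matches" | tail -n 1)
    # Each process log line starts with "YYYY-MM-DD HH:MM:SS,mmm - LEVEL ..."
    printf '%s|%s\n' "$count" "${last%% - *}"
}

# Report all removal candidates for the idp-process-*.log files in a directory.
usage_report() {
    dir="$1"
    for candidate in "$SAML1_SOAP" "$SAML2_SIMPLESIGN"; do
        result=$(binding_usage "$candidate" "$dir"/idp-process-*.log)
        count=${result%%|*}
        last=${result#*|}
        if [ "$count" -eq 0 ]; then
            printf '%s: never used in examined logs, endpoint may be removed\n' "$candidate"
        else
            printf '%s: used %s time(s), last on %s, keep endpoint\n' "$candidate" "$count" "$last"
        fi
    done
}

# Write constructed sample log files (two days, one binding used twice) into a
# temporary directory and print its path.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/idp-process-2015-03-02.log" <<'EOF'
2015-03-02 08:12:41,120 - INFO [constructed.sample.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp.example.org/shibboleth
2015-03-02 09:40:03,001 - INFO [constructed.sample.Logger:1] - Session created for user demo1
EOF
    cat > "$dir/idp-process-2015-05-19.log" <<'EOF'
2015-05-19 14:02:10,554 - INFO [constructed.sample.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp.example.org/shibboleth
EOF
    printf '%s\n' "$dir"
}

# Demo on the constructed logs; replace the directory with /opt/shibboleth-idp/logs.
demo_dir=$(make_sample_logs)
usage_report "$demo_dir"
rm -rf "$demo_dir"
```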
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3

- IdPv3 provides better support for clustering than IdPv2
  - Especially: user login sessions are stored on the client instead of on the server in memory
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment

(Figures not reproduced)
Page 71
Options: Full-featured setup

Load balancing hardware vs DNS round robin:
- Special load balancing hardware or software is highly recommended
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored
  - Supports sticky sessions (required for short-lived conversation sessions)
- DNS round robin doesn't work reliably
  - Behavior of clients is not determinable
  - Does not guarantee sticky sessions

Basic setup (Active/Standby system):
- Anycast IP address: fast switching possible, but more complicated setup
- Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side

- Server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities

- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)

- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks:
- Common Database means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage

- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage

- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management

- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
- Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes

- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta
  - No longer an option for IdPv3
Considerations for planning an IdP cluster

- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
Page 76
References / Documentation

- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for Interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
- Most federations are of national scope
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  - Research projects are mostly multi-national
- Interconnecting national federations: Interfederation
  - Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally

(World map of federations in production and pilot status; source: https://refeds.org/federations/federations-map)

eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: IdPs 1257, SPs 963
- http://www.edugain.org/
- https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name               | Defined in | Example
displayName                 | eduPerson  | Peter Sample
common name (cn)            | eduPerson  | Peter Sample
mail                        | eduPerson  | peter.sample@example.org
eduPersonAffiliation        | eduPerson  | staff
eduPersonScopedAffiliation  | eduPerson  | staff@example.org
eduPersonPrincipalName      | eduPerson  | 234cd8z239@example.org
schacHomeOrganization       | SCHAC      | example.org
schacHomeOrganizationType   | SCHAC      | urn:schac:homeOrganizationType:ch:university
                            |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       | eduPerson  | https://idp.example.org/idp/shibboleth!
Persistent Name ID          |            | https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)

(Screenshot of the Resource Registry; https://www.switch.ch/aai/interfederation/)

eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt-in for eduGAIN
  - Some federations decided for opt-out instead
- MDS fetches, aggregates and republishes metadata

(Figure: eduGAIN policy documents: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata

- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for internationally coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context:
  - Filling the gap of missing common policies
  - Support or increase scalable trust

Metadata

(Figure not reproduced)
Page 84
GÉANT Data Protection Code of Conduct

- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment, which increases the trust in Service Providers (SPs))

Code of Conduct Toolkit:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles

- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship

- R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules

(Figure not reproduced)
Page 88
Attribute Release Settings (1)

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

(Screenshot, continued)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

- error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
- Location: /var/log/apache2/
- Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files

- catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)

- Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restart; in the IdP's services.properties, entry idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Page 91
Shibboleth log files (2)

Location: /opt/shibboleth-idp/logs/

Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
- idp-process.log: detailed description of the IdP processing requests
- idp-warn.log: filtered view of idp-process.log
- idp-audit.log: general request/response auditing records
- idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)

- Config: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings usually OK. Change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender...
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2

Find out why not all of the attributes appear.
Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator, and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries [org.ldaptive.auth.Authenticator:284] and [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

- Only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3

- Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under:
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- Reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
- By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads

- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
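The reload procedure above, as an added example that is not from the SWITCH handout (it serves both the curl-based reload described under "New reloading options with v3" and the bean ID list above): a shell helper that extracts the reloadable service IDs from a services-system.xml-style file, refuses unknown IDs before any request is sent, and builds the reload-service and reload-metadata URLs for curl. The services-system.xml excerpt is a constructed sample, and the IdP base URL https://aai-login.example.org/idp is the handout's example host.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: validate a service bean ID
# against the reloadable services and build the admin flow URL for curl.
# The services-system.xml excerpt is constructed; the base URL is the
# handout's example host.

IDP_BASE_URL='https://aai-login.example.org/idp'

# Extract bean IDs from a services-system.xml-style file, mirroring the
# grep 'bean id=' check suggested in the handout.
list_reloadable_services() {
    sed -n 's/.*<bean id="\([^"]*\)".*/\1/p' "$1"
}

# Print the reload-service URL for a service ID. Fails, printing nothing to
# stdout, when the ID is not among the reloadable services in the given file,
# so a typo is caught before the admin flow is called.
reload_service_url() {
    id="$1"; services_file="$2"
    if ! list_reloadable_services "$services_file" | grep -q -x -F -- "$id"; then
        printf 'unknown service id: %s\n' "$id" >&2
        return 1
    fi
    printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE_URL" "$id"
}

# Metadata provider IDs live in conf/metadata-provider*.xml, so they are not
# validated here; only the URL is built.
reload_metadata_url() {
    printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE_URL" "$1"
}

# Perform the reload. Access to the admin flows is restricted to localhost by
# default (access-control.xml), so this is meant to run on the IdP node.
reload_service() {
    url=$(reload_service_url "$1" "$2") || return 1
    curl -s -S -f "$url"
}

# Constructed excerpt in the shape of system/conf/services-system.xml, listing
# the seven reloadable services named in the handout.
make_sample_services_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<bean id="shibboleth.LoggingService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.AttributeFilterService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.AttributeResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.NameIdentifierGenerationService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.RelyingPartyResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.MetadataResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.ReloadableAccessControlService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed file: only the URL is printed, no request is sent.
# On a real IdP pass /opt/shibboleth-idp/system/conf/services-system.xml.
sample=$(make_sample_services_file)
reload_service_url shibboleth.AttributeFilterService "$sample"
rm -f "$sample"
```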
Page 96
And restartless login page editing, too

- The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - Edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  - Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
copy 2015 SWITCH
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before the flag day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch
1
Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding
2
Page 34
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.
3
Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer
4
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation
5
New features in version 3
• Property replacement: %{my.property}
  • Move passwords in a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
6
Page 36
New features example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>
    shibboleth.PostgreSQLDataSource
  </dc:BeanManagedConnection>
</resolver:DataConnector>
7
Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
8
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
9
Hands-on 1 solution: attribute-filter-local.xml
New file with:
<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Doable in Resource Registry too
10
Page 38
Hands-on 1 solution: services.xml
Loads both new files:
<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>
<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
11
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
12
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes
13
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>
Add that new attribute to the definition of eduPersonEntitlement:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
14
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
15
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
2
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
3
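The computed-ID scheme sketched on this slide, written out as an added example (not code from the handout or from the Shibboleth project). It follows the IdP's computed-ID strategy, SHA-1 over SP entity ID, source value and salt joined by "!", and shows why the result is pairwise: the same user yields different IDs for different SPs. Entity IDs, the user value and the salt are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample values for this example; the entity IDs mirror the
# placeholders used on the slides, the salt is NOT a real deployment secret.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SALT = b"constructed-example-salt-change-me"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Return the persistent ID proper: Base64(SHA-1(sp ! source ! salt)).

    The SP entity ID, the source attribute value and the salt are fed into
    SHA-1 with '!' as separator (the separator used by the IdP's computed-ID
    strategy); the 20-byte digest is Base64 encoded, giving 28 characters.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str,
                            source_value: str, salt: bytes) -> str:
    """Render the value the way the Shibboleth SP exposes it as an attribute:
    NameQualifier!SPNameQualifier!value, as shown on the slide."""
    pid = computed_persistent_id(sp_entity_id, source_value, salt)
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def is_pairwise(source_value: str, salt: bytes) -> bool:
    """True if two SPs receive different identifiers for the same user, i.e.
    the ID is targeted and SPs cannot correlate the user by comparing it."""
    first = computed_persistent_id(SP_ENTITY_ID, source_value, salt)
    second = computed_persistent_id(OTHER_SP_ENTITY_ID, source_value, salt)
    return first != second


if __name__ == "__main__":
    user = "123456@example.org"  # constructed swissEduPersonUniqueID-style value
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, user, SALT))
    print("pairwise:", is_pairwise(user, SALT))
```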
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
4
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
5
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
6
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
7
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch
1
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
2
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change
3
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
4
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
5
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
6
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
7
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
8
Page 49
Part 2: Technical bits
9
Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
10
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [default: only attribute-release]
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
11
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
12
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
13
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
14
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
15
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
  • Other mapping configurable, but the key is still the entityID (default value available)
16
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]
<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>
17
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP
18
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
19
Hands-on solution
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
20
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
21
Appendix: Disabling the attribute consent prompt for particular SPs
22
Page 56
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
23
Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
24
Page 57
Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
          Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
          Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
25
Example relying party override
Disables the flows for SPs belonging to a home organisation
<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
26
Page 58
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
2
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
3
Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
4
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
5
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
3
Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
5
Home Organisation Description (screenshot)
1, 2: To review
3: To adapt
6
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.
7
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
8
Page 65
2. Change the URL for the Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
9
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
11
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
12
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
13
Page 68
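A variant of the "has this binding been used?" check above, written as an added example (not code from the handout): it scans idp-audit.log rather than idp-process.log, because audit records have a fixed "|"-separated layout, and reports per request binding how often, when last, and by which SPs it was used. It assumes the IdP v3 default audit layout (time, request binding, request ID, relying party, profile, ...) with timestamps of the form 20150611T091500Z; the log lines are constructed.

```python
from datetime import datetime

# Assumed idp-audit.log layout (IdP v3 default): the first five of the
# '|'-separated fields are time, request binding, request ID, relying party
# (SP entity ID) and profile ID. Admin flows such as reload-* log a line
# whose binding, request ID and relying party are empty.
AUDIT_TIME_FORMAT = "%Y%m%dT%H%M%SZ"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample records, not copied from a real IdP.
SAMPLE_AUDIT_LINES = [
    "20150120T080500Z|" + SAML1_SOAP + "|_q1|https://sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml1/query/attribute|"
    "https://aai-login.example.org/idp/shibboleth|" + SAML1_SOAP + "|_r1|||uid|_n1|_a1|",
    "20150312T101500Z|" + SAML2_POST + "|_q2|https://sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://aai-login.example.org/idp/shibboleth|" + SAML2_POST + "|_r2|user1|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail|_n2|_a2|",
    "20150611T140000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T140300Z|" + SAML2_POST + "|_q3|https://other-sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://aai-login.example.org/idp/shibboleth|" + SAML2_POST + "|_r3|user2|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid|_n3|_a3|",
    "20150611T140500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
]


def binding_usage(lines):
    """Summarise audit records per request binding.

    Returns {binding: {"count": int, "last_used": datetime,
                       "relying_parties": set}}; records without a request
    binding (admin flows) and malformed lines are skipped.
    """
    usage = {}
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 5:
            continue  # not an audit record
        timestamp, binding, _request_id, relying_party, _profile = fields[:5]
        if not binding:
            continue  # reload-* and other admin flows carry no binding
        try:
            when = datetime.strptime(timestamp, AUDIT_TIME_FORMAT)
        except ValueError:
            continue  # unexpected timestamp format, skip rather than guess
        entry = usage.setdefault(
            binding, {"count": 0, "last_used": when, "relying_parties": set()})
        entry["count"] += 1
        entry["last_used"] = max(entry["last_used"], when)
        entry["relying_parties"].add(relying_party)
    return usage


def unused_since(usage, binding, cutoff):
    """True if the binding has not been used since cutoff (same timestamp
    format as the log), i.e. its endpoint is a candidate for removal."""
    cutoff_time = datetime.strptime(cutoff, AUDIT_TIME_FORMAT)
    entry = usage.get(binding)
    return entry is None or entry["last_used"] < cutoff_time


if __name__ == "__main__":
    summary = binding_usage(SAMPLE_AUDIT_LINES)
    for binding, entry in sorted(summary.items()):
        print(binding, entry["count"], entry["last_used"].isoformat(),
              sorted(entry["relying_parties"]))
    print("SAML1 SOAP unused since 2015-03-01:",
          unused_since(summary, SAML1_SOAP, "20150301T000000Z"))
```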
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
2
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
3
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
4
Page 70
Example Environment (diagram)
5
Example Environment (diagram)
6
Page 71
Options
• Full-featured setup: load balancing hardware vs DNS round robin
  Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS round robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy
7
Options
• Data storage: client-side vs server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
8
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Slide 9

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Slide 10
Page 73
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node
Slide 11

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Slide 12
Page 74
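The following script is an added example written for these handouts; it is not part of the SWITCH deployment guide or of the Shibboleth distribution. It reads the four storage-service properties from an idp.properties text and compares each with the recommendation table above (user session on the client, consents and artifacts in the common database, replay cache in per-node memory). The sample idp.properties content is constructed; the bean names are the IdP v3 built-ins (shibboleth.StorageService for in-memory, shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService for cookies, shibboleth.JPAStorageService for the database configured in global.xml).

```sh
#!/bin/sh
# Cluster storage audit for idp.properties (added example, not SWITCH's or Shibboleth's own tooling).
# Compares the four storage-service properties against the "Storage Recommendations" table.

# Constructed sample of a single-node idp.properties (not taken from a real deployment)
SAMPLE_IDP_PROPERTIES='# storage services
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService'

# recommended_storage KEY: the recommended bean for a cluster, per the table on slide 11
recommended_storage() {
  case "$1" in
    idp.session.StorageService)     echo shibboleth.ClientSessionStorageService ;;
    idp.consent.StorageService)     echo shibboleth.JPAStorageService ;;
    idp.artifact.StorageService)    echo shibboleth.JPAStorageService ;;
    idp.replayCache.StorageService) echo shibboleth.StorageService ;;
    *) return 1 ;;
  esac
}

# property_value TEXT KEY: value of KEY in Java-properties text (comments skipped, blanks around '=' ignored)
property_value() {
  printf '%s\n' "$1" | awk -F= -v key="$2" '
    /^[ \t]*#/ { next }
    { k = $1; gsub(/[ \t]/, "", k)
      if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }'
}

# audit_cluster_storage TEXT: one verdict per storage entity; exit status 1 if any setting would not
# work across nodes. The replay cache may alternatively live in the common database (slide 11 remarks).
audit_cluster_storage() {
  rc=0
  for key in idp.session.StorageService idp.consent.StorageService \
             idp.artifact.StorageService idp.replayCache.StorageService; do
    actual=$(property_value "$1" "$key")
    want=$(recommended_storage "$key")
    if [ "$actual" = "$want" ]; then
      echo "OK        $key = $actual"
    elif [ "$key" = idp.replayCache.StorageService ] && [ "$actual" = shibboleth.JPAStorageService ]; then
      echo "OK (alt)  $key = $actual (common database instead of per-node memory)"
    else
      echo "MISMATCH  $key = ${actual:-<unset>} (cluster recommendation: $want)"
      rc=1
    fi
  done
  return $rc
}

# Run against the constructed sample: consents are browser-bound and artifacts are per node there.
audit_cluster_storage "$SAMPLE_IDP_PROPERTIES" || echo "adjust idp.properties before clustering"
```

On a real node, pass the file content instead of the sample, e.g. audit_cluster_storage "$(cat /opt/shibboleth-idp/conf/idp.properties)". The Persistent ID store is deliberately not covered, since it is configured in global.xml rather than idp.properties.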
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
Slide 13
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Slide 14
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Slide 15

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Slide 16
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Slide 17
Page 77
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Slide 2
Page 78
SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Slide 4
Page 79

All Academic Identity Federations Globally
Slide 5
[World map of federations, marked Production / Pilot] Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
Slide 7
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes
Slide 8

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
Slide 9
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Slide 12
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Slide 13

Metadata
[Slide showing an entity category in metadata]
Slide 14
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Slide 15

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Slide 16
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Slide 17
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Slide 18
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Slide 19

Comparison
Slide 20

REFEDS R&S                       GÉANT DP CoCo
Global                           Mainly Europe
Common purpose of the SPs        Common data protection standards
Fixed set of attributes          SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
Slide 2
Page 88
Attribute Release Settings (1)
Slide 3
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Slide 4
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Slide 2
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7
  Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7
  Config: /etc/tomcat7/server.xml (output dir and name)
Slide 3
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Slide 4
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Slide 5
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, e.g.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Slide 6
Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Slide 7
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Slide 8
Page 93
Hands On 2
Slide 9
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Slide 10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Slide 2
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Slide 3
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Slide 4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Slide 5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Slide 6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Slide 7
Page 98
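An added example for the reload exercises above (written for these handouts; not a SWITCH or Shibboleth script): a reload_service function that calls the admin flow with curl and checks the HTTP status, plus two small parsers that answer the "which id= was supplied?" question. The idp-audit.log entries carry the reload profile in the fifth '|'-separated field but no id, so the id has to be recovered from the web server's access log, where the request line still contains it. IDP_BASE, the audit lines and the Apache access log lines below are constructed sample values; the metadata provider id "ConstructedMetadataProvider" is a placeholder.

```sh
#!/bin/sh
# Added example (not SWITCH's or Shibboleth's tooling): trigger a service reload over the admin flow
# and trace reloads afterwards. Reload URL and audit-log layout are those of the slides;
# IDP_BASE and the log excerpts below are constructed.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# reload_service BEAN_ID: call the admin flow and return non-zero unless the IdP answers HTTP 200.
# Access is restricted to localhost by access-control.xml, so run this on the IdP node itself.
reload_service() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$IDP_BASE/profile/admin/reload-service?id=$1")
  echo "reload-service id=$1 -> HTTP $code"
  [ "$code" = 200 ]
}

# Constructed idp-audit.log excerpt: the reload profile is the 5th '|'-separated field, as on slide 7
SAMPLE_AUDIT='20150611T101502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T101530Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,|_n1|_as1|
20150611T101600Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||'

# Constructed Apache access.log lines for the same two reloads: the audit log omits the id= argument,
# but the request line in the web server log still carries it.
SAMPLE_ACCESS='127.0.0.1 - - [11/Jun/2015:12:15:02 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 64 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:12:16:00 +0200] "GET /idp/profile/admin/reload-metadata?id=ConstructedMetadataProvider HTTP/1.1" 200 58 "-" "curl/7.35.0"'

# reload_events AUDIT_TEXT: timestamp and profile of each reload recorded in idp-audit.log
reload_events() {
  printf '%s\n' "$1" | awk -F'|' '$5 ~ /\/reload-(service-configuration|metadata)$/ { print $1, $5 }'
}

# reload_ids ACCESS_TEXT: flow ("service" or "metadata") and id= argument of each reload request
reload_ids() {
  printf '%s\n' "$1" | sed -n 's#.*/profile/admin/reload-\([a-z]*\)?id=\([^ &"]*\).*#\1 \2#p'
}

reload_events "$SAMPLE_AUDIT"
reload_ids "$SAMPLE_ACCESS"
```

On a node, reload_ids "$(grep reload- /var/log/apache2/aai-login.example.org.access.log)" pairs each audit entry with its id; since reloads are restricted to localhost and the Resource Registry, any other source address in those lines is worth a closer look.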
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Slide 2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Slide 3

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Slide 4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Slide 5

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai: it needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Slide 6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Slide 7
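The checklist above ("were the required attributes released?") can be walked through against idp-audit.log. The following script is an added example written for these handouts, not SWITCH or Shibboleth code. It assumes the IdP v3 default audit format %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i| (SP entity ID in field 4, principal in field 9, released attribute IDs comma-separated in field 11); the log lines, entity IDs and the list of "required" attributes are constructed, where in practice the required list comes from the SP's Resource Registry entry.

```sh
#!/bin/sh
# Added example (not SWITCH's or Shibboleth's tooling): check in idp-audit.log which attributes the IdP
# released to a given SP. Assumes the IdP v3 default audit format
# %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|  (SP = field 4, principal = field 9, attrs = field 11).
# The log lines and entity IDs are constructed.

SAMPLE_AUDIT='20150611T091500Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,eduPersonScopedAffiliation,|_n1|_as1|
20150611T091700Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T092000Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|_r2|https://interfed-sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,|_n2|_as2|'

# released_attributes AUDIT_TEXT SP: one line per response to SP: timestamp, principal, attribute list
released_attributes() {
  printf '%s\n' "$1" | awk -F'|' -v sp="$2" '
    $4 == sp { attrs = $11; sub(/,$/, "", attrs); print $1, $9, (attrs == "" ? "<none>" : attrs) }'
}

# missing_attributes AUDIT_TEXT SP REQUIRED: required attribute IDs (comma-separated) that were
# absent from the most recent response to SP; prints an empty line when nothing is missing
missing_attributes() {
  printf '%s\n' "$1" | awk -F'|' -v sp="$2" -v req="$3" '
    $4 == sp { released = $11; found = 1 }      # keep the latest response to this SP
    END {
      if (!found) { print "no response to " sp " in log"; exit 1 }
      n = split(req, want, ","); m = split(released, have, ",")
      for (i = 1; i <= m; i++) if (have[i] != "") seen[have[i]] = 1
      out = ""
      for (i = 1; i <= n; i++) if (want[i] != "" && !(want[i] in seen)) out = out (out == "" ? "" : ",") want[i]
      print out
    }'
}

# Walk the slide's checklist for the (constructed) interfederated SP
SP=https://interfed-sp.example.net/shibboleth
released_attributes "$SAMPLE_AUDIT" "$SP"
missing=$(missing_attributes "$SAMPLE_AUDIT" "$SP" eduPersonPrincipalName,mail,eduPersonScopedAffiliation)
if [ -n "$missing" ]; then echo "review the attribute release policy for $SP: missing $missing"
else echo "all required attributes were released; the SP side has to investigate"; fi
```

With a real log, pass "$(grep "$SP" /opt/shibboleth-idp/logs/idp-audit.log)" as the first argument; an empty result from missing_attributes is the "If YES" branch of the slide, where the problem has to be looked for on the SP side (for instance the encryption issue mentioned above).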
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Slide 8
Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Slide 9
Page 103
Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted
Slide 3

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer
Slide 4
Page 35
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation
Slide 5

New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Slide 6
Page 36
New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>
Slide 7

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer
UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
source: Resource Registry
Slide 8
Page 37
Hands-on 1 solution: attribute-resolver-local.xml
New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
Slide 9

Hands-on 1 solution: attribute-filter-local.xml
New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too
Slide 10
Page 38

Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
Slide 11
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Slide 12
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
Slide 13

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
Slide 14
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Slide 15
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Slide 2
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
Slide 3
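To make the "SHA-1 of SP entity ID plus attribute value plus salt" rule tangible, here is an added example (written for these handouts; not Shibboleth's or SWITCH's code) that computes such a value with standard tools and renders the SP-side string form shown above. The '!' separators between the three inputs are those used by Shibboleth's computed-ID strategy; the salt and the user value are constructed demo values, and the entity IDs are the example ones from the slide. With the stored generator this is only the initial value of a record in the shibpid table: a revoked ID is replaced by a new one, so the table, not this formula, is authoritative for an existing deployment.

```sh
#!/bin/sh
# Persistent ID computation as described on the slide (added example; not Shibboleth's own code).
# Input string "<SP entityID>!<source attribute value>!<salt>", SHA-1 hashed, Base64 encoded
# ('!' separators as in Shibboleth's computed-ID strategy). All sample values are constructed.

# hex_to_base64 HEX: Base64-encode a hex string using only awk, so no openssl/xxd is required
hex_to_base64() {
  printf '%s\n' "$1" | awk '
    BEGIN { tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
    function hexval(h,   i, v) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
      return v
    }
    {
      out = ""
      for (p = 1; p <= length($0); p += 6) {          # three bytes (six hex digits) per 24-bit group
        chunk = substr($0, p, 6); n = length(chunk) / 2
        v = hexval(chunk)
        if (n == 2) v = v * 256; else if (n == 1) v = v * 65536   # left-align a short final group
        out = out substr(tbl, int(v / 262144) + 1, 1) substr(tbl, int(v / 4096) % 64 + 1, 1)
        out = out (n >= 2 ? substr(tbl, int(v / 64) % 64 + 1, 1) : "=")
        out = out (n == 3 ? substr(tbl, v % 64 + 1, 1) : "=")
      }
      print out
    }'
}

# persistent_id SP_ENTITY_ID SOURCE_VALUE SALT: the computed persistent ID for one user at one SP
persistent_id() {
  hex=$(printf '%s!%s!%s' "$1" "$2" "$3" | sha1sum | cut -d' ' -f1)
  hex_to_base64 "$hex"
}

# targeted_id IDP_ENTITY_ID SP_ENTITY_ID PID: the string form an SP sees (eduPersonTargetedID)
targeted_id() {
  printf '%s!%s!%s\n' "$1" "$2" "$3"
}

# Constructed demo: a made-up salt and user; entity IDs are the slide's example values.
IDP=https://aai-login.example.org/idp/shibboleth
SALT=constructed-demo-salt-do-not-reuse
PID=$(persistent_id https://sp.example.org/shibboleth 12345@example.org "$SALT")
targeted_id "$IDP" https://sp.example.org/shibboleth "$PID"
# A different SP yields an unrelated value for the same user: the identifier is pair-wise.
persistent_id https://other-sp.example.org/shibboleth 12345@example.org "$SALT"
```

The 20-byte digest always encodes to 28 Base64 characters ending in "=", which is a quick plausibility check when looking at shibpid rows or audit-log NameID values.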
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Slide 4
Page 43
copy 2015 SWITCH
Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info \
        --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44
(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45
User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46
User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51
Attribute consent configuration
Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52
Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
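The white list, black list, pattern and display-order rules from the two slides above, as an added Python example that is not part of the handout and not Shibboleth code: attributes_to_prompt() applies my reading of the slide's rules (a black-listed attribute is never prompted for; with an empty white list and no pattern everything else is prompted for; once a white list or pattern is set, only white-listed or pattern-matched attributes are prompted for and the rest is released without asking), and display_order() puts white-listed attributes first, in white-list order (an assumption, the slide only says they show up first), then the rest alphabetically. The attribute names are constructed sample data.

```python
import re
from typing import Iterable, List, Optional

# The IdP's default black list as given on the slide.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(released: Iterable[str],
                         whitelist: Iterable[str] = (),
                         blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Attributes the consent page asks about, per the slide's rules (my reading).

    - black-listed attributes are released silently, never prompted for;
    - empty white list and no pattern: prompt for everything else;
    - otherwise prompt only for white-listed or pattern-matched attributes,
      everything else is released without asking.
    """
    white = set(whitelist)
    black = set(blacklist)
    rx = re.compile(pattern) if pattern else None
    selected: List[str] = []
    for name in released:
        if name in black:
            continue
        if not white and rx is None:
            selected.append(name)
        elif name in white or (rx is not None and rx.search(name)):
            selected.append(name)
    return selected


def display_order(names: Iterable[str], whitelist: Iterable[str] = ()) -> List[str]:
    """White-listed attributes first (white-list order, assumed), then the rest alphabetically."""
    names = list(names)
    white = [w for w in whitelist if w in names]
    rest = sorted(n for n in names if n not in set(white))
    return white + rest


# Constructed sample: attributes the attribute filter released to some SP.
RELEASED = ["mail", "displayName", "eduPersonTargetedID",
            "eduPersonPrincipalName", "givenName", "surname"]
WHITELIST = ["eduPersonPrincipalName", "mail"]

if __name__ == "__main__":
    print(attributes_to_prompt(RELEASED))                       # default: all but eduPersonTargetedID
    print(attributes_to_prompt(RELEASED, WHITELIST))            # only the two white-listed ones
    shown = attributes_to_prompt(RELEASED, WHITELIST, pattern="^.*$")
    print(display_order(shown, WHITELIST))                      # white list first, rest A-Z
```

The last two calls show why the slide suggests the ^.*$ pattern: without it, filling the white list shrinks the prompt to the listed attributes; with it, every non-black-listed attribute is still prompted for, and the white list only influences the order.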
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>
• Add the text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs

Page 56
Disabling the prompt for particular SPs
Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs
Entity attributes in metadata

• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

Page 58
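The override selection described in this appendix, as an added Python model (not the handout's and not the IdP's code): it parses a constructed metadata aggregate, collects each SP's group membership and <EntityAttributes>, and walks an override list in order so that the first match wins, which is what the slide says about ordering in relying-party.xml. The Override class, the CoCoRelyingParty override and the second sample entity ID are hypothetical; the OID and category URI are the ones on the slides.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Standard SAML metadata namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization (slide)
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed sample aggregate: one tagged SP and one SP without entity attributes.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor Name="urn:mace:example:group"
    xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{COCO_V1}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{HOME_ORG_OID}">
        <saml:AttributeValue>example.org</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.other.example/shibboleth"/>
</md:EntitiesDescriptor>"""


@dataclass
class Entity:
    entity_id: str
    groups: List[str]                                        # enclosing EntitiesDescriptor names
    tags: Dict[str, Set[str]] = field(default_factory=dict)  # EntityAttributes: Name -> values


def parse_metadata(xml_text: str) -> List[Entity]:
    """Collect entityID, group membership and entity attributes for every entity."""
    entities: List[Entity] = []

    def walk(node: ET.Element, groups: List[str]) -> None:
        if node.tag == f"{{{NS['md']}}}EntitiesDescriptor":
            name = node.get("Name")
            for child in node:
                walk(child, groups + ([name] if name else []))
        elif node.tag == f"{{{NS['md']}}}EntityDescriptor":
            tags: Dict[str, Set[str]] = {}
            for attr in node.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
                values = {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
                tags.setdefault(attr.get("Name"), set()).update(values)
            entities.append(Entity(node.get("entityID"), groups, tags))

    walk(ET.fromstring(xml_text), [])
    return entities


@dataclass
class Override:
    """One relying-party override matching by name, group or tag (hypothetical model)."""
    name: str
    consent: bool                              # does the attribute-release flow run?
    by_name: Optional[str] = None
    by_group: Optional[str] = None
    by_tag: Optional[Tuple[str, str]] = None   # (attribute Name, required value)

    def matches(self, e: Entity) -> bool:
        if self.by_name is not None:
            return e.entity_id == self.by_name
        if self.by_group is not None:
            return self.by_group in e.groups
        if self.by_tag is not None:
            attr, value = self.by_tag
            return value in e.tags.get(attr, set())
        return False


# Constructed override list, in the order it would appear in relying-party.xml.
OVERRIDES = [
    Override("shibboleth.NoUserConsentRelyingParty", consent=False, by_tag=(HOME_ORG_OID, "example.org")),
    Override("CoCoRelyingParty", consent=True, by_tag=(ENTITY_CATEGORY, COCO_V1)),
]
DEFAULT_CONSENT = True   # shibboleth.DefaultRelyingParty keeps the consent flow


def select_override(entity: Entity, overrides: List[Override] = OVERRIDES) -> Optional[str]:
    """First match wins, so the order of the list is significant."""
    for o in overrides:
        if o.matches(entity):
            return o.name
    return None


def consent_required(entity_id: str, metadata: str = SAMPLE_METADATA) -> bool:
    """Will the consent page be shown to users logging in to this SP?"""
    entity = next(e for e in parse_metadata(metadata) if e.entity_id == entity_id)
    for o in OVERRIDES:
        if o.matches(entity):
            return o.consent
    return DEFAULT_CONSENT
```

The tagged SP matches both overrides; which one applies depends only on list order, so reversing OVERRIDES flips the decision. That is the "first match wins" caveat from the slide, and the reason a broad category override (CoCo, R&S) should be placed deliberately relative to narrower ones.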
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Page 59
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61
Updating the Home Organisation Description
Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Page 62

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints

To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Resource Registry form: sections 1, 2 to review; section 3 to adapt]

Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

Page 65

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

What to adapt in the Resource Registry, then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.

Page 67

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.

Page 68
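The log check from the slide above, as an added Python example that is not part of the handout: instead of a bare grep it reports, per SP, when a binding was last seen and whether that is older than the chosen window, so the decision to drop an endpoint rests on a date rather than on eyeballing grep output. The log line layout is constructed for this example and is not a verbatim copy of the idp-process.log format (the slide only says the lines carry time and SP); the binding URNs are the standard SAML ones.

```python
import re
from datetime import datetime
from typing import Dict, Tuple

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
TRAINING_DATE = datetime(2015, 6, 11)   # the "now" used in the demo below

# Constructed sample log lines (layout assumed for this example, not the real format).
SAMPLE_LOG = """\
2015-01-14 09:02:11,532 - INFO - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect for relying party https://sp.example.org/shibboleth
2015-02-03 16:45:09,018 - INFO - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth
2015-03-21 11:12:40,771 - INFO - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth
2015-05-30 08:00:01,003 - WARN - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
"""

# Timestamp, any SAML 1.0/2.0 binding URN, and the relying party named after it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?"
    r"(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+).*?"
    r"relying party (?P<sp>\S+)"
)


def last_use_by_sp(log_text: str, binding: str) -> Dict[str, datetime]:
    """Latest timestamp per relying party at which `binding` appears in the log."""
    latest: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("binding") != binding:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        sp = m.group("sp")
        if sp not in latest or ts > latest[sp]:
            latest[sp] = ts
    return latest


def safe_to_remove(log_text: str, binding: str, now: datetime,
                   months: int = 3) -> Tuple[bool, Dict[str, datetime]]:
    """True if no SP used `binding` within the last `months` (approximated as 30-day months).

    Also returns the per-SP last-use map so the operator can see who still depends on it.
    """
    uses = last_use_by_sp(log_text, binding)
    cutoff_days = 30 * months
    recent = {sp: ts for sp, ts in uses.items() if (now - ts).days < cutoff_days}
    return (len(recent) == 0, uses)


if __name__ == "__main__":
    for binding in (SAML1_SOAP, SAML2_SIMPLESIGN):
        ok, uses = safe_to_remove(SAMPLE_LOG, binding, TRAINING_DATE)
        print(binding, "-> safe to remove" if ok else "-> still in use", uses)
```

Run against the real files this would be `last_use_by_sp(open(path).read(), SAML1_SOAP)` over each idp-process-*.log in /opt/shibboleth-idp/logs, after adjusting LINE_RE to the actual line layout; the logic of "last seen per SP, compare against a window" stays the same.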
SWITCHaai Team, aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70
Example Environment
[Two diagram slides of the example cluster environment]

Page 71
Options

• Full-featured setup: load balancing hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy
Options

• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72
Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
----------------------  --------------------  ----------
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75
Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76
References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77
SWITCHaai Team, aai@switch.ch

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78
SWITCHaai Team, aai@switch.ch

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79
All Academic Identity Federations Globally
[World map of federations, marked production / pilot]
Source: https://refeds.org/federations/federations-map
eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                      Defined in   Example
-------------------------------------------------  -----------  ------------------------------------------------------------
displayName                                        eduPerson    Peter Sample
common name (cn)                                   eduPerson    Peter Sample
mail                                               eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  eduPerson    staff / staff@example.org
eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
schacHomeOrganization                              SCHAC        example.org
schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81
Enabling Interfederation (2)
[Screenshot of the interfederation option in the Resource Registry]

https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy stack: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82
SWITCHaai Team, aai@switch.ch

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83
Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other

In an interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Diagram slide]

Page 84
GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Diagram: increase the trust in Service Providers (SPs); SPs commit to the GÉANT Data Protection Code of Conduct, Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct

• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86
REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
----------------------------  ---------------------------------
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Page 87
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration
How attributes are released

Attribute Release Rules
[Diagram slide]

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]

Page 89
Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf

Page 90
Tomcat log files

catalina.out: console output (System.err/out) from Tomcat
• default logging location: /var/log/tomcat7
• config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (one of SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)

localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
• default logging location: /var/log/tomcat7
• config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91
Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

By default the SMTPAppender sends one mail per ERROR-level event, containing that event and the buffered events preceding it, so the root level only determines what ends up in the buffer, not how many mails are sent. With the configuration above the mail goes unauthenticated to the local MTA; if you relay to another host, configure STARTTLS and credentials on the appender, since the log lines may contain user identifiers.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284] and [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are available under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=<bean-id>
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=<md-id>
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
• Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
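The following helper is an added example, not SWITCH or Shibboleth project code. It turns the bean ID list above into an operator tool: it remembers a SHA-256 digest of every file under conf/, and on the next run reloads only the services whose files actually changed, via the reload-service admin flow. Files that no service can reload (services.xml, global.xml, the *.properties files) are reported separately, because only a container restart picks those up. The file-to-service mapping is taken from the list above; the base URL https://aai-login.example.org/idp and the state file location are assumptions, and the flow is called from the IdP host itself because the default access-control.xml only admits localhost.

```python
"""Reload only the Shibboleth IdP v3 services whose conf/ files changed since the last run."""
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.parse
import urllib.request

# conf/ file -> bean ID of the service that reloads it (from the slide's list)
SERVICE_FOR_FILE = {
    "logback.xml": "shibboleth.LoggingService",
    "attribute-filter.xml": "shibboleth.AttributeFilterService",
    "attribute-resolver.xml": "shibboleth.AttributeResolverService",
    "saml-nameid.xml": "shibboleth.NameIdentifierGenerationService",
    "relying-party.xml": "shibboleth.RelyingPartyResolverService",
    "credentials.xml": "shibboleth.RelyingPartyResolverService",
    "access-control.xml": "shibboleth.ReloadableAccessControlService",
}
RELOADABLE_SERVICES = frozenset(SERVICE_FOR_FILE.values())


def service_for(filename):
    """Bean ID that reloads this conf/ file, or None if the change needs a container restart."""
    if filename in SERVICE_FOR_FILE:
        return SERVICE_FOR_FILE[filename]
    # split resolver/filter files such as attribute-resolver-local.xml
    if filename.startswith("attribute-resolver-") and filename.endswith(".xml"):
        return "shibboleth.AttributeResolverService"
    if filename.startswith("attribute-filter-") and filename.endswith(".xml"):
        return "shibboleth.AttributeFilterService"
    return None  # services.xml, global.xml, ldap.properties, ...


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def changed_services(conf_dir, state_file):
    """Compare conf/ with the digests saved at the last run.

    Returns (bean IDs to reload, changed files that need a restart instead)
    and writes the current digests to state_file.
    """
    try:
        with open(state_file) as fh:
            old = json.load(fh)
    except (OSError, ValueError):
        old = {}
    new = {}
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if os.path.isfile(path) and name.endswith((".xml", ".properties")):
            new[name] = sha256_of(path)
    services, restart_only = [], []
    for name, digest in new.items():
        if old.get(name) == digest:
            continue
        service = service_for(name)
        if service is None:
            restart_only.append(name)
        elif service not in services:
            services.append(service)
    with open(state_file, "w") as fh:
        json.dump(new, fh)
    return services, restart_only


def reload_url(base_url, service_id):
    """Build the admin-flow URL; refuse IDs that are not known reloadable services."""
    if service_id not in RELOADABLE_SERVICES:
        raise ValueError("not a reloadable service: %s" % service_id)
    query = urllib.parse.urlencode({"id": service_id})
    return base_url.rstrip("/") + "/profile/admin/reload-service?" + query


def reload_service(base_url, service_id, timeout=30):
    """Call the reload flow; returns the HTTP status (anything but 200 means the reload failed)."""
    try:
        with urllib.request.urlopen(reload_url(base_url, service_id), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo_in_tempdir():
    """Constructed sample: three conf files, scanned before and after editing one of them."""
    with tempfile.TemporaryDirectory() as workdir:
        conf = os.path.join(workdir, "conf")
        os.mkdir(conf)
        state = os.path.join(workdir, "reload-state.json")
        samples = {"attribute-filter.xml": "<a/>", "ldap.properties": "x=1", "relying-party.xml": "<r/>"}
        for name, body in samples.items():
            with open(os.path.join(conf, name), "w") as fh:
                fh.write(body)
        first = changed_services(conf, state)
        with open(os.path.join(conf, "attribute-filter.xml"), "w") as fh:
            fh.write("<a><b/></a>")
        second = changed_services(conf, state)
        third = changed_services(conf, state)
        return first, second, third


if __name__ == "__main__":
    base = "https://aai-login.example.org/idp"  # assumed IdP base URL
    to_reload, need_restart = changed_services("/opt/shibboleth-idp/conf", "/var/tmp/idp-reload-state.json")
    for service in to_reload:
        print(service, reload_service(base, service))
    if need_restart:
        print("container restart required for:", ", ".join(need_restart))
```

Run it from cron or after each configuration edit; a non-200 status means the IdP rejected the new file and kept the old configuration, so check idp-process.log before editing further.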
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process   ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption   ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load the interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
    (the IdP has no metadata for that SP, so the request falls into the relying-party configuration for unknown entities, which has no SSO profile enabled; this is the intended safe default, not a bug)
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's idp-audit.log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so the problem was not discovered earlier. (The IdP encrypts to the key the SP publishes in its metadata; if the SP does not hold the matching private key, or has never processed encrypted assertions, decryption fails.)

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck/
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org/
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.

New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors
Page 36
New features example:

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)
Page 37
Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.
Page 38
Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• The IdP API for scripts has changed
  • the output attribute variable is already created
  • setValues() was removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
Page 39
Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded). The salt is what makes the ID a pseudonym: anyone who knows the salt and a user's source attribute value can recompute that user's ID for every SP, so keep it secret and never change it, or all existing IDs become invalid
• when used in a federation, always qualified by the IdP and SP entity IDs
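The computation described above, as an added example that is not SWITCH or Shibboleth code. It mirrors the algorithm the slide names (SHA-1 over the SP entity ID, the source attribute value and the salt, Base64-encoded); the "!" separator between the three inputs is what the open-source IdP's computed-ID strategy uses, but verify the output against an ID your own IdP has issued before relying on the exact value. The functions show the pair-wise property (one user, two SPs, two unrelated IDs), parse the SP-side "IdP!SP!ID" rendering, and check a presented ID in constant time. All entity IDs, the user value and the salt are constructed sample values.

```python
"""Shibboleth-style computed persistent ID: SHA-1(sp!user!salt), Base64."""
import base64
import hashlib
import hmac
import secrets


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entity ID, '!', source attribute value, '!', salt; 20 bytes -> 28 Base64 chars."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """The string an SP sees when it maps the NameID into an attribute: qualifiers joined with '!'."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_sp_rendering(value):
    """Split the SP-side string and check that the ID part decodes to a 20-byte value."""
    parts = value.split("!")
    if len(parts) != 3:
        raise ValueError("expected idp!sp!id, got %d parts" % len(parts))
    idp, sp, pid = parts
    if len(base64.b64decode(pid, validate=True)) != 20:
        raise ValueError("persistent ID is not a SHA-1 sized value")
    return idp, sp, pid


def belongs_to(persistent_id, sp_entity_id, source_value, salt):
    """Constant-time check whether a presented ID is the one this user would get at this SP."""
    expected = computed_persistent_id(sp_entity_id, source_value, salt)
    return hmac.compare_digest(expected, persistent_id)


# constructed sample entity IDs
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def demo(salt=None):
    """Constructed sample: one user, two SPs. Returns both IDs and the SP-side rendering at SP_A."""
    if salt is None:
        # sample only; in the IdP the salt is idp.persistentId.salt in credentials.properties
        salt = secrets.token_urlsafe(24)
    user = "123456@example.org"  # sample swissEduPersonUniqueID value
    id_a = computed_persistent_id(SP_A, user, salt)
    id_b = computed_persistent_id(SP_B, user, salt)
    return id_a, id_b, sp_rendering(IDP, SP_A, id_a)


if __name__ == "__main__":
    id_a, id_b, rendered = demo()
    print("ID at SP A:", id_a)
    print("ID at SP B:", id_b)
    print("SP-side rendering:", rendered)
```

Note that the computed variant is not revocable: the only way to give a user a fresh ID at one SP is the stored (database-backed) generator, which is why the configuration slides that follow use shibboleth.StoredPersistentIdGenerator.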
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration; the file also holds the key store passwords, so keep it readable by the IdP's service account only)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or terms change.

What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• With global consent disabled, users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (defaults in brackets).
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP:
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> […]
• Other mappings are configurable, but the key is still the entityID (a default value is available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

• Add the text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
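The following scanner is an added example, not SWITCH or Shibboleth code. It reads the entity attributes shown above out of a metadata file and answers two questions that come up on the interfederation troubleshooting slides and here: which SPs in the loaded metadata declare the CoCo or R&S entity category, and which entities carry the swissEduPersonHomeOrganization tag that a RelyingPartyByTag override matches on. The metadata below is constructed in the shape of the slide's example; apart from the category URIs and the OIDs, entity IDs and values are samples. Entity categories are only as trustworthy as the metadata signature the IdP validated when loading the file, so run this on the aggregate the IdP actually loaded, not on something fetched separately.

```python
"""List SPs by entity category and entities by home-organisation tag from SAML metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# Constructed sample metadata (not a real federation aggregate); entity IDs are sample values.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4" FriendlyName="swissEduPersonHomeOrganization">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://research.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aai-login.example.org/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(entity):
    """Return {attribute Name: [values]} from the entity's <mdattr:EntityAttributes>, if any."""
    result = {}
    for attr in entity.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def scan(metadata_xml):
    """One record per entity: entityID, whether it has an SP role, and its entity attributes."""
    root = ET.fromstring(metadata_xml)
    entities = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entities.append({
            "entityID": ed.get("entityID"),
            "is_sp": ed.find("md:SPSSODescriptor", NS) is not None,
            "attrs": entity_attributes(ed),
        })
    return entities


def sps_with_category(entities, category):
    """Entity IDs of SPs that declare the given entity category."""
    return sorted(e["entityID"] for e in entities
                  if e["is_sp"] and category in e["attrs"].get(ENTITY_CATEGORY, []))


def entities_with_home_org(entities, home_org):
    """Entity IDs tagged with the given swissEduPersonHomeOrganization value (SPs and IdPs)."""
    return sorted(e["entityID"] for e in entities
                  if home_org in e["attrs"].get(HOME_ORG, []))


if __name__ == "__main__":
    found = scan(SAMPLE_METADATA)  # replace with open(".../metadata.interfederation-sps.xml").read()
    print("CoCo SPs:", sps_with_category(found, COCO_V1))
    print("R&S SPs:", sps_with_category(found, REFEDS_RS))
    print("tagged switch.ch:", entities_with_home_org(found, "switch.ch"))
```

Whitespace around attribute values is stripped because aggregates often pretty-print them across lines, exactly as the slide's example does; the IdP's own matching does the same normalisation.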
Example relying party override
Disables the consent flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Page 58
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (the tar.gz package is recommended for Linux)
• Verify the package against the PGP signature (.asc file) published next to it before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.
Page 62
Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch/

Home Organisation Description
(Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).
Page 65
2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because there is only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key, and the IdP checks the signature with the SP's public key from metadata. Authentication of the requester thus moves from the transport layer to the message layer; the transport (TLS to the IdP's server certificate) still protects the query and the response on the wire.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it is better to have published in metadata only what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find out whether there were SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
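The grep above still leaves it to the reader to spot the most recent hit. The following shell script is an added example (not part of the SWITCH handout) that wraps the same check in functions: one reports the last timestamp and requesting SP for a binding URI across any number of idp-process log files, the other classifies a removal candidate as "used" or "unused". The log line layout in the constructed sample is illustrative; the `Requester` extraction in `last_binding_use` must be adjusted to match your own idp-process.log lines.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: find the last use of a SAML
# profile/binding in idp-process*.log before removing its endpoint from the
# Resource Registry. The sample log format below is constructed.

# Binding URIs the slide names as removal candidates.
SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_POST_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# last_binding_use BINDING LOGFILE...
# Prints "<date> <time> <requester>" of the newest line mentioning BINDING;
# prints nothing and returns 1 if the binding never appears.
last_binding_use() {
    binding=$1; shift
    [ $# -gt 0 ] || return 2                      # never fall back to stdin
    # log lines start with an ISO timestamp, so a plain sort orders them by time
    line=$(grep -h -F -- "$binding" "$@" 2>/dev/null | sort | tail -n 1)
    [ -n "$line" ] || return 1
    ts=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    # the requesting SP follows "Requester " in the constructed format (assumption)
    sp=$(printf '%s\n' "$line" | sed -n 's/.*Requester \([^ ,]*\).*/\1/p')
    printf '%s %s\n' "$ts" "$sp"
}

# binding_status BINDING LOGFILE...  -> "used" or "unused"
binding_status() {
    if last_binding_use "$@" >/dev/null; then echo used; else echo unused; fi
}

# Constructed sample of idp-process log lines (layout is illustrative only).
write_sample_log() {
    cat > "$1" <<'EOF'
2015-03-02 10:15:01,004 - INFO [net.shibboleth.idp.profile:112] - Profile Action: inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, Requester https://sp-old.example.org/shibboleth
2015-06-01 08:00:12,770 - INFO [net.shibboleth.idp.profile:112] - Profile Action: inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, Requester https://sp.example.org/shibboleth
2015-06-10 17:45:59,310 - INFO [net.shibboleth.idp.profile:112] - Profile Action: inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, Requester https://aa-client.example.org/shibboleth
EOF
}

# Usage on a real IdP (path from the slide):
#   last_binding_use "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log
#   binding_status "$SAML2_POST_SIMPLESIGN" /opt/shibboleth-idp/logs/idp-process-2015-*.log
```

Run it over all rotated files of the period you care about (several months, as the slide recommends) and only remove an endpoint whose binding reports "unused" for that whole period.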
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (figures on two slides)
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
Options: Basic setup (active/standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage, client-side vs. server-side
• A server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
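The four properties above are where a cluster most often still carries single-node defaults. The following shell script is an added example (not from the SWITCH handout or the IdP distribution) that reads an idp.properties file and compares each storage property with the Storage Recommendations table: client storage for the user session, the database-backed shibboleth.JPAStorageService for consents and artifacts, and the in-memory shibboleth.StorageService for the replay cache. The bean IDs shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService and shibboleth.StorageService are the stock IdP v3 storage beans; the sample file is constructed to resemble the stock defaults, not a real site's configuration.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: audit the storage service
# properties in idp.properties against the clustering recommendations.
# Returns the number of properties that deviate from the recommendation.

# get_prop FILE KEY -> value of KEY (last definition wins; comments ignored)
get_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')    # escape dots for the regex
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_storage_config FILE
# Prints one OK/MISMATCH line per storage entity; exit status = mismatches.
check_storage_config() {
    file=$1
    mismatches=0
    # "property recommended-bean" pairs taken from the Storage Recommendations
    # table: Client = per-client cookie, Common Database = JPA storage,
    # Memory = in-memory storage service.
    for pair in \
        'idp.session.StorageService shibboleth.ClientSessionStorageService' \
        'idp.consent.StorageService shibboleth.JPAStorageService' \
        'idp.artifact.StorageService shibboleth.JPAStorageService' \
        'idp.replayCache.StorageService shibboleth.StorageService'
    do
        prop=${pair%% *}
        want=${pair#* }
        have=$(get_prop "$file" "$prop")
        if [ "$have" = "$want" ]; then
            printf 'OK        %s = %s\n' "$prop" "$have"
        else
            printf 'MISMATCH  %s = %s (recommended for a cluster: %s)\n' \
                "$prop" "${have:-<unset>}" "$want"
            mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# Constructed sample resembling the stock IdP v3 defaults, where consents
# live in a cookie and artifacts in memory (both unsuitable for a cluster).
write_sample_properties() {
    cat > "$1" <<'EOF'
# idp.properties (constructed excerpt for this example)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

# Usage on a real node:  check_storage_config /opt/shibboleth-idp/conf/idp.properties
```

The exit status makes the check usable from a deployment pipeline: a non-zero status means at least one entity would be lost or inconsistent when a node is taken out of the cluster.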
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
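The setup steps above leave open how to confirm that every node really ends up with the same key after a rotation. The following shell script is an added example (it is not the Shibboleth wiki's cron script and not part of the handout): the designated node generates a new key version, copies the keystore and version file to the other nodes, and then verifies that all nodes report the same CurrentVersion. The node names, the option names of bin/seckeygen.sh and the "CurrentVersion" property in sealer.kver are assumptions for this example; compare them with the script and files in your own installation before use.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth wiki: rotate
# the session-cookie sealer key on the designated node, distribute it, and
# verify every node carries the same key version.
IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
SEALER_JKS="$IDP_HOME/credentials/sealer.jks"
SEALER_KVER="$IDP_HOME/credentials/sealer.kver"
OTHER_NODES=${OTHER_NODES:-"idp2.example.org idp3.example.org"}   # assumed hosts

# kver_version FILE -> CurrentVersion value of a sealer.kver file
# (Java properties format, key name as written by seckeygen.sh; assumption)
kver_version() {
    sed -n 's/^CurrentVersion[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# same_version REF_KVER KVER... -> 0 if all files carry REF_KVER's version
same_version() {
    ref=$(kver_version "$1"); shift
    [ -n "$ref" ] || return 1
    for f in "$@"; do
        [ "$(kver_version "$f")" = "$ref" ] || return 1
    done
    return 0
}

# rotate_and_distribute: run from cron on the designated node only
rotate_and_distribute() {
    # 1. generate a new key version locally; the keystore password is the
    #    idp.sealer.password property from idp.properties
    storepass=$(sed -n 's/^idp\.sealer\.password[[:space:]]*=[[:space:]]*//p' \
        "$IDP_HOME/conf/idp.properties")
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$SEALER_JKS" --storepass "$storepass" \
        --versionfile "$SEALER_KVER" --alias secret || return 1
    # 2. copy keystore and version file to every other node
    for node in $OTHER_NODES; do
        scp -q "$SEALER_JKS" "$SEALER_KVER" "$node:$IDP_HOME/credentials/" || return 1
    done
    # 3. read the version file back from each node and compare
    tmp=$(mktemp -d)
    for node in $OTHER_NODES; do
        scp -q "$node:$SEALER_KVER" "$tmp/$node.kver" || { rm -rf "$tmp"; return 1; }
    done
    same_version "$SEALER_KVER" "$tmp"/*.kver
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A non-zero exit from the cron job is the signal worth alerting on: a node with an older key version cannot decrypt session cookies sealed by the others, so users hitting that node are forced to log in again, which is exactly the outage the cluster is meant to avoid.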
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (figure: world map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                             Defined in   Example
displayName                               eduPerson    Peter Sample
common name (cn)                          eduPerson    Peter Sample
mail                                      eduPerson    peter.sample@example.org
eduPersonAffiliation                      eduPerson    staff
eduPersonScopedAffiliation                eduPerson    staff@example.org
eduPersonPrincipalName                    eduPerson    234cd8z239@example.org
schacHomeOrganization                     SCHAC        example.org
schacHomeOrganizationType                 SCHAC        urn:schac:homeOrganizationType:ch:university
                                                       urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID  eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2) (figure: Resource Registry screenshot; https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (figure)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                       GÉANT DP CoCo
Global                           Mainly Europe
Common purpose of the SPs        Common data protection standards
Fixed set of attributes          SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (figure)

Attribute Release Settings (1) (figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (figure)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Log files
  • error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, i.e.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>
By default the SMTPAppender sends a mail when an event of level ERROR is logged, and the mail contains the buffered events that preceded it.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
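To make the curl approach repeatable, the following shell script is an added example (not from the SWITCH handout or the IdP distribution) that builds the admin flow URL, performs the reload and returns the HTTP status, and extracts the candidate bean IDs from services-system.xml with sed instead of reading the grep output by eye. The host name is an assumption; since the reload URLs answer only to localhost by default, the script is meant to run on the IdP node itself. The XML excerpt in the test is constructed from the bean IDs the next slide lists, not copied from a real services-system.xml.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: trigger IdP v3 service reloads
# with curl and list the bean IDs that can be passed as id= argument.
IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}   # assumed host
SERVICES_SYSTEM=${SERVICES_SYSTEM:-/opt/shibboleth-idp/system/conf/services-system.xml}

# reload_url KIND ID -> admin flow URL; KIND is "service" or "metadata"
reload_url() {
    printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# reload_service BEAN_ID -> HTTP status code of the reload request
# (a 200 means the flow ran; check idp-process.log for the reload outcome)
reload_service() {
    curl -s -o /dev/null -w '%{http_code}' "$(reload_url service "$1")"
}

# reload_metadata PROVIDER_ID -> HTTP status code of the metadata reload
reload_metadata() {
    curl -s -o /dev/null -w '%{http_code}' "$(reload_url metadata "$1")"
}

# list_bean_ids [FILE] -> id attribute of every <bean ...> start tag, one per
# line; these are the candidates for the id= argument of reload-service
list_bean_ids() {
    sed -n 's/.*<bean[^>]*[[:space:]]id="\([^"]*\)".*/\1/p' "${1:-$SERVICES_SYSTEM}"
}

# Usage on the IdP node:
#   list_bean_ids
#   reload_service shibboleth.AttributeFilterService
#   reload_metadata SWITCHaaiMetadata   # placeholder provider id
```

Pair `reload_service` with a syntax check of the file you just edited: the HTTP status only tells you the flow was reached, while a failed reload leaves the previously loaded configuration active and writes the parse error to idp-process.log.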
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to check out why it fails
      · If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
New features exampleltresolverDataConnector id=myStoredId xsitype=dcStoredId generatedAttributeID=persistentID sourceAttributeID=idppersistentIdsourceAttribute salt=idppersistentIdsalt queryTimeout=0gt ltresolverDependency ref=idppersistentIdsourceAttribute gt ltdcBeanManagedConnectiongt shibbolethPostgreSQLDataSource ltdcBeanManagedConnectiongtltresolverDataConnectorgt
copy 2015 SWITCH 7
Hands-shyon 1Add a new local attribute definition and release it to theattribute viewer
UZH SAP user IDSAP User ID used internally by University of ZuumlrichSAML1 Name urnmaceunizhchuzhSapUserIdSAML2 Name urnoid1361411181711213Friendly name uzhSAPUserIdFormat SAP-ltusernamegt
source Resource Registry
copy 2015 SWITCH 8
Page 37
Hands-shyon 1 solutionattribute-shyresolver-shylocalxml
New file with
ltresolverAttributeDefinition id=uzhSAPUserId xsitype=adTemplategt ltresolverDependency ref=uid gt ltresolverAttributeEncoder xsitype=encSAML1String name=urnmaceunizhchuzhSapUserId encodeType=false gt ltresolverAttributeEncoder xsitype=encSAML2String name=urnoid1361411181711213 friendlyName=uzhSAPUserId encodeType=false gt ltadTemplategtSAP-$uidltadTemplategt ltadSourceAttributegtuidltadSourceAttributegtltresolverAttributeDefinitiongt
copy 2015 SWITCH 9
Hands-shyon 1 solutionattribute-shyfilter-shylocalxml
New file with
ltafpAttributeFilterPolicy id=uzhSAPUserIdgt ltafpPolicyRequirementRule xsitype=basicAttributeRequesterString value=httpsattribute-vieweraaiswitchchshibboleth gt ltafpAttributeRule attributeID=uzhSAPUserIdgt ltafpPermitValueRule xsitype=basicANY gt ltafpAttributeRulegtltafpAttributeFilterPolicygt
Doable in Resource Registry too
copy 2015 SWITCH 10
Page 38
Hands-shyon 1 solutionservicesxml
Loads both new files
ltutillist id=shibbolethAttributeResolverResourcesgt ltvaluegtidphomeconfattribute-resolver-switchaai-corexmlltvaluegt ltvaluegtidphomeconfattribute-resolver-connectorsxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-otherxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-localxmlltvaluegtltutillistgt
ltutillist id=shibbolethAttributeFilterResourcesgt ltref bean=FileBackedSWITCHaaiAttributeFiltergt ltvaluegtidphomeconfattribute-filter-localxmlltvaluegtltutillistgt
copy 2015 SWITCH 11
ScriptedAttribute differences
IdP API for scripts has changed
output attribute variable already created
setValues() removed
and more see ScriptedAttributeDefinition fordetails
Alternatives mapped or template attribute definitions
JavaScript engine change between Java 7 (Rhino)and 8 (Nashorn) even more things to adapt
copy 2015 SWITCH
bullbullbullbull
bullbull
12
Page 39
Hands-shyon 2Add new eduPersonEntitlement values of the formhttpsexampleorggroupsltobjectClassgtusing the LDAP objectClass attribute without usingscript attributes
copy 2015 SWITCH 13
Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
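The following added example (Python; it is not part of the SWITCH handouts nor of the Shibboleth code) reproduces the computation described on this slide and shows why the salt is the security-critical input. The "!" separator bytes between the three inputs are an assumption taken from the Shibboleth ComputedId data connector; the slide only names the inputs. The salt and the swissEduPersonUniqueID values are constructed for the example.

```python
import base64
import hashlib

# Added example, not from the SWITCH handouts: derive a computed persistent ID
# the way the slide describes it (SHA-1 over SP entityID + source attribute
# value + salt, Base64 encoded) and show the pairwise and secrecy properties.
# Assumption: inputs are joined with '!' as in Shibboleth's ComputedId
# data connector; the page itself does not state the separator.

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"


def computed_persistent_id(sp_entity_id: str, source_id: str, salt: str) -> str:
    """SHA-1(spEntityID ! sourceID ! salt), 20 bytes, Base64 encoded (28 chars)."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(sp_entity_id: str, value: str,
                            idp_entity_id: str = IDP_ENTITY_ID) -> str:
    """The string form the Shibboleth SP renders: IdP!SP!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def recover_source_id(candidates, sp_entity_id: str, salt: str, target_pid: str):
    """What anyone holding the salt can do: reverse the pseudonym by trying
    plausible source IDs, since uniqueIDs themselves are not secret."""
    for candidate in candidates:
        if computed_persistent_id(sp_entity_id, candidate, salt) == target_pid:
            return candidate
    return None


if __name__ == "__main__":
    salt = "salt-carried-over-from-v2"     # constructed sample salt
    user = "123456@example.org"            # constructed swissEduPersonUniqueID
    sp_a = "https://sp.example.org/shibboleth"
    sp_b = "https://other.example.net/shibboleth"
    pid_a = computed_persistent_id(sp_a, user, salt)
    pid_b = computed_persistent_id(sp_b, user, salt)
    print(qualified_persistent_id(sp_a, pid_a))
    print(qualified_persistent_id(sp_b, pid_b))
    print("pairwise (differs per SP):", pid_a != pid_b)
    print("recovered with the salt:",
          recover_source_id(["111111@example.org", user], sp_a, salt, pid_a))
```

Two SPs receive unlinkable values for the same user, but the only secret input is the salt: with it, a persistent ID maps back to a user by a dictionary over candidate uniqueIDs. That is why the salt belongs in credentials.properties and must be carried over unchanged from v2; a new salt silently changes every user's identity at every SP.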
Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration unchanged: the salt is an input to the SHA-1 hash, so a different value changes every user's persistent ID at every SP, and it must be kept secret)
Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table
User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits
Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration

Configured by Java properties in conf/idp.properties (the value in brackets is the IdP's default).

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP:
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.
Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>
Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.
References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: Relying party overrides

Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant.
Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>
                    http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override

Disables the consent flows for SPs belonging to a home organisation (the referenced profile beans carry no postAuthenticationFlows, so no consent is shown for a matching SP):

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
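An added example (Python; not part of the handouts nor of the IdP code) that parses the EntityAttributes extension from SP metadata and applies the same tag matching and first-match-wins rule that the relying party overrides above rely on. The metadata is a constructed copy of the example slide; the override list in the main block is hypothetical.

```python
import xml.etree.ElementTree as ET

# Added example, not from the SWITCH handouts: read mdattr:EntityAttributes
# from an EntityDescriptor and evaluate RelyingPartyByTag-style candidates.

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"

# Constructed metadata, modelled on the example slide (namespaces declared here
# because the slide omitted them). The category value is deliberately wrapped in
# whitespace, as in the slide; values must be trimmed before comparison.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def entity_attributes(metadata_xml: str) -> dict:
    """Map attribute Name -> list of trimmed values from mdattr:EntityAttributes."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def matches_tag(metadata_xml: str, name: str, values) -> bool:
    """TagCandidate semantics: attribute 'name' carries any of 'values'."""
    wanted = set(values)
    return any(v in wanted for v in entity_attributes(metadata_xml).get(name, []))


def has_entity_category(metadata_xml: str, category: str) -> bool:
    return matches_tag(metadata_xml, ENTITY_CATEGORY, [category])


def first_matching_override(metadata_xml: str, overrides):
    """First match wins, like the order of shibboleth.RelyingPartyOverrides.
    overrides: list of (bean_id, attribute_name, values) tuples."""
    for bean_id, name, values in overrides:
        if matches_tag(metadata_xml, name, values):
            return bean_id
    return None


if __name__ == "__main__":
    overrides = [  # hypothetical override list, in configured order
        ("disableForSingleHomeOrganization", HOME_ORG_OID, ["example.org"]),
        ("cocoRelyingParty", ENTITY_CATEGORY, [COCO]),
    ]
    print(entity_attributes(SAMPLE_METADATA))
    print("selected override:", first_matching_override(SAMPLE_METADATA, overrides))
```

Note the trimming of attribute values: the category URI in the slide's metadata is surrounded by line breaks, and an untrimmed comparison would silently fail to match the SP.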
Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch
The IdPv3 makes upgrading easy: the upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux); verify the PGP signature published alongside it before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 Metadata.
Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints

To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form: items 1, 2 to review; item 3 to adapt)
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).
2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key, and the IdP verifies the signature with the SP's public key from metadata: the request is authenticated at the message level instead of at the transport level.
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was last used. Two caveats: the check only covers the period your log retention keeps, and a plain grep for the SAML2 HTTP-POST binding URI also matches HTTP-POST-SimpleSign lines, so check the SimpleSign URI separately.
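As an added example (Python; not from the handouts), the same check done programmatically over log lines: it reports the last use of a binding per relying party and flags bindings unused since a cutoff date, matching the binding URI as a whole token so that HTTP-POST does not swallow HTTP-POST-SimpleSign. The log lines are constructed: the timestamp prefix follows the IdP's default logback pattern, but the message text naming the binding and the relying party is made up for the example and will differ from real idp-process.log entries.

```python
import re

# Added example, not from the SWITCH handouts: last use per SP for each SAML
# binding, to decide which endpoints can be removed from the Resource Registry.

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample lines (not real IdP messages); only the timestamp layout
# matches the IdP's default idp-process.log pattern.
SAMPLE_LOG_LINES = [
    "2015-01-14 08:02:11,301 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound message binding "
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy.example.org/shibboleth",
    "2015-01-20 12:00:00,004 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound message binding "
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, relying party https://old.example.net/shibboleth",
    "2015-02-03 17:45:09,882 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound message binding "
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth",
    "2015-03-02 10:15:42,118 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound message binding "
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy.example.org/shibboleth",
    "2015-04-01 00:00:00,000 - INFO [net.shibboleth.idp.metadata:1] - Metadata reloaded",
    "2015-05-30 09:00:00,000 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound message binding "
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth",
]

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTITY_ID_RE = re.compile(r"https?://[^\s'\",]+")


def last_use(lines, binding: str) -> dict:
    """Map relying party entityID -> timestamp of its last use of 'binding'."""
    # Whole-token match: a substring search for the HTTP-POST URI would also
    # hit HTTP-POST-SimpleSign lines and report a wrong "last used".
    token = re.compile(re.escape(binding) + r"(?![\w-])")
    seen = {}
    for line in lines:
        if not token.search(line):
            continue
        ts = TIMESTAMP_RE.match(line)
        sp = ENTITY_ID_RE.search(line)
        if not ts or not sp:
            continue
        stamp, sp_id = ts.group(1), sp.group(0)
        if stamp > seen.get(sp_id, ""):   # ISO timestamps sort lexically
            seen[sp_id] = stamp
    return seen


def unused_since(lines, bindings, cutoff: str) -> list:
    """Bindings with no use on or after cutoff ('YYYY-MM-DD'): removal candidates."""
    candidates = []
    for binding in bindings:
        uses = last_use(lines, binding)
        if not uses or max(uses.values()) < cutoff:
            candidates.append(binding)
    return candidates


if __name__ == "__main__":
    for binding in (SAML1_SOAP, SAML2_POST, SAML2_POST_SIMPLESIGN):
        print(binding, last_use(SAMPLE_LOG_LINES, binding))
    print("unused since 2015-03-15:",
          unused_since(SAMPLE_LOG_LINES, [SAML1_SOAP, SAML2_POST, SAML2_POST_SIMPLESIGN], "2015-03-15"))
```

Run it over the concatenation of all rotated idp-process logs that your retention keeps; a binding that never appears in the window is still only "unused within the window", which is why the slide speaks of the last few months rather than of any absolute proof.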
Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch
Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (diagram, two slides)
copy 2015 SWITCH
Options bull Full-featured setup
Load Balancing Hardware vs DNS Round Robin Special load balancing hardware or software is highly recommended
bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored
bull Supports sticky sessions (required for short-lived conversation sessions)
DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions
bull Basic setup (ActiveStandby system) Anycast IP address
bull Fast switching possible but more complicated setup
Switching via DNS bull Switching takes some time (TTL) but setup is easy
7
copy 2015 SWITCH
Options

• Data storage: client-side vs server-side
  – A server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node: a message replayed to a different node is not detected (still, this is the default configuration)
  – For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remar

ks:
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key; it's recommended that one node generates a new key and copies it to the other nodes. Distribute a new key to all nodes before any node starts using it: a node that cannot decrypt a session cookie treats the user as not logged in and forces a new login.
• Setup:
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch
Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch
Why Interfederation?

• Most Federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map: Production / Pilot; source: https://refeds.org/federations/federations-map)
eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs

http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2) (screenshot of the Resource Registry; see https://www.switch.ch/aai/interfederation)
eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN document set: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch
Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria: purpose, policies, or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

(Diagram: metadata with entity category tags)
GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations learn the SP's commitment; the trust in Service Providers increases)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
18
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
19
Comparison
20
REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
2
Page 88
Attribute Release Settings (1)
3
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch
Apache log files
Log files:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
2
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
3
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the IdP's services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
4
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change if required, i.e.
  o LDAP auth module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
6
Page 92
SMTPAppender in logback.xml
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS" />
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>
http://logback.qos.ch/manual/appenders.html
7
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93
Hands On 2
9
Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
Hands-on 1 solution: attribute-resolver-local.xml
New file with:
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-$uid</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
9
Hands-on 1 solution: attribute-filter-local.xml
New file with:
  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
Doable in Resource Registry too
10
Page 38
Hands-on 1 solution: services.xml
Loads both new files:
  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>
11
ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt
12
Page 39
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes
13
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/$objectClass</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Add that new attribute to the definition of eduPersonEntitlement:
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
14
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
15
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team aai@switch.ch
Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
2
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://aai-login.example.org/idp/shibboleth" SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
3
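The derivation on the slide above, as an added example that is not code from the handout or from the Shibboleth IdP: it computes a persistent ID from SP entity ID, user attribute value and salt, renders the <NameID> and the SP's qualified string form, and parses that string back. The "!" separators in the hash input follow the computed-ID layout the IdP uses (an assumption you should verify against a shibpid row of your own IdP); the entity IDs, user value and salt are constructed sample data.

```python
import base64
import hashlib

# Constructed sample values, modelled on the slide's example.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID, source attribute value and the admin salt,
    Base64 encoded: a 20-byte digest becomes 28 characters ending in '='.
    Assumption: the inputs are joined with '!' as in the IdP's computed-ID
    generator; adapt this if your deployment differs."""
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")


def is_well_formed(persistent_id: str) -> bool:
    """True when the value is valid Base64 for exactly 20 bytes (SHA-1)."""
    try:
        return len(base64.b64decode(persistent_id, validate=True)) == 20
    except ValueError:
        return False


def name_id_element(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """The <NameID> the IdP places in the assertion's <Subject>."""
    return (
        f'<NameID Format="{PERSISTENT_FORMAT}" '
        f'NameQualifier="{idp_entity_id}" '
        f'SPNameQualifier="{sp_entity_id}">{pid}</NameID>'
    )


def sp_attribute_string(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """The Shibboleth SP exposes the qualified ID as IdP!SP!value."""
    return "!".join([idp_entity_id, sp_entity_id, pid])


def split_sp_attribute_string(value: str):
    """Reverse of sp_attribute_string: only the two qualifiers and the opaque
    value come back; the user behind it is not recoverable from the string."""
    idp, sp, pid = value.split("!", 2)
    return idp, sp, pid


if __name__ == "__main__":
    pid = compute_persistent_id(SP_ENTITY_ID, "123456789@example.org", "constructed-salt")
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_attribute_string(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```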
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
4
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
5
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump
6
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
7
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team aai@switch.ch
1
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
2
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change
3
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
4
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
5
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
6
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
7
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
8
Page 49
Part 2: Technical bits
9
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
10
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]
  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
11
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
12
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
13
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
14
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
15
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> […]
• Other mapping configurable, but the key is still the entityID (default value available)
16
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]
  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>
17
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP
18
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to
  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
19
Hands-on solution
• Add the text in messages/consent-messages.properties
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
20
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
21
Appendix: Disabling attribute consent prompt for particular SPs
22
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
23
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
24
Page 57
Example metadata with attributes
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
25
Example relying party override
Disables flows for SPs belonging to a home organisation
  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate" c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
26
Page 58
SWITCHaai Team aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
2
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
3
Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
4
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
5
Page 61
Updating the Home Organisation Description Changes in Resource Registry
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata might still cause some minor changes.
IdPv2 vs IdPv3 Metadata
- Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
- However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
- To change metadata, change the Home Organisation Description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
- 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
- 2 Descriptive Information: add new IP ranges and Domain Hints
- 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
- 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration: only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
- Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding
But only remove them after verifying that they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was last used.
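The same question answered from idp-audit.log, as an added example that is not from the handout. One audit line per request is easier to evaluate than idp-process.log: the script reports, per relying party, when a binding (and optionally a profile) was last used, and prints a keep/remove verdict for the three candidates listed above. Assumed, not stated on the page: the IdP v3 default audit layout (pipe-separated; fields 2, 4 and 5 are inbound binding, relying party and profile ID) and the v3 profile IDs for the SAML 1 attribute query and artifact resolution profiles; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the handout): which published endpoints are actually
# used? Evaluated from idp-audit.log, one pipe-separated line per request.
# Assumed v3 default layout: field 1 timestamp, field 2 inbound binding,
# field 4 relying party, field 5 profile ID. Sample lines are constructed.

# Print "timestamp|relyingParty" for the last request per SP that arrived over
# the given inbound binding (and profile, if given); prints nothing when unused.
endpoint_last_use() { # $1=audit log, $2=binding URN, $3=profile ID (optional)
    awk -F'|' -v b="$2" -v p="$3" '
        $2 == b && (p == "" || $5 == p) { last[$4] = $1 }
        END { for (sp in last) print last[sp] "|" sp }
    ' "$1" | sort
}

# Exit 0 when no request used the endpoint, 1 otherwise.
endpoint_unused() {
    [ -z "$(endpoint_last_use "$@")" ]
}

# Keep/remove verdict for the three candidates from the slide. The profile IDs
# are the v3 identifiers for the SAML 1 attribute query and artifact profiles
# (assumed); the SimpleSign SSO endpoint is matched on the binding alone.
report_removal_candidates() { # $1=audit log (rolled files concatenated)
    while IFS='|' read -r label binding profile; do
        if endpoint_unused "$1" "$binding" "$profile"; then
            echo "REMOVE  $label: no requests found"
        else
            echo "KEEP    $label: last used $(endpoint_last_use "$1" "$binding" "$profile" | tail -n 1)"
        fi
    done <<'EOF'
SSO HTTP-POST-SimpleSign|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign|
SAML1 SOAP attribute query|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|http://shibboleth.net/ns/profiles/saml1/query/attribute
SAML1 SOAP artifact resolution|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|http://shibboleth.net/ns/profiles/saml1/query/artifact
EOF
}

# Constructed sample audit lines (not real log data) in the assumed v3 layout.
sample_audit_lines() {
    cat <<'EOF'
2015-03-02T09:14:11.207Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp1.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o1|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,eduPersonAffiliation|_n1|_a1|
2015-03-02T09:14:12.331Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_q1|https://sp1.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_o2|user1||mail|_n1|_a2|
2015-05-20T16:02:40.018Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest|_s1|https://legacy.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml1/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_o3|user2|urn:oasis:names:tc:SAML:1.0:am:password|eduPersonAffiliation|_n2|_a3|
2015-06-09T08:30:05.552Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o4|user3|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,eduPersonPrincipalName|_n3|_a4|
EOF
}

# Usage: sh endpoint-usage.sh /opt/shibboleth-idp/logs/idp-audit*.log
if [ "$#" -ge 1 ]; then
    merged=$(mktemp)
    cat "$@" > "$merged"
    report_removal_candidates "$merged"
    rm -f "$merged"
fi
```

Feed it all rolled audit files covering the period you care about (a few months, as the slide says); a REMOVE verdict is only as good as the log retention window, so check that the oldest file actually reaches back far enough before editing the Resource Registry.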
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch
Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
- Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
- A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to re-login
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2
- Especially user login sessions are stored on the client instead of in server memory
- Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment
[Diagram of the example cluster environment, shown on two slides]
Options: Load Balancing Hardware vs DNS Round Robin
- Full-featured setup: special load balancing hardware or software is highly recommended
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  - Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably: the behavior of clients is not determinable and sticky sessions are not guaranteed
- Basic setup (Active/Standby system)
  - Anycast IP address: fast switching possible, but more complicated setup
  - Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side
- A server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on the client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity        Recommended Storage   Scope
Conversation Session  Memory                Per Node
IdP User Session      Client                Per Client
Persistent ID         Common Database       Cluster
User consents         Common Database       Cluster
SAML artifacts        Common Database       Cluster
Message replay cache  Memory                Per Node

Remarks
- Common Database means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted to the database backend that is to be used.
IdP Configuration: Secret Key Management
- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
- Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
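A rotation script in the spirit of the wiki's cronjob, written here as an added example (not the wiki's script and not SWITCH's). Assumptions not stated on the slide: the v3 seckeygen.sh options --storefile, --storepass, --versionfile, --alias and --count; the sealer password being the idp.sealer.password entry of idp.properties; key-based ssh/scp from the generating node to its peers (the peer host names are hypothetical); and the sealer.kver version file containing a line CurrentVersion=<n>. The keystore is copied before the version file so that no peer ever points at a key version it does not yet have, and the script fails loudly when a peer's version does not match afterwards.

```shell
#!/bin/sh
# Added example (not the Shibboleth wiki's cron script): rotate the sealer key
# used for the encrypted IdP session cookie on ONE node and distribute it.
# Assumptions (not on the slide): seckeygen.sh options --storefile/--storepass/
# --versionfile/--alias/--count; idp.sealer.password in conf/idp.properties;
# key-based ssh/scp to the peers; sealer.kver containing "CurrentVersion=<n>".
IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PEERS="${PEERS:-idp2.example.org idp3.example.org}"   # hypothetical peer nodes
KEEP=30    # key versions kept in the store; must cover the longest session lifetime

# Print the current key version number recorded in a sealer.kver file.
kver_current() {
    sed -n 's/^CurrentVersion=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# Return 0 when both version strings are non-empty and equal.
kver_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Read the sealer password from idp.properties instead of putting it on the
# command line of a cron entry (where it would show up in process listings).
sealer_password() {
    sed -n 's/^idp\.sealer\.password[[:space:]]*=[[:space:]]*//p' "$IDP_HOME/conf/idp.properties"
}

rotate_and_distribute() {
    cred="$IDP_HOME/credentials"
    before=$(kver_current "$cred/sealer.kver")
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$cred/sealer.jks" \
        --storepass "$(sealer_password)" --versionfile "$cred/sealer.kver" \
        --alias secret --count "$KEEP" || return 1
    after=$(kver_current "$cred/sealer.kver")
    [ "$after" != "$before" ] || { echo "key version did not advance" >&2; return 1; }
    for peer in $PEERS; do
        # Keystore first, version file second: a peer that reads the new
        # version number must already hold the key it refers to.
        scp -q "$cred/sealer.jks" "$peer:$cred/sealer.jks" || return 1
        scp -q "$cred/sealer.kver" "$peer:$cred/sealer.kver" || return 1
        remote=$(ssh "$peer" "sed -n 's/^CurrentVersion=//p' '$cred/sealer.kver'")
        kver_in_sync "$after" "$remote" || {
            echo "$peer out of sync (local $after, remote $remote)" >&2
            return 1
        }
    done
    echo "sealer key rotated to version $after on all nodes"
}

# Run from cron on the designated node only, e.g.:
#   0 2 * * * /usr/local/sbin/rotate-sealer.sh rotate
if [ "$1" = "rotate" ]; then
    rotate_and_distribute
fi
```

Only the designated node carries the cron entry; if two nodes ever rotate independently, their keystores diverge and the sessions of users bounced between nodes stop decrypting. Keep enough old versions (KEEP) that a session cookie issued just before a rotation still decrypts until it expires.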
Further Notes
- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta: no longer an option for IdPv3
Considerations for planning an IdP cluster
- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
References / Documentation
- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch
Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for Interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
Why Interfederation?
- Most federations are of national scope
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  - Research projects are mostly multi-national
- Interconnecting national federations: Interfederation
  - Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[World map of production and pilot federations; source: https://refeds.org/federations/federations-map]
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: 1257 IdPs, 963 SPs
- http://www.edugain.org
- https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation /        eduPerson    staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university,
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
[Screenshot of the interfederation option in the Resource Registry]

eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt in for eduGAIN; some federations decided for opt-out instead
- The MDS fetches, aggregates and republishes metadata
- Policy framework documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for internationally coherent use
- Criteria: purpose, policies, or other
- In the interfederation context: filling the gap of missing common policies; support or increase scalable trust
[Slide "Metadaten" (metadata): example of an entity category attribute in SAML metadata]
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
- Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
- Code of Conduct Toolkit:
  - Data Protection Code of Conduct for SPs in EU/EEA
  - Entity category attribute definition for the Code of Conduct
  - SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
REFEDS Research & Scholarship
- R&S SPs support research & scholarship interaction, collaboration and management
- No SPs from publishers
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname, OR displayName)
Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot, continued]
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
- error.log, e.g. aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log, e.g. aai-login.example.org.access.log
- Location: /var/log/apache2. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7. Config in /etc/tomcat7/logging.properties:
  FileHandler.level = INFO  (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7. Config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name)
Shibboleth log files (1)
- Logging implementation: Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level changes without restarting the IdP. services.properties entry: idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Shibboleth log files (2)
- Location: /opt/shibboleth-idp/logs
- Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
- Config: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings are usually ok. Change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender, ...
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
SMTPAppender in logback.xml

<!-- By default the SMTPAppender mails only when an ERROR event arrives
     (OnErrorEvaluator); lower-level events fill the cyclic buffer that is
     included in that mail, so a DEBUG root level does not mail every line. -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class in the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
- Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- Available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
- By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
- The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - Edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  - Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
- Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- Changes to global.xml (SQL data source, HTTP client settings)
- Changes to the authentication configuration, such as LDAP parameters etc.
- Changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
- And a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
- Try reloading a couple of the services listed above under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- Check what happens when specifying invalid bean IDs
- Insert a syntax error into a configuration file and try reloading the corresponding service
- Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding: opt-in vs opt-out, metadata, Discovery Service, attributes
- Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate, once the configuration is up-to-date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process; ⊕ entities unlikely to cause interoperability problems
- Opt-out
  - The federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  - ⊕ Quick adoption; ⊖ more likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes: in SWITCHaai two hours; for interfederation one to a few days
- Possible issue: the SP does not load interfederation metadata, so the SP does not know the IdP and fails
Discovery Service (DS)
- Within SWITCHaai users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
  - An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  - E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  - That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
- Missing attributes cause interoperation problems
  - Check the SP's attribute requirements in the Resource Registry
  - Verify that attributes were released (in the IdP's audit log)
    - If NO: check your IdP's attribute release policy
    - If YES: were all required attributes released? If YES, the SP has to check out why it fails; if NO, review your attribute release policy
- Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
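The "were all required attributes released?" check above, automated over idp-audit.log as an added example (not from the handout). Given the SP's entityID and the attribute list from its Resource Registry entry, the script takes the last SSO response sent to that SP and lists the required attributes that are missing; the exit code distinguishes "nothing missing" (the SP must look on its side) from "policy gap" and from "this SP never got an assertion at all" (usually the metadata or DS problem from the previous slides). Assumed, not on the page: the v3 default audit layout (field 4 relying party, field 5 profile ID, field 11 the comma-separated released attribute IDs); the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the handout): did the IdP release what the SP needs?
# Assumes the IdP v3 default audit layout, pipe-separated: field 1 timestamp,
# field 4 relying party, field 5 profile ID, field 11 released attribute IDs
# (comma-separated). Sample lines below are constructed, not real log data.

# Print the released-attribute list of the last SSO response sent to an SP;
# prints an empty line if no SSO response to that SP is in the log.
last_release_for_sp() { # $1=audit log, $2=SP entityID
    awk -F'|' -v sp="$2" '$4 == sp && $5 ~ /\/sso\/browser$/ { last = $11 } END { print last }' "$1"
}

# Count SSO responses sent to an SP (0 means the SP never got an assertion).
sso_count_for_sp() { # $1=audit log, $2=SP entityID
    awk -F'|' -v sp="$2" '$4 == sp && $5 ~ /\/sso\/browser$/ { n++ } END { print n + 0 }' "$1"
}

# Print each required attribute missing from the last release, one per line.
# Exit 0: nothing missing, the SP has to debug on its side.
# Exit 1: attributes missing, review the IdP's attribute release policy.
# Exit 2: no SSO response to this SP at all, look at metadata / DS first.
missing_attributes() { # $1=audit log, $2=SP entityID, $3=required attrs (comma list)
    [ "$(sso_count_for_sp "$1" "$2")" -gt 0 ] || return 2
    released=$(last_release_for_sp "$1" "$2")
    rc=0
    for attr in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$released," in
            *",$attr,"*) ;;
            *) echo "$attr"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: one interfederated SP got ePPN, mail and affiliation;
# a second SP got only a targeted ID.
sample_audit_log() {
    cat <<'EOF'
2015-06-10T14:03:21.417Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o1|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,eduPersonScopedAffiliation|_n1|_a1|
2015-06-10T14:05:02.008Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://other.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o2|user2|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonTargetedID|_n2|_a2|
EOF
}

# Usage: sh check-release.sh idp-audit.log https://sp.example.net/shibboleth eduPersonPrincipalName,mail,displayName
if [ "$#" -eq 3 ]; then
    missing_attributes "$1" "$2" "$3"
    case $? in
        0) echo "all required attributes released; ask the SP operator to check their side" ;;
        1) echo "missing attributes listed above; review the release policy for $2" ;;
        2) echo "no SSO response to $2 in $1; check metadata and discovery first" ;;
    esac
fi
```

The audit log only shows what left the IdP, so a "nothing missing" result is the evidence to hand to the SP operator; it says nothing about whether the SP's attribute-map.xml recognises those attribute names, which is the next thing to check on their side.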
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under Metadata URL click on "validate this metadata set", then on "show entities list"
  - Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  - Or try the "Is Federated" Checker at https://wiki.edugain.org/isFederatedCheck, providing email addresses or domain names
- Additional web pages of interest:
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  - REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities
- Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation"
- Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Hands-on 1 solution: services.xml
Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>
ScriptedAttribute differences
- The IdP API for scripts has changed:
  - the output attribute variable is already created
  - setValues() has been removed
  - and more; see ScriptedAttributeDefinition for details
- Alternatives: mapped or template attribute definitions
- JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt
Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.
Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
                                  sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlementgroups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
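Added example (not from the handouts): the default persistent ID computation from the third bullet and the SP-side rendering from the second, in Python; the digest input order (SP entity ID, '!', source attribute value, '!', salt) is the one used by the Shibboleth computed ID generator, which the stored generator also applies the first time it sees a user/SP pair before persisting the value in shibpid. Salt, user value and SP entity IDs are constructed samples.

```python
import base64
import hashlib

# Constructed sample values, not taken from any real deployment.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SALT = b"constructed-sample-salt-do-not-reuse"  # stands in for idp.persistentId.salt


def computed_persistent_id(sp_entity_id: str, source_id: str, salt: bytes) -> str:
    """Compute a persistent ID the way the IdP's computed ID generator does.

    The digest input is relyingPartyId + '!' + sourceId + '!' + salt; the
    20-byte SHA-1 result is Base64 encoded, which gives 28 characters.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The string the Shibboleth SP hands to applications: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def parse_sp_attribute_rendering(rendered: str) -> tuple:
    """Split the SP-side string back into (IdP entity ID, SP entity ID, value).

    Entity IDs do not contain '!', so splitting on the first two separators is
    safe; the Base64 value is whatever remains.
    """
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


def demo() -> dict:
    """Show the two properties the slides rely on: targeted and salt-bound IDs."""
    user = "123456@example.org"  # constructed swissEduPersonUniqueID-style source value
    sp_a = "https://sp.example.org/shibboleth"
    sp_b = "https://other-sp.example.net/shibboleth"
    pid_a = computed_persistent_id(sp_a, user, SALT)
    pid_b = computed_persistent_id(sp_b, user, SALT)
    pid_a_other_salt = computed_persistent_id(sp_a, user, b"a-different-salt")
    return {
        "pid_a": pid_a,
        "pid_b": pid_b,
        "rendered_a": sp_attribute_rendering(IDP_ENTITY_ID, sp_a, pid_a),
        # same user at two SPs: the two values cannot be linked to each other
        "targeted": pid_a != pid_b,
        # not carrying over the v2 salt silently changes every user's ID at every SP
        "salt_bound": pid_a != pid_a_other_salt,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```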
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options:
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
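Added example (not from the handouts): the white/black list and pattern rules from the previous slide, the 3.2.0 display order above, and the idp.consent.compareValues distinction from the per-attribute slide, modelled in Python so the effect of a given list configuration can be checked on a sample attribute set. The attribute IDs and values are constructed; the matching follows the rules as stated on these slides.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Black list default as listed on the slide: these are released without a prompt.
DEFAULT_BLACKLIST = {"transientId", "persistentId", "eduPersonTargetedID"}


class ConsentAttributeRules:
    """Decide which attributes the consent page shows, and in which order."""

    def __init__(self, whitelist: Optional[List[str]] = None,
                 blacklist: Optional[Set[str]] = None,
                 pattern: Optional[str] = None) -> None:
        # The white list is kept ordered because its order drives the display order.
        self.whitelist = list(whitelist or [])
        self.blacklist = set(DEFAULT_BLACKLIST if blacklist is None else blacklist)
        self.pattern = re.compile(pattern) if pattern else None

    def prompts_for(self, attribute_id: str) -> bool:
        # Black-listed attributes are never shown.
        if attribute_id in self.blacklist:
            return False
        # Empty white list and no pattern: prompt for everything else.
        if not self.whitelist and self.pattern is None:
            return True
        # Otherwise only white-listed or pattern-matched attributes are shown;
        # anything not mentioned in a list is released without asking.
        if attribute_id in self.whitelist:
            return True
        return self.pattern is not None and self.pattern.fullmatch(attribute_id) is not None

    def select(self, attribute_ids: Iterable[str]) -> List[str]:
        """Attributes to display: white list order first, then the rest alphabetically."""
        shown = [a for a in attribute_ids if self.prompts_for(a)]
        listed = [a for a in self.whitelist if a in shown]
        rest = sorted(a for a in shown if a not in self.whitelist)
        return listed + rest


def consent_needed(stored: Optional[Dict[str, List[str]]],
                   current: Dict[str, List[str]],
                   compare_values: bool = False) -> bool:
    """Re-prompt when the released information changed since the stored consent.

    compare_values=False (the idp.consent.compareValues default): only the set
    of attribute IDs decides.  compare_values=True: values are compared as well.
    """
    if stored is None:
        return True  # first access to this SP
    if set(stored) != set(current):
        return True
    if not compare_values:
        return False
    return any(sorted(stored[a]) != sorted(current[a]) for a in current)


def demo() -> dict:
    # Constructed attribute set for one SP, including two black-listed identifiers.
    attrs = ["mail", "eduPersonTargetedID", "displayName", "persistentId", "cn"]
    default_rules = ConsentAttributeRules()
    mail_only = ConsentAttributeRules(whitelist=["mail"])
    mail_first = ConsentAttributeRules(whitelist=["mail"], pattern="^.*$")
    before = {"mail": ["a@example.org"], "cn": ["A Sample"]}
    after = {"mail": ["b@example.org"], "cn": ["A Sample"]}
    return {
        "default": default_rules.select(attrs),          # all but the black list, alphabetical
        "mail_only": mail_only.select(attrs),            # cn and displayName released silently
        "mail_first": mail_first.select(attrs),          # mail first, then the rest alphabetically
        "value_change_default": consent_needed(before, after),
        "value_change_compared": consent_needed(before, after, compare_values=True),
    }
```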
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

  • Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
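Added example (not from the handouts): parsing the <mdattr:EntityAttributes> extension of an SP's metadata and evaluating RelyingPartyByTag candidates like the one in the override above, in Python, so you can see which SPs an override would catch before reloading the IdP. The metadata fragment reuses the values from the example slide; the candidate semantics assumed here are that all values listed for a candidate must be present on the entity and that any one matching candidate selects the override.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"        # swissEduPersonHomeOrganization
HOME_ORG_TYPE_OID = "urn:oid:2.16.756.1.2.5.1.1.5"   # swissEduPersonHomeOrganizationType

# Constructed fragment modelled on the example slide (namespaces added so it parses stand-alone).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""

# The single TagCandidate from the override on the slide (c:name / p:values).
SLIDE_CANDIDATES = [{"name": HOME_ORG_OID, "values": ["example.org"]}]


def entity_attributes(metadata_xml: str) -> Dict[str, List[str]]:
    """Collect <mdattr:EntityAttributes> into {attribute Name: [values]}."""
    root = ET.fromstring(metadata_xml)
    tags: Dict[str, List[str]] = {}
    for attr in root.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        tags.setdefault(attr.get("Name", ""), []).extend(values)
    return tags


def candidate_matches(tags: Dict[str, List[str]], name: str, values: List[str]) -> bool:
    """A candidate matches when the entity carries the attribute with all listed values."""
    present = set(tags.get(name, []))
    return bool(values) and all(v in present for v in values)


def override_applies(tags: Dict[str, List[str]], candidates: List[dict]) -> bool:
    """RelyingPartyByTag: the override is selected as soon as one candidate matches."""
    return any(candidate_matches(tags, c["name"], c["values"]) for c in candidates)


def consent_disabled_for(metadata_xml: str, candidates: List[dict]) -> bool:
    """Would an override like shibboleth.NoUserConsentRelyingParty catch this entity?"""
    return override_applies(entity_attributes(metadata_xml), candidates)


if __name__ == "__main__":
    tags = entity_attributes(SAMPLE_METADATA)
    print("entity attributes:", tags)
    print("slide override applies:", override_applies(tags, SLIDE_CANDIDATES))
    print("CoCo SPs would match:", override_applies(tags, [{"name": ENTITY_CATEGORY, "values": [COCO_V1]}]))
```

Adding a second candidate for the entity category URI shows how the same override would switch off the prompt for every CoCo-committed SP, which is the scaling argument made in the entity category part of the handouts.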
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu:          sudo service tomcat7 restart
  Red Hat/CentOS:  sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch/
Home Organisation Description
[Screenshot of the Home Organisation Description in the Resource Registry: items 1 and 2 to review, item 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change the URL for the Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then?
In "3. Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment
[Diagram of the example clustering environment, two slides]
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[World map of academic identity federations: Production / Pilot] Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org/
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
(Persistent Name ID)

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
[Screenshot of the interfederation option in the Resource Registry] https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy framework: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Diagram: entity category tags in metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; this increases the trust in Service Providers (SPs)]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

                 REFEDS R&S                   GÉANT DP CoCo
Scope            Global                       Mainly Europe
Common ground    Common purpose of the SPs    Common data protection standards
Attributes       Fixed set of attributes      SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
[Figure: screenshot only]
Page 88
Attribute Release Settings (1)
[Figure: screenshot of Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Figure: screenshot, continued]
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log
  LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2/
  Configuration is defined in the virtual host definition:
  directory /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  Default logging location: /var/log/tomcat7/
  Configured in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO
  (levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7/
  Configured in /etc/tomcat7/server.xml (output directory and file name)

Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor)
  Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log levels can be changed without restarting the IdP; the services.properties entry
  idp.service.logging.checkInterval = PT5M
  sets how often the logging configuration is checked for changes
• Automatic e-mail alerts on error (see the SMTPAppender slide)
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP's processing of requests
  • idp-warn.log: filtered view of idp-process.log (WARN level and above)
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions on attribute release and terms-of-use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually fine; change them if required, e.g.
  • for the LDAP auth module or authentication events
  • to add a new Logger or Appender, ...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note: the SMTPAppender only sends a mail when an ERROR-level event arrives, but that mail carries the buffered events that preceded the error. With the root logger at DEBUG (as in this test configuration) those events can include user identifiers and other request details, so keep the root level at INFO in production and make sure the mail path to the recipients is trusted.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to
   (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it can only be achieved with a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); keep that restriction, since the flows have no authentication beyond this IP-based access control and anyone who can reach them can force reloads at will
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified, so requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on the "Available bean IDs for service reloads" slide:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

[Figure: timeline of opt-in vs. opt-out rollout]

Three Examples
1) UK Data Archive, http://www.data-archive.ac.uk/
2) FUNET FileSender, https://filesender.funet.fi/
3) Wiseflow, https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperability problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's idp-audit.log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed, but not encrypted, SAML assertions, so the problem was not discovered earlier. The IdP encrypts the assertion with the encryption certificate found in the SP's metadata; an SP that does not hold the matching private key, or has no decryption credential configured, fails exactly at this point.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide e-mail addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org/
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution: create a new template attribute definition (without encoders) to generate the new values (the separators in the attribute definition IDs were lost in the handout; they are rendered here as eduPersonEntitlement.groups and eduPersonEntitlement.common-lib-terms)

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
Page 40
References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide
Page 41
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Page 42
Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
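As an added example (not part of the SWITCH handouts or of the Shibboleth code base), the following Python script reproduces the computed-persistent-ID construction just described and shows its two security properties: the value is targeted (it differs per SP) and stable for one user and SP, and it is only as strong as the salt, because a leaked or guessable salt turns the pseudonym into a dictionary problem. The "!" delimiter between the three hashed inputs is how I recall the Shibboleth ComputedId strategy and is an assumption; the entity IDs and user identifiers are constructed sample values.

```python
"""Computed persistent ID: Base64(SHA-1(spEntityID ! sourceID ! salt)).

Added example, not code from the SWITCH handouts or from Shibboleth.
Assumption: the inputs are joined with "!" (my recollection of the IdP's
ComputedId strategy); the properties shown do not depend on that detail."""
import base64
import hashlib
import secrets

# constructed sample entity IDs (the ones used on the slide)
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id: str, source_id: str, salt: bytes) -> str:
    """Hash SP entity ID, user source attribute and salt; 20-byte digest, Base64."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def render_eptid(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form exposed by the Shibboleth SP: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def guess_source_id(sp_entity_id: str, target_pid: str, candidates, salt: bytes):
    """Offline guessing attack: if the salt leaks (credentials.properties) and the
    source attribute is predictable (e.g. a numeric ID), the pseudonym is reversible.
    Returns the recovered source ID or None."""
    for cand in candidates:
        if computed_persistent_id(sp_entity_id, cand, target_pid and salt) == target_pid:
            return cand
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(32)  # constructed; in production: idp.persistentId.salt
    user = "123456@example.org"     # constructed sample source attribute value
    pid_a = computed_persistent_id(SP_A, user, salt)
    pid_b = computed_persistent_id(SP_B, user, salt)
    print(render_eptid(IDP, SP_A, pid_a))
    print("same user, other SP gets a different ID:", pid_a != pid_b)
    # with the salt in hand, a short candidate list is enough to unmask the user
    print("recovered:", guess_source_id(SP_A, pid_a, ["111111@example.org", user], salt))
```

The salt is therefore as sensitive as a signing key: it must be carried over between IdP versions (otherwise every user gets new IDs) and it must never leave the IdP host, because anyone holding it plus a list of plausible source attribute values can link pseudonyms back to users across all SPs.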
Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  • preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  • deprecates the StoredId data connector and the SAML2NameID attribute definition type
  • in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  • the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Page 43
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
• the dump holds the complete mapping between your users and their per-SP pseudonyms; together with the salt it is what makes persistent IDs linkable, so transfer it over a trusted channel only and delete it on both hosts once the import has been verified
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld):
  idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change:
  idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP; default mapping using the entityID (the colon in the key has to be escaped in a Java properties file):

  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]

Other mappings are configurable, but the key is still the entityID (a default value is available).
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

• Add the text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

Note that such an override trusts the tag in the SP's metadata: only load these tags from metadata whose signature you verify (your federation's), otherwise any SP could tag itself into the consent-free override.
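The override above keys on a tag in the SP's metadata. As an added example (not from the handouts or the IdP code base), here is a small Python evaluator for such tags: it reads the EntityAttributes extension of each entity in a metadata file, reports its entity categories and decides whether consent would be required under the policy of the slide. The sample metadata is constructed from the entity shown above; the second entity (sp.example.org, no tags) is invented for contrast, and the "any listed value matches" rule in matches_tag is my simplification, so check the TagCandidate semantics in the IdP documentation before copying it into policy.

```python
"""Evaluate SAML metadata <EntityAttributes> tags (entity categories,
swissEduPersonHomeOrganization) the way a RelyingPartyByTag override does.
Added example, not code from the SWITCH handouts or from the IdP."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# constructed sample: the entity from the slide plus an untagged SP
SAMPLE_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <Extensions/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def load_entities(xml_text):
    """Map entityID -> EntityDescriptor element."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): e for e in root.findall("md:EntityDescriptor", NS)}


def entity_attributes(entity):
    """Map attribute Name -> list of values from the EntityAttributes extension."""
    result = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def categories(entity):
    """Entity categories the SP claims (CoCo, R&S, ...)."""
    return set(entity_attributes(entity).get(ENTITY_CATEGORY, []))


def matches_tag(entity, name, values):
    """True if the entity carries tag `name` with at least one of `values`
    (simplified candidate matching; see the IdP docs for TagCandidate)."""
    return bool(set(entity_attributes(entity).get(name, [])) & set(values))


def consent_required(entity, home_orgs=("switch.ch",)):
    """Policy from the slide: no consent prompt for SPs of the listed home
    organisations, prompt for everybody else."""
    return not matches_tag(entity, HOME_ORG_OID, home_orgs)


if __name__ == "__main__":
    for entity_id, entity in load_entities(SAMPLE_METADATA).items():
        print(entity_id, sorted(categories(entity)), "consent:", consent_required(entity))
```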
Page 58
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (the .tar.gz package is recommended for Linux); verify the archive against the PGP signature published next to it before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features, but the existing configuration should still work without these changes
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 metadata.
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same, unlike with the upgrade from IdPv1 to IdPv2. Therefore, in theory, no metadata / Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch/

Home Organisation Description
[Figure: screenshot of the Resource Registry form; sections 1 and 2: to review; section 3: to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal e-mail addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
copy 2015 SWITCH
2 Change URL for Attribute Authority
New Recommendation Use same IP and same Port (443) for Attribute Authority (AA) Why Easier configuration because only one Apache VirtualHost one domain name and one certificate no X509 client authentication needed anymore
(SP still checks IdP webserver certificate agains IdPs metadata) Attribute Queries are hardly used anymore
(but will become important again for support of edu-ID)
9
copy 2015 SWITCH
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key, and the IdP checks the signature with the SP's public key from metadata. The trust therefore moves from the TLS layer to the SAML message signature, so the IdP must keep requiring signed attribute queries once client authentication is dropped.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry: in 3 Technical Information, change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it is better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
- Single Sign On Service with the SAML2 HTTP-POST-SimpleSign binding
- Artifact Resolution Service with the SAML1 SOAP binding
- Attribute Service with the SAML1 SOAP binding
But only remove them after verifying that they are not used.

How to check whether a profile and binding can be removed: check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used: check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was last used. Note that the check is only as good as the log retention: if the rotated logs no longer cover the whole observation window, an endpoint may look unused simply because the evidence has been deleted.
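The grep above answers the question "was this binding used at all"; before removing an endpoint, what you actually want is the most recent use per binding together with the SP that used it, evaluated against a cut-off date. The following script is an added example (not code from the SWITCH handout or the Shibboleth project). Its sample log lines are constructed: they only assume the logback-style "YYYY-MM-DD HH:MM:SS" prefix and that a line mentions the binding URI as "binding=<uri>" and the SP as "relyingParty=<entityID>". Real idp-process.log lines follow your logback pattern, so adapt LINE_RE accordingly.

```python
"""Report the last use of each SAML binding in IdP log lines, so that
hardly-used endpoints can be removed from metadata with evidence."""
import re
from datetime import datetime, timedelta

# Endpoint bindings named in the handout as removal candidates.
CANDIDATE_BINDINGS = (
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",          # SAML1 SOAP (AA, artifact)
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",  # SAML2 SSO SimpleSign
)

# Assumed line layout (constructed for this example, not the IdP's real pattern).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"   # logback %date prefix
    r".*?binding=(?P<binding>urn:oasis:names:tc:SAML:\S+)"
    r".*?relyingParty=(?P<sp>https?://\S+)"
)

# Constructed sample log (not real IdP output).
SAMPLE_LOG = """\
2015-01-12 09:14:03,118 - INFO [net.shibboleth.idp.profile] - binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://sp-old.example.org/shibboleth
2015-02-03 11:20:44,507 - INFO [net.shibboleth.idp.profile] - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://sp.example.org/shibboleth
2015-03-21 16:05:10,002 - INFO [net.shibboleth.idp.profile] - binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://legacy.example.org/shibboleth
2015-06-01 08:00:00,000 - WARN [net.shibboleth.idp.profile] - message replay detected (no binding information on this line)
"""


def parse_line(line):
    """Return (timestamp, binding, sp) or None for lines without binding info."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("binding"), m.group("sp")


def last_use(log_text, bindings=CANDIDATE_BINDINGS):
    """Map each candidate binding to its most recent (timestamp, sp), or None if never seen."""
    seen = {b: None for b in bindings}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, binding, sp = parsed
        if binding in seen and (seen[binding] is None or ts > seen[binding][0]):
            seen[binding] = (ts, sp)
    return seen


def removable(log_text, now, max_age_days=90, bindings=CANDIDATE_BINDINGS):
    """True for bindings not used within max_age_days before `now` ("YYYY-MM-DD" or datetime).

    A binding that never appears is also reported as removable, which is only
    valid if the scanned logs really cover the whole observation window."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    cutoff = now - timedelta(days=max_age_days)
    return {b: use is None or use[0] < cutoff
            for b, use in last_use(log_text, bindings).items()}


if __name__ == "__main__":
    for binding, use in last_use(SAMPLE_LOG).items():
        print(binding, "->", "never seen" if use is None else f"{use[0]:%Y-%m-%d} by {use[1]}")
    print(removable(SAMPLE_LOG, now="2015-06-11"))
```

Run it over the concatenated idp-process logs of the period you care about (for example `cat idp-process-2015-*.log`); the SP name in the output tells you whom to contact before the endpoint disappears from the Resource Registry.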
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing.
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations.
  - A further use is to avoid outages during maintenance: a server can be taken away without breaking operation.
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails. Users should not need to re-login if a server fails or is manually removed from the cluster.
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2. In particular, user login sessions are stored on the client instead of in server memory, and IdPv3 allows flexible configuration of various storage services (memory, server-side, client-side).
- In theory, clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID.
  - Storing user consents per browser is not convenient for users.
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP.
- Special configuration of the IdP is required.
- Load balancing requires special hardware or software.
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (two diagrams; not reproduced in the handout text)
Options: Full-featured setup
Load balancing hardware vs DNS round robin:
- Special load balancing hardware or software is highly recommended:
  - guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of the IdP nodes can be monitored
  - supports sticky sessions (required for the short-lived conversation sessions)
- DNS round robin does not work reliably: the behavior of clients is not determinable, and it does not guarantee sticky sessions.

Options: Basic setup (active/standby system)
- Anycast IP address: fast switching is possible, but the setup is more complicated
- Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side
- A server-side database can store any data, but it might cause some performance penalty, and a centralized/clustered or replicated database is required.
- Client-side storage using cookies does not work for large data like user consents, and it is stored per single client, so it is not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
- Conversation session (profile request session)
  - Transient web flow at the IdP, e.g. a SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP user session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  - Floatable between nodes (stored on the client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdP nodes access a common storage to fully support Attribute Queries
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration). A per-node cache only detects a replayed message that arrives at the same node; the same message replayed against another node is not recognized.
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

  Storage entity          Recommended storage   Scope
  Conversation session    Memory                Per node
  IdP user session        Client                Per client
  Persistent ID           Common database       Cluster
  User consents           Common database       Cluster
  SAML artifacts          Common database       Cluster
  Message replay cache    Memory                Per node

Remarks
- "Common database" means some central/clustered database or a database replicated between the nodes.
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
- Alternatives for the message replay cache: common database or memcached (depending on the security requirements).
IdP Configuration: Storage
- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP user session: idp.session.StorageService
  - User consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: the Persistent ID is configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
- The IdP user session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key: a cookie encrypted by one node can only be read by another node that holds the same key, so the new key must be distributed to all nodes before it is put into use, otherwise users are bounced to the login page on failover. It is recommended that one node generates a new key and copies it to the other nodes.
- Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  - Install an appropriate cronjob.
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
- Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited. It might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
- Terracotta is no longer an option for IdPv3.

Considerations for planning an IdP cluster
- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?

References / Documentation
- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
- Most federations are of national scope.
- Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead; e.g. EBSCOhost is registered in 22 federations.
- Research projects are mostly multi-national.
- Interconnecting national federations is called interfederation: register the IdP or SP in only one federation and enable it for interfederation.
  - Enable the IdP for interfederation: its users will be able to access services from other federations.
  - Enable the SP for interfederation: the service can serve users from other federations.
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
- eduGAIN is the GÉANT interfederation service
- eduGAIN design principles: low barrier to entry; no mandate to change local standards/procedures; minimal central infrastructure
- Status June 2015: 1257 IdPs, 963 SPs
- http://www.edugain.org
- https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

  Friendly name                Defined in   Example
  displayName                  eduPerson    Peter Sample
  common name (cn)             eduPerson    Peter Sample
  mail                         eduPerson    peter.sample@example.org
  eduPersonAffiliation         eduPerson    staff
  eduPersonScopedAffiliation   eduPerson    staff@example.org
  eduPersonPrincipalName       eduPerson    234cd8z239@example.org
  schacHomeOrganization        SCHAC        example.org
  schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

  eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
  SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2): https://www.switch.ch/aai/interfederation/ (screenshot of the Resource Registry option)

eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust.
- SPs and IdPs of participating federations should opt in for eduGAIN. Some federations decided for opt-out instead.
- The MDS (metadata service) fetches, aggregates and republishes metadata.
- Policy framework (diagram): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for internationally coherent use, based on criteria, purpose, policies, or other properties
- In the interfederation context: fills the gap of missing common policies and supports or increases scalable trust

Metadata (diagram; not reproduced in the handout text)
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives.
- The SP has to provide a Privacy Policy (in English, according to the guideline).
- That will encourage the Home Organisation (IdP) to release attributes, so attribute release will scale.
- Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment, which increases the trust in Service Providers (SPs).

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo
Non-normative, informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines
Links:
- http://www.geant.net/uri/dataprotection-code-of-conduct/v1
- https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
- Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
REFEDS Research & Scholarship
- R&S SPs support research & scholarship interaction, collaboration and management
- No SPs from publishers
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname, or displayName)

Comparison

  REFEDS R&S                    GÉANT DP CoCo
  Global                        Mainly Europe
  Common purpose of the SPs     Common data protection standards
  Fixed set of attributes       SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
- error.log: aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
- Location: /var/log/apache2/. The configuration is defined in the virtual host definition: directory /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
- catalina.out: console output (System.err/System.out) from Tomcat. Default logging location: /var/log/tomcat7/. Configured in /etc/tomcat7/logging.properties: FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Configured by the AccessLogValve in /etc/tomcat7/server.xml (output directory and file name)
Shibboleth log files (1)
- Logging implementation: Logback (the Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level changes take effect without restarting the IdP; the entry idp.service.logging.checkInterval = PT5M in services.properties controls how often the logging configuration is checked for changes
- Automatic email alerts on error

Shibboleth log files (2)
- Location: /opt/shibboleth-idp/logs/
- Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
- Configuration: /opt/shibboleth-idp/conf/logback.xml
- Three main classes: Logger, Appender (output destination) and Layout
- The default settings are usually fine. Change them if required, e.g. for the LDAP auth module or authentication events, or to add a new Logger or Appender
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note that the SMTPAppender does not mail every event it receives: by default it buffers recent events and only sends a message when an event of level ERROR arrives, with the buffered context included. The DEBUG root level therefore determines what ends up in that mail, not how often mail is sent.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener into the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator, and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set (uid=$requestContext.principalName)) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
- a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
- by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); keep it that way, since anyone who can reach these flows can force the IdP to re-read its configuration and metadata at will
- two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
- shibboleth.LoggingService: reloads the logging configuration (logback.xml)
- shibboleth.AttributeFilterService: reloads the attribute filter
- shibboleth.AttributeResolverService: reloads the attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
- say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to files under /opt/shibboleth-idp/edit-webapp/ (build.sh needs to be run first, followed by a container restart)
- and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
- try reloading a couple of the services listed above:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding opt-in vs opt-out, metadata, the Discovery Service and attributes
- Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate, once their configuration is up to date:
    - the interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process; ⊕ entities are unlikely to cause interoperability problems
- Opt-out
  - The federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out beforehand if they do not want to participate or if they are not ready yet
  - ⊕ Quick adoption; ⊖ it is more likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Metadata
- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes: in SWITCHaai two hours; for interfederation one to a few days
- Possible issue: the SP does not load the interfederation metadata, so the SP does not know the IdP and fails
Discovery Service (DS)
- Within SWITCHaai, users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs. An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
- E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
- Missing attributes cause interoperation problems
  - Check the SP's attribute requirements in the Resource Registry
  - Verify that attributes were released (in the IdP's audit log)
    - If NO: check your IdP's attribute release policy
    - If YES: were all required attributes released? If YES, the SP has to check out why it fails. If NO, review your attribute release policy.
- Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so the problem had not been discovered earlier.
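The decision tree above ("were attributes released at all, and were all required ones released?") is a set difference between what the Resource Registry lists as required and what the audit log records per login. The following script is an added example (not code from the SWITCH handout or the Shibboleth project) that automates that comparison. Its audit records are constructed: a pipe-separated line whose column order is assumed here (timestamp, relying party entity ID, principal, comma-separated released attribute IDs). Real idp-audit.log lines follow the pattern configured in your audit logging configuration, so set COLUMNS to match your own layout; the required-attribute table is likewise constructed and would normally be copied from the SP's Resource Registry entry.

```python
"""Compare attributes required by an SP with attributes actually released,
per login, from (constructed) pipe-separated audit records."""

# Assumed column order of the audit line; adapt to your audit pattern.
COLUMNS = ("timestamp", "relying_party", "principal", "attributes")

# Constructed sample records (not real IdP output).
SAMPLE_AUDIT = """\
20150611T081200Z|https://sp.example.org/shibboleth|alice|eduPersonPrincipalName,mail,displayName
20150611T081915Z|https://legacy.example.org/shibboleth|bob|eduPersonTargetedID
20150611T082001Z|https://sp.example.org/shibboleth|carol|eduPersonPrincipalName,mail
20150611T082230Z|https://unknown.example.net/shibboleth|dave|mail
"""

# Requirements as read from the Resource Registry (constructed for the example).
REQUIRED = {
    "https://sp.example.org/shibboleth": {"eduPersonPrincipalName", "mail", "displayName"},
    "https://legacy.example.org/shibboleth": {"eduPersonTargetedID", "eduPersonScopedAffiliation"},
}


def parse_audit(text):
    """Turn audit lines into dicts; the attribute column becomes a set of IDs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) < len(COLUMNS):
            continue                      # malformed or truncated line
        rec = dict(zip(COLUMNS, fields))
        rec["attributes"] = set(filter(None, rec["attributes"].split(",")))
        records.append(rec)
    return records


def logins_to(records, sp):
    """Principals that logged in to `sp` at all (the 'was anything released?' branch)."""
    return [r["principal"] for r in records if r["relying_party"] == sp]


def missing_attributes(records, required):
    """Return {sp: {principal: set(missing attribute IDs)}} for incomplete releases.

    SPs without a requirement entry are skipped; an SP absent from the result
    had every recorded login satisfy its requirements."""
    problems = {}
    for rec in records:
        sp = rec["relying_party"]
        if sp not in required:
            continue
        missing = required[sp] - rec["attributes"]
        if missing:
            problems.setdefault(sp, {})[rec["principal"]] = missing
    return problems


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for sp, by_user in missing_attributes(records, REQUIRED).items():
        for principal, missing in by_user.items():
            print(f"{sp}: {principal} lacked {sorted(missing)}")
```

An empty result for an SP that does appear in logins_to() means the IdP released everything the SP asked for, which puts the next step on the SP side; missing entries point back to your attribute release policy. No logins at all for the SP means the request never reached the attribute release stage, which is the "NO" branch of the slide.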
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  - or search for it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  - or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
- Additional web pages of interest:
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  - REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
- Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
- or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
References
- Shibboleth wiki: AttributeResolverConfiguration and its child pages
- Shibboleth wiki: AttributeFilterConfiguration
- Shibboleth wiki: ScriptedAttributeDefinition
- Rhino Migration Guide

Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch
Persistent IDs in SAML: short recap
- a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
- introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
- first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
- configuration instructions have been included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
- on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
- attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
- by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
- when used in a federation, it is always qualified by the IdP and SP entity IDs
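Because the ID is a salted hash rather than a stored random value, two properties follow that are worth seeing in code: the same user gets a different value at every SP (targeted), and the value only stays stable as long as the salt does, which is why the salt has to be carried over from the v2 configuration and kept secret (anyone holding the salt and the source attribute can recompute the "opaque" ID). The script below is an added example, not code from the SWITCH handout or the Shibboleth project. It follows the recipe stated above: SHA-1 over the SP entity ID, the user's source attribute value and an admin-specified salt, Base64 encoded. Joining the three inputs with "!" is an assumption made here for illustration; the generator's exact byte layout is not given in the handout, so do not expect byte-identical values to a real IdP.

```python
"""Shibboleth-style computed persistent ID: Base64(SHA-1(sp ! source ! salt))."""
import base64
import hashlib


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Opaque per-SP identifier; "!" joins are an assumption of this example."""
    material = "!".join((sp_entity_id, source_value, salt)).encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id, sp_entity_id, source_value, salt):
    """String form as rendered by the Shibboleth SP: idpEntityID!spEntityID!value."""
    return "!".join((idp_entity_id, sp_entity_id,
                     computed_persistent_id(sp_entity_id, source_value, salt)))


def has_expected_shape(pid):
    """A 20-byte SHA-1 digest Base64-encodes to exactly 28 characters."""
    try:
        raw = base64.b64decode(pid, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(pid) == 28 and len(raw) == 20


if __name__ == "__main__":
    IDP = "https://aai-login.example.org/idp/shibboleth"
    SP_A = "https://sp.example.org/shibboleth"
    SP_B = "https://other.example.org/shibboleth"
    user = "123456@example.org"                   # constructed source attribute value
    salt = "replace-with-a-long-random-secret"    # constructed; keep the real one secret
    print(qualified_persistent_id(IDP, SP_A, user, salt))
    print(qualified_persistent_id(IDP, SP_B, user, salt))   # same user, different value
    print(qualified_persistent_id(IDP, SP_A, user, salt + "x"))   # new salt, all IDs change
```

The third print line is the migration pitfall in one step: change the salt and every SP sees a brand-new user. The database (shibpid table) is what allows an ID to be looked up again for attribute queries and revocation; the hash alone is not enough for that.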
Persistent ID changes with the IdP v3
- no disruptive ones, but a couple of things have happened behind the scenes
- most importantly, the IdP v3 brings a new dedicated NameID generation service:
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
- configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
- to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration; a different salt would give every user new IDs at every SP)
copy 2015 SWITCH
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c "truncate shibpid" before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID (the colon must be escaped in a properties key):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
Page 58
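The following Python, added here and not part of the slides or of the IdP, parses the EntityAttributes of metadata shaped like the example above and applies an ordered override list in the first-match-wins manner the preceding slides describe; the second (CoCo) override, the flow lists and the matching helpers are constructed assumptions, not IdP configuration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# Constructed metadata in the shape of the slide's example (namespaces added).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{SWISS_HOME_ORG}">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def entity_attributes(metadata_xml: str) -> Dict[str, Set[str]]:
    """Collect <EntityAttributes> values of an EntityDescriptor, keyed by attribute Name."""
    root = ET.fromstring(metadata_xml)
    attrs: Dict[str, Set[str]] = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name", ""), set()).update(values)
    return attrs


def entity_id(metadata_xml: str) -> str:
    return ET.fromstring(metadata_xml).get("entityID", "")


# Hypothetical override list in the spirit of shibboleth.RelyingPartyOverrides:
# "name" matches the entityID, "tag" matches an entity attribute (any listed value).
# Overrides are consulted in order; the first match wins, as on the slide.
OVERRIDES: List[dict] = [
    {"id": "shibboleth.NoUserConsentRelyingParty",  # the slide's bean: no consent flows
     "tag": (SWISS_HOME_ORG, {"example.org"}),
     "flows": []},
    {"id": "hypothetical.CoCoRelyingParty",  # constructed: CoCo SPs skip the ToU flow only
     "tag": (ENTITY_CATEGORY, {COCO_V1}),
     "flows": ["attribute-release"]},
]
DEFAULT_FLOWS = ["terms-of-use", "attribute-release"]


def select_override(eid: str, attrs: Dict[str, Set[str]],
                    overrides: List[dict] = OVERRIDES) -> Optional[dict]:
    for ov in overrides:
        if "name" in ov and ov["name"] == eid:
            return ov
        if "tag" in ov:
            tag_name, wanted = ov["tag"]
            if attrs.get(tag_name, set()) & wanted:
                return ov
    return None


def post_authentication_flows(metadata_xml: str, overrides: List[dict] = OVERRIDES) -> List[str]:
    """Consent flows that run for this SP: the first matching override's, else the defaults."""
    ov = select_override(entity_id(metadata_xml), entity_attributes(metadata_xml), overrides)
    return list(ov["flows"]) if ov else list(DEFAULT_FLOWS)


if __name__ == "__main__":
    print(entity_id(SAMPLE_METADATA), "->", post_authentication_flows(SAMPLE_METADATA))
```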
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs. IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
(screenshot: sections 1, 2 to review; section 3 to adapt)
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
Page 66
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
Page 68
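An added example (not from the slides or the IdP), generalising the grep above into a small Python report over constructed idp-process.log lines: for every binding named as a removal candidate it returns when, and by which SP, the binding was last used. The line layout of the sample log and the default log path are assumptions.

```python
import glob
import re
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Bindings the slide names as candidates for removal from the Resource Registry
CANDIDATE_BINDINGS = {
    "SAML2 HTTP-POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML1 SOAP": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}

# Constructed sample lines in a simplified idp-process.log shape; assumed layout
# "<date time>,<ms> - <LEVEL> [<logger>] - <message>". Not real IdP output.
SAMPLE_LOG = """\
2015-01-12 08:02:11,301 - INFO [net.shibboleth.idp.profile:?] - Inbound SOAP message, binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.org/shibboleth
2015-02-03 14:20:05,017 - INFO [net.shibboleth.idp.profile:?] - Inbound message, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth
2015-03-15 09:00:00,000 - WARN [net.shibboleth.idp.profile:?] - Inbound SOAP message, binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party unknown
2015-04-27 17:45:59,882 - INFO [net.shibboleth.idp.profile:?] - Inbound SOAP message, binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.org/shibboleth
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} - (?P<level>\w+) "
    r"\[(?P<logger>[^\]]*)\] - (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s,\"']+")


def last_use(lines: Iterable[str], binding_uri: str) -> Optional[Tuple[datetime, Optional[str]]]:
    """Latest (timestamp, relying party) at which binding_uri shows up, or None if never."""
    latest: Optional[Tuple[datetime, Optional[str]]] = None
    for line in lines:
        if binding_uri not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected line shape: do not guess a timestamp
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        # the SP entity ID is the last URL in the message; binding URNs never match
        urls = URL_RE.findall(m.group("msg"))
        sp = urls[-1] if urls else None
        if latest is None or ts > latest[0]:
            latest = (ts, sp)
    return latest


def binding_usage_report(lines: Iterable[str],
                         bindings: Dict[str, str] = CANDIDATE_BINDINGS
                         ) -> Dict[str, Optional[Tuple[datetime, Optional[str]]]]:
    lines = list(lines)
    return {label: last_use(lines, uri) for label, uri in bindings.items()}


def report_from_logs(pattern: str = "/opt/shibboleth-idp/logs/idp-process-*.log"):
    """The same report over all rotated process logs on an IdP node (assumed path)."""
    def iter_lines():
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    yield line.rstrip("\n")
    return binding_usage_report(iter_lines())


if __name__ == "__main__":
    for label, hit in binding_usage_report(SAMPLE_LOG.splitlines()).items():
        if hit is None:
            print(f"{label}: never used -> candidate for removal")
        else:
            print(f"{label}: last used {hit[0]:%Y-%m-%d %H:%M} by {hit[1] or 'unknown SP'}")
```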
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70

Example Environment
(diagram)
Page 71
Options
• Full-featured setup: load balancing hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy
Options
• Data storage: client-side vs. server-side
  • A server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client; not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
(map: Production / Pilot) Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
(screenshot)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
(diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation / IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
(diagram)
Page 88
Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
(screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the conf/services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change them if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS" />
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

Reference: http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf/
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so reloading is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
- a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
- by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
- say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
- and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
- try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - Federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before that day
    - if they do not want to participate
    - if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue
  - SP does not load interfederation metadata
  - SP does not know the IdP and fails
Discovery Service (DS)
- Within SWITCHaai users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
- An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
- E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  - That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
- Missing attributes cause interoperation problems
  - Check the SP's attribute requirements in the Resource Registry
  - Verify that attributes were released (in the IdP's audit log)
    - If NO: check your IdP's attribute release policy
    - If YES: were all required attributes released?
      - If YES: the SP has to find out why it fails
      - If NO: review your attribute release policy
- Another issue
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php
  - pick the country where the entity might be registered
  - under Metadata URL click on "validate this metadata set", then on "show entities list"
- or search it in the eduGAIN List of Entities
  - go to https://technical.edugain.org/entities.php
- or try the "Is Federated" Checker
  - go to https://wiki.edugain.org/isFederatedCheck
  - provide email addresses or domain names
- Additional web pages of interest
  - Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    - go to http://monitor.edugain.org/coco/
  - REFEDS Metadata Explorer Tool (MET)
    - go to https://met.refeds.org/
Troubleshooting interfederated entities
- Find an SP in the Resource Registry
  - go to https://rr.aai.switch.ch/
  - pick "Search for resources"
  - pick "interfederation"
- or search it in the metadata file
  - /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap
- a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
- introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
- first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
- configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend
Persistent IDs in practice
- on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
- attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
- by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
- when used in a federation, always qualified by the IdP and SP entity IDs
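Added example, not from the slides or the Shibboleth project: a Python reconstruction of the computed persistent ID described above (SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded), together with the SP-side string rendering and the NameID element, to show why the same user gets unrelated IDs at different SPs. The "!" separators between the three hash inputs, the 16-byte minimum salt length, the user value and the salt are assumptions or constructed values; the entity IDs are the slide's own examples.

```python
import base64
import hashlib
import html

# Entity IDs taken from the slide's own examples
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Assumption: a too-short salt is rejected; 16 bytes is used here as the floor.
MIN_SALT_BYTES = 16


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Persistent ID proper: Base64(SHA-1(spEntityID ! sourceValue ! salt)).

    The slide states the three hash inputs and the 20-byte Base64 output; the
    '!' separators are an assumption about the concrete byte layout.
    """
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt must be at least %d bytes" % MIN_SALT_BYTES)
    if not source_value:
        raise ValueError("empty source attribute value: no ID can be generated")
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    # 20 raw bytes -> 28 Base64 characters, the last one being '=' padding
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_string(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The '!'-joined rendering the Shibboleth SP exposes as an attribute value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The <NameID> element as it appears in the assertion, qualified by both entity IDs."""
    return '<NameID Format="%s" NameQualifier="%s" SPNameQualifier="%s">%s</NameID>' % (
        PERSISTENT_FORMAT,
        html.escape(idp_entity_id, quote=True),
        html.escape(sp_entity_id, quote=True),
        html.escape(persistent_id),
    )


def demo() -> dict:
    """Same user, two SPs: the IDs are unrelated (targeted, pair-wise pseudonym).

    The salt and user value below are constructed sample values. A real deployment
    keeps idp.persistentId.salt secret and stable: anyone who knows the salt and the
    source value can recompute the ID, and changing the salt changes every ID.
    """
    salt = b"constructed-sample-salt-value"
    user = "123456@example.org"  # constructed swissEduPersonUniqueID-style value
    id_for_sp1 = computed_persistent_id(SP_ENTITY_ID, user, salt)
    id_for_sp2 = computed_persistent_id("https://other-sp.example.org/shibboleth", user, salt)
    return {
        "sp1": id_for_sp1,
        "sp2": id_for_sp2,
        "sp_string": sp_attribute_string(IDP_ENTITY_ID, SP_ENTITY_ID, id_for_sp1),
        "name_id": name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, id_for_sp1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```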
Persistent ID changes with the IdP v3
- no disruptive ones, but a couple of things have happened behind the scenes
- most importantly, the IdP v3 brings a new, dedicated NameID generation service
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
- configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
- to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
- the database schema for the shibpid table remains unchanged
- when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
- "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
- make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
- examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
- delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
- dump the shibpid table to a file, purge the table with truncate and reimport the records
- log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
- Attribute release and terms of use consent now built in
- Inspired by the uApprove and uApproveJP plugins for v2
- No consent data migration: the storage implementations are not compatible
- May be enabled or disabled per relying party and per profile
- Decisions logged
Differences with uApprove
- User can select attributes to release [disabled]
- Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
- No regular expression for SP white/black lists
- No translations provided
Why enable user consent
- Easier to have now with v3 than with v2
- Required by the SWITCHaai Interfederation Access Declaration
- Informs users about what personal data is transmitted, in a more real-time fashion
- Recommended to comply with data protection laws
Why (not) enable user consent
- One more page to read and click through upon login, but only the first time for each SP
- Global consent disabled: users cannot choose "I don't care about my privacy"
- Decide for all your users or let them decide
When should consent be sought
- All SPs: the best option ← recommended
- Outside your organisation: good, fewer clicks
- Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
- Attribute consent [enabled]
- Terms of use consent [disabled]
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release):

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
- Ask me again if information changes: always available to users
- Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
- Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per-attribute behaviour
- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
- White list [empty]: when filled, any attribute not mentioned in a list is released without asking
- Black list [transientId, persistentId, eduPersonTargetedID]
- Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
- Alphabetical order by default
- Except that attributes in the white list show up first
- Set the pattern to ^.*$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
- Terms for each SP
- Default mapping using the entityID:
    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
- Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
- Enable the terms-of-use flow in conf/relying-party.xml
- Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>
Hands-on solution (continued)
- Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.
References
- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: Relying party overrides
- Template beans in conf/relying-party.xml to match SPs by
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
- First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
- Entity categories
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
- New attributes available
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp/
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
- There are two distinct areas below /opt/shibboleth-idp/:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp
- Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
- Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
- However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
- To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch/

Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
- 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
- 2 Descriptive Information: add new IP ranges and Domain Hints
- 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
- 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
- Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
- Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove unnecessary endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove unnecessary endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs/
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) about when the binding was used the last time.
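Added example, not part of the slides: a Python scan that goes one step beyond the grep above and reports, for each candidate endpoint of the previous slide, when its binding was last seen in idp-process.log lines, which SPs used it, and whether it can be retired after a chosen number of quiet days. The log lines are constructed for the example, so the line regular expression is an assumption to adapt to the real format of your IdP.

```python
import re
from datetime import datetime, timedelta

# Candidate endpoints from the slide, identified by their SAML binding URI
CANDIDATES = {
    "SSO with SAML2 HTTP-POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML1 SOAP (artifact resolution / attribute query)": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}

# Constructed sample lines in the shape of idp-process.log entries (not real IdP output);
# the logger name and the message wording are placeholders.
SAMPLE_LOG = """\
2015-02-20 14:02:41,118 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign from relying party https://old-sp.example.org/shibboleth
2015-06-02 09:11:03,507 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from relying party https://sp.example.org/shibboleth
2015-06-09 16:45:12,020 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://legacy.example.org/shibboleth
2015-06-10 08:00:00,000 - WARN [constructed.logger:1] - unrelated message without a binding
"""

# Assumption: timestamp first, binding URI and relying party somewhere later on the line
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}"
    r".*?(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+)"
    r".*?relying party (?P<sp>\S+)"
)


def last_use_by_binding(lines):
    """Map each binding URI to (last timestamp seen, set of SPs that used it)."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a binding (or in another format) are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        last, sps = seen.get(m.group("binding"), (None, set()))
        sps.add(m.group("sp"))
        seen[m.group("binding")] = (ts if last is None or ts > last else last, sps)
    return seen


def endpoint_report(lines, reference_date, max_age_days=90):
    """Decide per candidate endpoint: 'remove' if its binding was never used or not used
    within max_age_days before reference_date (YYYY-MM-DD), otherwise 'keep'."""
    reference = datetime.strptime(reference_date, "%Y-%m-%d")
    cutoff = reference - timedelta(days=max_age_days)
    seen = last_use_by_binding(lines)
    report = {}
    for label, uri in CANDIDATES.items():
        last, sps = seen.get(uri, (None, set()))
        decision = "keep" if last is not None and last >= cutoff else "remove"
        report[label] = {
            "decision": decision,
            "last_seen": last.strftime("%Y-%m-%d %H:%M:%S") if last else None,
            "sps": sorted(sps),
        }
    return report


if __name__ == "__main__":
    # Reference date: the training day, 11 June 2015
    for label, info in endpoint_report(SAMPLE_LOG.splitlines(), "2015-06-11").items():
        print("%-52s %-6s last seen: %s  SPs: %s"
              % (label, info["decision"], info["last_seen"], ", ".join(info["sps"])))
```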
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2
  - In particular, user login sessions are stored on the client instead of in memory on the server
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Example Environment
[Diagrams of the example environment (slides 5 and 6)]
Options: Full-featured setup
Load balancing hardware vs DNS round robin
- Special load balancing hardware or software is highly recommended
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  - Supports sticky sessions (required for short-lived conversation sessions)
- DNS round robin doesn't work reliably
  - The behavior of clients is not determinable
  - Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
- Anycast IP address: fast switching possible, but a more complicated setup
- Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side
- Server-side database: can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
[Screenshot: https://www.switch.ch/aai/interfederation]
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
[Figure: Metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Screenshot]

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/. Configuration defined in the virtual host definition (dir /etc/apache2/sites-available/, file aai-login.example.org.conf)
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change them if required, e.g.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
And restartless login page editing, too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • Edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • Go to https://technical.edugain.org/status.php
  • Pick the country where the entity might be registered
  • Under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• Or search it in the eduGAIN List of Entities
  • Go to https://technical.edugain.org/entities.php
• Or try the "Is Federated" Checker
  • Go to https://wiki.edugain.org/isFederatedCheck
  • Provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • Go to https://rr.aai.switch.ch
  • Pick "Search for resources"
  • Pick "interfederation"
• Or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Persistent IDs in practice
• On the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• Attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation, it is always qualified by the IdP and SP entity IDs
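The derivation just described, as an added example (not code from the handout or from the Shibboleth project): it builds a persistent ID from the SP entity ID, a source attribute value and a salt exactly as the slide states it (SHA-1, 20 bytes, Base64), renders the "IdP!SP!value" string form the Shibboleth SP exposes, and shows why the salt must be carried over unchanged (a different salt or a different SP yields an unrelated value). The entity IDs, the source attribute value and the salt are constructed placeholders; plain concatenation with no separators is an assumption of this example and says nothing about the IdP's exact byte layout.

```python
import base64
import hashlib

# Constructed sample values (not real identities); the salt is a placeholder.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"  # constructed value of the source attribute
SALT = b"placeholder-salt-replace-in-a-real-deployment"


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Persistent ID as the handout describes it: SHA-1 over the SP entity ID,
    the user's source attribute value and the salt, Base64 encoded
    (20 bytes -> 28 characters).  Plain concatenation without separators is an
    assumption of this example, not a statement about the IdP's byte layout."""
    digest = hashlib.sha1(sp_entity_id.encode("utf-8")
                          + source_value.encode("utf-8")
                          + salt).digest()
    return base64.b64encode(digest).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """The string form the Shibboleth SP exposes: IdP!SP!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def parse_qualified_persistent_id(rendered: str) -> tuple:
    """Split the SP-side string back into (IdP, SP, value).  Base64 never
    contains '!', so splitting on the first two '!' is unambiguous."""
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


def same_user_two_sps(source_value: str, salt: bytes) -> bool:
    """One user gets an unrelated opaque ID per SP: two SPs cannot correlate
    their users through the persistent ID alone."""
    a = compute_persistent_id(SP_ENTITY_ID, source_value, salt)
    b = compute_persistent_id("https://other-sp.example.org/shibboleth", source_value, salt)
    return a != b


if __name__ == "__main__":
    pid = compute_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

Because the value is a salted hash of a stable attribute, it can only be recomputed (and a lost record regenerated) while the salt and the source attribute stay the same; that is the reason the configuration slide insists on carrying the v2 salt over.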
Persistent ID changes with the IdP v3
• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new dedicated NameID generation service
  • Preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  • Deprecates the StoredId data connector and the SAML2NameID attribute definition type
  • In a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  • The configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes
Configuring the NameID generation service
• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• Make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
(Some ideas for) hands-on exercises
• Examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate, and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
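The consent duration options on the previous slide and the compareValues setting on this one decide together whether the consent page is shown again. The following is an added model of that decision logic, written for this handout and not code from the Shibboleth IdP: it is not the IdP's storage format, only an in-memory stand-in that records, per SP, a fingerprint of what the user agreed to (attribute names only, or names plus values when the compareValues behaviour is on) and re-prompts when the fingerprint no longer matches. The SP entity ID and the attribute sets are constructed sample data.

```python
import hashlib
from typing import Dict, List

# Constructed sample data: three successive releases to the same SP.
SP = "https://sp.example.org/shibboleth"
RELEASE_V1 = {"mail": ["alice@example.org"], "displayName": ["Alice Sample"]}
RELEASE_V2 = {"mail": ["alice.sample@example.org"], "displayName": ["Alice Sample"]}  # value changed
RELEASE_V3 = {**RELEASE_V1, "eduPersonAffiliation": ["staff"]}  # attribute added


def fingerprint(attributes: Dict[str, List[str]], compare_values: bool) -> Dict[str, str]:
    """Per-attribute fingerprint of what the user consented to.
    compare_values=False: only the attribute name matters, so the user is
    re-asked when the *set* of attributes changes ("if information changes").
    compare_values=True: the sorted values are hashed too, modelling
    idp.consent.compareValues = true (re-ask when values change)."""
    fp = {}
    for name, values in attributes.items():
        material = name if not compare_values else name + "\x00" + "\x00".join(sorted(values))
        fp[name] = hashlib.sha256(material.encode("utf-8")).hexdigest()
    return fp


class ConsentStore:
    """Stand-in for the consent storage service (a server-side store in a
    clustered setup, a per-browser cookie otherwise).  Not the IdP's format."""

    def __init__(self, compare_values: bool = False):
        self.compare_values = compare_values
        self.per_sp: Dict[str, Dict[str, str]] = {}
        self.global_consent = False

    def needs_prompt(self, sp: str, attributes: Dict[str, List[str]]) -> bool:
        """True if the consent page must be shown for this release."""
        if self.global_consent:            # "Do not ask me again" (allowGlobal)
            return False
        stored = self.per_sp.get(sp)
        if stored is None:                 # first access to this SP
            return True
        current = fingerprint(attributes, self.compare_values)
        # Any attribute not yet consented to (or, with compare_values, any
        # attribute whose values changed) brings the page back.
        return any(stored.get(name) != h for name, h in current.items())

    def record(self, sp: str, attributes: Dict[str, List[str]], choice: str) -> None:
        """choice: 'once'     = ask me again at next login (allowDoNotRemember),
                   'remember' = ask me again only if information changes,
                   'global'   = do not ask me again, for any SP (allowGlobal)."""
        if choice == "once":
            return                          # nothing stored, next login prompts again
        self.per_sp[sp] = fingerprint(attributes, self.compare_values)
        if choice == "global":
            self.global_consent = True
```

Note what the model makes visible: with the default compareValues = false, a changed mail address goes out without a new prompt, while one added attribute triggers it; and the global option silences the page even for SPs the user has never seen, which is why the handout keeps it disabled.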
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration: configured by Java properties in messages/consent-messages.properties
Terms for each SP:
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping: configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution (continued)
• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
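The two-step lookup described on the preceding slides (key function maps the entityID to a key, consent-messages.properties then maps the key to a ToU id and its title/text), as an added Python model that is not part of the handout or of the IdP code base. The three key functions mirror the default entityID key, the compose/forMap bean and the constant bean from the hands-on; the properties text and entityIDs are constructed for this example.

```python
# Added example (not from the SWITCH handout or the Shibboleth IdP): models how the IdP
# resolves the terms of use for an SP. A key function maps entityID -> key, then
# consent-messages.properties maps key -> ToU id and ToU id -> .title / .text.


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, comments, '\\:' escapes in keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # The key ends at the first unescaped '=' or ':'; '\:' is a literal colon.
        i, key = 0, []
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):
                key.append(line[i + 1])
                i += 2
                continue
            if ch in "=:":
                break
            key.append(ch)
            i += 1
        props["".join(key).strip()] = line[i + 1:].strip()
    return props


# Constructed messages/consent-messages.properties content (entityID keys need '\:').
MESSAGES = parse_properties("""
https\\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em> [...]
# keys produced by the compose/forMap bean (constructed entries)
example-terms = example-tou-1
terms-of-use = default-tou
default-tou.title = Default Terms of Use
default-tou.text = Shown to every SP without its own mapping
# key produced by the constant bean from the hands-on
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
""")


def key_identity(entity_id):
    """Default: the entityID itself is the key (shibboleth.RelyingPartyIdLookup.Simple)."""
    return entity_id


def key_by_map(mapping, default):
    """Models Functions.compose(Functions.forMap(map, default), RelyingPartyIdLookup)."""
    return lambda entity_id: mapping.get(entity_id, default)


def key_constant(value):
    """Models Functions.constant(value): every SP gets the same key."""
    return lambda entity_id: value


def resolve_terms(entity_id, key_fn, messages=MESSAGES):
    """Return (ToU id, title, text) for an SP, or None when the key has no messages entry."""
    key = key_fn(entity_id)
    tou_id = messages.get(key)
    if tou_id is None:
        return None
    return tou_id, messages.get(tou_id + ".title", ""), messages.get(tou_id + ".text", "")
```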
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs
Disabling prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes:

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
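How the override lookup from the two slides above behaves (entity attributes read from metadata, candidates evaluated in list order, first match wins), as an added Python model that is not part of the handout or of the IdP. The metadata snippet is constructed after the slide's example, the second override and its id are hypothetical, and the tag candidate matches switch.ch instead of the slide's example.org so that the constructed metadata matches it.

```python
# Added example (not from the SWITCH handout or the Shibboleth IdP): models the
# relying-party override selection for an SP, based on its entity attributes.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
OID_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed metadata, modelled on the slide's example (CoCo-tagged SP of switch.ch).
METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""


def entity_attributes(xml_text):
    """Return (entityID, {attribute Name: [values]}) from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return root.get("entityID"), attrs


# Override list in the order it would appear in shibboleth.RelyingPartyOverrides:
# (override id, match kind, match spec, consent flows disabled?)
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", "tag",
     {"name": OID_HOME_ORG, "values": {"switch.ch"}}, True),
    ("shibboleth.CoCoRelyingParty", "tag",  # hypothetical second override
     {"name": ENTITY_CATEGORY, "values": {COCO}}, False),
]


def matches(kind, spec, entity_id, attrs):
    """RelyingPartyByName matches the entityID; TagCandidate matches an attribute value."""
    if kind == "name":
        return entity_id in spec
    if kind == "tag":
        return bool(set(attrs.get(spec["name"], [])) & spec["values"])
    raise ValueError("unknown match kind: " + kind)


def resolve_override(xml_text, overrides=OVERRIDES):
    """First override whose candidate matches wins; (None, False) means the default relying party."""
    entity_id, attrs = entity_attributes(xml_text)
    for override_id, kind, spec, consent_disabled in overrides:
        if matches(kind, spec, entity_id, attrs):
            return override_id, consent_disabled
    return None, False
```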
SWITCHaai Team aai@switch.ch
Upgrades within Version 3: it's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata!

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form, not reproduced: sections 1 and 2 to review, section 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
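The grep above tells you whether a binding appears at all; the following added Python example (not from the handout or the IdP) goes one step further and reports, per candidate binding, when and by which SP it was last seen, then lists the bindings unused for a configurable number of days as removal candidates. The log lines are constructed; real idp-process.log messages differ in wording, and the regular expression assumes the SP entityID appears after the binding URI on the same line.

```python
# Added example (not from the SWITCH handout or the Shibboleth IdP): find the last use of
# each SAML binding in process-log lines, to decide which endpoints may be removed.
import re
from datetime import datetime, timedelta

# Candidate endpoints named on the slide, keyed by binding URI.
BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding": "SAML1 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign": "SAML2 HTTP POST SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "SAML2 HTTP POST",
}

# Constructed sample lines in a 'date - level [logger] - message' layout (not real IdP output).
SAMPLE_LOG = """\
2015-01-12 08:14:03,117 - INFO [net.shibboleth.idp.profile.impl.DecodeMessage] - Decoded message with binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-05-20 11:02:44,890 - INFO [net.shibboleth.idp.profile.impl.DecodeMessage] - Decoded message with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-06-03 17:45:10,002 - INFO [net.shibboleth.idp.profile.impl.DecodeMessage] - Decoded message with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://other.example.org/shibboleth
"""

# Timestamp at line start, a SAML binding URI, then the relying party's entityID (https URL).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[^\n]*?"
    r"(?P<binding>urn:oasis:names:tc:SAML:\d\.\d:bindings:[A-Za-z0-9-]+)"
    r"[^\n]*?(?P<sp>https?://\S+)"
)


def last_binding_use(lines):
    """Map binding URI -> (datetime, relying party) of its most recent appearance."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        binding, sp = m.group("binding"), m.group("sp")
        if binding not in seen or ts > seen[binding][0]:
            seen[binding] = (ts, sp)
    return seen


def removal_candidates(lines, today, max_age_days=90, bindings=BINDINGS):
    """Bindings never seen, or not seen within max_age_days before 'today' (YYYY-MM-DD).

    Returns binding URI -> (label, last use or None).
    """
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_age_days)
    seen = last_binding_use(lines)
    out = {}
    for uri, label in bindings.items():
        last = seen.get(uri)
        if last is None or last[0] < cutoff:
            out[uri] = (label, last)
    return out


if __name__ == "__main__":
    for uri, (label, last) in removal_candidates(SAMPLE_LOG.splitlines(), "2015-06-11").items():
        when = "never" if last is None else "%s by %s" % (last[0].isoformat(), last[1])
        print("%s (%s): last used %s" % (label, uri, when))
```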
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenances: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (two diagram slides, not reproduced in the handout text)
Options
• Full-featured setup
  Load balancing hardware vs DNS round robin: special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS round robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map, not reproduced; legend: Production, Pilot; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org/
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                 Defined in   Example
    displayName                   eduPerson    Peter Sample
    common name (cn)              eduPerson    Peter Sample
    mail                          eduPerson    peter.sample@example.org
    eduPersonAffiliation          eduPerson    staff
    eduPersonScopedAffiliation    eduPerson    staff@example.org
    eduPersonPrincipalName        eduPerson    234cd8z239@example.org
    schacHomeOrganization         SCHAC        example.org
    schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                               urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Diagram, not reproduced: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram slide, not reproduced)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
(Diagram, not reproduced: increase the trust in Service Providers (SPs); SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                  GÉANT DP CoCo
    Global                      Mainly Europe
    Common purpose of the SPs   Common data protection standards
    Fixed set of attributes     SP can require any attributes
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (slide, not reproduced)

Attribute Release Settings (1) (screenshot, not reproduced: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot, not reproduced)
Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties, FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.:
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):

    <Listener className="org.apache.catalina.filter" />

2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out, find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. edit logback.xml: set log level to DEBUG for logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:

    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>

4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation Metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems
Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
Page 44
(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table
Page 45
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch
Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.
What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (the Shibboleth SSO profile gets only attribute-release):
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use','attribute-release'}}" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • "Ask me again if information changes": always available to users
  • "Ask me again at next login": idp.consent.allowDoNotRemember = true [true]
  • "Do not ask me again": idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:
<bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to
  <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>
                    http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                    Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                    Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override
Disables the flows for SPs belonging to a home organisation:
<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                        c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="ShibbolethSSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
Page 58
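To see which override an SP would end up with, here is an added Python example (not code from the handout or from Shibboleth) that reads the <EntityAttributes> extension of an EntityDescriptor like the one above and applies the by-name and by-tag candidates in list order, first match winning. The override IDs other than shibboleth.NoUserConsentRelyingParty and shibboleth.DefaultRelyingParty, and the sample entities, are hypothetical.

```python
"""Which relying party override applies to an SP?

Added example, not SWITCH's or Shibboleth's own code: it re-creates the
by-name and by-tag matching of the overrides on the slides, first match
winning, so an operator can predict whether the consent flows stay enabled
for a given SP. Override IDs other than shibboleth.NoUserConsentRelyingParty
and shibboleth.DefaultRelyingParty are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"      # swissEduPersonHomeOrganization
DEFAULT_RP = "shibboleth.DefaultRelyingParty"

# Same order as the <util:list id="shibboleth.RelyingPartyOverrides"> on the
# slide: the first override whose candidates match the SP wins.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty",            # from the slide
     [("tag", HOME_ORG_OID, {"example.org"})]),
    ("shibboleth.CoCoRelyingParty",                     # hypothetical, by tag
     [("tag", ENTITY_CATEGORY, {COCO_V1})]),
    ("shibboleth.LegacyAppRelyingParty",                # hypothetical, by name
     [("name", "https://legacy.example.net/shibboleth")]),
]


def make_entity(entity_id, home_org, categories):
    """Constructed EntityDescriptor in the shape of the slide's example metadata."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
        f'xmlns:saml="{NS["saml"]}" entityID="{entity_id}">'
        "<md:Extensions><mdattr:EntityAttributes>"
        f'<saml:Attribute Name="{ENTITY_CATEGORY}">{values}</saml:Attribute>'
        f'<saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG_OID}">'
        f"<saml:AttributeValue>{home_org}</saml:AttributeValue></saml:Attribute>"
        "</mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"
    )


def entity_attributes(xml_text):
    """Return (entityID, {attribute Name: [values]}) read from <mdattr:EntityAttributes>."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return root.get("entityID"), attrs


def match_override(entity_id, attrs, overrides=OVERRIDES):
    """Return the ID of the first matching override, else the default relying party.

    ("name", id) matches the entityID exactly; ("tag", name, values) matches when
    the metadata carries at least one of the given values under that attribute Name.
    """
    for override_id, candidates in overrides:
        for cand in candidates:
            if cand[0] == "name" and cand[1] == entity_id:
                return override_id
            if cand[0] == "tag" and set(attrs.get(cand[1], ())) & cand[2]:
                return override_id
    return DEFAULT_RP


def override_for(xml_text, overrides=OVERRIDES):
    """Convenience wrapper: metadata text in, override ID out."""
    entity_id, attrs = entity_attributes(xml_text)
    return match_override(entity_id, attrs, overrides)


if __name__ == "__main__":
    for args in (("https://sp.example.org/shibboleth", "example.org", [COCO_V1]),
                 ("https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth",
                  "switch.ch", [COCO_V1]),
                 ("https://plain.example.net/shibboleth", "other.org", [])):
        print(args[0], "->", override_for(make_entity(*args)))
```

Note that the first sample SP matches both the home organisation tag and the CoCo category, and still gets the no-consent override because it comes first in the list.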
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form)
1, 2: To review
3: To adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: Add new IP ranges and Domain Hints
5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: Use the same IP and the same Port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
Page 68
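The grep above answers "was this binding ever used"; the added Python example below (not code from the handout or the IdP) goes one step further over idp-audit.log lines: it reports the last use and last SP per candidate binding against an age limit, and, for the attribute troubleshooting flow from the "New Challenges with Interfederation SPs" set, compares the attributes released at an SP's latest login with its requirements. The pipe-delimited field layout, the sample lines and the field indices are assumptions, modelled on the IdP v3 default audit format; adjust FIELDS to your own audit.xml format string.

```python
"""Audit log checks for endpoint retirement and attribute release.

Added example, not code from the SWITCH handout or the IdP. The field layout
is an ASSUMPTION modelled on the IdP v3 pipe-delimited idp-audit.log: index 0
timestamp, 1 inbound binding, 2 request ID, 3 SP entityID, 4 profile,
12 released attribute IDs (comma-separated). Adjust FIELDS to the format
string configured in your own audit.xml.
"""
from datetime import datetime, timedelta, timezone

FIELDS = {"time": 0, "binding": 1, "request_id": 2, "sp": 3, "profile": 4, "attributes": 12}
NUM_FIELDS = 14          # width of the constructed sample lines
TIME_FORMAT = "%Y%m%dT%H%M%SZ"

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _line(time, binding, request_id, sp, profile, attributes=""):
    """Build one constructed audit line in the assumed field layout."""
    fields = [""] * NUM_FIELDS
    for key, value in (("time", time), ("binding", binding), ("request_id", request_id),
                       ("sp", sp), ("profile", profile), ("attributes", attributes)):
        fields[FIELDS[key]] = value
    return "|".join(fields)


# Constructed sample log, not real audit data.
SAMPLE_AUDIT = "\n".join([
    _line("20150120T101501Z", SAML1_SOAP, "_a1", "https://sp.example.org/shibboleth",
          "urn:mace:shibboleth:2.0:profiles:SAML1:query:attribute", "mail,displayName"),
    _line("20150601T081200Z", SAML2_POST, "_b2", "https://sp.example.org/shibboleth",
          "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser", "eduPersonPrincipalName,mail"),
    _line("20150602T090000Z", SAML2_REDIRECT, "_c3", "https://other.example.net/shibboleth",
          "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"),
    # administrative reload event: no binding and no SP, as shown on the handout
    _line("20150605T120000Z", "", "_d4", "", "http://shibboleth.net/ns/profiles/reload-metadata"),
])


def _parse_time(value):
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_audit(text):
    """Parse audit lines into dicts; lines shorter than the layout are skipped."""
    records = []
    for raw in text.splitlines():
        parts = raw.split("|")
        if len(parts) <= FIELDS["attributes"]:
            continue
        records.append({
            "raw_time": parts[FIELDS["time"]],
            "time": _parse_time(parts[FIELDS["time"]]),
            "binding": parts[FIELDS["binding"]],
            "sp": parts[FIELDS["sp"]],
            "profile": parts[FIELDS["profile"]],
            "attributes": [a for a in parts[FIELDS["attributes"]].split(",") if a],
        })
    return records


def retirement_candidates(records, bindings, now, max_age_days=90):
    """Report the last use per candidate binding and whether it may be removed.

    `now` is an audit-format timestamp. A binding is flagged for removal when it
    was never used or its last use is older than max_age_days ("the last few
    months" on the handout); the last SP seen tells you whom to ask first.
    """
    cutoff = _parse_time(now) - timedelta(days=max_age_days)
    report = {}
    for binding in bindings:
        uses = [r for r in records if r["binding"] == binding]
        last = max(uses, key=lambda r: r["time"]) if uses else None
        report[binding] = {
            "last_used": last["raw_time"] if last else None,
            "last_sp": last["sp"] if last else None,
            "remove": last is None or last["time"] < cutoff,
        }
    return report


def missing_required(records, sp, required):
    """Check the SP's latest attribute release against its requirements.

    Returns None when the log shows no release to this SP at all (then start
    with the IdP's attribute release policy); otherwise the required attribute
    IDs that were not released in the latest release to that SP.
    """
    releases = [r for r in records if r["sp"] == sp and r["attributes"]]
    if not releases:
        return None
    latest = max(releases, key=lambda r: r["time"])
    return [a for a in required if a not in latest["attributes"]]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for binding, info in retirement_candidates(recs, [SAML1_SOAP, SAML2_POST_SIMPLESIGN],
                                               "20150611T000000Z").items():
        print(binding, "remove" if info["remove"] else "keep", info["last_used"], info["last_sp"])
    print(missing_required(recs, "https://sp.example.org/shibboleth",
                           ["eduPersonPrincipalName", "mail", "givenName"]))
```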
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (two diagram slides)
Page 71
Options: Full-featured setup
Load Balancing Hardware vs. DNS Round Robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
Options: Basic setup (Active/Standby system)
• Anycast IP address
  • Fast switching possible, but more complicated setup
• Switching via DNS
  • Switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs. server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
(world map of production and pilot federations) Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                             | Defined in | Example
------------------------------------------|------------|------------------------------------------------------------
displayName                               | eduPerson  | Peter Sample
common name (cn)                          | eduPerson  | Peter Sample
mail                                      | eduPerson  | peter.sample@example.org
eduPersonAffiliation                      | eduPerson  | staff
eduPersonScopedAffiliation                | eduPerson  | staff@example.org
eduPersonPrincipalName                    | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                     | SCHAC      | example.org
schacHomeOrganizationType                 | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID  | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (screenshot of the Resource Registry)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram of the eduGAIN policy documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (diagram slide)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directive.
• The SP has to provide a privacy policy (in English, according to the guideline).
• This encourages the Home Organisation (IdP) to release attributes, so attribute release scales.
Goal: increase the trust in Service Providers (SPs).
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SPs' commitment from the metadata.)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards the end user
• Information duty towards the home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Entity category value: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
Documents: https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support research and scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                       GÉANT DP CoCo
Global                           Mainly Europe
Common purpose of the SPs        Common data protection standards
Fixed set of attributes          SP can require any attributes
Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
Overview of Log Files

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2/; the file names are defined in the virtual host definition, /etc/apache2/sites-available/aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat. Default location /var/log/tomcat7/; configured in /etc/tomcat7/logging.properties (FileHandler.level, INFO by default; possible values SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt (the access log): access information associated with a request (IP address, time, request method (GET or POST), ...). Default location /var/log/tomcat7/; output directory and name configured in /etc/tomcat7/server.xml
Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor); manual at http://logback.qos.ch/manual/index.html
• Reloadability: the log level can be changed without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M (the logging configuration is re-read every five minutes)
• Automatic e-mail alerts on error (SMTPAppender, see below)
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log (warnings and errors only)
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions on attribute release and terms-of-use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually OK; change them if required, e.g. for the LDAP authentication module or authentication events, or to add a new Logger or Appender
• Log messages have five levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS" />
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

By default the SMTPAppender only sends a mail when an ERROR-level event arrives and includes the most recent buffered events (256 by default) as context, so a DEBUG root level does not flood the mailbox. See http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class name in the <Server> element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries of [org.ldaptive.auth.Authenticator:284] and [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set (uid=$requestContext.principalName)) and restart Tomcat.
Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so reloading is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows:
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed above:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding opt-in vs. opt-out, metadata, the Discovery Service and attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date, the interfederation metadata gets loaded (IdP: additional attributes, user consent; SP: Discovery Service, attribute mapping, access rules)
  ⊖ Slow process ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand if they do not want to participate or are not ready yet
  ⊕ Quick adoption ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so it does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes the interfederation IdPs
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's idp-audit.log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released? If YES, the SP has to find out why it fails; if NO, review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed but not encrypted SAML assertions, so the problem was not discovered earlier.
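The check described above (compare what the audit log shows as released against what the SP requires) and the reload events from the reloading exercises, as an added example; this is not code from the slides or from the Shibboleth IdP. The audit log is one pipe-separated record per request, but the field order is configurable in the IdP, so the FIELDS tuple below is an assumption for the constructed sample lines and must be adjusted to the local audit configuration; the required-attribute list stands in for what the Resource Registry shows for the SP.

```python
"""Check attribute release and reload events in idp-audit.log (added example)."""

# Assumed field order for the constructed sample (not the IdP default);
# adapt to your own audit configuration.
FIELDS = ("time", "relying_party", "profile", "principal", "attributes")

RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
    "http://shibboleth.net/ns/profiles/reload-metadata",
}

# Constructed sample lines: three SSO logins and two admin reload flows.
SAMPLE_LOG = """\
20150611T101502Z|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|eduPersonPrincipalName,mail,eduPersonScopedAffiliation
20150611T101730Z||http://shibboleth.net/ns/profiles/reload-service-configuration||
20150611T102244Z|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|bob|eduPersonPrincipalName,mail
20150611T102901Z||http://shibboleth.net/ns/profiles/reload-metadata||
20150611T103310Z|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|eduPersonTargetedID
"""


def parse_audit(text):
    """Split each non-empty line into a dict keyed by FIELDS; skip truncated lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["attributes"] = set(a for a in rec["attributes"].split(",") if a)
        records.append(rec)
    return records


def released_attributes(records, relying_party):
    """Union of the attributes the IdP released to this SP across all logins."""
    out = set()
    for r in records:
        if r["relying_party"] == relying_party:
            out |= r["attributes"]
    return out


def missing_attributes(records, relying_party, required):
    """Required attributes that never appear in the SP's audit records."""
    return sorted(set(required) - released_attributes(records, relying_party))


def reload_events(records):
    """(time, profile) of admin reload flows. The audit line carries no id= argument,
    so the reloaded bean cannot be recovered from idp-audit.log alone."""
    return [(r["time"], r["profile"]) for r in records if r["profile"] in RELOAD_PROFILES]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    print(missing_attributes(recs, "https://sp.example.org/shibboleth",
                             ["eduPersonPrincipalName", "mail", "givenName", "sn"]))
    print(reload_events(recs))
```

If the missing list is empty, the IdP did release everything the SP asks for and the fault is on the SP side; if it is not, the attribute release policy (attribute-filter.xml or the Resource Registry settings) is the place to look.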
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search the eduGAIN List of Entities at https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker" at https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org/
Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch/, pick "Search for resources", then "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Persistent IDs: (some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
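The delete/recreate and dump/restore steps of the exercises above, as an added example that is not code from the slides or from the Shibboleth IdP. It uses an in-memory SQLite copy of the shibpid table (the column set of the IdP v3 table) instead of PostgreSQL and re-implements the computed-ID derivation, base64(SHA-1(spEntityID + "!" + sourceId + "!" + salt)), which the stored-ID generator can be configured to use for a user's first ID at an SP. Whether a deleted record is "recreated" with the same value depends on exactly that configuration: with the computed strategy the same value comes back, with a random first ID the SP sees a new user, which is why a dump/truncate/reimport must preserve the stored values bit for bit. Entity IDs, principals and the salt are constructed.

```python
"""Persistent IDs in the shibpid table: delete, recreate, dump, restore (added example)."""
import base64
import hashlib
import sqlite3
import uuid
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE shibpid (
    localEntity      VARCHAR(255) NOT NULL,
    peerEntity       VARCHAR(255) NOT NULL,
    persistentId     VARCHAR(50)  NOT NULL,
    principalName    VARCHAR(50)  NOT NULL,
    localId          VARCHAR(50)  NOT NULL,
    peerProvidedId   VARCHAR(50)  NULL,
    creationDate     TIMESTAMP    NOT NULL,
    deactivationDate TIMESTAMP    NULL,
    PRIMARY KEY (localEntity, peerEntity, persistentId)
)"""
COLUMNS = ("localEntity", "peerEntity", "persistentId", "principalName",
           "localId", "peerProvidedId", "creationDate", "deactivationDate")


def computed_id(peer_entity, source_id, salt):
    """base64(SHA-1(peerEntity + '!' + sourceId + '!' + salt)): the computed-ID value."""
    digest = hashlib.sha1(("%s!%s!%s" % (peer_entity, source_id, salt)).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def active_id(conn, local_entity, peer_entity, source_id):
    """The currently active persistent ID for (IdP, SP, user), or None."""
    row = conn.execute(
        "SELECT persistentId FROM shibpid WHERE localEntity=? AND peerEntity=?"
        " AND localId=? AND deactivationDate IS NULL",
        (local_entity, peer_entity, source_id)).fetchone()
    return row[0] if row else None


def login(conn, local_entity, peer_entity, principal, source_id, salt, strategy="computed"):
    """Return the user's persistent ID for this SP, creating the record on first use.
    strategy="computed" seeds the first value from computed_id(); "random" uses a UUID."""
    pid = active_id(conn, local_entity, peer_entity, source_id)
    if pid is None:
        pid = computed_id(peer_entity, source_id, salt) if strategy == "computed" else str(uuid.uuid4())
        conn.execute(
            "INSERT INTO shibpid (localEntity, peerEntity, persistentId, principalName,"
            " localId, creationDate) VALUES (?, ?, ?, ?, ?, ?)",
            (local_entity, peer_entity, pid, principal, source_id,
             datetime.now(timezone.utc).isoformat()))
    return pid


def delete_record(conn, local_entity, peer_entity, source_id):
    conn.execute("DELETE FROM shibpid WHERE localEntity=? AND peerEntity=? AND localId=?",
                 (local_entity, peer_entity, source_id))


def dump(conn):
    """All rows in a fixed column order, as written to a file before a truncate."""
    return conn.execute("SELECT %s FROM shibpid ORDER BY localEntity, peerEntity, persistentId"
                        % ", ".join(COLUMNS)).fetchall()


def restore(conn, rows):
    """Purge the table and reimport the dumped rows unchanged; returns the row count."""
    conn.execute("DELETE FROM shibpid")
    conn.executemany("INSERT INTO shibpid (%s) VALUES (%s)"
                     % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))), rows)
    return conn.execute("SELECT COUNT(*) FROM shibpid").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    idp, sp = "https://idp.example.org/idp/shibboleth", "https://sp.example.org/shibboleth"
    first = login(db, idp, sp, "alice", "alice-uid", "s3cret")
    delete_record(db, idp, sp, "alice-uid")
    print(first == login(db, idp, sp, "alice", "alice-uid", "s3cret"))  # True with "computed"
```

The salt is the secret that keeps computed IDs unlinkable across SPs and unguessable from the user's local ID; losing or changing it silently re-maps every user at every SP, so it belongs in the same backup as the table dump.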
User Consent: Transparency for attribute release

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or terms change.

What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided
Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• With global consent disabled, users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• SPs outside your organisation: good, fewer clicks
• SPs outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml (see the comments inside for overrides).
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [default: true]
• Do not ask me again: idp.consent.allowGlobal = false [default: true]
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [default: false]
• Ask again if attribute values change: idp.consent.compareValues = true [default: false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP: default mapping using the entityID

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mappings are configurable, but the key is still the entityID (a default value is available)
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
Template beans in conf/relying-party.xml match SPs by
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with entity attributes (namespace declarations omitted)

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override: disables the consent flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
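The matching the override above performs on <EntityAttributes>, as an added example that is not code from the slides or from the Shibboleth IdP: it parses the entity-attribute extension of every <EntityDescriptor> (an aggregate or a single entity) and applies the two mechanisms the entity-category section and the override describe, the swissEduPersonHomeOrganization tag (first, as the override order in relying-party.xml would) and the CoCo and R&S entity categories. The metadata, the decision labels and the function names are this example's own; the R&S category URI is the REFEDS one and not on the slides.

```python
"""Which consent treatment does an SP get, judging from its metadata? (added example)"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# Constructed sample: a CoCo SP run by switch.ch, an R&S SP run by example.org,
# and an SP without any entity attributes.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://plain.example.net/shibboleth"/>
</EntitiesDescriptor>
"""


def entity_attributes(metadata_xml):
    """Map entityID -> {attribute Name: [values]} over every EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        result[ed.get("entityID")] = attrs
    return result


def consent_decision(attrs, own_home_org):
    """Tag match first (as the RelyingPartyByTag override would), then categories."""
    if own_home_org in attrs.get(HOME_ORG, []):
        return "no-consent"        # SP of the own home organisation: skip the prompt
    categories = attrs.get(ENTITY_CATEGORY, [])
    if COCO in categories:
        return "consent-coco"      # prompt; the SP publishes a CoCo privacy policy
    if RS in categories:
        return "consent-rs"        # prompt; R&S attribute bundle
    return "consent-default"


def decide_all(metadata_xml, own_home_org):
    return {eid: consent_decision(a, own_home_org)
            for eid, a in entity_attributes(metadata_xml).items()}


if __name__ == "__main__":
    for eid, decision in decide_all(SAMPLE_METADATA, "example.org").items():
        print(decision, eid)
```

The tag is only as trustworthy as the registrar that put it into the metadata, so feed this kind of check (and the IdP's override) only metadata whose signature has been verified against the federation's trust anchor, never a file fetched from the SP itself.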
Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (the .tar.gz package is recommended for Linux) and verify it against the PGP signature (.asc file) published alongside it before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp/
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp/:
  • Unmanaged directories: managed by you (not touched by upgrades), e.g. conf/, views/, edit-webapp/
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system/, webapp/
• Never touch the system directories system/ and webapp/
• Upgrades may introduce new features that require adaptations to the configuration to make use of them; the existing configuration should still work without these changes
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description in the AAI Resource Registry: https://rr.aai.switch.ch/
(Screenshot of the Home Organisation Description: items 1 and 2 to review, item 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and domain hints
• 5 Contacts: please ensure only non-personal e-mail addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP address for the IdP's Attribute Authority (AA).
New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed, and no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key, and the IdP checks the signature with the SP's public key from metadata.
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with the SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with the SAML1 SOAP binding
• Attribute Service with the SAML1 SOAP binding
But only remove them after verifying that they are not used.
How to check if a profile and binding can be removed: check whether it has been used within the last few months. If not, remove it from the Resource Registry. How to check whether it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
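The grep above, carried one step further, as an added example that is not code from the slides or from the Shibboleth IdP: it scans idp-process.log-style lines for SAML binding URIs and reports, per binding, the number of uses, the last time seen and the relying parties involved, so that an endpoint is only removed from the Resource Registry once the log shows it idle for the chosen period. The sample lines are constructed; real log lines put the binding URI into varying message texts, so only the timestamp at the start of the line, any binding URI and any https:// entityID on the line are matched, not a particular message wording.

```python
"""Which SAML bindings are still in use? Evidence for pruning endpoints (added example)."""
import re
from datetime import datetime

# Bindings the slides name as removal candidates.
CANDIDATES = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTITY_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed sample lines in the idp-process.log style (timestamp, level, message).
SAMPLE_LOG = """\
2015-01-12 09:14:03,201 - INFO [...] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-05-03 14:22:10,113 - INFO [...] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-05-04 08:01:55,009 - INFO [...] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth
2015-06-01 11:40:27,555 - WARN [...] - something unrelated happened
2015-06-02 16:05:41,777 - INFO [...] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://other.example.net/shibboleth
"""


def binding_usage(lines):
    """Per binding URI: number of uses, last timestamp seen, relying parties on those lines."""
    usage = {}
    for line in lines:
        stamp, binding = TIME_RE.match(line), BINDING_RE.search(line)
        if not (stamp and binding):
            continue  # no timestamp or no binding on this line
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        entry = usage.setdefault(binding.group(0), {"count": 0, "last": when, "sps": set()})
        entry["count"] += 1
        entry["last"] = max(entry["last"], when)
        entry["sps"] |= set(ENTITY_RE.findall(line))
    return usage


def removable(usage, candidates, since_date):
    """Candidates not used at all since since_date (YYYY-MM-DD): safe to drop from metadata."""
    since = datetime.strptime(since_date, "%Y-%m-%d")
    return sorted(b for b in candidates if b not in usage or usage[b]["last"] < since)


if __name__ == "__main__":
    seen = binding_usage(SAMPLE_LOG.splitlines())
    for b, e in sorted(seen.items()):
        print(b, e["count"], e["last"].date(), sorted(e["sps"]))
    print(removable(seen, CANDIDATES, "2015-03-01"))
```

Run it over all rotated files for the period (`idp-process-2015-*.log` as in the grep above), not only the current one; a binding that appears nowhere in the scanned period is reported as removable, so the period has to be as long as the decision deserves.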
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of in server memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment
(Figure: example clustered IdP environment, two slides)
Options: full-featured setup
• Load balancing hardware vs. DNS round robin: special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably: the behaviour of clients is not determinable, and it does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but a more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage, client-side vs. server-side
Server-side database can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client. Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                          Defined in   Example
displayName                            eduPerson    Peter Sample
common name (cn)                       eduPerson    Peter Sample
mail                                   eduPerson    peter.sample@example.org
eduPersonAffiliation                   eduPerson    staff
eduPersonScopedAffiliation             eduPerson    staff@example.org
eduPersonPrincipalName                 eduPerson    234cd8z239@example.org
schacHomeOrganization                  SCHAC        example.org
schacHomeOrganizationType              SCHAC        urn:schac:homeOrganizationType:ch:university
                                                    urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID (Persistent Name ID)   eduPerson   https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, e.g.:
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS" />
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml: set log level to DEBUG for logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG" />
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose: they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org/
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits
Page 46
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Page 52
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:
<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>
• Add text in messages/consent-messages.properties:
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now
IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
(screenshot of the Resource Registry form: sections 1 and 2 to review, 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/...
to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
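The grep above prints raw log lines; the following script, an added example that is not part of the SWITCH handout, wraps the same check in a function that reports the last timestamp and relying party seen for a binding, run here against constructed sample log lines (the relyingParty= field in the message text is an assumption about your log layout).

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): report the last time a SAML
# binding shows up in idp-process*.log so you can decide whether its endpoint
# can be removed from the Resource Registry.
# Assumptions: lines start with the IdPv3 default "YYYY-MM-DD HH:MM:SS,mmm"
# timestamp, and the message names the relying party as
# "relyingParty=<entityID>" (adapt the sed expression to your log layout).

# last_binding_use BINDING_URN LOGFILE...
# Prints "<timestamp> <relying party>" of the most recent matching entry;
# returns 1 (and prints nothing) when the binding never appears.
last_binding_use() {
    binding="$1"; shift
    # -h: no file name prefix; sort by the leading timestamp; keep the last
    line=$(grep -h -F "$binding" "$@" 2>/dev/null | sort | tail -n 1)
    [ -n "$line" ] || return 1
    ts=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    rp=$(printf '%s\n' "$line" | sed -n 's/.*relyingParty=\([^ ,]*\).*/\1/p')
    printf '%s %s\n' "$ts" "${rp:-unknown}"
}

# Constructed sample of a 2015 process log (not real traffic, logger names
# are placeholders).
SAMPLE_LOG=${TMPDIR:-/tmp}/idp-process-2015-sample.log
cat > "$SAMPLE_LOG" <<'EOF'
2015-01-14 09:12:31,004 - INFO [example.constructed.Logger:42] - attribute query via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relyingParty=https://old-sp.example.org/shibboleth
2015-03-02 17:45:10,512 - INFO [example.constructed.Logger:42] - SSO request via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relyingParty=https://sp.example.org/shibboleth
2015-02-20 08:03:55,117 - INFO [example.constructed.Logger:42] - attribute query via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relyingParty=https://legacy.example.org/shibboleth
EOF

SOAP1='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

if last_binding_use "$SOAP1" "$SAMPLE_LOG"; then
    echo "SAML1 SOAP binding still in use: keep the endpoint for now"
fi
if ! last_binding_use "$SIMPLESIGN" "$SAMPLE_LOG"; then
    echo "HTTP-POST-SimpleSign never used: candidate for removal"
fi
```

Run it against all rolled files at once (idp-process-2015-*.log) so a binding used only in an earlier month is not missed.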
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment
(diagrams of the example cluster environment, two slides)
Options: Full-featured setup
Load balancing hardware vs DNS round robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
Options: Basic setup (Active/Standby system)
• Anycast IP address
  • Fast switching possible, but more complicated setup
• Switching via DNS
  • Switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs server-side
• Server-side database: can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
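As an added check that is not part of the handout: a shell script that compares the four storage keys in idp.properties against the recommendations table (session on the client, consents and artifacts in the common database, replay cache per node in memory). shibboleth.JPAStorageService is named on the slides; shibboleth.ClientSessionStorageService and shibboleth.StorageService are the stock IdPv3 bean names for client-side and in-memory storage, and the sample properties file is constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): audit the storage service
# settings in idp.properties against the cluster recommendations.
# The Persistent ID store is configured in global.xml, not here, so it is
# out of scope for this check.

# prop FILE KEY -> prints the value of KEY (empty if unset or commented out)
prop() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_storage_config FILE
# Prints one "KEY: got X, recommended Y" line per deviation; the return
# value is the number of deviations (0 = everything as recommended).
check_storage_config() {
    f="$1"; bad=0
    # key=recommended pairs following the "Storage Recommendations" table
    for pair in \
        idp.session.StorageService=shibboleth.ClientSessionStorageService \
        idp.consent.StorageService=shibboleth.JPAStorageService \
        idp.artifact.StorageService=shibboleth.JPAStorageService \
        idp.replayCache.StorageService=shibboleth.StorageService
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(prop "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: got '${got:-<unset>}', recommended '$want'"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample: a single-node default config that is not yet
# cluster-ready (consents kept in browser cookies, artifacts in memory).
SAMPLE=${TMPDIR:-/tmp}/idp-sample.properties
cat > "$SAMPLE" <<'EOF'
# constructed excerpt of /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
#idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF

check_storage_config "$SAMPLE" || echo "$? setting(s) differ from the cluster recommendations"
```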
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
(world map of federations in production and pilot status)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.
SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                   | Defined in | Example
------------------------------------------------|------------|------------------------------------------------
displayName                                     | eduPerson  | Peter Sample
common name (cn)                                | eduPerson  | Peter Sample
mail                                            | eduPerson  | peter.sample@example.org
eduPersonAffiliation, eduPersonScopedAffiliation | eduPerson | staff, staff@example.org
eduPersonPrincipalName                          | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                           | SCHAC      | example.org
schacHomeOrganizationType                       | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID        | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/
(screenshot of the interfederation settings in the Resource Registry)
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
Policy framework documents (diagram): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata
(diagram of entity categories in metadata)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                | GÉANT DP CoCo
--------------------------|---------------------------------
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
(diagram of the attribute release rules)
Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
(screenshot, continued)
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...)
  default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2
Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   - [org.ldaptive.auth.Authenticator:284]
   - [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
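As an added example, not one of the handout's own reload scripts: a small shell wrapper around the curl call that validates the bean ID against the list above before building the reload-service URL, so a typo fails locally instead of producing an error from the IdP; the IdP base URL is an assumption.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): trigger an IdPv3 service
# reload with curl, refusing bean IDs that are not on the known list.
# The base URL is an assumption; the admin flow URL pattern and the bean
# IDs are those on the slides.

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}   # assumption: adapt

# Reloadable service bean IDs (metadata reloads use reload-metadata instead).
RELOADABLE='shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService'

# is_reloadable BEAN_ID -> 0 if BEAN_ID is a known service ID (exact match)
is_reloadable() {
    printf '%s\n' "$RELOADABLE" | grep -qx -F "$1"
}

# reload_url BEAN_ID -> prints the admin flow URL; fails on unknown IDs
reload_url() {
    is_reloadable "$1" || { echo "unknown service bean id: $1" >&2; return 2; }
    printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$1"
}

# reload_service BEAN_ID: performs the request. Access to reload-* is
# restricted to localhost by default, so run this on the IdP host itself.
reload_service() {
    url=$(reload_url "$1") || return $?
    # --fail: a non-2xx status (e.g. 403 from access-control.xml) is an error
    curl --silent --show-error --fail "$url"
}

# Usage (no request is made here): show the URL that would be called.
reload_url shibboleth.AttributeResolverService
```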
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4: curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit.log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
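The decision tree above, applied to idp-audit.log records in Python, as an added example that is not part of the SWITCH training material. The pipe-separated field layout (relying party in field 3, released attributes in field 7) and the sample records are constructed assumptions; adjust RP_FIELD and ATTR_FIELD to the audit format your IdP is configured with.

```python
# Constructed sample of idp-audit.log records (not real log data). Assumed layout:
# timestamp|binding|request id|relying party|profile|principal|authn method|attributes
SAMPLE_AUDIT = """\
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|password|mail,displayName
20150611T081701Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|password|eduPersonTargetedID
20150611T082030Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://silent.example.com/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|password|
"""

RP_FIELD = 3      # assumption: position of the relying party (SP entityID)
ATTR_FIELD = 7    # assumption: position of the comma-separated released attributes


def parse_audit_line(line):
    """Split one audit record into (relying party, set of released attributes)."""
    fields = line.rstrip("\n").split("|")
    if len(fields) <= max(RP_FIELD, ATTR_FIELD):
        return None                       # malformed or truncated record
    attrs = {a for a in fields[ATTR_FIELD].split(",") if a}
    return fields[RP_FIELD], attrs


def diagnose(lines, relying_party, required):
    """Apply the slide's troubleshooting steps to the most recent audit record
    for relying_party: was anything released, and were all required attributes
    among them? Returns the status, the released and missing attributes and
    the next step the IdP operator should take."""
    released = None
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed and parsed[0] == relying_party:
            released = parsed[1]          # keep the last, i.e. most recent, record
    if released is None:
        return {"status": "no-record", "released": set(), "missing": sorted(required),
                "next_step": "no audit record for this SP: check the IdP's attribute release policy"}
    missing = sorted(set(required) - released)
    if not released:
        status, step = "nothing-released", "check your IdP's attribute release policy"
    elif missing:
        status, step = "incomplete", "review your attribute release policy"
    else:
        status, step = "complete", "all required attributes released; the SP has to find out why it fails"
    return {"status": status, "released": released, "missing": missing, "next_step": step}


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for sp, req in [("https://sp.example.org/shibboleth", {"mail", "eduPersonPrincipalName"}),
                    ("https://other.example.net/shibboleth", {"eduPersonTargetedID"}),
                    ("https://silent.example.com/shibboleth", {"mail"}),
                    ("https://unknown.example.org/shibboleth", {"mail"})]:
        print(sp, diagnose(lines, sp, req))
```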
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged
Page 47
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
Page 48
Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide
When should consent be sought
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Page 49
Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
Page 51
Attribute consent configuration
Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
Page 52
Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID (the colon in the key must be escaped in a properties file):
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

Hands-on solution
• Add the text in messages/consent-messages.properties

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="ShibbolethSSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
Page 58
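An added Python model (not the IdP's own code) of how the RelyingPartyByTag override with a TagCandidate selects SPs from metadata like the example above. The aggregate (the slide's entity plus a constructed example.org SP and a tag-less SP) and the rule that every candidate value must be present for a candidate to match are assumptions; verify the latter against the EntityAttributesPredicate documentation before relying on it.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed aggregate: the entity from the slide plus a made-up SP of the
# home organisation example.org and an SP without any entity attributes.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://plain.example.net/shibboleth"/>
</EntitiesDescriptor>
"""


def entity_attributes(entity):
    """Collect the <mdattr:EntityAttributes> of one EntityDescriptor as {Name: set(values)}."""
    result = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
        result.setdefault(attr.get("Name"), set()).update(values)
    return result


def candidate_matches(attrs, name, values):
    """Model of one TagCandidate (c:name / p:values): the entity must carry an
    attribute with this Name, and every listed value must be among its values
    (assumed rule, see the lead-in)."""
    return name in attrs and set(values) <= attrs[name]


def overridden_entities(metadata_xml, candidates):
    """Return the entityIDs the override would catch: one matching candidate
    out of the list is enough."""
    root = ET.fromstring(metadata_xml)
    matched = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = entity_attributes(entity)
        if any(candidate_matches(attrs, name, values) for name, values in candidates):
            matched.append(entity.get("entityID"))
    return matched


if __name__ == "__main__":
    # The candidate from the slide: SPs of the home organisation example.org.
    home_org = [("urn:oid:2.16.756.1.2.5.1.1.4", ["example.org"])]
    # A second candidate keyed on the CoCo entity category.
    coco = [("http://macedir.org/entity-category",
             ["http://www.geant.net/uri/dataprotection-code-of-conduct/v1"])]
    print("consent disabled for:", overridden_entities(SAMPLE_METADATA, home_org))
    print("CoCo SPs:", overridden_entities(SAMPLE_METADATA, coco))
```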
SWITCHaai Team aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot)
1, 2: to review
3: to adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP's webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3 Remove Unnecessary Endpoints
Which endpoints to remove Generally its better to only have published in metadata what is needed and used So in 3 Technical Information consider removing end points that are hardly used
Candidates to remove Single Sign On Service with
SAML2 HTTP POST SimpleSign binding Artifact Resolution Service with SAML1 SOAP binding Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used 12
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
Page 68
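An added Python variant of the grep check above (not part of the training material) that summarises, per SP, how often and when the binding was last seen and decides against a cutoff date. The log lines are constructed: they use logback's default %date prefix, but the message wording is an assumption, and the scan relies only on the binding URN and an https:// relying party ID appearing on the same line.

```python
import re

BINDING_SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Constructed idp-process.log lines (not real IdP output). Real messages are
# worded differently; only the timestamp, the binding URN and the relying
# party ID matter to the scan below.
SAMPLE_PROCESS_LOG = """\
2015-01-05 08:02:11,410 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
2015-01-05 08:02:12,002 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect for relying party https://sp.example.org/shibboleth
2015-02-17 14:30:45,771 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://old-aa-client.example.net/shibboleth
2015-03-02 09:14:31,012 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
"""

# Relying party IDs in SWITCHaai are https URLs; the binding URN never matches this.
RP_RE = re.compile(r"https://[^\s\"']+")


def binding_usage(lines, binding):
    """Summarise the use of one binding: per relying party the number of hits
    and the latest timestamp, plus the latest timestamp overall. Assumes the
    lines are in chronological order, as log files are."""
    by_sp = {}
    last = None
    for line in lines:
        if binding not in line:
            continue
        ts = line[:19]                      # "YYYY-MM-DD HH:MM:SS" from logback's %date
        rps = RP_RE.findall(line)
        rp = rps[-1] if rps else "<unknown>"
        count, _ = by_sp.get(rp, (0, None))
        by_sp[rp] = (count + 1, ts)
        last = ts
    return {"binding": binding, "last_used": last, "by_sp": by_sp}


def removable(usage, cutoff):
    """An endpoint is a removal candidate if its binding was never used or its
    last use predates the cutoff (an ISO date such as "2015-03-11", i.e. a few
    months before the review); ISO dates compare correctly as strings."""
    if usage["last_used"] is None:
        return True
    return usage["last_used"][:10] < cutoff


if __name__ == "__main__":
    usage = binding_usage(SAMPLE_PROCESS_LOG.splitlines(), BINDING_SAML1_SOAP)
    for rp, (count, ts) in sorted(usage["by_sp"].items()):
        print("%-50s %3d uses, last %s" % (rp, count, ts))
    print("last use:", usage["last_used"], "removable before 2015-03-11:", removable(usage, "2015-03-11"))
```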
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (two figure slides, not recoverable as text)
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs. server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map of Production and Pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
eduGAIN policy framework (figure): eduGAIN Declaration, eduGAIN Constitution, Web SSO Profile, Metadata Profile, Attribute Profile, Code of Conduct
Page 82
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (figure)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules (figure)
Page 88
Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
(screenshot)
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7
  Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7
  Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93
Hands On 2
9
Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way - by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
shibboleth.LoggingService                    logging configuration reload (logback.xml)
shibboleth.AttributeFilterService            attribute filter reload
shibboleth.AttributeResolverService          reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService   reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService       reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService           reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService    reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages - edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately - say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course... but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process   ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption   ⊖ More likely that entities cause problems, unless they opted out before the flag day
3
Three Examples
1) UK Data Archive     http://www.data-archive.ac.uk
2) FUNET FileSender    https://filesender.funet.fi
3) Wiseflow            https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
7
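To make the "verify that attributes were released" step above repeatable, and to show how the reload events mentioned on the "hands-on exercises" slide look once parsed, here is an added Python example; it is not part of this handout or of the Shibboleth IdP. It reads idp-audit.log lines, compares what was released to an SP against the attributes the SP requires, and lists the admin reload events. The pipe-separated field order in FIELDS is an assumption chosen so that the profile is the fifth field, as in the reload entries quoted on the slide; the authoritative order is the audit format string of your own audit configuration. All log lines and SP entityIDs are constructed.

```python
"""Check attribute release per SP from idp-audit.log lines and pick out
reload events.  Added example for this handout, not IdP code.
The field order in FIELDS is an ASSUMPTION (profile in the fifth field, as
in the reload entries shown on the slides); adapt it to the audit format
string of your deployment before using this on a real log.
All sample lines are constructed."""
from collections import namedtuple

# Assumed field layout (adapt to your audit format string).
FIELDS = ("time", "inbound_binding", "inbound_msg_id", "relying_party",
          "profile", "principal", "client_ip", "name_id", "outbound_msg_id",
          "attributes", "encrypted", "outbound_binding", "status")
AuditEvent = namedtuple("AuditEvent", FIELDS)

RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

# Constructed sample: a login at a SWITCHaai SP, a metadata reload, and a
# login at an interfederated SP that received only one attribute.
SAMPLE_AUDIT_LOG = """\
20150611T081501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|192.0.2.10|_n1|_o1|eduPersonScopedAffiliation,mail,givenName,sn|true|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:status:Success
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T081602Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://interfed-sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|192.0.2.10|_n2|_o2|eduPersonScopedAffiliation|true|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:status:Success
"""


def parse_audit(text):
    """Split each non-empty line into an AuditEvent; short lines are padded
    and long lines truncated so one odd column does not abort the scan."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        parts = (parts + [""] * len(FIELDS))[:len(FIELDS)]
        events.append(AuditEvent(*parts))
    return events


def released_attributes(events, relying_party):
    """Union of the attribute IDs the IdP released to relying_party."""
    released = set()
    for ev in events:
        if ev.relying_party == relying_party and ev.attributes:
            released.update(a for a in ev.attributes.split(",") if a)
    return released


def missing_attributes(events, relying_party, required):
    """Required attributes (per the SP's Resource Registry entry) that never
    appear in a release to that SP.  Non-empty: look at your release policy;
    empty: the failure has to be investigated on the SP side."""
    return sorted(set(required) - released_attributes(events, relying_party))


def reload_events(events):
    """(time, profile) of the admin reload flows recorded in the audit log."""
    return [(ev.time, ev.profile) for ev in events if ev.profile in RELOAD_PROFILES]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    sp = "https://interfed-sp.example.net/shibboleth"
    print("released to", sp, released_attributes(evs, sp))
    print("missing:", missing_attributes(evs, sp,
                                         ["mail", "eduPersonScopedAffiliation", "displayName"]))
    print("reloads:", reload_events(evs))
```

Run it against a real log with `parse_audit(open("/opt/shibboleth-idp/logs/idp-audit.log").read())` after adjusting FIELDS; a non-empty result from `missing_attributes` points at the release policy, an empty one shifts the question to the SP operator.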
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided
5
Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws
6
Page 48
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide
7
When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
8
Page 49
Part 2: Technical bits
9
Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]
10
Page 50
Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release)

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
11
Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options (default value in brackets)
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]
12
Page 51
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
13
Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]
14
Page 52
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
15
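To see what the white list, black list, pattern and display-order rules from the two slides above do to a concrete set of resolved attributes, here is an added Python example; it is not the IdP's code (the IdP applies these rules in its attribute-release intercept flow in Java) and not part of this handout. The resolved attribute set is constructed, and the way a non-empty white list combines with the pattern (OR) is an assumption stated in the docstring.

```python
"""Which attributes the consent page asks about, and in which order, under
the white list / black list / pattern rules and the 3.2.0 display-order
rules on the slides.  Added example for this handout, not the IdP's own
code.  ASSUMPTION: a non-empty white list and a pattern are OR-ed.  The
resolved attribute set is constructed."""
import re

# Defaults as given on the "White & black lists" slide.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(resolved, whitelist=(), blacklist=DEFAULT_BLACKLIST, pattern=None):
    """Return the attribute IDs to prompt for, in resolution order.

    - black-listed attributes are never prompted for (released silently);
    - with an empty white list and no pattern, everything else is prompted;
    - once a white list or pattern is set, only attributes in the white list
      or matching the pattern are prompted (assumption: OR); any other
      attribute is released without asking, as the slide says.
    """
    whitelist = set(whitelist)
    regex = re.compile(pattern) if pattern else None
    prompt = []
    for attr in resolved:
        if attr in blacklist:
            continue
        if not whitelist and regex is None:
            prompt.append(attr)
        elif attr in whitelist or (regex is not None and regex.match(attr)):
            prompt.append(attr)
    return prompt


def display_order(prompted, whitelist=(), pattern=r"^.*$"):
    """Order for the consent page: white-listed attributes first, in
    white-list order, then the attributes caught by the pattern (^.*$ = all
    others) alphabetically, the default described for 3.2.0."""
    first = [a for a in whitelist if a in prompted]
    regex = re.compile(pattern)
    rest = sorted(a for a in prompted if a not in first and regex.match(a))
    return first + rest


def silently_released(resolved, prompted):
    """What the user is never asked about: black-listed or outside the lists."""
    return [a for a in resolved if a not in prompted]


if __name__ == "__main__":
    resolved = ["sn", "mail", "givenName", "persistentId", "eduPersonScopedAffiliation"]
    asked = attributes_to_prompt(resolved, whitelist=["mail", "sn"])
    print("asked, in display order:", display_order(asked, whitelist=["mail", "sn"]))
    print("released without asking:", silently_released(resolved, asked))
```

The last function is the one worth running before filling the white list: everything it returns leaves the IdP without the user ever seeing it on the consent page.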
Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID (the colon in the key must be escaped in a Java properties file):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
16
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
17
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP
18
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>
19
Hands-on solution
• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
20
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc
21
Appendix: Disabling the attribute consent prompt for particular SPs
22
Page 56
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
23
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
24
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
25
Example relying party override
Disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
26
Page 58
SWITCHaai Team aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
2
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
3
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
4
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
5
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
3
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
5
Home Organisation Description
6
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes
7
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
8
Page 65
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
9
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for the Attribute Service and the Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
11
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
12
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time
13
Page 68
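The grep above answers the question for one binding at a time; the added Python example below (not part of the IdP or of this handout) does the same inventory for every binding at once over idp-process.log lines and reports which published bindings have not been used since a cut-off date. The log lines are constructed; the real message text differs between IdP versions, so only the leading Logback timestamp and the binding URN in the line are relied on. The list of published bindings is also constructed.

```python
"""Which SAML bindings this IdP actually serves, worked out from
idp-process.log lines, to decide whether an endpoint can be removed from the
metadata.  Added example, not part of the IdP or of this handout.  The log
lines are constructed; only the leading timestamp and the binding URN in a
line are relied on."""
import re
from datetime import datetime

BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9_-]+")
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed idp-process.log excerpt (Logback ISO8601 timestamps).
SAMPLE_PROCESS_LOG = """\
2015-01-14 09:12:44,102 - INFO [net.shibboleth.idp.profile:100] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party https://sp1.example.org/shibboleth
2015-02-03 15:40:01,555 - INFO [net.shibboleth.idp.profile:100] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.net/shibboleth
2015-06-10 08:01:12,000 - INFO [net.shibboleth.idp.profile:100] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp2.example.org/shibboleth
2015-06-10 08:01:13,001 - INFO [net.shibboleth.idp.profile:100] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party https://sp1.example.org/shibboleth
"""

# Bindings published in the Resource Registry for this IdP (constructed list).
PUBLISHED_BINDINGS = [
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
]


def binding_usage(log_text):
    """binding URN -> (number of lines mentioning it, datetime of the last one)."""
    usage = {}
    for line in log_text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        if not ts:
            continue  # stack-trace continuation lines carry no timestamp
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        for urn in set(BINDING_RE.findall(line)):
            count, last = usage.get(urn, (0, None))
            usage[urn] = (count + 1, when if last is None or when > last else last)
    return usage


def removal_candidates(usage, published, not_since):
    """Published bindings with no use at or after `not_since` (YYYY-MM-DD),
    including bindings that never appear in the log at all."""
    cutoff = datetime.strptime(not_since, "%Y-%m-%d")
    return sorted(urn for urn in published
                  if usage.get(urn, (0, None))[1] is None or usage[urn][1] < cutoff)


if __name__ == "__main__":
    usage = binding_usage(SAMPLE_PROCESS_LOG)
    for urn, (count, last) in sorted(usage.items()):
        print("%-60s %3d  last %s" % (urn, count, last))
    print("candidates:", removal_candidates(usage, PUBLISHED_BINDINGS, "2015-03-01"))
```

Feed it the concatenation of the rotated idp-process-*.log files for the period you care about; a binding that is in the candidate list but still published is the one to take out of the Resource Registry (or to investigate, if you expected it to be used).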
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
2
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
3
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
4
Page 70
Example Environment
5
[Figure: example cluster environment]
Example Environment
6
[Figure: example cluster environment, continued]
Page 71
Options
• Full-featured setup
  Load Balancing: hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
    • Fast switching possible, but more complicated setup
  Switching via DNS
    • Switching takes some time (TTL), but setup is easy
7
Options
• Data storage: client-side vs server-side
  Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
8
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
9
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
10
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node
11
Remarks
• "Common Database" means some central/clustered database, or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
12
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
13
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
14
Page 75
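Why the nodes must share the same versioned key, and why old keys have to stay around for a while after a rotation, is easiest to see in code. The following is an added Python example for this handout, not IdP code: the IdP's DataSealer encrypts the cookie with keys held in a JCEKS keystore and the rotation is done by the cron job the wiki page describes. This stand-in keeps a small in-memory key ring and authenticates tokens with HMAC-SHA256 instead of encrypting them, which is enough to show the three rotation rules: the newest key seals, older keys remain readable until they are retired, and a node with a different ring cannot unseal. Key labels such as secret1 and the session payload are made up.

```python
"""Versioned secret keys for the session cookie in a cluster.  Added example
for this handout, not IdP code: the IdP's DataSealer uses encryption keys in
a JCEKS keystore; this stand-in uses an in-memory key ring with HMAC-SHA256
(integrity only, no confidentiality) to show the rotation rules.
Key labels and payloads are constructed."""
import base64
import hashlib
import hmac
import secrets


class KeyRing:
    """Versioned keys: label -> 32 random bytes; the `keep` newest are retained."""

    def __init__(self, keep=3):
        self.keep = keep
        self.keys = {}
        self.current = None

    @staticmethod
    def _version(label):
        return int(label[len("secret"):])

    def rotate(self):
        """Generate the next key, make it current, retire the oldest ones."""
        version = 1 if self.current is None else self._version(self.current) + 1
        label = "secret%d" % version
        self.keys[label] = secrets.token_bytes(32)
        self.current = label
        for old in sorted(self.keys, key=self._version)[:-self.keep]:
            del self.keys[old]  # cookies sealed with it can no longer be read
        return label

    def seal(self, data):
        """label:mac:data, MAC and data URL-safe base64 encoded."""
        mac = hmac.new(self.keys[self.current], data, hashlib.sha256).digest()
        return "%s:%s:%s" % (self.current, _b64(mac), _b64(data))

    def unseal(self, token):
        """Return the data if the label is on this ring and the MAC matches,
        else None (unknown/retired key, tampering, or another node's key)."""
        try:
            label, mac_b64, data_b64 = token.split(":")
            key = self.keys[label]
            mac, data = _unb64(mac_b64), _unb64(data_b64)
        except (ValueError, KeyError):
            return None
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return data if hmac.compare_digest(expected, mac) else None

    def copy_to(self, other):
        """What the cron job does: replicate the whole ring to another node."""
        other.keep = self.keep
        other.keys = dict(self.keys)
        other.current = self.current


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def cluster_demo():
    """Two nodes: a cookie sealed on A is only readable on B after the ring is
    copied, and an old cookie survives exactly keep-1 further rotations."""
    node_a, node_b = KeyRing(keep=3), KeyRing(keep=3)
    node_a.rotate()
    node_b.rotate()  # same label 'secret1' but a different random key
    cookie = node_a.seal(b"idp-session:jdoe")
    before_sync = node_b.unseal(cookie)
    node_a.copy_to(node_b)
    after_sync = node_b.unseal(cookie)
    node_a.rotate()
    node_a.rotate()                  # secret2, secret3: secret1 still kept
    still_readable = node_a.unseal(cookie)
    node_a.rotate()                  # secret4: secret1 retired
    after_retire = node_a.unseal(cookie)
    return before_sync, after_sync, still_readable, after_retire


if __name__ == "__main__":
    print(cluster_demo())
```

The operational consequences mirror the slide: a node that missed a key copy rejects every session cookie sealed by the others (users are sent back to the login page), and the number of retained key versions times the rotation interval has to exceed the configured session lifetime, otherwise valid sessions expire early.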
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
15
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
16
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
17
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university / urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
• In interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust
Metadata [figure]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
  • No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                 | GÉANT DP CoCo
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules [figure]
Attribute Release Settings (1) [screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2) [screenshot]
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml: set log level to DEBUG for logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
• say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under Metadata URL, click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the Is Federated Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation"
  • or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland
Part 2: Technical bits

Global configuration options: configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]
Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>
Attribute consent configuration: configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration: configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration: configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping: configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>
Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="ShibbolethSSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
SWITCHaai Team, aai@switch.ch
Upgrades within Version 3
It's easy now!
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp/
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp/:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry https://rr.aai.switch.ch
Home Organisation Description [screenshot: sections 1 and 2 to review, section 3 to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3. Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
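An added shell helper (not from the handout) over idp-audit.log that generalises the grep above to any binding, and also performs the "verify that attributes were released" check from the interfederation troubleshooting slide. It assumes the default IdPv3 audit line layout from conf/audit.xml (pipe-separated: timestamp, inbound binding, message ID, relying party, profile, user, authn context, released attribute IDs, ...); the log lines are constructed samples and so are the entityIDs.

```shell
#!/bin/sh
# Endpoint usage and attribute release checks on idp-audit.log.
# Audit fields (assumed default IdPv3 layout): $1 time, $2 inbound binding,
# $3 inbound msg ID, $4 relying party, $5 profile, $6 user, $7 authn context,
# $8 released attributes (comma-separated), then NameID and assertion IDs.
set -e

# Constructed sample log: one SAML1 SOAP attribute query in March, two SAML2
# SSO logins in June, plus a reload event (empty binding/SP, as on the slide).
sample_audit_log() {
    cat <<'EOF'
20150302T101500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_q1|https://legacy-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|jdoe||eduPersonPrincipalName,mail|_n1|_a1
20150610T143012Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|_n2|_a2
20150611T120000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T120530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|asmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName,eduPersonScopedAffiliation|_n3|_a3
EOF
}

# Print "timestamp|relyingParty" of the most recent request that arrived via
# the given inbound binding; return 1 if the binding never appears, which is
# the evidence needed before removing an endpoint from the Resource Registry.
last_use_of_binding() {
    awk -F'|' -v b="$2" \
        '$2 == b { last = $1 "|" $4 } END { if (last == "") exit 1; print last }' "$1"
}

# Request counts per inbound binding, "count binding", most used first.
# Reload/admin events carry no binding and are skipped.
count_by_binding() {
    awk -F'|' '$2 != "" { n[$2]++ } END { for (b in n) print n[b], b }' "$1" | sort -rn
}

# Attribute IDs released in the most recent request to the given relying
# party; return 1 if nothing was ever released to it.
attributes_released_to() {
    awk -F'|' -v sp="$2" \
        '$4 == sp && $8 != "" { last = $8 } END { if (last == "") exit 1; print last }' "$1"
}

# Compare the SP's required attributes (comma-separated, as listed in the
# Resource Registry) with what the audit log shows; print the missing ones
# and return 1 if any are missing, otherwise return 0 silently.
missing_required_attributes() {
    released=$(attributes_released_to "$1" "$2") || released=""
    missing=""
    for a in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$released," in
            *",$a,"*) ;;
            *) missing="$missing $a" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "${missing# }"
        return 1
    fi
    return 0
}
```

Run it against the real log with e.g. `cat /opt/shibboleth-idp/logs/idp-audit-2015-*.log > /tmp/audit.log` and then `last_use_of_binding /tmp/audit.log urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign`.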
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
bull IdPv3 provides better support for clustering than IdPv2 bull Especially user login sessions are stored on the client instead of on
the server in memory bull Allows flexible configuration of various storage services (memory
server-side client-side)
bull In theory clustering would be easy by storing data in memory or in cookies in the browser only ie avoiding a database But bull Full support for Attribute Query requires persistent storage of the
Persistent ID bull Storing user consents per browser is not convenient for users
bull Documentation on the Shibboleth Wiki httpswikishibbolethnetconfluencedisplayIDP30Clustering
3
copy 2015 SWITCH
Challenges
bull The setup of the IdP and the whole environment is more complex than with a single-server IdP
bull Special configuration of the IdP is required
bull Load balancing requires special hardware or software
bull IdPs in SWITCHaai store some data in a database Therefore clustered IdPs need some kind of clustered database or some replication mechanism
4
Page 70
Example Environment (diagram; not reproduced in the handout)
5

Example Environment (diagram; not reproduced in the handout)
6
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy
7

Options
• Data storage: client-side vs. server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
8
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
9

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
10
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node
11
Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
12
Page 74
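A node that still carries the single-server defaults in idp.properties joins a cluster silently and only misbehaves on failover. The script below is an added example (not from the SWITCH handout or the Shibboleth project) that reads the four storage-service properties named on the slide and compares them with the recommendations table. The property keys and the shibboleth.* storage bean IDs (shibboleth.StorageService, shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService, shibboleth.JPAStorageService) are the IdP v3's own; the properties text embedded below is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: check the storage-service
# settings in idp.properties against the recommendations for a clustered IdP.
# Against a real node:  cluster_check < /opt/shibboleth-idp/conf/idp.properties
set -eu

# Constructed idp.properties excerpt; the consent entry is deliberately left
# at the single-node in-memory default so the check has something to flag.
SAMPLE_PROPS=$(cat <<'EOF'
# storage services (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
)

# prop_value KEY  (properties text on stdin): trimmed value, last one wins,
# empty if the key is absent. Comment lines (# or !) are skipped.
prop_value() {
    awk -v key="$1" '
        /^[[:space:]]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            val = v
        }
        END { print val }'
}

# cluster_check  (properties text on stdin): one "<entity> ok|WARN ..." line
# per storage entity, following the recommendations table above.
cluster_check() {
    props=$(cat)
    session=$(printf '%s\n' "$props" | prop_value idp.session.StorageService)
    consent=$(printf '%s\n' "$props" | prop_value idp.consent.StorageService)
    artifact=$(printf '%s\n' "$props" | prop_value idp.artifact.StorageService)
    replay=$(printf '%s\n' "$props" | prop_value idp.replayCache.StorageService)

    case "$session" in
        shibboleth.ClientSessionStorageService) echo "session ok (client cookie, floats between nodes)" ;;
        *) echo "session WARN '$session' is node-bound; users are logged out on failover" ;;
    esac
    case "$consent" in
        shibboleth.JPAStorageService) echo "consent ok (common database)" ;;
        shibboleth.ClientPersistentStorageService) echo "consent WARN stored per browser; users with several browsers are asked again" ;;
        *) echo "consent WARN '$consent' is per node; decisions are lost on failover" ;;
    esac
    case "$artifact" in
        shibboleth.JPAStorageService) echo "artifact ok (common database)" ;;
        *) echo "artifact WARN '$artifact' is not shared; artifact resolution fails when another node answers (ignore if artifacts are unused)" ;;
    esac
    case "$replay" in
        shibboleth.StorageService) echo "replay ok (per node, the default)" ;;
        *) echo "replay ok ('$replay')" ;;
    esac
}
```

The Persistent ID store is deliberately not covered: it lives in global.xml as a Spring bean, not in idp.properties, and needs a different check.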
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
13

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
14
Page 75
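As an added example of the cronjob described above (written for this handout, not the script from the Shibboleth wiki), the following rotates the cookie-sealing key on the designated node and copies it to the peers. It assumes the IdP v3 layout of bin/seckeygen.sh with a credentials/sealer.jks keystore and a credentials/sealer.kver version file; the peer host names, the ssh user and the password file are placeholders. Copying the version file after the keystore matters: a node that reads a new CurrentVersion before it has the matching key cannot decrypt any session cookie sealed with it.

```shell
#!/bin/sh
# Added example, not the SWITCH handout's nor the Shibboleth wiki's script:
# rotate the cookie-sealing key on one node and push keystore + version file
# to the other cluster nodes. Layout (seckeygen.sh, sealer.jks, sealer.kver)
# is the IdP v3 default; hosts, ssh user and password file are placeholders.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
SEALER_JKS="$IDP_HOME/credentials/sealer.jks"
SEALER_KVER="$IDP_HOME/credentials/sealer.kver"
PASSWORD_FILE="${PASSWORD_FILE:-$IDP_HOME/credentials/sealer.password}"  # placeholder
PEER_NODES="${PEER_NODES:-idp2.example.org idp3.example.org}"            # placeholder
SSH_USER="${SSH_USER:-idpsync}"                                            # placeholder

# current_key_version FILE -> the CurrentVersion number in sealer.kver
# (a Java properties file maintained by seckeygen.sh), or 0 if absent.
current_key_version() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk -F'=' '/^CurrentVersion[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
               END { print v + 0 }' "$1"
}

# rotate_key: add one key version to the keystore. The IdP keeps the older
# versions, so cookies sealed with the previous key stay readable until the
# user session expires.
rotate_key() {
    "$IDP_HOME/bin/seckeygen.sh" \
        --storefile "$SEALER_JKS" \
        --storepass "$(cat "$PASSWORD_FILE")" \
        --versionfile "$SEALER_KVER" \
        --alias secret
}

# distribute_key: keystore first, version file last, so no peer advertises a
# version it does not yet hold.
distribute_key() {
    for node in $PEER_NODES; do
        scp -q "$SEALER_JKS" "$SSH_USER@$node:$SEALER_JKS"
        scp -q "$SEALER_KVER" "$SSH_USER@$node:$SEALER_KVER"
    done
}

# run_rotation: cron entry point; prints the new version, fails if it did not advance.
run_rotation() {
    before=$(current_key_version "$SEALER_KVER")
    rotate_key
    after=$(current_key_version "$SEALER_KVER")
    [ "$after" -gt "$before" ] || { echo "key version did not advance" >&2; return 1; }
    distribute_key
    echo "$after"
}

# Only act when explicitly asked, e.g. from cron: ROTATE_SEALER=1 /usr/local/sbin/rotate-sealer.sh
if [ "${ROTATE_SEALER:-0}" = 1 ]; then
    run_rotation
fi
```

Passing the store password on the command line (as the wiki's example also does) exposes it in the process list for the duration of the call; keep the password file readable by the IdP user only.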
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
15

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
16
Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
17
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78

SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
4
Page 79

All Academic Identity Federations Globally
5
(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80

Enabling Interfederation in the Resource Registry
7
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes
8

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation /
eduPersonScopedAffiliation     eduPerson    staff / staff@example.org
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /
Persistent Name ID             eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
9
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Diagram of the eduGAIN policy documents: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
12
Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
13

Metadata
14
(Diagram; not reproduced in the handout)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment, which increases the trust in Service Providers (SPs))
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
15

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
16
Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
17
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook (Cookbook for DP CoCo)

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
18
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
19

Comparison
20
REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
2
Page 88

Attribute Release Settings (1)
3
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
2
Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level: INFO (levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
3

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; entry in the IdP's services.properties: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
4
Page 91

Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, e.g. LDAP Auth Module or authentication events, new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
6
Page 92

SMTPAppender in logback.xml
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>
http://logback.qos.ch/manual/appenders.html
7
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93

Hands On 2: Find out why not all of the attributes appear
9

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
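Since the slide recommends plain curl over the shipped reload scripts, the following is an added example (not from the SWITCH handout or the Shibboleth project) of a small wrapper that checks the bean ID against the list of reloadable services before requesting the flow, prints the HTTP status for a cron job to act on, and counts reload events in idp-audit.log. The base URL is the slide's placeholder host, and the audit-log lines embedded below are constructed: they are pipe-separated like the real file, but the field layout around the profile URI is an assumption, which is why the counter matches on the URI rather than a field number.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: wrapper for the IdP v3 admin
# reload flows plus a reload-event counter for idp-audit.log. Host name is a
# placeholder; audit lines are constructed.
set -eu

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"   # placeholder host

# Service bean IDs that the reload-service flow accepts (list from the slides)
KNOWN_IDS='shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService'

# known_id BEAN_ID -> 0 if reloadable, 1 otherwise
known_id() {
    for id in $KNOWN_IDS; do
        [ "$id" = "$1" ] && return 0
    done
    return 1
}

# reload_url KIND ID -> admin flow URL; KIND is "service" or "metadata"
reload_url() {
    printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# reload_service BEAN_ID: validate first, then call the flow. Run it on the
# IdP host itself, since access is restricted to localhost by default; the
# HTTP status code is printed so cron or a wrapper can act on it.
reload_service() {
    known_id "$1" || { echo "not a reloadable service id: $1" >&2; return 2; }
    curl -s -o /dev/null -w '%{http_code}\n' "$(reload_url service "$1")"
}

# Constructed idp-audit.log lines (not real output): pipe-separated, with the
# profile URI somewhere in the record as on the hands-on slide.
SAMPLE_AUDIT=$(cat <<'EOF'
20150611T081500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T082000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_abc|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser||||||||
EOF
)

# count_reload_events KIND  (audit log on stdin): number of reload-KIND
# events, KIND being "metadata" or "service-configuration"
count_reload_events() {
    grep -c -F -- "/ns/profiles/reload-$1|" || true
}
```

Keeping the ID check client-side only makes mistakes fail fast; the IdP itself still decides what it reloads, and the audit log records only that a reload flow ran, not which id= was requested.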
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
3

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
4
Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP: "Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp"
6
Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
7

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
8
Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  • or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
Part 2 Technical bits
copy 2015 SWITCH 9
Global configuration optionsConfigured by Spring beans in confrelying-partyxml see comments inside for overrides
Post-shyauthentication flows
Attribute consent [enabled]
Terms of use consent [disabled]
copy 2015 SWITCH
bullbull
10
Page 50
Example confrelying-shypartyxmlBoth post-shyauthentication flows enabled for SAML2 SSO[only attribute-shyrelease]
ltbean id=shibbolethDefaultRelyingParty parent=RelyingPartygt ltproperty name=profileConfigurationsgt ltlistgt ltbean parent=ShibbolethSSO ppostAuthenticationFlows=attribute-release gt ltref bean=SAML1AttributeQuery gt ltref bean=SAML1ArtifactResolution gt ltbean parent=SAML2SSO ppostAuthenticationFlows=terms-of-useattribute-releasegt ltref bean=SAML2ECP gt ltref bean=SAML2Logout gt ltref bean=SAML2AttributeQuery gt ltref bean=SAML2ArtifactResolution gt ltlistgt ltpropertygtltbeangt
copy 2015 SWITCH 11
Attribute consent configurationConfigured by Java properties inconfidpproperties
Consent duration options
Ask me again if information changesAlways available to users
Ask me again at next loginidpconsentallowDoNotRemember = true[true]
Do not ask me againidpconsentallowGlobal = false [true]
copy 2015 SWITCH
bull
bull
bull
12
Page 51
Attribute consent configurationPer attribute behaviour
Allow selection of attributes to release may breakapplications if required attributes are withheldidpconsentallowPerAttribute = false[false]
Ask again if attribute values changeidpconsentcompareValues = true [false]
copy 2015 SWITCH
bull
bull
13
Intercept flow configurationConfigured by Spring beans inconfinterceptconsent-intercept-configxml
White amp black lists
Which attribute to prompt for [all except black list]
White list [empty] When filled any attribute not mentioned in a list isreleased without asking
Black list [transientId persistentIdeduPersonTargetedID]
Pattern match [not defined] copy 2015 SWITCH
bull
bull
bull14
Page 52
Intercept flow configurationAttribute display order (coming in version 320)
Alphabetical order by default
Except attributes in white list show up first
Set pattern to ^$ to catch all other attributes
Fully customised order implementjavautilComparatorltStringgt
copy 2015 SWITCH
bullbullbullbull
15
Terms of use consent configurationConfigured by Java properties in messagesconsent-messagesproperties
Terms for each SP
Default mapping using the entityID
httpsspexampleorg = example-tou-1example-tou-1title = Example Terms of Useexample-tou-1text = ltemgtThis is an example ToUltemgt []
Other mapping configurable but the key is stillentityID (default value available)
copy 2015 SWITCH
bull
bull
16
Page 53
Custom terms of use mappingConfigured by Spring beans inconfinterceptconsent-intercept-configxml
Provided bean mapping entityIDs to values [disabled]
ltbean id=shibbolethconsentterms-of-useKey class=comgooglecommonbaseFunctions factory-method=composegt ltconstructor-arg name=ggt ltbean class=comgooglecommonbaseFunctions factory-method=forMap cdefaultValue=terms-of-usegt ltconstructor-arg name=mapgt ltmapgt ltentry key=httpsspexampleorgshibboleth value=example-terms gt ltmapgt ltconstructor-arggt ltbeangt ltconstructor-arggt ltconstructor-arg name=fgt ltref bean=shibbolethRelyingPartyIdLookupSimple gt ltconstructor-arggtltbeangt copy 2015 SWITCH 17
Hands-shyon use only one ToUWe want to always display the same terms of useregardless of the SP
copy 2015 SWITCH 18
Page 54
Hands-shyon solution
Enable terms-of-use flow in confrelying-partyxml
Change key bean in confinterceptconsent-intercept-configxml to
ltbean id=shibbolethconsentterms-of-useKey class=comgooglecommonbaseFunctions factory-method=constantgt ltconstructor-arg value=my-terms gtltbeangt
copy 2015 SWITCH
bull
bull
19
Hands-shyon solution
Add text in messagesconsent-messagesproperties
my-terms = bogus-toubogus-toutitle = Bogus Terms of Usebogus-toutext = You can do anything you want
copy 2015 SWITCH
bull
20
Page 55
References
Shibboleth wiki ConsentConfiguration
Shibboleth wiki RelyingPartyConfiguration
Google Guava Functions class Javadoc
copy 2015 SWITCH
bullbullbull
21
Appendix Disabling attributeconsent prompt for particular SPs
copy 2015 SWITCH 22
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name (entityID)
  • group (<EntitiesDescriptor> in metadata)
  • tag (<EntityAttributes> metadata extension)
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes:

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                      Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
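The tag matching behind the two slides above (entity attributes in metadata, and the RelyingPartyByTag override), as an added Python illustration for this handout; it is not code from the Shibboleth IdP or from SWITCH. The metadata, the entityIDs and the override list are constructed, and the second override id shibboleth.CoCoRelyingParty is a hypothetical name. It goes slightly beyond the slide by showing why ordering matters: an SP that carries both a home-organisation attribute and the CoCo entity category gets whichever override appears first in the list.

```python
"""Select a relying-party override for each SP in a metadata file by
matching <mdattr:EntityAttributes>, mimicking RelyingPartyByTag /
TagCandidate ("first match wins"). Added illustration, not IdP code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed metadata (entityIDs and values are made up for this example).
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp2.example.net/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp3.example.com/shibboleth"/>
</EntitiesDescriptor>
"""

# Ordered override list, modelled on the <util:list> on the slide:
# (override bean id, [(attribute Name, [accepted values]), ...]).
# "shibboleth.CoCoRelyingParty" is a hypothetical id for this example.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty",
     [("urn:oid:2.16.756.1.2.5.1.1.4", ["example.org"])]),
    ("shibboleth.CoCoRelyingParty",
     [("http://macedir.org/entity-category",
       ["http://www.geant.net/uri/dataprotection-code-of-conduct/v1"])]),
]


def entity_attributes(entity):
    """Return {attribute Name: [values]} from an EntityDescriptor's
    <mdattr:EntityAttributes>; empty when the extension is absent."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def tag_matches(attrs, name, values):
    """A TagCandidate matches when the entity carries attribute `name`
    with at least one of the candidate values."""
    return bool(set(attrs.get(name, [])) & set(values))


def select_override(metadata_xml, overrides):
    """Map every entityID to the first override whose candidates match,
    or None when no override applies (the IdP then uses its defaults)."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.findall("md:EntityDescriptor", NS):
        attrs = entity_attributes(entity)
        chosen = None
        for override_id, candidates in overrides:
            if any(tag_matches(attrs, n, v) for n, v in candidates):
                chosen = override_id
                break
        result[entity.get("entityID")] = chosen
    return result


if __name__ == "__main__":
    for entity_id, override in select_override(SAMPLE_METADATA, OVERRIDES).items():
        print(f"{entity_id}: {override or 'default relying party'}")
```

Reversing OVERRIDES moves sp1 from the no-consent override to the CoCo override, which is exactly the "first match wins" effect the slide warns about when ordering the beans in relying-party.xml.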
Page 58
SWITCHaai Team aai@switch.ch
Upgrades within Version 3
It's easy now
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Home Organisation Description form: 1, 2 to review; 3 to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: Add new IP ranges and Domain Hints
5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: Use the same IP and same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
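The log check on this slide, generalized in Python to all bindings: scan idp-process.log lines for SAML binding URNs, report when and by which SP each binding was last used, and list the removal candidates that have not been used since a cut-off date. This is an added example for this handout, not SWITCH or Shibboleth code. The log lines are constructed and their message wording is invented; only the line layout (timestamp, level, logger, message) follows idp-process.log, and the search keys off the binding URN, which is what the grep on the slide does as well.

```python
"""Scan idp-process.log lines for SAML binding URNs and report, per
binding, when and by which SP it was last used; then list the endpoint
bindings that can be removed because they were not used since a cut-off.
Added illustration for this handout, not SWITCH or Shibboleth code."""
import re
from datetime import datetime

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S,%f"  # leading "2015-06-11 10:23:45,123"
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.[01]:bindings:[A-Za-z0-9-]+")
ENTITY_ID_RE = re.compile(r"https?://[^\s'\"|,]+")

# Endpoint bindings the slide names as removal candidates.
CANDIDATES = [
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
]

# Constructed log lines in the idp-process.log layout
# "timestamp - LEVEL [logger:line] - message"; the message wording and the
# entityIDs are invented for this example and differ from real IdP output.
SAMPLE_LOG = """\
2015-03-02 09:12:44,101 - INFO [net.shibboleth.idp.saml.profile:71] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-03-02 09:12:44,330 - INFO [net.shibboleth.idp.saml.profile:71] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth
2015-04-18 16:02:10,017 - INFO [net.shibboleth.idp.saml.profile:71] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
2015-05-30 07:45:03,512 - WARN [net.shibboleth.idp.saml.profile:71] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
2015-06-01 11:00:00,000 - INFO [net.shibboleth.idp.session:12] - Session created for user
"""


def scan_binding_usage(lines):
    """Return {binding URN: {"last": datetime, "sp": entityID, "count": n}}
    built from every log line that mentions a SAML binding URN."""
    usage = {}
    for line in lines:
        match = BINDING_RE.search(line)
        if not match:
            continue
        when = datetime.strptime(line[:23], TIMESTAMP_FORMAT)
        sp_match = ENTITY_ID_RE.search(line)
        sp = sp_match.group(0) if sp_match else None
        entry = usage.setdefault(match.group(0), {"last": None, "sp": None, "count": 0})
        entry["count"] += 1
        if entry["last"] is None or when > entry["last"]:
            entry["last"], entry["sp"] = when, sp
    return usage


def removable_bindings(usage, candidates, since):
    """Candidate bindings with no recorded use at or after `since`."""
    return [b for b in candidates if b not in usage or usage[b]["last"] < since]


if __name__ == "__main__":
    usage = scan_binding_usage(SAMPLE_LOG.splitlines())
    for binding, info in sorted(usage.items()):
        print(f"{binding}: {info['count']} use(s), last {info['last']} by {info['sp']}")
    print("removable since 2015-01-01:",
          removable_bindings(usage, CANDIDATES, datetime(2015, 1, 1)))
```

To run it against a real deployment, feed the concatenated lines of the idp-process-2015-*.log files to scan_binding_usage() and pick a cut-off a few months back; a binding that never appears in the result was not used in the scanned period, and one whose last use is before the cut-off is a candidate to drop from the Resource Registry.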
Page 68
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.
Page 70
Example Environment
[Diagram of an example clustered IdP environment, two slides]
Page 71
Options: Full-featured setup
Load Balancing Hardware vs DNS Round Robin
Special load balancing hardware or software is highly recommended:
• Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
• Supports sticky sessions (required for short-lived conversation sessions)
DNS Round Robin doesn't work reliably:
• Behavior of clients is not determinable
• Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
Anycast IP address
• Fast switching possible, but more complicated setup
Switching via DNS
• Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs server-side
Server-side database can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client. Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO Login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
[Map of production and pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Diagram slide]
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch
Apache log files
Log files:
• error.log: aai-login.example.org.error.log. LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7. Config in /etc/tomcat7/logging.properties:
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart. In services.properties, the entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
copy 2015 SWITCH
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that opted out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
    The IdP does not find that SP in any of its metadata sources, so the request is handled by the unverified relying-party configuration, which has no SSO profile enabled.
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to find out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier. The IdP encrypts the assertion to the encryption key published in the SP's metadata; an SP that advertises a key it cannot actually use only notices this when it meets an IdP that encrypts.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [default: only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Attribute consent configuration: configured by Java properties in conf/idp.properties
Consent duration options:
• "Ask me again if information changes": always available to users
• "Ask me again at next login": idp.consent.allowDoNotRemember = true [true]
• "Do not ask me again": idp.consent.allowGlobal = false [true]
Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
Intercept flow configuration: configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
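As an added illustration (not code from the slides or from the Shibboleth project), the following Python models the selection rules listed above, so the effect of a non-empty white list can be checked before it goes into production. The three default values, the attribute IDs and the white-list-first ordering are taken from the slides; the function names are ours, and the model follows the slides' description rather than the IdP's own predicate class:

```python
"""Model of the consent intercept's attribute selection, as described on
the slides: black list, optional white list, optional pattern, and the
white-list-first display order announced for 3.2.0."""
import re
from typing import Iterable, List, Optional

# Defaults as listed on the slides (constructed to match them).
DEFAULT_WHITELIST: List[str] = []
DEFAULT_BLACKLIST: List[str] = ["transientId", "persistentId", "eduPersonTargetedID"]
DEFAULT_MATCH: Optional[str] = None


def is_consentable(attribute_id: str,
                   whitelist: Iterable[str] = DEFAULT_WHITELIST,
                   blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                   match_expression: Optional[str] = DEFAULT_MATCH) -> bool:
    """True when the consent page must show this attribute to the user.

    A non-empty white list restricts the prompt to the listed IDs and lets
    every other attribute through without asking; the black list always
    suppresses the prompt; a match expression narrows the remaining set.
    """
    allowed = set(whitelist)
    if allowed and attribute_id not in allowed:
        return False
    if attribute_id in set(blacklist):
        return False
    if match_expression is not None:
        return re.fullmatch(match_expression, attribute_id) is not None
    return True


def prompted_attributes(resolved: Iterable[str], **rules) -> List[str]:
    """Attributes the user is asked about, in resolver order."""
    return [a for a in resolved if is_consentable(a, **rules)]


def silently_released(resolved: Iterable[str], **rules) -> List[str]:
    """Attributes released without a prompt. Worth reviewing whenever a
    white list is in use, because everything not listed ends up here."""
    return [a for a in resolved if not is_consentable(a, **rules)]


def display_order(attribute_ids: Iterable[str],
                  whitelist: Iterable[str] = DEFAULT_WHITELIST) -> List[str]:
    """Display order described for 3.2.0: white-listed attributes first
    (in white-list order), the rest alphabetically."""
    ids = list(attribute_ids)
    first = [a for a in whitelist if a in ids]
    rest = sorted(a for a in ids if a not in first)
    return first + rest


if __name__ == "__main__":
    resolved = ["mail", "displayName", "eduPersonTargetedID",
                "transientId", "eduPersonAffiliation"]
    print("prompted:", prompted_attributes(resolved))
    print("released silently:", silently_released(resolved))
    print("white list [mail], prompted:", prompted_attributes(resolved, whitelist=["mail"]))
    print("white list [mail], silently:", silently_released(resolved, whitelist=["mail"]))
```

Running it with the white list set to ["mail"] shows displayName and eduPersonAffiliation moving from the prompt into the silently released set, which is exactly the behaviour the slide warns about.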
Terms of use consent configuration: configured by Java properties in messages/consent-messages.properties
Terms for each SP:
• Default mapping using the entityID (the colon in the key must be escaped in a properties file):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping: configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>
Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>
Hands-on solution (continued)
• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
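The key function and the messages file work as a two-step lookup: the function turns the relying party into a key, the key is looked up in consent-messages.properties to get a ToU id, and that id's .title and .text entries are what the user sees. The following Python, added here and not part of the slides or of the IdP, re-creates that chain with stand-ins for the Guava functions (compose, forMap, constant) and for the entityID lookup bean, and adds a check that lists the SPs for which the chain does not resolve. The messages content is constructed from the two snippets above; the helper names and the second SP entityID are ours:

```python
"""Resolve which terms-of-use text an SP gets, the way the consent flow's
key function and consent-messages.properties work together."""
import re
from typing import Callable, Dict, List, Optional

# Constructed consent-messages.properties content from the two snippets
# on the slides. Note the escaped colon in the entityID key.
MESSAGES_PROPERTIES = """
https\\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em>
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
"""

# key = everything up to the first unescaped '=' or ':'; backslash escapes a char
_KV = re.compile(r"^((?:\\.|[^\\=:])+?)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments,
    backslash-escaped separators in keys (enough for consent-messages.properties)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1)).strip()
        props[key] = m.group(2).strip()
    return props


MESSAGES = parse_properties(MESSAGES_PROPERTIES)

Context = Dict[str, str]          # stands in for the profile request context
KeyFunction = Callable[[Context], str]


def relying_party_id_lookup(ctx: Context) -> str:   # shibboleth.RelyingPartyIdLookup.Simple
    return ctx["relying_party_id"]


def for_map(mapping: Dict[str, str], default: str):  # Functions.forMap(map, defaultValue)
    return lambda key: mapping.get(key, default)


def constant(value: str) -> KeyFunction:           # Functions.constant(value)
    return lambda ctx: value


def compose(g, f) -> KeyFunction:                  # Functions.compose(g, f) == g(f(x))
    return lambda ctx: g(f(ctx))


ENTITY_ID_KEY: KeyFunction = relying_party_id_lookup          # default: key is the entityID
MAPPED_KEY = compose(for_map({"https://sp.example.org/shibboleth": "example-terms"},
                             "terms-of-use"), relying_party_id_lookup)  # the provided (disabled) bean
SINGLE_KEY = constant("my-terms")                             # the hands-on solution


def resolve_terms(key_function: KeyFunction, ctx: Context,
                  messages: Dict[str, str] = MESSAGES) -> Optional[Dict[str, str]]:
    """key -> ToU id -> title/text. None when any link of the chain is missing."""
    key = key_function(ctx)
    tou_id = messages.get(key)
    if tou_id is None:
        return None
    title, text = messages.get(tou_id + ".title"), messages.get(tou_id + ".text")
    if title is None or text is None:
        return None
    return {"key": key, "id": tou_id, "title": title, "text": text}


def missing_terms(key_function: KeyFunction, entity_ids: List[str],
                  messages: Dict[str, str] = MESSAGES) -> List[str]:
    """SPs that would enter the terms-of-use flow without a resolvable text."""
    return [eid for eid in entity_ids
            if resolve_terms(key_function, {"relying_party_id": eid}, messages) is None]


if __name__ == "__main__":
    sps = ["https://sp.example.org", "https://other.example.net/shibboleth"]
    for name, fn in [("entityID key", ENTITY_ID_KEY), ("mapped key", MAPPED_KEY), ("constant key", SINGLE_KEY)]:
        print(name, "unresolved for:", missing_terms(fn, sps))
```

With the entityID key only the SP named in the properties file gets a text; with the constant key every SP gets bogus-tou; the mapped bean's value example-terms has no entry in the constructed file, so the checker reports it as unresolved, which is the kind of gap to look for after editing these files.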
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with entity attributes:

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override: disables the consent flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

The profile beans are referenced here without postAuthenticationFlows, so neither the attribute-release nor the terms-of-use intercept runs for SPs matched by this override.
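The following Python is an added example, not part of the slides or of the IdP code. It covers two points from this handout: checking whether an SP is present in a metadata file at all and reading its entity attributes (the "SP does not load interfederation metadata" and "search it in the metadata file" steps of the interfederation slides), and then evaluating relying-party override candidates by name, group and tag in first-match-wins order as in the override above. The metadata is a constructed aggregate built around the entity shown above plus a second SP; the override bean ids other than shibboleth.NoUserConsentRelyingParty and the group name are made up for the demonstration. The by_tag stand-in requires all listed values to be present, like a TagCandidate without regular expressions:

```python
"""Check an entity's presence and entity attributes in a metadata aggregate
and evaluate relying-party overrides in first-match-wins order."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MD = "{%s}" % NS["md"]
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

# Constructed aggregate (not a real federation file): the slide's SP plus a
# second SP, wrapped in a named EntitiesDescriptor so group matching can be shown.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="urn:example:interfederation-sps"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4" FriendlyName="swissEduPersonHomeOrganization">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

Entity = Dict[str, object]
Predicate = Callable[[Entity], bool]


def entity_attributes(descriptor: ET.Element) -> Dict[str, List[str]]:
    """Name -> values of every <saml:Attribute> under <mdattr:EntityAttributes>."""
    attrs: Dict[str, List[str]] = {}
    for a in descriptor.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        attrs.setdefault(a.get("Name", ""), []).extend(values)
    return attrs


def load_entities(xml_text: str) -> List[Entity]:
    """Flatten an aggregate, remembering the Name of every enclosing EntitiesDescriptor."""
    out: List[Entity] = []

    def walk(node: ET.Element, groups: List[str]) -> None:
        if node.tag == MD + "EntitiesDescriptor":
            name = node.get("Name")
            for child in node:
                walk(child, groups + ([name] if name else []))
        elif node.tag == MD + "EntityDescriptor":
            out.append({"entityID": node.get("entityID"), "groups": groups,
                        "attributes": entity_attributes(node)})

    walk(ET.fromstring(xml_text), [])
    return out


def find_entity(entities: List[Entity], entity_id: str) -> Optional[Entity]:
    """None means the IdP would treat this SP as unknown (not in metadata)."""
    return next((e for e in entities if e["entityID"] == entity_id), None)


def by_name(*entity_ids: str) -> Predicate:        # RelyingPartyByName
    return lambda e: e["entityID"] in entity_ids


def by_group(*names: str) -> Predicate:            # RelyingPartyByGroup
    return lambda e: any(g in names for g in e["groups"])


def by_tag(name: str, *values: str) -> Predicate:  # RelyingPartyByTag with one TagCandidate
    return lambda e: set(values) <= set(e["attributes"].get(name, []))


def select_override(entity: Entity, overrides: List[Tuple[str, Predicate]],
                    default: str = "shibboleth.DefaultRelyingParty") -> str:
    """Order is significant: the first override whose predicate matches wins."""
    for bean_id, predicate in overrides:
        if predicate(entity):
            return bean_id
    return default


OVERRIDES: List[Tuple[str, Predicate]] = [
    ("shibboleth.NoUserConsentRelyingParty", by_tag(HOME_ORG, "example.org")),
    ("shibboleth.CoCoRelyingParty", by_tag(ENTITY_CATEGORY, COCO)),                  # hypothetical id
    ("shibboleth.InterfederationRelyingParty", by_group("urn:example:interfederation-sps")),  # hypothetical id
]

if __name__ == "__main__":
    entities = load_entities(SAMPLE_METADATA)
    for e in entities:
        print(e["entityID"], "->", select_override(e, OVERRIDES))
    print("unknown SP present:", find_entity(entities, "https://unknown.example.net/shibboleth") is not None)
```

Reordering OVERRIDES changes the result for sp.example.org, which is in the interfederation group and also carries the home-organisation tag: that is the "first match wins" point from the slide made visible.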
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now!

IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files (views, templates, properties, etc.) that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux). Verify the package against the signature published next to it before unpacking.
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (Resource Registry screenshot: sections 1 and 2 to review, section 3 to adapt)
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (e.g. 8443) or a separate IP for the IdP's Attribute Authority (AA)
2. Change the URL for the Attribute Authority (continued)
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration: only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.
2. Change the URL for the Attribute Authority (continued)
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it is better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Note that removing an endpoint from the published metadata does not switch the profile off on the IdP itself; to stop serving it, also remove the corresponding profile configuration (e.g. SAML1.AttributeQuery, SAML1.ArtifactResolution) from the relying party configuration in conf/relying-party.xml.
3. Remove Unnecessary Endpoints (continued)
How to check if a profile and binding can be removed: check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time, SP) when the binding was used the last time.
SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • In particular, user login sessions are stored on the client instead of in server memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  • full support for Attribute Query requires persistent storage of the Persistent ID
  • storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram)
Options: load balancing hardware vs DNS round robin
• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: data storage client-side vs server-side
• A server-side database can store any data
  • But: might cause some performance penalty
  • A centralized/clustered or replicated database is required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration). A message replayed against a different node than the one that first saw it is then not detected.
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per node
IdP User Session       Client                Per client
Persistent ID          Common database       Cluster
User consents          Common database       Cluster
SAML artifacts         Common database       Cluster
Message replay cache   Memory                Per node

Remarks
• "Common database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes. Anyone holding that key can decrypt and forge session cookies, so copy the keystore over an authenticated channel only and keep it readable by the Tomcat user alone.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for interfederation
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
• http://www.edugain.org
• https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
(Persistent Name ID)

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2): screenshot of the Resource Registry option, see https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution and eduGAIN Declaration on top of the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)
SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria: purpose, policies, or other
• In the interfederation context:
  • filling the gap of missing common policies
  • support or increase scalable trust

Metadata (diagram)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers: SPs commit to the GÉANT Data Protection Code of Conduct, and Home Organisations (HO) learn the SP's commitment (diagram)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Links:
• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • research & scholarship interaction
  • collaboration
  • management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: how attributes are released

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2; configuration defined in the virtual host definition (dir /etc/apache2/sites-available, file aai-login.example.org.conf)
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP; services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
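Added example (not from the slides or the IdP distribution): a small reader for idp-audit.log that applies the troubleshooting decision tree from the interfederation slides (was anything released to the SP, were all required attributes released) to the SP's most recent login. It assumes the first eleven fields of the default idp.audit.format layout; the log lines are constructed samples and the function names are ours:

```python
"""Check in idp-audit.log what the IdP released to an SP, following the
troubleshooting decision tree: nothing released, some required attributes
missing, or everything released (then the SP side has to investigate)."""
from typing import Dict, Iterable, List, Optional

# Field order assumed for idp.audit.format: the first eleven tokens of the
# default layout %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr. Adapt this list
# if conf/audit.xml was customised.
AUDIT_FIELDS = ["time", "inbound_binding", "inbound_message_id", "relying_party",
                "profile", "idp", "outbound_binding", "outbound_message_id",
                "username", "authn_context", "attributes"]

# Constructed sample records, not taken from a real IdP.
SAMPLE_AUDIT_LOG = """\
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|displayName,mail,eduPersonAffiliation
20150611T082210Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c2|https://sp2.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|
20150611T090001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r3|asmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|displayName,mail
"""


def parse_audit_line(line: str, fields: List[str] = AUDIT_FIELDS) -> Optional[Dict[str, object]]:
    """Split one pipe-separated record; None for lines that do not fit the layout."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < len(fields):
        return None
    rec: Dict[str, object] = dict(zip(fields, parts))
    # %attr is a comma-separated list; an empty field means nothing was released
    rec["attributes"] = [a for a in str(rec["attributes"]).split(",") if a]
    return rec


def last_login(lines: Iterable[str], relying_party: str,
               username: Optional[str] = None) -> Optional[Dict[str, object]]:
    """Most recent audit record for the SP (optionally for one user)."""
    last = None
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["relying_party"] == relying_party \
                and (username is None or rec["username"] == username):
            last = rec
    return last


def check_release(log_text: str, relying_party: str, required: Iterable[str],
                  username: Optional[str] = None) -> Dict[str, object]:
    """Apply the decision tree to the SP's last login; 'required' comes from
    the SP's attribute requirements in the Resource Registry."""
    rec = last_login(log_text.splitlines(), relying_party, username)
    if rec is None:
        return {"status": "no_record", "released": [], "missing": sorted(required),
                "advice": "no login to this SP in the audit log: check metadata and that the request reached the IdP"}
    released = sorted(rec["attributes"])
    missing = sorted(set(required) - set(released))
    if not released:
        status, advice = "none_released", "nothing released: check the attribute release policy for this SP"
    elif missing:
        status, advice = "missing", "required attributes withheld: review the release policy"
    else:
        status, advice = "ok", "all required attributes released: the SP has to check why it fails"
    return {"status": status, "time": rec["time"], "user": rec["username"],
            "released": released, "missing": missing, "advice": advice}


if __name__ == "__main__":
    for sp in ("https://sp.example.org/shibboleth", "https://sp2.example.net/shibboleth"):
        print(sp, check_release(SAMPLE_AUDIT_LOG, sp, {"mail", "displayName", "eduPersonScopedAffiliation"}))
```

On a real host, read /opt/shibboleth-idp/logs/idp-audit.log into log_text and pass the user name from the helpdesk ticket to avoid picking up another user's login to the same SP.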
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, e.g. for
  • the LDAP auth module or authentication events
  • a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS" />
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

By default the SMTPAppender sends a mail when an ERROR-level event arrives, together with the preceding events buffered for that appender. The root level DEBUG above suits the training VM; keep the root level at INFO in production to avoid very verbose logs.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class in the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=...
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
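An added helper for the reload flows and exercises above (not from the handouts or the IdP distribution): it refuses bean IDs that are not on the list from slide 4, builds the reload-service or reload-metadata URL and reports the HTTP status curl gets back. The host aai-login.example.org is the slides' placeholder, and treating any non-2xx status as a failed reload is this script's assumption rather than documented IdP behaviour.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts. Reload an IdP v3 service or
# metadata provider through the admin flows and report whether it worked.
# The hostname is the placeholder used on the slides; override with IDP_BASE.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Service bean IDs listed on slide 4 (from services-system.xml).
KNOWN_SERVICE_IDS="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Return 0 if $1 is one of the known service bean IDs, 1 otherwise.
is_known_service_id() {
  for id in $KNOWN_SERVICE_IDS; do
    [ "$id" = "$1" ] && return 0
  done
  return 1
}

# Print the admin-flow URL for a reload: $1 is "service" or "metadata",
# $2 the service bean ID or the metadata provider ID.
reload_url() {
  case "$1" in
    service)  printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$2" ;;
    metadata) printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE" "$2" ;;
    *) echo "reload_url: unknown kind '$1'" >&2; return 2 ;;
  esac
}

# Trigger the reload and map the outcome to an exit code (assumed mapping):
#   0 = HTTP 2xx (reloaded), 1 = any other status (unknown ID, broken config),
#   2 = refused locally because the ID is not a known service bean.
# Run it on the IdP host itself: the flows are restricted to localhost by default.
# Usage: reload service shibboleth.AttributeResolverService
reload() {
  kind="$1"; id="$2"
  if [ "$kind" = "service" ] && ! is_known_service_id "$id"; then
    echo "refusing to reload unknown service bean ID: $id" >&2
    return 2
  fi
  url="$(reload_url "$kind" "$id")" || return 2
  # -s: quiet, -o: discard the body, -w: print only the HTTP status code
  status="$(curl -s -o /dev/null -w '%{http_code}' "$url")"
  case "$status" in
    2??) echo "reloaded $id (HTTP $status)"; return 0 ;;
    *)   echo "reload of $id failed (HTTP $status); check idp-process.log" >&2; return 1 ;;
  esac
}
```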
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems
Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under Metadata URL, click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld):
  idp.consent.allowPerAttribute = false   [default: false]
• Ask again if attribute values change:
  idp.consent.compareValues = true   [default: false]
Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists
• Which attribute to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID (the colon in the key must be escaped in a properties file):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>
Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
Hands-on solution
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc
Appendix: Disabling the attribute consent prompt for particular SPs
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant
Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>
Example relying party override: Disables flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change is needed in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot)
1, 2: to review
3: to adapt
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
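An added script for the endpoint-usage check above (not from the handouts): it reports the last timestamp and relying party for a binding URN across the rotated idp-process log files and returns non-zero when the binding never appears, which is the "verified unused" condition before removing the endpoint. The sample log lines it creates are constructed, with an illustrative message text rather than a real IdP log message; only the leading timestamp, the binding URN and an https:// entityID on the same line are relied on.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts. Find the last time a SAML
# binding shows up in the IdP process logs, so that an endpoint is removed
# from the Resource Registry only after it has been verified unused.
SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'

# Print the last timestamp and the relying party (first https:// URL on the
# line) for lines mentioning binding $1 in the log files $2 ... ; print
# nothing and return 1 if the binding never appears.
# Usage: last_binding_use "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log
last_binding_use() {
  binding="$1"; shift
  [ $# -gt 0 ] || return 1
  # grep -h: no file-name prefix; sort so the newest line comes last even
  # when the files are given in arbitrary order (timestamps lead each line).
  match="$(grep -h -F "$binding" "$@" 2>/dev/null | sort | tail -n 1)"
  [ -n "$match" ] || return 1
  printf '%s\n' "$match" | awk '{
    ts = $1 " " $2
    rp = "?"
    for (i = 3; i <= NF; i++) if ($i ~ /^https?:\/\//) { rp = $i; break }
    print ts, rp
  }'
}

# Constructed sample lines in the layout of idp-process.log (timestamp,
# level, logger, message). The message text is illustrative only; it is not
# the wording the IdP actually logs.
make_sample_logs() {
  dir="$1"
  cat > "$dir/idp-process-2015-01-20.log" <<'EOF'
2015-01-20 08:02:11,517 - INFO [net.shibboleth.idp.profile:101] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relying party https://sp1.example.org/shibboleth
2015-01-20 10:45:09,003 - INFO [net.shibboleth.idp.profile:101] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relying party https://legacy.example.org/shibboleth
EOF
  cat > "$dir/idp-process-2015-03-04.log" <<'EOF'
2015-03-04 14:20:45,200 - INFO [net.shibboleth.idp.profile:101] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relying party https://legacy.example.org/shibboleth
2015-03-04 15:01:02,774 - INFO [net.shibboleth.idp.profile:101] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relying party https://sp2.example.org/shibboleth
EOF
}
```

On a real IdP, point the function at the rotated idp-process logs and keep the endpoint if any relying party turns up within the period you consider recent.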
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (figure)
Options
• Full-featured setup: load balancing hardware vs DNS round robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS round robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy
Options
• Data storage: client-side vs server-side
  A server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map: production and pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Figure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
(Figure: Metadata)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                 | GÉANT DP CoCo
  ---------------------------|---------------------------------
  Global                     | Mainly Europe
  Common purpose of the SPs  | Common data protection standards
  Fixed set of attributes    | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log
  LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/; configuration defined in the virtual host definition
  (dir: /etc/apache2/sites-available/, file: aai-login.example.org.conf)
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  default logging location: /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...)
  default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor); manual:
  http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restart; controlled by the /opt/shibboleth-idp/conf/services.properties entry
  idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear

Hands On 2
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date, the interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in a white list, which show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID (the colons in the key must be escaped in a properties file):
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)
Page 53
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
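The key-function variants above (entityID lookup, Functions.forMap with a default, and the hands-on Functions.constant) resolved against a consent-messages.properties file, as an added example that is not the handout's or Shibboleth's own code. The properties text is constructed; the parser is a minimal reader of the java.util.Properties format, not the IdP's.

```python
"""Added example: which terms of use does an SP get, given the configured key
function and messages/consent-messages.properties?  Constructed data."""
import re

# Constructed consent-messages.properties; a ':' inside a key must be escaped.
SAMPLE_PROPERTIES = r"""
# default mapping keyed by the entityID itself
https\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em>
# keys returned by the custom forMap / constant key functions
example-terms = example-tou-1
terms-of-use = generic-tou
generic-tou.title = Generic Terms of Use
generic-tou.text = Applies to every SP without a specific entry.
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
"""

# key = run of escaped pairs or non-separator chars; separator '=' or ':' (optional)
_KEY_RE = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal java.util.Properties reader: comments, '='/':' separators, escaped keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KEY_RE.match(line)
        if m:
            key = re.sub(r"\\(.)", r"\1", m.group(1))  # https\:// -> https://
            props[key] = m.group(2).strip()
    return props


def identity_key(entity_id):
    """Default: shibboleth.RelyingPartyIdLookup.Simple, the key is the entityID."""
    return entity_id


def for_map_key(mapping, default):
    """Functions.compose(Functions.forMap(map, defaultValue), RelyingPartyIdLookup)."""
    return lambda entity_id: mapping.get(entity_id, default)


def constant_key(value):
    """Functions.constant(value): the same key for every SP (hands-on solution)."""
    return lambda entity_id: value


def resolve_terms(entity_id, props, key_fn=identity_key):
    """Return {'id', 'title', 'text'} of the ToU shown to entity_id, or None if none is mapped."""
    tou_id = props.get(key_fn(entity_id))
    if tou_id is None:
        return None
    return {
        "id": tou_id,
        "title": props.get(tou_id + ".title", ""),
        "text": props.get(tou_id + ".text", ""),
    }


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(resolve_terms("https://sp.example.org", props))
    print(resolve_terms("https://any.example/shibboleth", props, constant_key("my-terms")))
```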
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs
Page 56
Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
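How the tag-based override above is resolved, as an added example that is not the handout's or Shibboleth's own code: it reads the EntityAttributes extension from (constructed) metadata and walks an override list in first-match-wins order, so that reordering the list changes which SP loses the consent prompt. The matching rule for a tag candidate (attribute present with at least one listed value) is an assumption made for this example; the IdP's exact semantics are documented in the Shibboleth wiki.

```python
"""Added example: EntityAttributes parsing and first-match-wins relying-party
overrides.  Metadata and rule list are constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RANDS = "http://refeds.org/category/research-and-scholarship"

# Constructed aggregate: sp1 carries CoCo, R&S and a home organisation tag,
# sp2 only R&S, sp3 no entity attributes at all.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{COCO}</saml:AttributeValue>
        <saml:AttributeValue>{RANDS}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG}">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.net/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{RANDS}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.com/shibboleth"/>
</md:EntitiesDescriptor>"""


def entity_attributes(metadata_xml):
    """Return {entityID: {attribute Name: set of values}} for every EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
            attrs.setdefault(attr.get("Name"), set()).update(values)
        result[ed.get("entityID")] = attrs
    return result


# Override rules in list order, mirroring RelyingPartyByTag / RelyingPartyByName
# beans in shibboleth.RelyingPartyOverrides.  The first matching rule wins.
OVERRIDES = [
    {"id": "RandSRelyingParty", "by": "tag", "consent_prompt": True,
     "candidates": [(ENTITY_CATEGORY, {RANDS})]},
    {"id": "shibboleth.NoUserConsentRelyingParty", "by": "tag", "consent_prompt": False,
     "candidates": [(HOME_ORG, {"example.org"})]},
    {"id": "PinnedByName", "by": "name", "consent_prompt": False,
     "names": {"https://sp3.example.com/shibboleth"}},
]


def tag_matches(candidate, attrs):
    """Assumed TagCandidate rule: attribute present with at least one listed value."""
    name, wanted = candidate
    return bool(wanted & attrs.get(name, set()))


def select_override(entity_id, attrs, overrides):
    """ID of the first override whose name or tag candidates match, else None."""
    for rule in overrides:
        if rule["by"] == "name" and entity_id in rule["names"]:
            return rule["id"]
        if rule["by"] == "tag" and any(tag_matches(c, attrs) for c in rule["candidates"]):
            return rule["id"]
    return None  # no override: the default relying-party configuration applies


def consent_prompt_enabled(entity_id, metadata_xml, overrides=OVERRIDES):
    """Does the SP still get the attribute-release consent prompt?"""
    attrs = entity_attributes(metadata_xml).get(entity_id, {})
    rule_id = select_override(entity_id, attrs, overrides)
    if rule_id is None:
        return True
    return next(r["consent_prompt"] for r in overrides if r["id"] == rule_id)


if __name__ == "__main__":
    for sp in entity_attributes(SAMPLE_METADATA):
        print(sp, consent_prompt_enabled(sp, SAMPLE_METADATA))
```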
Page 58
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (.tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp/
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the WAR file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp/:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf/, views/, edit-webapp/
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system/, webapp/
• Never touch the system directories system/ and webapp/
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata!
Page 62
Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (Resource Registry screenshot)
1, 2: to review
3: to adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
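The grep above carried through for all three removal candidates, as an added example that is not the handout's own code: it reports the last use of each binding URN and flags the endpoints untouched for a configurable number of months. The log lines are constructed in the "date - LEVEL [logger:line] - message" layout of idp-process.log; the message wording and the relying-party extraction (first https URL in the line) are assumptions of this example.

```python
"""Added example: last use of endpoint bindings in idp-process.log lines.
Log lines, logger names and message texts are constructed."""
import re
from datetime import datetime, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Removal candidates from the slide, keyed by a label, valued by the URN to grep for.
CANDIDATES = {
    "SAML1 SOAP (Attribute Service / Artifact Resolution Service)": SAML1_SOAP,
    "SAML2 HTTP-POST-SimpleSign (Single Sign-On Service)": SAML2_SIMPLESIGN,
}

# Day of the training; used as "now" for the age check.
TRAINING_DAY = datetime(2015, 6, 11)

# Constructed idp-process.log excerpt (not real IdP output).
SAMPLE_LOG = [
    "2015-01-20 09:12:44,101 - INFO [net.shibboleth.idp.profile:42] - "
    "inbound binding " + SAML1_SOAP + " from relying party https://legacy-sp.example.org/shibboleth",
    "2015-03-02 17:05:10,330 - INFO [net.shibboleth.idp.profile:42] - "
    "inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth",
    "2015-05-30 08:41:07,017 - INFO [net.shibboleth.idp.profile:42] - "
    "outbound binding " + SAML2_SIMPLESIGN + " to relying party https://sp2.example.net/shibboleth",
]

_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
_URL_RE = re.compile(r"https://\S+")


def last_use(lines, binding):
    """(timestamp, relying party) of the newest line mentioning the binding, or None."""
    newest = None
    for line in lines:
        if binding not in line:
            continue
        m = _TS_RE.match(line)
        if not m:
            continue  # continuation line or foreign format: no timestamp to compare
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if newest is None or ts > newest[0]:
            url = _URL_RE.search(line)
            newest = (ts, url.group(0) if url else None)
    return newest


def removal_report(lines, now, months=3, candidates=CANDIDATES):
    """Map each candidate label to (last use or None, safe_to_remove).

    safe_to_remove is True when the binding never appears or its last use is
    older than `months` (30-day months) before `now`.
    """
    cutoff = now - timedelta(days=30 * months)
    report = {}
    for label, binding in candidates.items():
        use = last_use(lines, binding)
        report[label] = (use, use is None or use[0] < cutoff)
    return report


if __name__ == "__main__":
    for label, (use, remove) in removal_report(SAMPLE_LOG, TRAINING_DAY).items():
        print(label, "last used:", use, "safe to remove:", remove)
```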
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (diagrams)
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

  Storage Entity         | Recommended Storage | Scope
  -----------------------|---------------------|-----------
  Conversation Session   | Memory              | Per Node
  IdP User Session       | Client              | Per Client
  Persistent ID          | Common Database     | Cluster
  User consents          | Common Database     | Cluster
  SAML artifacts         | Common Database     | Cluster
  Message replay cache   | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
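An idp.properties fragment that applies the recommendations of the table above, added here as an example (it is not the SWITCH deployment's own file). The bean IDs other than shibboleth.JPAStorageService are assumed to be the IdP's built-in storage services; the Persistent ID has no entry here because it is configured in global.xml.

```properties
# Added example: storage service per entity, following the recommendation table.
# Client-side (cookie) storage: the user session floats between nodes.
idp.session.StorageService = shibboleth.ClientSessionStorageService
# Common database (shibboleth.JPAStorageService, see global.xml): shared by all nodes.
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
# In-memory, per node (the default); switch to shibboleth.JPAStorageService or a
# memcached service if replay protection must hold across nodes.
idp.replayCache.StorageService = shibboleth.StorageService
```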
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  – Research projects are mostly multi-national.
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation.
  – Enable the IdP for interfederation: its users will be able to access services from other federations.
  – Enable the SP for interfederation: the service can serve users from other federations.
Page 79
All Academic Identity Federations Globally
[Map of federations in production and pilot status; source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation,          eduPerson    staff,
eduPersonScopedAffiliation                  staff@example.org
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university,
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
[Figure slide]
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]
• Code of Conduct Toolkit:
  – Data Protection Code of Conduct for SPs in EU/EEA
  – Entity category attribute definition for the Code of Conduct
  – SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Figure slide]
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Log files:
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – Default logging location: /var/log/tomcat7
  – Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – Default logging location: /var/log/tomcat7
  – Config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the idp services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>
http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
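The reload calls and bean IDs above, wrapped into a small shell helper. This is an added example, not a script from the SWITCH handouts or from the IdP distribution; the host name aai-login.example.org and the bean IDs are those listed on these slides, while the curl options and the local check of the bean ID against that list are assumptions.

```shell
#!/bin/sh
# Added example: helper around the IdP v3 admin reload flows.
# Run it on the IdP node itself, since access to the reload-* URLs is
# restricted to localhost by default.

IDP_HOST="${IDP_HOST:-aai-login.example.org}"

# Bean IDs listed as reloadable on the slide "Available bean IDs".
# Extend this list from services-system.xml if your deployment has more.
RELOADABLE_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService \
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService \
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService \
shibboleth.ReloadableAccessControlService"

# is_reloadable ID -> exit 0 if ID is in the known list, 1 otherwise.
is_reloadable() {
    for svc in $RELOADABLE_SERVICES; do
        [ "$svc" = "$1" ] && return 0
    done
    return 1
}

# reload_url FLOW ID -> prints the admin URL; FLOW is "service" or "metadata".
reload_url() {
    case "$1" in
        service|metadata) ;;
        *) echo "reload_url: flow must be 'service' or 'metadata'" >&2; return 1 ;;
    esac
    printf 'https://%s/idp/profile/admin/reload-%s?id=%s\n' "$IDP_HOST" "$1" "$2"
}

# reload_service ID: refuses unknown bean IDs locally (the IdP would reject
# them as well, but a typo is easier to spot here), then issues the request.
# --fail makes curl exit non-zero on an HTTP error status, so the caller can
# tell a failed reload (e.g. a syntax error in the reloaded file) from success.
reload_service() {
    if ! is_reloadable "$1"; then
        echo "reload_service: unknown bean id '$1'" >&2
        return 2
    fi
    curl --silent --show-error --fail "$(reload_url service "$1")"
}

# reload_metadata MD_ID: provider IDs come from conf/metadata-provider-*.xml.
reload_metadata() {
    curl --silent --show-error --fail "$(reload_url metadata "$1")"
}

# Usage (on the IdP node):
#   reload_service shibboleth.AttributeFilterService
#   reload_metadata SWITCHaaiFederation
```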
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    · If YES: the SP has to check out why it fails
    · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.
Page 54
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute/consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                        Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation
  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
Page 58
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.
Page 63
IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New recommendation: use the same IP and same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
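An added example (not from the handouts) that automates the check above across all idp-process-YYYY-MM-DD.log files and flags each removal candidate as unused or in use. The log lines are constructed for the demonstration; the exact message text around the binding URN, the cut-off date and the scratch directory standing in for /opt/shibboleth-idp/logs are assumptions, only the binding URNs are those named on the slides.

```shell
#!/bin/sh
# Added example: find the last use of a SAML binding in the IdP process logs.

SAML1_SOAP="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample logs in a scratch directory (stands in for
# /opt/shibboleth-idp/logs). Real idp-process.log messages are worded
# differently; the check only relies on the binding URN and the relying
# party entityID appearing on the same line, with the entityID last.
LOGDIR="$(mktemp -d)"
trap 'rm -rf "$LOGDIR"' EXIT
cat > "$LOGDIR/idp-process-2015-01-09.log" <<'EOF'
2015-01-09 08:12:01,003 - INFO [net.shibboleth.idp.profile:0] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relying party https://legacy-sp.example.org/shibboleth
2015-01-09 09:40:17,410 - INFO [net.shibboleth.idp.profile:0] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relying party https://sp.example.org/shibboleth
EOF
cat > "$LOGDIR/idp-process-2015-03-02.log" <<'EOF'
2015-03-02 14:05:11,222 - INFO [net.shibboleth.idp.profile:0] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relying party https://old-portal.example.edu/shibboleth
2015-03-02 14:06:00,001 - INFO [net.shibboleth.idp.profile:0] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relying party https://sp.example.org/shibboleth
EOF

# binding_uses LOGDIR BINDING -> number of log lines that used BINDING.
# -F: the URN is matched as a fixed string, not as a regular expression.
binding_uses() {
    cat "$1"/idp-process-*.log | grep -F -c -- "$2" || true
}

# last_binding_use LOGDIR BINDING -> "DATE TIME RELYING_PARTY" of the most
# recent use, or nothing if the binding was never used. The glob expands in
# name order (= date order for idp-process-YYYY-MM-DD.log) and timestamps
# sort lexically within a file, so the last matching line is the newest.
last_binding_use() {
    grep -h -F -- "$2" "$1"/idp-process-*.log 2>/dev/null | tail -n 1 |
        awk '{ rp = $NF; print $1 " " $2, rp }'
}

# binding_unused_since LOGDIR BINDING YYYY-MM-DD -> exit 0 if the binding
# has no use on or after the given day (a removal candidate), 1 otherwise.
binding_unused_since() {
    last="$(last_binding_use "$1" "$2" | cut -c1-10)"
    # Never used, or last used before the cut-off (ISO dates compare as strings).
    [ -z "$last" ] || expr "$last" \< "$3" >/dev/null
}

# report_candidates LOGDIR CUTOFF: one line per binding the handouts name as
# a removal candidate, marked REMOVE-CANDIDATE or IN-USE.
report_candidates() {
    for b in "$SAML1_SOAP" "$SAML2_POST_SIMPLESIGN"; do
        if binding_unused_since "$1" "$b" "$2"; then
            printf 'REMOVE-CANDIDATE %s\n' "$b"
        else
            printf 'IN-USE %s (last: %s)\n' "$b" "$(last_binding_use "$1" "$b")"
        fi
    done
}

report_candidates "$LOGDIR" 2015-06-01
```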
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment
[Figure slides 5 and 6]
Page 71
Options: Full-featured setup
• Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    · Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    · Behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database, or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
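As an added illustration (not code from SWITCH or from the Shibboleth project), the following Python script reads an idp.properties excerpt and compares the four storage properties named on the preceding slides with the "Storage Recommendations" table for a cluster. The property names are the ones shown above; the bean IDs shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService and the in-memory shibboleth.StorageService are the IdP v3 distribution defaults and are assumptions where this handout does not name them; the sample file content is constructed. The Persistent ID is left out on purpose because it is configured in global.xml, not in idp.properties.

```python
"""Check the per-entity storage services in idp.properties against the clustering recommendations."""
import re

# Property names from /opt/shibboleth-idp/conf/idp.properties (IdP v3), mapped to the
# service recommended for a cluster by the "Storage Recommendations" table:
# session -> client-side cookie, consents/artifacts -> common database, replay cache -> per-node memory.
# Bean IDs other than shibboleth.JPAStorageService are IdP v3 defaults (assumption, not from the handout).
RECOMMENDED = {
    "idp.session.StorageService": "shibboleth.ClientSessionStorageService",  # per client
    "idp.consent.StorageService": "shibboleth.JPAStorageService",            # common database
    "idp.artifact.StorageService": "shibboleth.JPAStorageService",           # common database
    "idp.replayCache.StorageService": "shibboleth.StorageService",          # in-memory, per node
}


def parse_properties(text):
    """Minimal parser for Java .properties files: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_cluster_storage(text):
    """Return {property: (configured, recommended, ok)} for every storage property.

    'configured' is None when the property is absent (the IdP then applies its built-in default,
    which for a cluster must be verified explicitly rather than assumed)."""
    props = parse_properties(text)
    result = {}
    for key, want in RECOMMENDED.items():
        have = props.get(key)
        result[key] = (have, want, have == want)
    return result


# Constructed excerpt of idp.properties from a single-node deployment (not cluster-ready).
SAMPLE = """\
# storage services (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for key, (have, want, ok) in check_cluster_storage(SAMPLE).items():
        print(f"{'OK ' if ok else 'FIX'} {key}: {have} (recommended for a cluster: {want})")
```

Run against the real file with `check_cluster_storage(open('/opt/shibboleth-idp/conf/idp.properties').read())`; the two "FIX" lines the sample produces (consents and artifacts still on client or in-memory storage) are exactly the settings that silently break consent portability and artifact resolution once a second node is added.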
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map: production and pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (screenshot)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided on opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Figure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (figure)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes; attribute release will scale
Increase the trust in Service Providers (SPs)
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)
Page 88

Attribute Release Settings (1) (screenshot: Resource Registry - Edit Home Organization Description - Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Log files
  • error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition: directory /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • Default logging location: /var/log/tomcat7/
  • Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...)
  • Default logging location: /var/log/tomcat7/
  • Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restart; see the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template...:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward "constantly watch for file changes" check
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more of course... but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=...
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
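Because a configuration or metadata reload is an administrative action worth accounting for, the following added Python example (not code from SWITCH or the Shibboleth project) extracts the reload events from idp-audit.log lines of the shape shown on the preceding slide. It assumes the profile URI is the fifth "|"-separated field, as those two example records show; the timestamps and the other audit lines are constructed.

```python
"""Summarise configuration/metadata reload events recorded in idp-audit.log."""
from collections import Counter

# Profile URIs as they appear in the audit records on the slide, mapped to a short label.
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "service reload",
    "http://shibboleth.net/ns/profiles/reload-metadata": "metadata reload",
}


def parse_audit_line(line):
    """Return (timestamp, profile_uri) from a '|'-separated audit record, or None if malformed.

    Assumption (from the slide's sample records): the first field is the timestamp and the
    profile URI is the fifth field; the three fields in between stay empty for admin flows."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 5:
        return None
    return fields[0], fields[4]


def reload_events(lines):
    """Return [(timestamp, kind)] for every reload event found in the given audit lines."""
    events = []
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        timestamp, profile = parsed
        kind = RELOAD_PROFILES.get(profile)
        if kind:
            events.append((timestamp, kind))
    return events


def reload_summary(lines):
    """Count reload events per kind, e.g. {'metadata reload': 2, 'service reload': 1}."""
    return dict(Counter(kind for _, kind in reload_events(lines)))


# Constructed audit lines: two admin reload records, one ordinary SSO record, one garbled line.
SAMPLE_AUDIT = [
    "20150611T091512Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T091530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_abc123|"
    "https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|...",
    "20150611T093001Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T093045Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "this line is not an audit record",
]

if __name__ == "__main__":
    for timestamp, kind in reload_events(SAMPLE_AUDIT):
        print(timestamp, kind)
    print(reload_summary(SAMPLE_AUDIT))
```

Feed it the real file with `reload_events(open('/opt/shibboleth-idp/logs/idp-audit.log'))`. As the slide notes, the audit record does not carry the id= argument, so this only tells you when and which kind of reload happened; answering the slide's question requires the other log.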
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add the text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.
Page 55
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute/consent prompt for particular SPs
Page 56
Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
Page 58
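Before activating an override like the one above, it is worth knowing exactly which SPs in your loaded metadata would match the tag. The following Python example (added here; not code from SWITCH or the Shibboleth project, and not how the IdP itself evaluates the override) parses a metadata aggregate and lists the entityIDs whose entity attribute carries one of the given values, which is the c:name / p:values semantics of the TagCandidate bean. It uses the standard SAML metadata namespaces; the sample aggregate is constructed and follows the structure of the metadata example on this slide.

```python
"""Which entities in a metadata aggregate carry a given entity attribute value?
Mirrors the match performed by the RelyingPartyByTag / TagCandidate override."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
MD_ENTITY = "{%s}EntityDescriptor" % NS["md"]


def entity_attributes(entity):
    """Return {attribute Name: [values]} from <mdattr:EntityAttributes> of one EntityDescriptor."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def entities_matching_tag(metadata_xml, name, values):
    """entityIDs whose attribute `name` carries at least one of `values`."""
    root = ET.fromstring(metadata_xml)
    wanted = set(values)
    matches = []
    for entity in root.iter(MD_ENTITY):  # walks nested EntitiesDescriptor groups as well
        if wanted & set(entity_attributes(entity).get(name, [])):
            matches.append(entity.get("entityID"))
    return matches


# Constructed sample aggregate: one CoCo SP tagged switch.ch, one SP tagged example.org, one untagged SP.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{SWISS_HOME_ORG}">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{SWISS_HOME_ORG}">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://untagged.example.net/shibboleth"/>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print("consent disabled for:", entities_matching_tag(SAMPLE_METADATA, SWISS_HOME_ORG, ["example.org"]))
    print("CoCo SPs:", entities_matching_tag(SAMPLE_METADATA, ENTITY_CATEGORY, [COCO]))
```

Point it at the interfederation metadata file named on the troubleshooting slide to see the real list; a tag value that matches more entities than intended is a sign the override is broader than the consent exemption you meant to grant.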
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 metadata.
Page 62

(Figure)

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs. IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot: 1, 2 to review; 3 to adapt)
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65

2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed, and no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
copy 2015 SWITCH
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So, in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
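The check described above, as an added example script (not part of the SWITCH handout): it reports the last use of a binding per relying party over idp-process log files, so that an endpoint is only removed from the Resource Registry once it is shown to be unused. The log lines in sample_log() are constructed, and their wording ("Inbound binding ... for relying party ...") is an assumption; adapt the sed pattern to the messages your IdP actually writes.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: find the last use of a SAML
# binding in idp-process log files before removing its endpoint from the
# Resource Registry. Sample log lines below are constructed; the message
# wording is an assumption about the IdP's log format.
set -eu

# Binding URNs of the removal candidates named on the slide.
SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# last_use_of_binding BINDING LOGFILE...
# Prints "<date> <time> <relying party>" of the newest log line mentioning
# BINDING, or nothing when the binding never appears in the given files.
last_use_of_binding() {
    binding=$1; shift
    grep -h -F -- "$binding" "$@" 2>/dev/null \
      | sed -n 's/^\([0-9-]* [0-9:]*\),[0-9]* .*relying party \([^ ]*\).*/\1 \2/p' \
      | sort | tail -n 1
}

# endpoint_verdict BINDING LOGFILE...
# "unused" means the endpoint is a safe removal candidate; otherwise the
# last use is reported so the SP can be contacted before the endpoint goes.
endpoint_verdict() {
    last=$(last_use_of_binding "$@")
    if [ -z "$last" ]; then
        echo unused
    else
        echo "used $last"
    fi
}

# Constructed stand-in for /opt/shibboleth-idp/logs/idp-process-2015-*.log;
# prints the path of the temporary file it wrote.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2015-05-12 09:15:02,114 - INFO [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:137] - Profile selected for relying party https://sp1.example.org/shibboleth
2015-05-12 09:15:02,210 - INFO [net.shibboleth.idp.saml.profile:55] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://sp1.example.org/shibboleth
2015-05-12 17:40:51,003 - INFO [net.shibboleth.idp.saml.profile:55] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp2.example.org/shibboleth
2015-05-14 08:02:19,777 - INFO [net.shibboleth.idp.saml.profile:55] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://sp3.example.org/shibboleth
EOF
    echo "$f"
}

# Stand-alone run over the constructed sample. On a real IdP call e.g.
#   endpoint_verdict "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log
log=$(sample_log)
echo "SAML1 SOAP:  $(endpoint_verdict "$SAML1_SOAP" "$log")"
echo "SimpleSign:  $(endpoint_verdict "$SIMPLESIGN" "$log")"
rm -f "$log"
```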
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of in memory on the server
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (figures on two slides)
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
Special load balancing hardware or software is highly recommended:
• Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
• Supports sticky sessions (required for short-lived conversation sessions)
DNS round robin doesn't work reliably:
• Behavior of clients is not determinable
• Does not guarantee sticky sessions

Options: Basic setup (active/standby system)
Anycast IP address
• Fast switching possible, but more complicated setup
Switching via DNS
• Switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs. server-side
Server-side database: can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
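A pre-flight check tying the Storage Recommendations table to the idp.properties keys listed above, as an added example script (not part of the SWITCH handout). It assumes the IdP v3 storage bean names shibboleth.StorageService (in-memory, per node), shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService (cookie based) and shibboleth.JPAStorageService (database, from global.xml); the sample property files are constructed.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: check idp.properties against
# the storage recommendations for a clustered IdP (user session on the client,
# user consents and SAML artifacts in the common database, replay cache in
# memory per node). Bean names are assumed IdP v3 defaults; sample files are
# constructed.
set -u

# prop KEY FILE: value of KEY in FILE, empty when unset or commented out.
prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# cluster_storage_check FILE: prints one line per storage entity whose
# setting does not fit a cluster; the return value is the number of findings.
cluster_storage_check() {
    file=$1; n=0
    session=$(prop idp.session.StorageService "$file")
    consent=$(prop idp.consent.StorageService "$file")
    artifact=$(prop idp.artifact.StorageService "$file")
    replay=$(prop idp.replayCache.StorageService "$file")

    # IdP User Session: must float between nodes, so it has to live on the client.
    case "$session" in
        shibboleth.ClientSessionStorageService) ;;
        *) echo "session: '${session:-unset}' is not client-side; users would be logged out when a node is removed"
           n=$((n + 1)) ;;
    esac
    # User consents: a cookie store is per browser, a cluster needs the common database.
    case "$consent" in
        shibboleth.JPAStorageService) ;;
        *) echo "consent: '${consent:-unset}' is per browser or per node; use the common database"
           n=$((n + 1)) ;;
    esac
    # SAML artifacts: every active node must be able to resolve them.
    case "$artifact" in
        shibboleth.JPAStorageService) ;;
        *) echo "artifact: '${artifact:-unset}' is not shared; use the common database or do not use SAML 2.0 artifacts"
           n=$((n + 1)) ;;
    esac
    # Replay cache: per-node memory is the accepted default; anything else is only noted.
    case "$replay" in
        shibboleth.StorageService|"") ;;
        *) echo "note: replay cache '$replay' is shared (higher security; needs common database or memcached)" ;;
    esac
    return "$n"
}

# Constructed single-node settings (cookie and in-memory stores): two findings.
single_node_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of idp.properties on a single node
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
    echo "$f"
}

# Constructed settings following the recommendation table: no findings.
cluster_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of idp.properties on a cluster node
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
    echo "$f"
}

# Stand-alone run; on a real node call
#   cluster_storage_check /opt/shibboleth-idp/conf/idp.properties
demo=$(single_node_sample)
cluster_storage_check "$demo" || echo "$? finding(s) in single-node settings"
rm -f "$demo"
```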
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation /         eduPerson    staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Figure: the eduGAIN policy framework, consisting of the eduGAIN Constitution, the eduGAIN Declaration, the Metadata Profile, the Web SSO Profile, the Attribute Profile and the Code of Conduct)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (figure)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SPs' commitment; this increases the trust in Service Providers (SPs))
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   | GÉANT DP CoCo
Global                       | Mainly Europe
Common purpose of the SPs    | Common data protection standards
Fixed set of attributes      | SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules (figure)
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
(Screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Log files:
• error.log: aai-login.example.org-error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org-access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties (FileHandler.level INFO; possible levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback, the Log4j successor. Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change them if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS" />
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2
Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations relatively rarely occur
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 (Available bean IDs for service reloads):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute/consent prompt for particular SPs
Disabling prompt for particular SPs: Relying party overrides
Template beans in conf/relying-party.xml to match SPs by
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant
Disabling prompt for particular SPs: Entity attributes in metadata
Entity categories
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship
New attributes available
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                      Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <!-- match SPs tagged with swissEduPersonHomeOrganization = example.org -->
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
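To verify the claim that install.sh leaves the unmanaged directories alone, the following added example (not part of the SWITCH handout) snapshots conf, views and edit-webapp before the upgrade and compares the snapshot afterwards; IDP_HOME and the directory list are assumptions taken from the slide.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: snapshot the unmanaged
# directories (conf, views, edit-webapp) before running bin/install.sh and
# compare again afterwards, so you can confirm the upgrade left your own
# files alone. IDP_HOME and the directory list are assumptions from the slide.

IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
UNMANAGED_DIRS="conf views edit-webapp"

# Write "crc size path" for every regular file below the unmanaged dirs.
# Usage: snapshot_unmanaged <snapshot-file> [idp-home]
snapshot_unmanaged() {
    out=$1; home=${2:-$IDP_HOME}
    : > "$out"
    for d in $UNMANAGED_DIRS; do
        [ -d "$home/$d" ] || continue
        ( cd "$home" && find "$d" -type f -exec cksum {} + ) >> "$out"
    done
    sort -k3 -o "$out" "$out"
}

# Compare a before and an after snapshot. Prints the changed, added or removed
# entries and returns 1 if there are any, 0 if the directories are identical.
# Usage: verify_unmanaged <before> <after>
verify_unmanaged() {
    if diff "$1" "$2" >/dev/null; then
        echo "unmanaged directories unchanged"
    else
        echo "WARNING: files below $UNMANAGED_DIRS changed during the upgrade:" >&2
        diff "$1" "$2" | grep '^[<>]' >&2
        return 1
    fi
}

# Build a constructed miniature IdP home for a stand-alone run (not a real deployment).
# Usage: make_sample_idp_home <dir>
make_sample_idp_home() {
    mkdir -p "$1/conf" "$1/views" "$1/system/conf"
    echo 'idp.entityID = https://idp.example.org/idp/shibboleth' > "$1/conf/idp.properties"
    echo '<html>login</html>' > "$1/views/login.vm"
    echo 'managed by the installer' > "$1/system/conf/services-system.xml"
}
```

Run snapshot_unmanaged before and after bin/install.sh; a non-zero exit from verify_unmanaged tells you to inspect the listed files before running build.sh.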
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description
Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata might still cause some minor changes.
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints

To change metadata, change the Home Organisation Description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2. Descriptive Information: add new IP ranges and Domain Hints
5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.
2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) about when the binding was used the last time.
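The grep above generalised to all candidate bindings from the slide, as an added example that is not part of the SWITCH handout: it reports the last usage (timestamp and relying party) per binding so nothing still in use gets removed. The log line layout, in particular the "relyingParty=" token, is an assumption; adapt the extraction to your idp-process.log format.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): before removing an endpoint from
# the Resource Registry, report the last time each candidate binding shows up
# in the IdP process logs, and which relying party used it.
# Assumes log lines start with "YYYY-MM-DD HH:MM:SS,mmm" and carry the binding
# URN and a "relyingParty=<entityID>" token (the token is an assumption;
# adjust the sed expression to your log layout).

# Candidate bindings named on the slide.
CANDIDATE_BINDINGS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Print the last usage of a binding as "<timestamp> <relyingParty>", or
# "never" with exit status 1 if the binding does not occur in the given logs.
# Usage: last_binding_use <binding-urn> <logfile>...
last_binding_use() {
    binding=$1; shift
    line=$(grep -h -F -- "$binding" "$@" 2>/dev/null | sort | tail -n 1)
    if [ -z "$line" ]; then
        echo "never"
        return 1
    fi
    ts=$(printf '%s\n' "$line" | cut -c1-19)
    rp=$(printf '%s\n' "$line" | sed -n 's/.*relyingParty=\([^ ,]*\).*/\1/p')
    echo "$ts ${rp:-unknown}"
}

# Report all candidates. Returns 0 if none was used (all may be removed),
# 1 if at least one still shows usage in the given logs.
# Usage: report_candidates <logfile>...
report_candidates() {
    still_used=0
    for b in $CANDIDATE_BINDINGS; do
        if use=$(last_binding_use "$b" "$@"); then
            echo "KEEP   $b (last used: $use)"
            still_used=1
        else
            echo "REMOVE $b (no usage found in the given logs)"
        fi
    done
    return $still_used
}

# Constructed sample log (not real IdP output) for a stand-alone run.
# Usage: make_sample_log <file>
make_sample_log() {
    cat > "$1" <<'EOF'
2015-03-02 09:15:41,003 - INFO [net.shibboleth.idp.profile] - Profile Action: binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://old-sp.example.org/shibboleth
2015-05-20 14:02:11,718 - INFO [net.shibboleth.idp.profile] - Profile Action: binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://sp.example.org/shibboleth
2015-06-01 08:30:05,120 - INFO [net.shibboleth.idp.profile] - Profile Action: binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://legacy.example.org/shibboleth
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); make_sample_log "$tmp"
    report_candidates "$tmp"; rm -f "$tmp"
fi
```

On a real IdP run `report_candidates /opt/shibboleth-idp/logs/idp-process-2015-*.log`; the rotated logs of the last few months are the ones that matter.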
SWITCHaai Team, aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment
[Diagram of an example cluster environment, shown on two slides]
Options: Full-featured setup

Load Balancing Hardware vs DNS Round Robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side

• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
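A check of the idp.properties storage settings against the recommendation table, as an added example that is not part of the SWITCH handout. It uses the stock IdPv3 storage bean names (shibboleth.StorageService, shibboleth.ClientSessionStorageService, shibboleth.JPAStorageService); the sample files it writes are constructed, not a real deployment's configuration, and the Persistent ID is not covered because it lives in global.xml.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: check the storage service
# configured per storage entity in idp.properties against the recommendations
# table (user session on the client, consents and artifacts in a common
# database, replay cache in per-node memory).
# The bean names are the stock IdPv3 storage services:
#   shibboleth.StorageService              in-memory, per node
#   shibboleth.ClientSessionStorageService cookie-based, per client
#   shibboleth.JPAStorageService           database, as set up in global.xml
# A key that is unset (or commented out) falls back to the IdP's built-in
# default; it is reported as a warning so that it gets reviewed explicitly.

# Print the value of a property, ignoring comment lines; empty if unset.
# Usage: prop <properties-file> <key>
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Check one entity. Prints OK/WARN and returns 0 (ok) or 1 (warning).
# Usage: check_entity <properties-file> <key> <recommended-bean> <reason>
check_entity() {
    v=$(prop "$1" "$2")
    if [ "$v" = "$3" ]; then
        echo "OK   $2 = $v"
    else
        echo "WARN $2 = ${v:-<unset>} (recommended: $3; $4)"
        return 1
    fi
}

# Check all entities from the table; returns the number of warnings.
# Usage: check_cluster_storage <properties-file>
check_cluster_storage() {
    n=0
    check_entity "$1" idp.session.StorageService shibboleth.ClientSessionStorageService \
        "the user session must float between nodes" || n=$((n + 1))
    check_entity "$1" idp.consent.StorageService shibboleth.JPAStorageService \
        "consents must be shared across browsers and nodes" || n=$((n + 1))
    check_entity "$1" idp.artifact.StorageService shibboleth.JPAStorageService \
        "artifacts must be resolvable by every active node" || n=$((n + 1))
    check_entity "$1" idp.replayCache.StorageService shibboleth.StorageService \
        "per-node memory is the accepted default for the replay cache" || n=$((n + 1))
    return $n
}

# Constructed sample files (not a real deployment's idp.properties).
# Usage: write_sample_properties <file> single-node|cluster
write_sample_properties() {
    case $2 in
    single-node)
        cat > "$1" <<'EOF'
# single-node style settings: consents and artifacts stay on one node
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
        ;;
    cluster)
        cat > "$1" <<'EOF'
# settings following the recommendation table
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
        ;;
    esac
}
```

Run `check_cluster_storage /opt/shibboleth-idp/conf/idp.properties` on every node; the exit status is the number of entities that deviate from the table.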
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[World map of production and pilot federations]
Source: https://refeds.org/federations/federations-map
eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
[Screenshot of the interfederation option in the Resource Registry]
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
SWITCHaai Team, aai@switch.ch

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata
[Diagram: the entity category attribute embedded in an entity's metadata]
GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                | GÉANT DP CoCo
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration
How attributes are released

Attribute Release Rules
[Screenshot]

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

Log files:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP. services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)

Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logback.xml

<!-- Sends log events by mail. Without an explicit <evaluator>, SMTPAppender
     only triggers on events of level ERROR, which gives the "email alerts on
     error" behaviour; the root level DEBUG below controls what the other
     appenders receive, not what is mailed. -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1

Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2

Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration
New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
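A small wrapper around the reload-service admin flow, as an added example that is not part of the SWITCH handout: it validates the requested bean ID against the IDs declared in services-system.xml (the grep from the previous slide) before requesting the URL, and lets you inject the HTTP client so the logic can be exercised without a running IdP. The base URL, the file path, the "fetch" interface and the sample XML excerpt are assumptions.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): a wrapper around the IdPv3
# admin reload flow. It checks the bean ID against services-system.xml, then
# requests the reload-service URL. The HTTP client is injected as a function
# name so the logic can be tested without an IdP; the default uses curl -s -f.
# Base URL, file path and the fetch interface are assumptions.

IDP_BASE_URL=${IDP_BASE_URL:-https://aai-login.example.org/idp}
SERVICES_SYSTEM_XML=${SERVICES_SYSTEM_XML:-/opt/shibboleth-idp/system/conf/services-system.xml}

# List the bean IDs declared in a services-system.xml (one per line).
# Usage: list_reloadable_ids <services-system.xml>
list_reloadable_ids() {
    sed -n 's/.*<bean id="\([^"]*\)".*/\1/p' "$1"
}

# Default fetcher: curl, failing on HTTP errors. The IdP restricts the reload
# URLs to localhost (plus whatever access-control.xml allows), so run this on
# the IdP host itself.
fetch_url() {
    curl -s -f -- "$1"
}

# Usage: reload_service <bean-id> [fetch-function]
# Returns 0 on success, 2 for an unknown bean ID, 1 if the request failed.
reload_service() {
    id=$1; fetch=${2:-fetch_url}
    if ! list_reloadable_ids "$SERVICES_SYSTEM_XML" | grep -q -x -F -- "$id"; then
        echo "unknown bean id: $id (see $SERVICES_SYSTEM_XML)" >&2
        return 2
    fi
    if "$fetch" "$IDP_BASE_URL/profile/admin/reload-service?id=$id"; then
        echo "reloaded $id"
    else
        echo "reload of $id failed; check idp-process.log for the cause" >&2
        return 1
    fi
}

# Constructed excerpt of a services-system.xml with the bean IDs listed on the
# slide (the class values are illustrative; only the ids matter here).
# Usage: write_sample_services_xml <file>
write_sample_services_xml() {
    cat > "$1" <<'EOF'
<beans>
  <bean id="shibboleth.LoggingService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeFilterService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.NameIdentifierGenerationService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.RelyingPartyResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.MetadataResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.ReloadableAccessControlService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
</beans>
EOF
}
```

On the IdP host, `reload_service shibboleth.AttributeResolverService` performs the same request as the curl line on the hands-on slide, but refuses IDs that services-system.xml does not declare.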
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)

• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Disabling prompt for particular SPsRelying party overrides
Template beans in confrelying-partyxml tomatch SPs by
name entityID
group ltEntitiesDescriptorgt in metadata
tag ltEntityAttributesgt metadata extension
First match wins order in confrelying-partyxml is significant
copy 2015 SWITCH
bull
bullbullbull
bull
23
Disabling prompt for particular SPsEntity attributes in metadata
Entity categories
GEacuteANT Data Protection Code of Conduct (CoCo)
REFEDS Research amp Scholarship
New attributes available
swissEduPersonHomeOrganization
swissEduPersonHomeOrganizationType
copy 2015 SWITCH
bullbullbull
bullbullbull
24
Page 57
Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
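To make the tag-based matching concrete, here is an added Python example (not part of the SWITCH handouts and not IdP code): it reads the EntityAttributes extension out of SAML metadata with the standard library and then models how a RelyingPartyByTag override with TagCandidate beans selects an entity, including the "first match wins" rule. The sample metadata is constructed from the slide's entity plus a second, attribute-less SP; the second override bean id (shibboleth.CoCoRelyingParty) is hypothetical.

```python
import xml.etree.ElementTree as ET

# SAML metadata namespaces used by the EntityAttributes extension.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# Constructed sample: the slide's entity, wrapped in the namespace declarations it needs to parse,
# plus a second (constructed) SP that carries no entity attributes at all.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>
            {COCO_V1}
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG_OID}">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <!-- constructed: an SP without any entity attributes -->
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_attributes(xml_text):
    """Return {entityID: {attribute Name: [values]}} for every EntityDescriptor in the document."""
    root = ET.fromstring(xml_text)
    result = {}
    # iter() also yields the root itself, so a bare <EntityDescriptor> document works too.
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        result[ed.get("entityID")] = attrs
    return result


def tag_candidate_matches(attrs, name, values):
    """Model of one TagCandidate bean: true when the entity carries attribute `name` with a value in `values`."""
    return any(v in values for v in attrs.get(name, []))


def select_override(attrs, overrides):
    """overrides: ordered list of (bean id, [(attribute Name, [values]), ...]) as in relying-party.xml.
    Mirrors 'first match wins': the first override with any matching candidate applies."""
    for bean_id, candidates in overrides:
        if any(tag_candidate_matches(attrs, name, values) for name, values in candidates):
            return bean_id
    return None


# Constructed override list: the slide's consent-disabling override, then a hypothetical CoCo override.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG_OID, ["example.org"])]),
    ("shibboleth.CoCoRelyingParty", [(ENTITY_CATEGORY, [COCO_V1])]),  # hypothetical bean id
]


def overrides_for_metadata(xml_text, overrides=OVERRIDES):
    """Which override (if any) would apply to each entity in the metadata."""
    return {eid: select_override(attrs, overrides) for eid, attrs in entity_attributes(xml_text).items()}


if __name__ == "__main__":
    for eid, bean in overrides_for_metadata(SAMPLE_METADATA).items():
        print(f"{eid}: {bean or 'default relying party configuration'}")
```

Because the home organisation of the sample entity is switch.ch rather than example.org, the consent-disabling override does not match and the CoCo override applies instead; swap the candidate value and the first override wins, which is exactly why the order of the beans in the list matters.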
Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description
[Figure: Resource Registry form; sections 1 and 2: to review, section 3: to adapt]
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: Add new IP ranges and Domain Hints
• 5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
2. Change URL for Attribute Authority
New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was last used.
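The grep above answers "was it used at all"; the added Python example below (not from the handouts, not IdP code) goes one step further and reports, per candidate binding, which relying parties used it since a given date, so the decision "remove the endpoint" can be made per SP. The log excerpt is constructed: the timestamp prefix follows the default idp-process.log layout, but the message wording ("Inbound binding ... for relying party '...'") is an assumption, and the SP_RE pattern would have to be adapted to the real messages.

```python
import re
from datetime import datetime

# Endpoint bindings the slide lists as removal candidates (binding URIs as they appear in IdP logs).
CANDIDATE_BINDINGS = {
    "SAML1 SOAP (Artifact Resolution / Attribute Service)": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SAML2 HTTP-POST-SimpleSign (Single Sign On Service)": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
# Assumed message shape: the relying party's entityID quoted after "relying party".
SP_RE = re.compile(r"relying party '([^']+)'")

# Constructed idp-process.log excerpt; the message wording is assumed, not copied from a real IdP.
SAMPLE_LOG = """\
2014-11-03 08:12:41,005 - INFO [net.shibboleth.idp.profile:170] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party 'https://legacy-sp.example.org/shibboleth'
2015-02-17 13:45:09,882 - INFO [net.shibboleth.idp.profile:170] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign for relying party 'https://sp2.example.org/shibboleth'
2015-04-22 10:02:33,117 - INFO [net.shibboleth.idp.profile:170] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party 'https://sp3.example.org/shibboleth'
2015-05-01 16:20:00,421 - WARN [net.shibboleth.idp.profile:170] - Line without a binding URI is ignored
"""


def binding_usage(lines):
    """Map (binding URI, relying party) -> datetime of the most recent log line mentioning both."""
    last = {}
    for line in lines:
        ts, binding, sp = TS_RE.match(line), BINDING_RE.search(line), SP_RE.search(line)
        if not (ts and binding):
            continue  # continuation lines, stack traces, messages without a binding
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        key = (binding.group(0), sp.group(1) if sp else "<unknown relying party>")
        if key not in last or when > last[key]:
            last[key] = when
    return last


def removal_report(lines, since):
    """For each candidate binding: {relying party: last use} restricted to uses at or after `since`.
    An empty dict means nothing used the binding in the review window, i.e. the endpoint may be removed."""
    usage = binding_usage(lines)
    return {
        label: {sp: when for (uri, sp), when in usage.items() if uri == binding and when >= since}
        for label, binding in CANDIDATE_BINDINGS.items()
    }


def removal_verdicts(lines, since):
    """Human-readable verdict per candidate binding."""
    return {
        label: ("candidate for removal" if not recent else "still used by " + ", ".join(sorted(recent)))
        for label, recent in removal_report(lines, since).items()
    }


if __name__ == "__main__":
    for label, verdict in removal_verdicts(SAMPLE_LOG.splitlines(), datetime(2015, 1, 1)).items():
        print(f"{label}: {verdict}")
```

Run it against a real log with `removal_report(open("idp-process.log"), datetime(2015, 1, 1))`; because a binding that only appears in 2014 is outside the window, the SAML1 SOAP endpoint comes out as a removal candidate while SimpleSign is still in use by one SP.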
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[Figure: example clustered IdP environment, two diagram slides]
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
Special load balancing hardware or software is highly recommended:
• Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
• Supports sticky sessions (required for short-lived conversation sessions)
DNS round robin doesn't work reliably:
• Behavior of clients is not determinable
• Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
Anycast IP address
• Fast switching possible, but more complicated setup
Switching via DNS
• Switching takes some time (TTL), but setup is easy
Options: Data storage, client-side vs. server-side
Server-side database can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
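The idp.properties keys above and the Storage Recommendations table together make a simple pre-flight check possible before a node joins a cluster. The following Python script is an added example (not from the handouts, not shipped with the IdP): it reads the four storage keys from an idp.properties text and flags every entity whose configured storage service has the wrong scope for a cluster, for instance consents left in a per-client cookie. shibboleth.JPAStorageService is the bean named on the slide; shibboleth.StorageService (in-memory), shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService are the bean IDs of the IdP v3 default idp.properties, and both properties texts are constructed samples.

```python
import re

# Scope of each storage service bean. shibboleth.JPAStorageService is the database-backed service named on
# the slide; the in-memory and client (cookie) bean IDs are those of the IdP v3 default idp.properties.
SERVICE_SCOPE = {
    "shibboleth.StorageService": "Per Node",                    # in-memory, not shared between nodes
    "shibboleth.ClientSessionStorageService": "Per Client",     # encrypted cookie, floats between nodes
    "shibboleth.ClientPersistentStorageService": "Per Client",  # long-lived cookie (e.g. consents)
    "shibboleth.JPAStorageService": "Cluster",                  # common database configured in global.xml
}

# The "Storage Recommendations" table: recommended scope per storage entity.
RECOMMENDED = {
    "idp.session.StorageService": ("IdP User Session", "Per Client"),
    "idp.consent.StorageService": ("User consents", "Cluster"),
    "idp.artifact.StorageService": ("SAML artifacts", "Cluster"),
    "idp.replayCache.StorageService": ("Message replay cache", "Per Node"),
}

PROP_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal reader for Java-style 'key = value' files; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_cluster_storage(props, artifacts_used=True):
    """Return deviations from the recommendations as (entity, configured bean, its scope, recommended scope).
    A cluster-wide replay cache is accepted as the stricter alternative the slides mention."""
    findings = []
    for key, (entity, wanted) in RECOMMENDED.items():
        if key == "idp.artifact.StorageService" and not artifacts_used:
            continue  # irrelevant when SAML 2.0 artifacts are not used at all
        bean = props.get(key, "<not set>")
        scope = SERVICE_SCOPE.get(bean, "unknown")
        stricter_ok = key == "idp.replayCache.StorageService" and scope == "Cluster"
        if scope != wanted and not stricter_ok:
            findings.append((entity, bean, scope, wanted))
    return findings


# Constructed samples: the single-node defaults and a cluster-ready configuration.
DEFAULT_PROPERTIES = """\
# storage services as shipped with IdP v3 (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

CLUSTER_PROPERTIES = """\
# consents and artifacts moved to the common database (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_PROPERTIES), ("cluster", CLUSTER_PROPERTIES)):
        findings = check_cluster_storage(parse_properties(text))
        print(f"[{name}] {'no deviations' if not findings else ''}")
        for entity, bean, scope, wanted in findings:
            print(f"[{name}] {entity}: {bean} is {scope}, recommended {wanted}")
```

The default properties produce two findings (consents and artifacts are not cluster-wide), only one if artifacts are declared unused, and the cluster variant none; the Persistent ID store is deliberately not covered, since the slide places its configuration in global.xml rather than in idp.properties.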
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally
[Figure: world map of academic identity federations (production and pilot). Source: https://refeds.org/federations/federations-map]
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
[Figure: Resource Registry screenshot of the interfederation option]
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Figure: diagram of entity category tags carried in metadata]
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. Increase the trust in Service Providers (SPs)]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Figure: attribute release rules diagram]

Attribute Release Settings (1)
[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Figure: Resource Registry screenshot of the attribute release settings]
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7. Config in /etc/tomcat7/logging.properties:
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7. Config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP. services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change them if required, i.e.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS" />
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    – If YES: the SP has to find out why it fails
    – If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
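An added example, not part of the handout and not IdP code, that applies the decision tree above to idp-audit.log lines: it picks the SP's latest SSO login and compares the released attributes with the SP's requirements from the Resource Registry. The sample lines, the SP entityIDs and the field layout are constructed assumptions; verify the layout against the audit format configured on your IdP.

```python
"""Triage attribute release for one SP from idp-audit.log lines, following the
decision tree of the slide: nothing released -> check the release policy,
incomplete -> review the policy, complete -> the SP has to investigate."""

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
PWD_AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample lines. The field layout is an ASSUMPTION for this example:
# time|inbound-binding|message-id|relying-party|profile|user|authn-context|attributes|...
# Check the audit format configured on your IdP before running this on real logs.
SAMPLE_AUDIT_LINES = [
    "20150610T141102Z|" + REDIRECT + "|_c1|https://sp.example.org/shibboleth-sp|"
    + SSO_PROFILE + "|jdoe|" + PWD_AC + "|eduPersonPrincipalName|...",
    "20150611T081502Z|" + REDIRECT + "|_c2|https://sp.example.org/shibboleth-sp|"
    + SSO_PROFILE + "|jdoe|" + PWD_AC
    + "|eduPersonPrincipalName,mail,eduPersonScopedAffiliation|...",
    # an SP that got a login but no attributes at all
    "20150611T081640Z|" + REDIRECT + "|_c3|https://filesender.example.net/shibboleth|"
    + SSO_PROFILE + "|jdoe|" + PWD_AC + "||...",
    # an admin flow entry as shown in the reload slides: no relying party, no attributes
    "20150611T081911Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
]


def parse_audit_line(line):
    """Split one audit line into the fields this triage needs; None if too short."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 8:
        return None
    attributes = {a for a in fields[7].split(",") if a}
    return {
        "time": fields[0],
        "relying_party": fields[3],
        "profile": fields[4],
        "user": fields[5],
        "attributes": attributes,
    }


def sso_logins_for(lines, sp):
    """All browser SSO records for the given SP entityID (admin flows are skipped)."""
    records = (parse_audit_line(line) for line in lines)
    return [r for r in records
            if r and r["relying_party"] == sp and r["profile"] == SSO_PROFILE]


def check_release(lines, sp, required):
    """Compare the attributes released at the latest login with the SP's requirements.
    Returns a dict with status, the missing attribute IDs and the next step."""
    logins = sso_logins_for(lines, sp)
    if not logins:
        return {"status": "no-login", "missing": set(required),
                "advice": "no SSO login for this SP in the audit log: check metadata and discovery first"}
    latest = max(logins, key=lambda r: r["time"])
    released = latest["attributes"]
    if not released:
        return {"status": "nothing-released", "missing": set(required),
                "advice": "check your IdP's attribute release policy"}
    missing = set(required) - released
    if missing:
        return {"status": "incomplete", "missing": missing,
                "advice": "review your attribute release policy"}
    return {"status": "complete", "missing": set(),
            "advice": "all required attributes released: the SP has to find out why it fails"}


if __name__ == "__main__":
    result = check_release(SAMPLE_AUDIT_LINES, "https://sp.example.org/shibboleth-sp",
                           {"eduPersonPrincipalName", "mail", "displayName"})
    print(result["status"], sorted(result["missing"]), "->", result["advice"])
```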
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
Page 58
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!
Page 59
Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
Page 60
References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Page 61
Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata!
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, no metadata/Resource Registry change is needed in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
(Screenshot of the Resource Registry: sections 1 and 2 to review, section 3 to adapt)
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
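An added example, not from the handout: a Python scan that generalises the grep above to all candidate bindings and reports, per binding, whether it was never seen, last used before a cutoff date, or still in use. The log lines are constructed and their message wording is an assumption; only the binding URIs are the real SAML identifiers.

```python
"""Find the last use of each SAML binding in idp-process.log lines before removing
endpoints from the Resource Registry."""
import re
from datetime import datetime

# Constructed log lines in the idp-process.log shape (timestamp, level, logger,
# message). The message wording is made up for this example; the scan only relies
# on the timestamp prefix, the binding URI and the relying party URL.
SAMPLE_LOG_LINES = [
    "2014-12-20 17:41:03,008 - INFO [net.shibboleth.idp.profile:101] - Request from "
    "https://legacy.example.org/shibboleth using urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-01-15 08:02:11,421 - INFO [net.shibboleth.idp.profile:101] - Request from "
    "https://legacy.example.org/shibboleth using urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "2015-06-10 09:30:44,512 - INFO [net.shibboleth.idp.profile:101] - Request from "
    "https://sp.example.org/shibboleth using urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "2015-06-10 09:31:02,077 - INFO [net.shibboleth.idp.profile:101] - Request from "
    "https://sp.example.org/shibboleth using urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "2015-06-10 09:31:02,080 - DEBUG [net.shibboleth.idp.attribute.resolver:77] - "
    "Resolving attributes for jdoe",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.[01]:bindings:[A-Za-z-]+")
SP_RE = re.compile(r"https?://[^\s|,]+")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Removal candidates named on the slide. Both SAML1 SOAP endpoints (artifact
# resolution and attribute query) share one binding URI, so a hit for it means
# at least one of the two is still in use.
CANDIDATES = {
    "SingleSignOnService SAML2 HTTP-POST-SimpleSign":
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "ArtifactResolutionService / AttributeService SAML1 SOAP":
        "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}


def parse_line(line):
    """Return (timestamp, binding, relying_party) or None for lines without a binding."""
    ts = TS_RE.match(line)
    binding = BINDING_RE.search(line)
    if not ts or not binding:
        return None
    sp = SP_RE.search(line)
    when = datetime.strptime(ts.group(1), TS_FMT)
    return when, binding.group(0), (sp.group(0) if sp else None)


def last_use_by_binding(lines):
    """Map binding URI -> (latest timestamp as 'YYYY-MM-DD HH:MM:SS', relying party)."""
    last = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, binding, sp = parsed
        if binding not in last or when > last[binding][0]:
            last[binding] = (when, sp)
    return {b: (when.strftime(TS_FMT), sp) for b, (when, sp) in last.items()}


def removal_report(lines, cutoff_date):
    """Classify each candidate endpoint relative to cutoff_date ('YYYY-MM-DD'):
    'never_seen', 'stale' (last use before the cutoff) or 'in_use'.
    Returns {endpoint: (status, last_time, last_sp)}."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    last = last_use_by_binding(lines)
    report = {}
    for endpoint, binding in CANDIDATES.items():
        if binding not in last:
            report[endpoint] = ("never_seen", None, None)
            continue
        when_text, sp = last[binding]
        status = "stale" if datetime.strptime(when_text, TS_FMT) < cutoff else "in_use"
        report[endpoint] = (status, when_text, sp)
    return report


if __name__ == "__main__":
    for endpoint, (status, when, sp) in removal_report(SAMPLE_LOG_LINES, "2015-03-01").items():
        detail = f" (last {when} by {sp})" if when else ""
        print(f"{endpoint}: {status}{detail}")
```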
Page 68
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of in memory on the server
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment
(diagrams of an example cluster environment, two slides)
Page 71
Options: Full-featured setup
Load balancing hardware vs. DNS round robin
• Special load balancing hardware or software is highly recommended
  – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  – Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  – Behavior of clients is not determinable
  – Does not guarantee sticky sessions

Options: Basic setup (active/standby system)
• Anycast IP address
  – Fast switching possible, but more complicated setup
• Switching via DNS
  – Switching takes some time (TTL), but the setup is easy
Options: Data storage, client-side vs. server-side
• A server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally
(map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
(screenshot of the Resource Registry) https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
(diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment, which increases the trust in Service Providers (SPs))
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
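An added example, not from the handout or the IdP software: a Python evaluator for the entity attributes carried in SAML metadata, serving both the relying party override by home-organisation tag shown in the slide "Example relying party override" and the entity categories (CoCo, R&S) described here. The sample metadata and entityIDs are constructed; the R&S attribute set follows the slide, and the behaviour of the CoCo branch (release decided per SP, nothing automatic) is an assumption of this example.

```python
"""Evaluate SAML metadata entity attributes: home-organisation tags (the test the
RelyingPartyByTag/TagCandidate override performs) and entity categories (GEANT DP
CoCo, REFEDS R&S) that drive a scalable attribute release policy."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# R&S bundle from the slides; the minimal subset is ePPN, mail and a person name
# (displayName, or givenName + sn).
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation",
             "eduPersonTargetedID"}
RS_MINIMAL = {"eduPersonPrincipalName", "mail"}

# Constructed sample metadata (entityIDs are made up; values follow the slide example).
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.net/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain.example.com/shibboleth"/>
</md:EntitiesDescriptor>"""


def entity_attributes(metadata_xml):
    """Return {entityID: {attribute Name: set of values}} for every EntityDescriptor.
    Values are whitespace-trimmed, so the multi-line value style of the slide
    example still compares equal to the category URI."""
    root = ET.fromstring(metadata_xml)
    descriptors = root.findall(".//md:EntityDescriptor", NS)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        descriptors.append(root)  # a single-entity file
    result = {}
    for ed in descriptors:
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
            attrs.setdefault(attr.get("Name"), set()).update(v for v in values if v)
        result[ed.get("entityID")] = attrs
    return result


def matches_tag(attrs, name, values):
    """Same test as the TagCandidate bean: the entity carries attribute `name`
    with at least one of `values`."""
    return bool(attrs.get(name, set()) & set(values))


def consent_disabled(attrs, home_orgs):
    """True if the SP belongs to one of `home_orgs` (the NoUserConsent override case)."""
    return matches_tag(attrs, SWISS_HOME_ORG, home_orgs)


def release_plan(attrs, available):
    """Decide what to release to an SP from the user's `available` attributes.
    R&S: the fixed bundle and nothing else (data minimisation). CoCo: the SP may
    request any attributes, so a per-SP rule decides; this example releases
    nothing automatically in that case (assumption, not an IdP rule)."""
    available = set(available)
    cats = attrs.get(ENTITY_CATEGORY, set())
    if REFEDS_RS in cats:
        wanted = set(RS_BUNDLE)
        wanted |= {"displayName"} if "displayName" in available else {"givenName", "sn"}
        missing = RS_MINIMAL - available
        if not ({"displayName"} & available or {"givenName", "sn"} <= available):
            missing.add("person name")
        return {"category": "refeds-rs", "release": wanted & available, "missing": missing}
    if COCO_V1 in cats:
        return {"category": "geant-coco", "release": set(), "missing": set()}
    return {"category": "none", "release": set(), "missing": set()}
```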
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
(diagram)
Page 88
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the IdP services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK. Change them if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way
  – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep '<bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – Interfederation Metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is not clear whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load the interfederation metadata
  • The SP does not know the IdP and fails
Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities

• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!
Upgrading Procedure

• Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (the tar.gz package is recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Good to know

• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata!

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints

To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot): sections 1 and 2 to review, section 3 to adapt
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and domain hints
5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP's Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/…
to https://aai-login.example.org/idp/…
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Example Environment (diagrams only on slides 5 and 6)
Options

• Full-featured setup: load balancing hardware vs DNS round robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy
Options

• Data storage: client-side vs server-side
  • A server-side database can store any data
    • But: might cause some performance penalty
    • A centralized/clustered or replicated database is required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation /        eduPerson    staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2) (screenshot)

https://www.switch.ch/aai/interfederation/
eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

Policy framework (diagram): eduGAIN Declaration, eduGAIN Constitution, Metadata Profile, Web SSO Profile, Attribute Profile, Code of Conduct
SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories

A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
• Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (screenshot of an entity category in metadata)
GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs) (diagram): SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct

• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes
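Both the troubleshooting advice earlier in these handouts (search the SP in the interfederation metadata file, check which attributes it requires) and the entity-category comparison above come down to reading an entity's metadata. The following script is an added example, not part of the SWITCH handouts or of the Shibboleth IdP: it looks an entityID up in a SAML metadata aggregate, reports its roles, its entity categories and the attributes it requests, and derives the bundle an entity-category based release policy would give it (the fixed R&S subset for R&S, the isRequired attributes for CoCo). The aggregate is constructed here; the category URIs are the published ones. The isRequired-only rule for CoCo is an assumption (the stricter of the usual choices); on a real IdP the decision is made by the rules in attribute-filter.xml.

```python
"""Added example (not from the handout, SWITCH or the Shibboleth project): look an
entity up in a SAML metadata aggregate, report roles and entity categories, and
derive the attribute bundle an entity-category based release policy gives it.
The aggregate below is constructed; the CoCo branch releasing only attributes
marked isRequired="true" is an assumption about the local policy."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# R&S minimal subset from the handout: ePPN, mail and a person name (displayName here).
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName"})

# Constructed aggregate: one CoCo SP, one R&S SP and one IdP (not real federation metadata).
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor Name="constructed-example"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth-sp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Constructed CoCo SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rs-sp.example.edu/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_entities(aggregate_xml):
    """Map entityID -> EntityDescriptor element (nested EntitiesDescriptors included)."""
    root = ET.fromstring(aggregate_xml)
    return {ed.get("entityID"): ed for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor")}


def describe_entity(entities, entity_id):
    """Roles, entity categories and requested attributes of one entity, or None if
    the entity is absent from the aggregate (the 'SP does not know the IdP' case)."""
    ed = entities.get(entity_id)
    if ed is None:
        return None
    roles = [child.tag.rsplit("}", 1)[-1] for child in ed if child.tag.endswith("Descriptor")]
    categories = set()
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY_ATTR:
            categories.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    requested = {}
    for ra in ed.findall("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        requested[name] = ra.get("isRequired", "false").lower() in ("true", "1")
    return {"entityID": entity_id, "roles": roles, "categories": categories, "requested": requested}


def release_bundle(info):
    """Attributes an entity-category based policy releases to this entity:
    R&S -> the fixed R&S bundle; CoCo -> the attributes the SP requires in metadata;
    no category (or not an SP) -> nothing, i.e. an explicit rule would be needed."""
    released = set()
    if "SPSSODescriptor" not in info["roles"]:
        return released
    if RS_CATEGORY in info["categories"]:
        released |= RS_BUNDLE
    if COCO_CATEGORY in info["categories"]:
        released |= {name for name, required in info["requested"].items() if required}
    return released


if __name__ == "__main__":
    # On a real IdP: open("/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml").read()
    entities = load_entities(SAMPLE_AGGREGATE)
    for entity_id in entities:
        info = describe_entity(entities, entity_id)
        print(entity_id, info["roles"], sorted(info["categories"]), sorted(release_bundle(info)))
```

An SP that carries neither category gets an empty bundle here, which is exactly the case that needs a per-SP rule in the Resource Registry; an entityID that is not found at all points at the metadata problem described earlier (the aggregate was not loaded or has not propagated yet).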
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2. Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  Default logging location: /var/log/tomcat7. Config in /etc/tomcat7/logging.properties:
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  Default logging location: /var/log/tomcat7. Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)

• Logging implementation called Logback, the Log4j successor. Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Shibboleth log files (2)

Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok. Change them if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

<!-- SMTPAppender sends a mail when an event reaches its trigger level (ERROR by default),
     including the preceding events it buffers; with the root level DEBUG below that
     buffer is verbose -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so this is only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
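The two slides above describe the reload flows and the grep that lists the reloadable bean IDs; the hands-on ideas at the end of this chapter ask what happens with an invalid ID and what the audit log records. The following script is an added example, not part of the SWITCH handouts or of the Shibboleth distribution: it extracts the reloadable service IDs from services-system.xml the way the grep does, refuses an unknown ID before any request is sent, builds the reload-service URL and optionally calls it, and scans idp-audit.log lines for reload events. The excerpt of services-system.xml (class names shortened), the audit lines and the base URL https://aai-login.example.org/idp are constructed here; the script also assumes the timestamp is the first field of an audit record.

```python
"""Added example (not part of the SWITCH handouts or the Shibboleth distribution):
a small helper around the IdP v3 admin reload flows. The services-system.xml
excerpt and the audit lines below are constructed; the audit record is assumed to
start with its timestamp field."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode

IDP_BASE_URL = "https://aai-login.example.org/idp"  # assumed IdP base URL

# Constructed excerpt in the shape of /opt/shibboleth-idp/system/conf/services-system.xml
SAMPLE_SERVICES_SYSTEM_XML = """
<beans>
  <bean id="shibboleth.LoggingService"
        class="net.shibboleth.idp.log.LogbackLoggingService" />
  <bean id="shibboleth.AttributeFilterService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
  <bean id="shibboleth.AttributeResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
  <bean id="shibboleth.MetadataResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
</beans>
"""

# Constructed lines in the shape of idp-audit.log ('|'-separated fields; the handout
# shows only the profile field of the reload records).
SAMPLE_AUDIT_LINES = [
    "20150611T085900Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1|"
    "https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|||",
    "20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T090130Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
]

# Same selection as the handout's grep 'bean id=.*class': beans with an explicit class.
BEAN_RE = re.compile(r'<bean\s+id="([^"]+)"\s+class="')
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}


def reloadable_service_ids(services_system_xml):
    """Sorted IDs of beans declared with an explicit class in services-system.xml."""
    return sorted(set(BEAN_RE.findall(services_system_xml)))


def reload_url(service_id, known_ids, base_url=IDP_BASE_URL):
    """Build the reload-service URL, refusing IDs the IdP does not know about."""
    if service_id not in known_ids:
        raise ValueError(f"unknown service id {service_id!r}; known: {', '.join(known_ids)}")
    return f"{base_url.rstrip('/')}/profile/admin/reload-service?{urlencode({'id': service_id})}"


def reload_service(service_id, known_ids, base_url=IDP_BASE_URL, timeout=30):
    """Call the reload flow and return (HTTP status, response body).
    The flow is only reachable from hosts allowed in access-control.xml (localhost
    by default), so run this on the IdP node itself. A non-2xx status is returned
    rather than raised so the caller can log the IdP's error text."""
    req = urllib.request.Request(reload_url(service_id, known_ids, base_url))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload_events(audit_lines):
    """(timestamp, flow) for every reload recorded in idp-audit.log. The record
    carries the profile URI only; the id= argument that was reloaded is not in the
    audit log and has to be taken from idp-process.log."""
    events = []
    for line in audit_lines:
        fields = line.rstrip("\n").split("|")
        for field in fields:
            if field in RELOAD_PROFILES:
                events.append((fields[0], RELOAD_PROFILES[field]))
    return events


if __name__ == "__main__":
    ids = reloadable_service_ids(SAMPLE_SERVICES_SYSTEM_XML)
    print("reloadable services:", ", ".join(ids))
    print("would call:", reload_url("shibboleth.AttributeResolverService", ids))
    for stamp, flow in reload_events(SAMPLE_AUDIT_LINES):
        print(f"{stamp}: {flow}")
```

On a real node, read the ID list from /opt/shibboleth-idp/system/conf/services-system.xml and call reload_service() with a base URL that resolves to the node itself; with a certificate not trusted by the local Java or Python trust store the request fails at the TLS layer, which is the same hurdle the curl variant on the previous slide has.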
And restartless login page editing too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
Slide 7: (Ideas for) hands-on exercises

• Try reloading a couple of the services listed on slide 4 (Available bean IDs for service reloads):
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• Check what happens when specifying invalid bean IDs.
• Insert a syntax error into a configuration file and try reloading the corresponding service. (A failed reload leaves the previously loaded configuration active; the failure is reported in the HTTP response and logged in idp-process.log.)
• Entries in idp-audit.log just record reload events, with all other fields empty:
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
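The following script is an added example for the reload exercises above; it is not part of the SWITCH handout. It wraps the v3 reload flow in a function that treats anything but HTTP 200 as a failure, counts reload events in idp-audit.log, and answers the "which id= was supplied?" question by reading the web server's access log, which keeps the full query string of the GET request, whereas the audit log only records the profile URI. The host name, the paths and all log lines are placeholders constructed for the example; the audit field positions assume the IdP v3 default audit format (timestamp|inbound binding|message id|relying party|profile|...).

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): reload helper plus log parsing
# to recover the id= argument that idp-audit.log does not record.
# Assumptions: Apache fronts the IdP and writes a combined-format access log,
# the reload URLs are the ones shown on the slide, and the audit log uses the
# IdP v3 default format with the profile URI in the fifth pipe-separated field.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Trigger a reload of one reloadable service. A reload that fails (e.g. after a
# syntax error was inserted) leaves the previously loaded configuration active;
# the non-200 status is the signal to go and read idp-process.log.
reload_service() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "${IDP_BASE}/profile/admin/reload-service?id=$1")
    [ "$code" = "200" ] || { echo "reload of $1 failed (HTTP $code)" >&2; return 1; }
    echo "reloaded $1"
}

# Count reload events in an idp-audit.log: the profile URI is the fifth field.
count_reload_events() {
    awk -F'|' '$5 ~ /\/profiles\/reload-(service-configuration|metadata)$/ { n++ }
               END { print n + 0 }' "$1"
}

# Recover the id= values from an Apache access log (combined format), with a
# count per id, most frequent first.
reload_ids_from_access_log() {
    grep -oE '/profile/admin/reload-(service|metadata)\?id=[^ "]+' "$1" \
        | sed 's/.*?id=//' | sort | uniq -c | sort -rn
}

# Constructed sample logs (not real output), written to a temporary directory.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/idp-audit.log" <<'EOF'
20150611T081500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T090000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5e1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||user1|||||
EOF
    cat > "$dir/access.log" <<'EOF'
127.0.0.1 - - [11/Jun/2015:10:15:00 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 54 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:10:15:30 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaai HTTP/1.1" 200 48 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:10:16:00 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 54 "-" "curl/7.35.0"
EOF
    echo "$dir"
}

SAMPLES=$(make_sample_logs)
echo "reload events in audit log: $(count_reload_events "$SAMPLES/idp-audit.log")"
echo "ids seen in access log:"
reload_ids_from_access_log "$SAMPLES/access.log"
```

If the reload request bypasses Apache and goes straight to Tomcat, the same query string is found in Tomcat's access log (localhost_access_log.YYYY-MM-DD.txt) instead. Since the reload-* flows are restricted to localhost and the Resource Registry by access-control.xml, the access log is also the place to look for reload attempts from anywhere else.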
New Challenges with Interfederation SPs
Interfederation unites various cultures
Slide 2: Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding: opt-in vs opt-out, metadata, Discovery Service, attributes
• Know whom to contact and where to get help
Slide 3: Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date, the interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process   ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption   ⊖ More likely that entities cause problems unless they opted out before the flag day
Slide 4: Three Examples

1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Slide 5: Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so it does not know the IdP and fails
Slide 6: Discovery Service (DS)

• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes the interfederated IdPs
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  • That can result in this error message at your IdP (the IdP has no metadata for the SP, so it treats it as an unknown relying party, for which no SSO profile is enabled):
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Slide 7: Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so the problem was not discovered earlier.
Slide 8: Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search for it in the eduGAIN list of entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated" checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Slide 9: Troubleshooting interfederated entities

• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation"
• or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Upgrades within Version 3

Slide 3: Upgrading Procedure

• Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (the tar.gz package is recommended for Linux) and verify its PGP signature (the .asc file published alongside the archive) before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
Slide 4: Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: managed by you, not touched by upgrades, e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software and overwritten during upgrades, e.g. system, webapp
• Never touch the system directories system and webapp (customizations of the web application belong into edit-webapp).
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes.
Slide 5: References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
Updating the Home Organisation Description: Changes in Resource Registry

Slide 3: What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.
Slide 4: Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata might still cause some minor changes.
Slide 5: IdPv2 vs IdPv3 Metadata

• The endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Slide 6: Home Organisation Description (annotated screenshot of the Resource Registry form: items 1 and 2 to review, item 3 to adapt)
Slide 7: 1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and domain hints
• 5 Contacts: please ensure that only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
Slide 8: 2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP address for the IdP Attribute Authority (AA)
Slide 9: 2. Change URL for Attribute Authority

New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed, and no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
Slide 10: But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key, and the IdP checks the signature with the SP's public key from metadata. This works because the SP's signing certificate is part of its metadata, which the IdP loads from the signed federation feed; the trust therefore rests on the metadata signature, not on the TLS layer.
Slide 11: 2. Change URL for Attribute Authority

What to adapt in the Resource Registry? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…
Slide 12: 3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it is better to only publish in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with the SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with the SAML1 SOAP binding
• Attribute Service with the SAML1 SOAP binding
But only remove them after verifying that they are not used.
Slide 13: 3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check whether it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding requests in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time, SP) when the binding was last used. Make sure the rotated log files you grep actually cover the whole period you are checking; an endpoint that looks unused in a two-week log window may well be used by a yearly batch job.
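The script below is an added example for the usage check above; it is not part of the SWITCH handout. Instead of grepping idp-process.log it reads idp-audit.log, which records the inbound binding of every request in a fixed field, and reports for a given binding URN when each relying party last used it, so that the decision to remove an endpoint from the Resource Registry is based on a per-SP list rather than a raw grep. It assumes the IdP v3 default audit format (timestamp|inbound binding|message id|relying party|profile|...); the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): per-SP last-use report for an
# endpoint binding, read from idp-audit.log before the endpoint is removed.
# Assumption: IdP v3 default audit format, i.e. field 1 = timestamp,
# field 2 = inbound binding URN, field 4 = relying party entityID.

SAML1_SOAP="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Print "<last use> <count> <relying party>" for every SP that sent a request
# with the given binding, newest first. $1 = binding URN, $2.. = audit log files.
usage_of_binding() {
    binding="$1"; shift
    awk -F'|' -v b="$binding" '
        $2 == b { n[$4]++; if ($1 > last[$4]) last[$4] = $1 }
        END { for (sp in n) printf "%s %d %s\n", last[sp], n[sp], sp }
    ' "$@" | sort -r
}

# Print the newest timestamp at which the binding was used, or "never".
last_use_of_binding() {
    first=$(usage_of_binding "$@" | head -n 1)
    [ -n "$first" ] && echo "${first%% *}" || echo "never"
}

# Decision helper: returns 0 when the binding is unused in the logs passed,
# 1 otherwise. Only meaningful if the logs cover the whole period you care
# about (check the rollover and retention settings in logback.xml).
safe_to_remove() {
    [ "$(last_use_of_binding "$@")" = "never" ]
}

# Constructed sample audit log (not real output): two SAML1 attribute queries
# from one old SP, and one ordinary SAML2 browser SSO login.
make_sample_audit_log() {
    file=$(mktemp)
    cat > "$file" <<'EOF'
20150112T093000Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a1|https://old-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding||||||||
20150302T141200Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a2|https://old-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding||||||||
20150610T080000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_b1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||user1|||||
EOF
    echo "$file"
}

AUDIT=$(make_sample_audit_log)
for b in "$SAML1_SOAP" "$SAML2_SIMPLESIGN"; do
    echo "$b: last used $(last_use_of_binding "$b" "$AUDIT")"
    usage_of_binding "$b" "$AUDIT"
done
```

On a real IdP pass all rotated files at once, e.g. usage_of_binding "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-audit*.log, and contact the listed SPs before removing an endpoint they still use.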
Clustering IdPs: High Availability and Load Balancing
Slide 2: Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to log in again.
Slide 3: Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of in server memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  • Full support for attribute queries requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Slide 4: Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or some replication mechanism
Slides 5 and 6: Example Environment (diagrams)
Slide 7: Options

• Full-featured setup: load balancing hardware vs DNS round robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of the IdP nodes can be monitored
    • Supports sticky sessions (required for the short-lived conversation sessions)
  • DNS round robin doesn't work reliably: the behavior of clients is not determinable, and it does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy
Slide 8: Options

• Data storage: client-side vs server-side
  • A server-side database can store any data
    • But it might cause some performance penalty
    • A centralized/clustered or replicated database is required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
• There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Slide 9: Storage Entities

• Conversation session (profile request session)
  • Transient web flow at the IdP, e.g. a SAML2 SSO login sequence
  • Bound to a single node (session state is stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP user session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support attribute queries
Slide 10: Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration). With a per-node cache, a captured message that is still within its validity window could be replayed once against each of the other nodes.
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Slide 11: Storage Recommendations

  Storage entity          Recommended storage   Scope
  Conversation session    Memory                Per node
  IdP user session        Client                Per client
  Persistent ID           Common database       Cluster
  User consents           Common database       Cluster
  SAML artifacts          Common database       Cluster
  Message replay cache    Memory                Per node

Remarks:
• "Common database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
Slide 12: IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP user session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: the Persistent ID is configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Slide 13: IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
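As an added example for the two configuration slides above (it is not part of the SWITCH handout), the script below checks the storage settings in one node's idp.properties against the recommendation table. The property names are the IdP v3 ones listed on slide 12; the defaults it assumes for unset properties are the IdP 3.1 defaults as I know them (verify them against your own conf/idp.properties), and the common-database bean is the shibboleth.JPAStorageService from global.xml as deployed in SWITCHaai. The sample properties file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): audit the storage settings of a
# cluster node's idp.properties against the recommendation table.
# Assumptions: IdP v3 property names; the defaults below are the IdP 3.1
# defaults applied when a property is unset; shibboleth.JPAStorageService is
# the common-database storage bean defined in global.xml.

# property:IdP default when unset:recommended value for a cluster
ENTRIES="idp.session.StorageService:shibboleth.ClientSessionStorageService:shibboleth.ClientSessionStorageService
idp.consent.StorageService:shibboleth.ClientPersistentStorageService:shibboleth.JPAStorageService
idp.artifact.StorageService:shibboleth.StorageService:shibboleth.JPAStorageService
idp.replayCache.StorageService:shibboleth.StorageService:shibboleth.StorageService"

# Value of property $2 in file $1 (comments ignored, last definition wins).
prop() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Prints one line per setting that deviates from the recommendation and
# returns the number of deviations (0 means the node matches the table).
check_storage_config() {
    file="$1"; bad=0
    for entry in $ENTRIES; do
        key=${entry%%:*}; rest=${entry#*:}
        default=${rest%%:*}; want=${rest#*:}
        have=$(prop "$file" "$key")
        effective=${have:-$default}
        if [ "$effective" != "$want" ]; then
            if [ -z "$have" ]; then origin=" (unset, IdP default applies)"; else origin=""; fi
            echo "$key = $effective$origin; recommended for a cluster: $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed excerpt of an idp.properties: consent still on the client, the
# artifact store left at its default, the other two as recommended.
make_sample_properties() {
    file=$(mktemp)
    cat > "$file" <<'EOF'
# constructed excerpt of /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.ClientSessionStorageService
# idp.consent.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
    echo "$file"
}

PROPS=$(make_sample_properties)
check_storage_config "$PROPS" || echo "$? storage setting(s) deviate from the recommendation"
```

Run it on every node of the cluster: the table only holds if all nodes point at the same common database, and a single node left at the client-side consent default silently stores its users' consents in cookies while the others use the database.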
Slide 14: IdP Configuration: Secret Key Management

• The IdP user session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key; it is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • Copy the keystore and its version file together, over an authenticated channel (e.g. scp or rsync over SSH). A node that misses a rotation cannot decrypt sessions sealed with the new key by the other nodes, which shows up as users being asked to log in again when they land on that node.
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Slide 15: Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta: no longer an option for IdPv3
Slide 16: Considerations for planning an IdP cluster

• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Slide 17: References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
Slide 2: Goals

• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help with a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
Slide 4: Why Interfederation?

• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  • Research projects are mostly multi-national
• Interconnecting national federations: interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Slide 5: All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)
Slide 6: eduGAIN Status

• eduGAIN is the GÉANT interfederation service
• eduGAIN design principles: low barrier to entry; no mandate to change local standards/procedures; minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
• http://www.edugain.org
• https://technical.edugain.org/status.php
Slide 7: Enabling Interfederation in the Resource Registry

• https://www.switch.ch/aai/interfederation
• Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Slide 8: Recommended Interfederation Attributes

  Friendly name                Defined in   Example
  displayName                  eduPerson    Peter Sample
  common name (cn)             eduPerson    Peter Sample
  mail                         eduPerson    peter.sample@example.org
  eduPersonAffiliation         eduPerson    staff
  eduPersonScopedAffiliation   eduPerson    staff@example.org
  eduPersonPrincipalName       eduPerson    234cd8z239@example.org
  schacHomeOrganization        SCHAC        example.org
  schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Slide 9: Enabling Interfederation (2) (screenshot of the Resource Registry; https://www.switch.ch/aai/interfederation)
Slide 10: eduGAIN: What is it and how does it work?

• eduGAIN provides the policy framework and the standards to build trust: eduGAIN Constitution, eduGAIN Declaration, Metadata Profile, Web SSO Profile, Attribute Profile, Code of Conduct
• SPs and IdPs of participating federations should opt in for eduGAIN; some federations decided for opt-out instead
• The MDS (metadata service) fetches, aggregates and republishes the federations' metadata

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Slide 12: Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Slide 13: Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use, with criteria such as purpose, policies or other
• In the interfederation context: fills the gap of missing common policies; supports or increases scalable trust

Slide 14: Metadata (illustration of the entity category attribute in an entity's metadata)
Slide 15: GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
• Goal: increase the trust in Service Providers (SPs). Diagram: SPs commit to the GÉANT Data Protection Code of Conduct, and Home Organisations (HOs) learn the SP's commitment from the entity category in its metadata.
• Code of Conduct toolkit: Data Protection Code of Conduct for SPs in EU/EEA; entity category attribute definition for the Code of Conduct; SAML2 profile for the Data Protection Code of Conduct
Slide 16: GÉANT Data Protection Code of Conduct: Principles

Legal compliance; purpose limitation; data minimisation; deviating purposes; data retention; third parties; security measures; information duty towards the end user; information duty towards the home organization; security breaches; liability; transfer to third countries; governing law and jurisdiction; eligibility to execute; termination of the Code of Conduct; survival of the clauses; precedence
Slide 17: Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

Links:
• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Slide 18: Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Slide 19: REFEDS Research & Scholarship

• R&S SPs support research & scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Slide 20: Comparison

  REFEDS R&S                    GÉANT DP CoCo
  Global                        Mainly Europe
  Common purpose of the SPs     Common data protection standards
  Fixed set of attributes       SP can require any attributes
Attribute Release Configuration: How attributes are released

Slide 2: Attribute Release Rules (screenshot)
Slide 3: Attribute Release Settings (1) (screenshot: Resource Registry > Edit Home Organization Description > Attribute Release Settings)

Slide 4: Attribute Release Settings (2) (screenshot)
Overview of Log Files
Slide 2: Apache log files

• error.log: aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2; the log files are defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Slide 3: Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat; default location /var/log/tomcat7; configured in /etc/tomcat7/logging.properties (FileHandler.level: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL; default INFO)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with each request (IP address, time, request method GET or POST, URL, status); default location /var/log/tomcat7; configured by the AccessLogValve in /etc/tomcat7/server.xml (output dir, name and pattern). Not to be confused with localhost.YYYY-MM-DD.log, the container's per-host log driven by logging.properties.
Slide 4: Shibboleth log files (1)

• Logging implementation: Logback, the Log4j successor; manual at http://logback.qos.ch/manual/index.html
• Reloadability: the log level can be changed without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error (see the SMTPAppender example on slide 7)
Slide 5: Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log (warnings and errors only)
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Slide 6: Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually ok; change them if required, e.g. to debug the LDAP authentication module or authentication events, or to add a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Slide 7: SMTPAppender in logback.xml

```xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>
```

By default the SMTPAppender only sends a mail when an event of level ERROR arrives; it keeps the preceding events in a cyclic buffer and includes them in the mail, so attaching it to the root logger does not mail every DEBUG line (configure an <evaluator> if you need another trigger). A root level of DEBUG is fine for this training exercise but makes idp-process.log very large in production; keep INFO there. Reference: http://logback.qos.ch/manual/appenders.html
Slide 8: Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong (non-existent) class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Slide 9: Hands On 2: Find out why not all of the attributes appear
Slide 10: Hands On 2 (continued)

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator, and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat (ldap.properties is not reloadable) and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) again (the native IdP v3 form is (uid=$resolutionContext.principal)) and restart Tomcat

Reloading the Configuration: New options with IdPv3
Slide 2: Reloading the configuration with v2

• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Slide 3: New reloading options with v3

• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep '<bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry). Keep it that way: anyone who can call these flows can make the IdP re-read whatever is on disk and trigger metadata refreshes at will.
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward.
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
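Two of the exercise items above, the reload call with curl and the question of how to tell which id= argument a reload event in idp-audit.log belonged to, as an added shell example that is not part of the SWITCH handout. It assumes the IdP base URL https://aai-login.example.org/idp from the slides as a placeholder (override with IDP_BASE), that the script runs from a host allowed by access-control.xml, and that idp-audit.log uses the '|'-separated layout shown above; the audit lines written by write_sample_audit_log are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): a wrapper around the IdP v3
# reload-service admin flow that validates the bean ID before calling curl,
# plus a helper that counts reload events in idp-audit.log.
# Assumptions: the IdP is reachable at IDP_BASE (placeholder host below), the
# reload URLs are called from an allowed address (localhost by default), and
# audit lines use the '|'-separated layout shown on the slides.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Bean IDs from the "Available bean IDs for service reloads" slide.
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Succeed only if $1 is one of the known reloadable service bean IDs.
is_reloadable_service() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -qxF -- "$1"
}

# Print the reload URL for bean ID $1; fail for unknown IDs so that a typo
# never reaches the IdP (the IdP would answer with an error anyway).
reload_service_url() {
    if ! is_reloadable_service "$1"; then
        echo "unknown service bean ID: $1" >&2
        return 1
    fi
    printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$1"
}

# Trigger the reload. --fail turns an HTTP error status into a non-zero
# exit code. The bean ID is logged locally with a timestamp because
# idp-audit.log records only the profile URI, not the id= argument.
reload_service() {
    url=$(reload_service_url "$1") || return 1
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) reload requested for $1"
    curl --silent --show-error --fail "$url"
}

# Count reload events per profile URI in an audit log file ($1).
# Output lines look like: "2 http://shibboleth.net/ns/profiles/reload-service-configuration"
count_reload_events() {
    awk -F'|' '{ for (i = 1; i <= NF; i++) if ($i ~ /\/profiles\/reload-/) c[$i]++ }
               END { for (p in c) print c[p], p }' "$1" | sort
}

# Constructed sample of idp-audit.log reload entries (not real data).
write_sample_audit_log() {
    cat > "$1" <<'EOF'
20150611T080000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T080100Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T080200Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
EOF
}
```

Typical use is `reload_service shibboleth.AttributeFilterService` after editing attribute-filter.xml, and `count_reload_events /opt/shibboleth-idp/logs/idp-audit.log` to see how often reloads were triggered; because the audit record carries no id= value, keeping the wrapper's own local log (or the web server access log, which does contain the query string) is the practical way to answer the exercise question.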
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: Additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt-out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
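The "search it in the metadata file" step above, as an added shell example that is not part of the SWITCH handout. It looks an SP's entityID up in the interfederation metadata file named on the slide and reports the registering federation from the mdrpi:RegistrationInfo extension found in eduGAIN aggregates; an SP that is absent from this file is exactly the case behind the "SSO profile is not configured for relying party" error on the Discovery Service slide. The file path comes from the slide, the metadata written by write_sample_metadata and its entityIDs and registrars are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): look up an SP entityID in the
# interfederation metadata file loaded by the IdP, and show which federation
# registered it (the mdrpi:RegistrationInfo registrationAuthority attribute
# used in eduGAIN metadata). If the SP is absent the IdP cannot know it,
# which is the "SSO profile is not configured for relying party" case from
# the Discovery Service slide. The metadata written by write_sample_metadata
# is constructed; the file path is the one named on the slide.

METADATA="${METADATA:-/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml}"

# Return 0 if an EntityDescriptor with entityID $1 exists in file $2.
entity_in_metadata() {
    grep -q -F -- "entityID=\"$1\"" "$2"
}

# Print the registrationAuthority of entityID $1 in file $2 (nothing if
# the entity is absent or carries no RegistrationInfo). Assumes one
# EntityDescriptor per block, as in aggregate metadata files.
registration_authority() {
    awk -v id="entityID=\"$1\"" '
        index($0, id) { found = 1 }
        found && match($0, /registrationAuthority="[^"]*"/) {
            print substr($0, RSTART + 23, RLENGTH - 24); exit
        }
        found && /<\/EntityDescriptor>/ { found = 0 }' "$2"
}

# Human-readable check for one SP against the metadata file ($2 defaults to METADATA).
check_sp() {
    file="${2:-$METADATA}"
    if entity_in_metadata "$1" "$file"; then
        echo "$1 is in $file (registered by $(registration_authority "$1" "$file"))"
    else
        echo "$1 is NOT in $file: the SP has not published to interfederation or the metadata was not refreshed yet"
        return 1
    fi
}

# Constructed metadata aggregate (entityIDs and registrars are examples only).
write_sample_metadata() {
    cat > "$1" <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://federation-a.example.net"/>
    </Extensions>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp2.example.net/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
}
```

Run `check_sp https://sp.example.org/shibboleth` on the IdP host; a negative result together with the propagation times on the Metadata slide (one to a few days for interfederation) usually explains why a freshly registered SP does not work yet.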
References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
5
Page 61
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team aai@switch.ch
What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata
Page 62
3
Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change URL for Attribute Authority
3. Remove Unnecessary Endpoints
To change metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch
5
Home Organisation Description
6
1, 2: To review
3: To adapt
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation)
2 Descriptive Information: Add new IP ranges and Domain Hints
5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes
7
2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
8
Page 65
2. Change URL for Attribute Authority
New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
9
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
11
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
12
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
13
Page 68
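The log check described above, as an added shell example that is not part of the SWITCH handout: it greps idp-process log files for a binding URI and turns the result into a keep/remove verdict, so the same check can be repeated for each candidate endpoint on the previous slide. The binding URIs are the standard SAML ones; the log lines written by write_sample_log are constructed for this example and are not real IdP output.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): check whether a binding is
# still in use before removing its endpoint from the Resource Registry.
# It greps IdP v3 idp-process log files for the binding URI and reports
# the last occurrence. The log lines written by write_sample_log are
# constructed for this example and are not real IdP output.

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# Print the last log line mentioning binding URI $1 in the log files given
# as the remaining arguments; print nothing if the binding never appears.
last_binding_use() {
    binding="$1"; shift
    grep -h -F -- "$binding" "$@" 2>/dev/null | tail -n 1
}

# Return 0 if binding $1 is unused in the given logs (endpoint may be
# removed), 1 if it was used; print the verdict with the date of last use.
binding_removable() {
    line=$(last_binding_use "$@")
    if [ -z "$line" ]; then
        echo "no use of $1 found: endpoint is a candidate for removal"
        return 0
    fi
    echo "last use of $1 on ${line%% *}: keep the endpoint"
    echo "$line"
    return 1
}

# Constructed sample in the layout of idp-process.log (date, time, level,
# logger, message); the relying parties and timestamps are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
2015-03-02 09:12:01,003 - DEBUG [constructed.sample:1] - Attaching RelyingPartyContext for rp https://sp.example.org/shibboleth
2015-03-02 09:12:01,010 - DEBUG [constructed.sample:2] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-05-28 14:30:22,487 - DEBUG [constructed.sample:3] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
EOF
}
```

On a real IdP the call is `binding_removable "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log`; because rotated logs are only kept for a limited time, run it over the whole retention window before deciding, and check the same way for the SimpleSign binding before removing that endpoint.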
SWITCHaai Team aai@switch.ch
Clustering IdPs: High Availability and Load Balancing
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
2
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
3
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
4
Page 70
Example Environment (figure)
5
Example Environment (figure)
6
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy
7
Options
• Data storage: client-side vs server-side
  Server-side database can store any data
  • But: Might cause some performance penalty
  • Centralized/clustered or replicated database required
  Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client. Not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
8
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO Login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
9
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (Still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
10
Page 73
Storage Recommendations
Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node
Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: Irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
11
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
12
Page 74
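The recommendation table and the idp.properties settings above, combined into an added shell check that is not part of the SWITCH handout: it reads the four storage properties from an idp.properties file and flags the ones that would break a cluster (a node-bound user session, consents or artifacts that other nodes cannot see). The bean names it compares against are the IdP v3 built-in storage services; the properties file written by write_sample_properties is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): compare the storage services
# set in idp.properties with the "Storage Recommendations" table for a
# clustered IdP. The bean names are the IdP v3 built-in storage services
# (shibboleth.StorageService = in-memory, shibboleth.ClientSessionStorageService
# and shibboleth.ClientPersistentStorageService = cookie-based,
# shibboleth.JPAStorageService = database); the properties file written by
# write_sample_properties is constructed for this example.

# Print the value of property $2 in file $1 (last definition wins); print
# nothing if the property is commented out or absent.
get_property() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Print one OK/WARN line per storage entity; return the number of warnings.
check_cluster_storage() {
    warnings=0
    session=$(get_property "$1" idp.session.StorageService)
    consent=$(get_property "$1" idp.consent.StorageService)
    artifact=$(get_property "$1" idp.artifact.StorageService)
    replay=$(get_property "$1" idp.replayCache.StorageService)

    # IdP user session: client-side, so it floats between nodes (table: Client).
    case "${session:-shibboleth.ClientSessionStorageService}" in
        shibboleth.ClientSessionStorageService)
            echo "OK   user session stored on the client" ;;
        *)  echo "WARN user session in $session: node-bound, users must re-login on failover"
            warnings=$((warnings + 1)) ;;
    esac
    # User consents: shared server-side storage (table: Common Database).
    case "$consent" in
        shibboleth.JPAStorageService)
            echo "OK   user consents in the common database" ;;
        *)  echo "WARN user consents in ${consent:-the default client storage}: not shared across browsers or nodes"
            warnings=$((warnings + 1)) ;;
    esac
    # SAML artifacts: must be resolvable on every active node (table: Common Database).
    case "$artifact" in
        shibboleth.JPAStorageService)
            echo "OK   SAML artifacts in the common database" ;;
        *)  echo "WARN SAML artifacts in ${artifact:-the default in-memory storage}: resolution fails on another node"
            warnings=$((warnings + 1)) ;;
    esac
    # Message replay cache: per-node memory is the recommended default (table: Memory).
    echo "OK   replay cache in ${replay:-the default in-memory storage} (per node)"
    return "$warnings"
}

# Constructed idp.properties fragment: consents still on the client, which
# the check flags for a cluster.
write_sample_properties() {
    cat > "$1" <<'EOF'
# storage services (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}
```

Run `check_cluster_storage /opt/shibboleth-idp/conf/idp.properties` on every node; the exit status is the number of warnings, so the check fits into a deployment pipeline. The Persistent ID store is deliberately not covered, since the slide places it in global.xml rather than idp.properties.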
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
13
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
14
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
15
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
16
Page 76
References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
17
Page 77
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78
SWITCHaai Team aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: Its users will be able to access services from other federations
  • Enable the SP for interfederation: The service can serve users from other federations
4
Page 79
All Academic Identity Federations Globally (map: Production / Pilot)
5
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
7
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes
8
Friendly name                            | Defined in | Example
-----------------------------------------|------------|------------------------------------------
displayName                              | eduPerson  | Peter Sample
common name (cn)                         | eduPerson  | Peter Sample
mail                                     | eduPerson  | peter.sample@example.org
eduPersonAffiliation                     | eduPerson  | staff
eduPersonScopedAffiliation               | eduPerson  | staff@example.org
eduPersonPrincipalName                   | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                    | SCHAC      | example.org
schacHomeOrganizationType                | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
9
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Figure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
12
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
13
Metadata (figure)
14
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
15
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
16
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
17
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
18
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
19
Comparison
20
REFEDS R&S                | GÉANT DP CoCo
--------------------------|----------------------------------
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes
Page 87
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules
2
Page 88
Attribute Release Settings (1)
3
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aai@switch.ch
Apache log files
Logfiles:
• error.log, aai-login.example.org.error.log: LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log, aai-login.example.org.access.log
Location: /var/log/apache2
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
2
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
3
Shibboleth log files (1)
• logging implementation called Logback (Log4j successor); Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart of the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
4
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
6
Page 92
SMTPAppender in logback.xml
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>
Note that SMTPAppender by default only sends a mail when an event of level ERROR is logged; the DEBUG root level above determines which preceding events are buffered and included in that mail, not how often mail is sent.
http://logback.qos.ch/manual/appenders.html
7
Hands On 1
Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93
Hands On 2
9
Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContextName)
3. edit logback.xml: set log level to DEBUG for logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   - [org.ldaptive.auth.Authenticator:284]
   - [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load the interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check why it fails
    • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.
Page 62
Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata
Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove Unnecessary Endpoints
To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (screenshot of the Resource Registry form: 1, 2 to review; 3 to adapt)
Page 64
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
Page 66
2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it is better to only have published in the metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
Page 68
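As an added example (not part of the SWITCH handouts), the same "was it used?" check carried out on idp-audit.log instead of idp-process.log, together with the attribute check from the "Attributes" slide (page 101): the script reports the last use of a given binding and compares the attributes released to one SP against its requirement list. It assumes the default IdP v3 audit format (timestamp in field 1, inbound binding in field 2, relying party in field 4, profile in field 5, released attributes in field 8), and the log records it works on are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts. Analyses idp-audit.log records
# (pipe-separated) to support two checks from the slides:
#   - when was a SAML binding last used, before its endpoint is removed
#   - which attributes were released to an SP in its most recent login
# Assumed field layout (default IdP v3 audit format; an assumption here):
#   1 timestamp | 2 inbound binding | 3 inbound msg id | 4 relying party |
#   5 profile | 6 principal | 7 authn method | 8 released attributes | ...
# Constructed sample records (not real log data). Set AUDIT_FILE to read a
# real /opt/shibboleth-idp/logs/idp-audit.log instead.
AUDIT_SAMPLE='20150312T081502Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a1|https://legacy-sp.example.org/shibboleth|urn:mace:shibboleth:1.0:profiles:AttributeQuery|||uid,mail|||||||||
20150610T090000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_b2|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|password|givenName,surname,mail|||||||||
20150611T101500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T110000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c3|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|password|givenName,mail|||||||||'

# Emit the audit records: a real file if AUDIT_FILE is set, else the sample.
audit_records() {
    if [ -n "${AUDIT_FILE:-}" ]; then
        cat "$AUDIT_FILE"
    else
        printf '%s\n' "$AUDIT_SAMPLE"
    fi
}

# Print "<timestamp> <relying party>" of the most recent record whose inbound
# binding equals $1; print nothing if the binding never appears.
last_use_of_binding() {
    audit_records | awk -F'|' -v b="$1" \
        '$2 == b { last = $1 " " $4 } END { if (last != "") print last }'
}

# Print the comma-separated attribute list of the most recent record in which
# something was released to relying party $1 (empty if nothing was released).
attributes_released_to() {
    audit_records | awk -F'|' -v rp="$1" \
        '$4 == rp && $8 != "" { attrs = $8 } END { print attrs }'
}

# Compare the released attributes with the SP's requirement list ($2,
# comma-separated, as found in the Resource Registry). Returns 0 if all were
# released; otherwise prints the missing ones and returns 1.
required_attributes_released() {
    released=",$(attributes_released_to "$1"),"
    # The subshell keeps the IFS change local to the loop.
    missing=$(
        IFS=,
        for attr in $2; do
            case "$released" in
                *",$attr,"*) ;;
                *) printf ' %s' "$attr" ;;
            esac
        done
    )
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "all required attributes released"
}

# Example run on the constructed sample data:
last_use_of_binding 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
required_attributes_released 'https://sp.example.org/shibboleth-sp' 'givenName,surname,mail' || true
```

Against a real log, run e.g. `AUDIT_FILE=/opt/shibboleth-idp/logs/idp-audit.log last_use_of_binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding` after sourcing the script; an empty result over the retention period is the signal that the endpoint can go.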
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (diagram, two slides)
Page 71
Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities (1)
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (2)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (map: production and pilot federations)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation /
eduPersonScopedAffiliation                 eduPerson    staff / staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (screenshot of the Resource Registry)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust
Metadata (diagram)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)
Page 88
Attribute Release Settings (1) (screenshot: Resource Registry, Edit Home Organization Description, Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it could only be achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
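An added example (not from the handouts and not part of the Shibboleth project): a small wrapper around the reload-service admin flow that checks a bean ID against the list above before sending the request, so a typo is caught locally rather than at the IdP. It assumes the IdP base URL https://aai-login.example.org/idp used on the slides, that curl is installed, that the caller is permitted by access-control.xml, and that the IdP answers a failed reload with a non-2xx status (an assumption; curl --fail turns that into a non-zero exit code).

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts or the Shibboleth project.
# Wraps the IdP v3 reload-service / reload-metadata admin flows.
# Assumptions: IdP base URL as on the slides (override with IDP_BASE), curl
# available, caller allowed by access-control.xml (localhost by default), and
# a failed reload answered with a non-2xx status.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Bean IDs accepted by reload-service, as listed on the slide above.
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Return 0 when $1 is one of the known reloadable bean IDs (exact match).
is_reloadable_service() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -qxF -- "$1"
}

# Print the admin-flow URL for a service ($1 = service) or metadata
# ($1 = metadata) reload of the ID given in $2.
reload_url() {
    case "$1" in
        service)  printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$2" ;;
        metadata) printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE" "$2" ;;
        *) echo "usage: reload_url service|metadata <id>" >&2; return 2 ;;
    esac
}

# Trigger a service reload. Unknown IDs are refused locally; a reload the
# IdP reports as failed (e.g. a syntax error in the reloaded file) shows up
# as a non-zero exit status through curl --fail.
reload_service() {
    if ! is_reloadable_service "$1"; then
        echo "unknown reloadable service: $1" >&2
        return 1
    fi
    curl --silent --show-error --fail "$(reload_url service "$1")"
}

# Trigger a metadata reload for a provider ID from metadata-provider*.xml.
reload_metadata() {
    curl --silent --show-error --fail "$(reload_url metadata "$1")"
}

# Example: show the URL that would be requested (no network access here).
reload_url service shibboleth.AttributeFilterService
```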
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
© 2015 SWITCH

Does metadata change when the IdP is upgraded? (slide 4)
Fortunately not, but revising the metadata still might cause some minor changes.
Page 63
IdPv2 vs IdPv3 Metadata (slide 5)
Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore, in theory, no metadata / Resource Registry change is needed.
However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints
To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description (slide 6)
[Screenshot of the Home Organisation Description form in the Resource Registry: sections 1 and 2 are to review, section 3 is to adapt]
Page 64
1. Review the Home Organisation Description (slide 7)
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority (slide 8)
Recommendation so far: a separate port (i.e. 8443) or IP address for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority (slide 9)
New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? (slide 10)
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.
Page 66
2. Change URL for Attribute Authority (slide 11)
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints (slide 12)
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints (slide 13)
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
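The grep above answers "was it used at all"; before removing an endpoint from the Resource Registry one usually also wants the date of the last use and the SP that used it. The following Python script is an added example for this handout, not SWITCH's or the Shibboleth project's code. It scans idp-process.log text for SAML binding URNs and reports, per removal candidate from slide 12, when and by which relying party the binding was last seen. The log lines are constructed for the example; the line layout (date, level, logger, message) and the message wording naming a binding and a relying party are assumptions, so adapt LINE_RE and RP_RE to the messages your IdP version actually writes.

```python
import re
from datetime import datetime

# SAML bindings whose endpoints slide 12 names as removal candidates.
CANDIDATE_BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding": "SAML1 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign": "SAML2 HTTP-POST-SimpleSign",
}

# Constructed sample of idp-process.log lines (not real IdP output). The line
# layout "<date> - <LEVEL> [<logger>:<line>] - <message>" and the message wording
# that names a binding and a relying party are assumptions of this example.
SAMPLE_LOG = """\
2015-02-03 10:15:42,123 - INFO [net.shibboleth.idp.example.Binding:82] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://sp-old.example.org/shibboleth
2015-04-21 08:02:10,456 - INFO [net.shibboleth.idp.example.Binding:82] - Outbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST to relying party https://sp.example.org/shibboleth
2015-05-30 17:45:01,789 - INFO [net.shibboleth.idp.example.Binding:82] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://sp-old.example.org/shibboleth
2015-06-01 09:00:00,000 - WARN [net.shibboleth.idp.example.Other:10] - Unrelated warning without a binding
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[,.]\d+ - (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$")
URN_RE = re.compile(r"urn:oasis:names:tc:SAML:[0-9.]+:bindings:[A-Za-z0-9-]+")
RP_RE = re.compile(r"relying party (\S+)")


def last_binding_use(log_text):
    """Map each SAML binding URN found in the log to (last timestamp, relying party)."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack traces, continuation lines, blank lines
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        rp = RP_RE.search(m.group("msg"))
        rp = rp.group(1) if rp else "(unknown relying party)"
        for urn in URN_RE.findall(m.group("msg")):
            if urn not in seen or ts > seen[urn][0]:
                seen[urn] = (ts, rp)
    return seen


def removal_report(log_text, today, max_age_days=90):
    """Verdict per candidate binding; today is an ISO date such as "2015-06-11"."""
    now = datetime.strptime(today, "%Y-%m-%d")
    seen = last_binding_use(log_text)
    report = {}
    for urn, label in CANDIDATE_BINDINGS.items():
        if urn not in seen:
            report[label] = "never used in these logs: candidate for removal"
            continue
        ts, rp = seen[urn]
        age = (now - ts).days
        if age > max_age_days:
            report[label] = f"last used {age} days ago by {rp}: candidate for removal"
        else:
            report[label] = f"used {age} days ago by {rp}: keep the endpoint"
    return report


if __name__ == "__main__":
    # Real use: read all retained idp-process-*.log files into one string first.
    for label, verdict in removal_report(SAMPLE_LOG, "2015-06-11").items():
        print(f"{label}: {verdict}")
```

"Never used in these logs" only means not used within the log files you fed in; feed the script the whole retention window (the slide's idp-process-2015-*.log) before acting on it, and remember that the SAML1 SOAP binding is shared by the Artifact Resolution Service and the Attribute Service, so one hit keeps both endpoints.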
Page 68
SWITCHaai Team, aai@switch.ch
Clustering IdPs: High Availability and Load Balancing

Goals (slide 2)
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3 (slide 3)
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of in server memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges (slide 4)
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (slides 5 and 6)
[Diagrams of an example clustered IdP environment; no text content]
Page 71
Options: Full-featured setup (slide 7)
Load balancing hardware vs. DNS round robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • The behavior of clients is not determinable
  • Does not guarantee sticky sessions
Options: Basic setup (Active/Standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs. server-side (slide 8)
Server-side database
• Can store any data
• But: might cause some performance penalty
• Centralized/clustered or replicated database required
Client-side storage using cookies
• Doesn't work for large data like user consents
• Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities (slide 9)
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (slide 10)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations (slide 11)

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage (slide 12)
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage (slide 13)
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
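Slides 11 to 13 together give a checklist: each of the four idp.properties keys must point at a storage service whose scope suits a cluster. The Python script below is an added example for this handout (not SWITCH's or the Shibboleth project's code) that reads an idp.properties excerpt and grades each storage entity against the recommendation table of slide 11. shibboleth.JPAStorageService is named on the slides; the in-memory service shibboleth.StorageService and the two client-side services shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService are the IdPv3 built-in bean IDs and, like the "default" property values in the sample, are assumptions of this example rather than content of the slides. The Persistent ID is deliberately not covered, since it lives in global.xml.

```python
import re

# Storage entity -> idp.properties key (slide 12).
PROPERTY_KEYS = {
    "IdP User Session":     "idp.session.StorageService",
    "User consents":        "idp.consent.StorageService",
    "SAML artifacts":       "idp.artifact.StorageService",
    "Message replay cache": "idp.replayCache.StorageService",
}

# Scope of the storage bean IDs. JPAStorageService is named on slide 13; the
# other three are the IdPv3 built-in services (assumed here).
BEAN_SCOPE = {
    "shibboleth.StorageService":                 "memory (per node)",
    "shibboleth.ClientSessionStorageService":    "client (per client)",
    "shibboleth.ClientPersistentStorageService": "client (per client)",
    "shibboleth.JPAStorageService":              "common database (cluster)",
}

# Scopes the recommendation table of slide 11 accepts for a cluster.
RECOMMENDED = {
    "IdP User Session":     {"client (per client)"},
    "User consents":        {"common database (cluster)"},
    "SAML artifacts":       {"common database (cluster)"},
    "Message replay cache": {"memory (per node)", "common database (cluster)"},
}

# Constructed idp.properties excerpts (assumed IdPv3 defaults, and the same
# file after applying slide 11 for a cluster).
DEFAULT_PROPERTIES = """\
# storage settings (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""
CLUSTER_PROPERTIES = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_cluster_storage(properties_text):
    """Return {entity: (configured bean, scope, verdict)} for the four keys."""
    props = parse_properties(properties_text)
    result = {}
    for entity, key in PROPERTY_KEYS.items():
        bean = props.get(key)
        if bean is None:
            # commented-out keys fall back to the IdP default, which may differ
            result[entity] = (None, "unset", "WARN: key not set; IdP default applies")
            continue
        scope = BEAN_SCOPE.get(bean, "unknown")
        if scope == "unknown":
            verdict = "CHECK: custom storage bean, classify it manually"
        elif scope in RECOMMENDED[entity]:
            verdict = "OK"
        else:
            verdict = f"WARN: {scope} storage is not suitable in a cluster for this entity"
        result[entity] = (bean, scope, verdict)
    return result


if __name__ == "__main__":
    for entity, (bean, scope, verdict) in check_cluster_storage(DEFAULT_PROPERTIES).items():
        print(f"{entity:22s} {str(bean):45s} {verdict}")
```

Run against the defaults, the script flags user consents (client cookie, so per browser) and SAML artifacts (in memory, so per node); both are exactly the rows of slide 11 that call for the common database. A memcached bean would show up as CHECK rather than being silently accepted.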
IdP Configuration: Secret Key Management (slide 14)
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes (slide 15)
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation? (slide 4)
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
[World map of federations, legend: Production / Pilot; source: https://refeds.org/federations/federations-map]
eduGAIN Status (slide 6)
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
[Screenshot of the interfederation option in the Resource Registry; https://www.switch.ch/aai/interfederation]

eduGAIN: What is it and how does it work? (slide 10)
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy documents: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories (slide 13)
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (slide 14)
[Diagram; no text content]
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct (slide 16)
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (slide 2)
[Diagram; no text content]
Page 88
Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) (slide 4)
[Screenshot; no text content]
Page 89
Overview of Log Files
SWITCHaai Team, a ai@switch.ch

Apache log files (slide 2)
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
catalina.out: console output (System.err/out) from Tomcat
• default logging location: /var/log/tomcat7/
• config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...)
• default logging location: /var/log/tomcat7/
• config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1) (slide 4)
• Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2) (slide 5)
Location: /opt/shibboleth-idp/logs/
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3) (slide 6)
Config: /opt/shibboleth-idp/conf/logback.xml
3 main classes: Logger, Appender (output destination) and Layout
Default settings are usually ok. Change them if required, i.e.
  o LDAP auth module or authentication events
  o new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html
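Because logback.xml is reloaded while the IdP runs (idp.service.logging.checkInterval above), a mistake in it is easy to make and easy to miss: a root appender-ref pointing at a typo, an SMTPAppender that is defined but never referenced, or a DEBUG logger left over from troubleshooting. The Python script below is an added example for this handout, not SWITCH's or the Shibboleth project's code; it summarises a logback.xml and lists such findings. The sample configuration is constructed from the SMTPAppender fragment on this slide plus two file appenders and the two DEBUG loggers used in the hands-on that follows.

```python
import xml.etree.ElementTree as ET

SMTP_APPENDER_CLASS = "ch.qos.logback.classic.net.SMTPAppender"
# The five message levels from slide 6, plus the two Logback threshold names.
KNOWN_LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "ALL", "OFF"}

# Constructed logback.xml (the SMTPAppender part is the fragment on this slide).
SAMPLE_LOGBACK = """\
<configuration>
  <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>/opt/shibboleth-idp/logs/idp-process.log</file>
  </appender>
  <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>/opt/shibboleth-idp/logs/idp-warn.log</file>
  </appender>
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <logger name="org.ldaptive.auth.Authenticator" level="DEBUG"/>
  <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>
</configuration>
"""


def summarize_logback(xml_text):
    """Appenders (name -> class), loggers (name -> level), root level and refs."""
    cfg = ET.fromstring(xml_text)
    appenders = {a.get("name"): a.get("class") for a in cfg.findall("appender")}
    loggers = {l.get("name"): l.get("level") for l in cfg.findall("logger")}
    root = cfg.find("root")
    return {
        "appenders": appenders,
        "loggers": loggers,
        "root_level": root.get("level") if root is not None else None,
        "root_refs": [r.get("ref") for r in root.findall("appender-ref")] if root is not None else [],
    }


def lint_logback(xml_text):
    """Findings a reviewer would raise before letting the IdP reload this file."""
    s = summarize_logback(xml_text)
    findings = []
    for ref in s["root_refs"]:
        if ref not in s["appenders"]:
            findings.append(f"root references undefined appender {ref}")
    smtp = [n for n, c in s["appenders"].items() if c == SMTP_APPENDER_CLASS]
    if not smtp:
        findings.append("no SMTPAppender defined: no automatic email alerts on error")
    elif not any(n in s["root_refs"] for n in smtp):
        findings.append("SMTPAppender defined but not referenced from <root>")
    for name, level in s["loggers"].items():
        if level in ("DEBUG", "TRACE"):
            findings.append(f"logger {name} at {level}: revert after troubleshooting")
    for name, level in list(s["loggers"].items()) + [("root", s["root_level"])]:
        if level is not None and level.upper() not in KNOWN_LEVELS:
            findings.append(f"{name}: unknown level {level}")
    return findings


if __name__ == "__main__":
    for finding in lint_logback(SAMPLE_LOGBACK):
        print(finding)
```

Note that a root level of DEBUG does not flood the mailbox: Logback's SMTPAppender only sends when an ERROR event arrives (its default evaluator), buffering the preceding lower-level events into the same mail, which is what makes it useful for the "automatic email alerts on error" of slide 4.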
Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2 (slide 9)
Find out why not all of the attributes appear

Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2 (slide 2)
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date
  • Interfederation Metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems
Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt-out before
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted-out before the flag day
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
IdPv2 vs IdPv3 Metadata

Endpoint URLs stay the same (unlike in the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.

However, some changes are still recommended:
1. Review the Home Organisation Description
2. Change the URL for the Attribute Authority
3. Remove unnecessary endpoints

To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch
Home Organisation Description

[Screenshot of the Home Organisation Description form in the Resource Registry, annotated with the parts to review (1, 2) and the part to adapt (3)]
Page 64
1. Review the Home Organisation Description

In particular, review and adapt if necessary:
- 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
- 2 Descriptive Information: add new IP ranges and Domain Hints
- 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
- 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes
2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
Page 65
2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).
But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.
Page 66
2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it is better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
- Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.
Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns information (i.e. time, SP) on when the binding was used the last time.
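The grep above shows raw log lines; before removing an endpoint it is more useful to know which relying parties still use the binding and when they last did. The following shell script is an added example and not part of the SWITCH handouts. The log lines it creates are constructed for the example and use a simplified message layout; the real wording of idp-process.log messages depends on the IdP version and the pattern in logback.xml, so the awk field handling (date and time first, relying party last) is an assumption to adapt.

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): per relying party, report the
# last use of a SAML binding across rolled-over idp-process log files, so that
# an endpoint is only removed from the Resource Registry once it is unused.
# The log lines below are constructed; the layout "DATE TIME - LEVEL [logger:line]
# - message ... relying party <entityID>" is an assumption for this example.

LOGDIR=$(mktemp -d)
cat > "$LOGDIR/idp-process-2015-01-20.log" <<'EOF'
2015-01-20 09:12:44,017 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://sp-old.example.org/shibboleth
2015-01-20 09:13:01,550 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp-new.example.org/shibboleth
EOF
cat > "$LOGDIR/idp-process-2015-03-02.log" <<'EOF'
2015-03-02 17:45:10,201 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://sp-legacy.example.org/shibboleth
2015-03-02 17:46:00,002 - INFO [net.shibboleth.idp.saml.profile:88] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp-new.example.org/shibboleth
EOF

# binding_usage BINDING_URN LOGDIR
# Prints one line per relying party that used the binding,
# "<last date> <last time> <count> <entityID>", newest first,
# or the single word "unused" if the binding never appears.
binding_usage() {
  binding=$1; dir=$2
  result=$(grep -h -F "$binding" "$dir"/idp-process-*.log 2>/dev/null \
    | awk '{
        rp = $NF                          # relying party is the last field
        n[rp]++
        if (($1 " " $2) > last[rp]) last[rp] = $1 " " $2   # keep newest timestamp
      }
      END { for (rp in n) print last[rp], n[rp], rp }' \
    | sort -r)
  if [ -z "$result" ]; then echo "unused"; else echo "$result"; fi
}

# binding_users BINDING_URN LOGDIR
# Number of relying parties still using the binding; 0 means it can go.
binding_users() {
  out=$(binding_usage "$1" "$2")
  if [ "$out" = "unused" ]; then echo 0; else echo "$out" | wc -l | tr -d ' '; fi
}

binding_usage urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding "$LOGDIR"
```

Run it against /opt/shibboleth-idp/logs instead of the temporary directory to get the real picture; the count of relying parties (binding_users) is the number you want to see at 0 before touching the Resource Registry.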
Page 68
SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
- IdPv3 provides better support for clustering than IdPv2
  - Especially, user login sessions are stored on the client instead of in memory on the server
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment

[Diagram: example environment of a clustered IdP (slides 5 and 6)]
Page 71
Options: Load Balancing Hardware vs DNS Round Robin
- Full-featured setup
  Special load balancing hardware or software is highly recommended:
  - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  - Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably:
  - Behavior of clients is not determinable
  - Does not guarantee sticky sessions
- Basic setup (Active/Standby system)
  Anycast IP address:
  - Fast switching possible, but more complicated setup
  Switching via DNS:
  - Switching takes some time (TTL), but the setup is easy
Options: Data storage client-side vs server-side
- Server-side database: can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on the client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities
- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
- "Common Database" means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
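The storage recommendations table and the idp.properties keys above can be turned into a simple readiness check for a node that is about to join a cluster. The script below is an added example and not part of the SWITCH handouts or the IdP distribution. It assumes the property names listed on the previous slide, and it assumes the bean names shibboleth.StorageService (in-memory, per node), shibboleth.Client*StorageService (cookie-based, per client) and shibboleth.JPAStorageService (database-backed, defined in global.xml) are the ones in use; the two idp.properties files it creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): check the storage service
# properties in idp.properties against the clustering recommendations:
# user session on the client, consents and SAML artifacts in a common
# database, replay cache in memory per node. Property and bean names are
# assumptions documented in the lead-in; the files below are constructed.

BAD_PROPS=$(mktemp)
cat > "$BAD_PROPS" <<'EOF'
# single-node settings: fine for one server, not for a cluster
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.replayCache.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
EOF

GOOD_PROPS=$(mktemp)
cat > "$GOOD_PROPS" <<'EOF'
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.replayCache.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
EOF

# prop FILE KEY: value of the last "KEY = value" line, empty if unset
prop() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_cluster_storage FILE
# Prints one line per storage entity and a final "problems: N" line;
# returns N, so a non-zero exit status means "not cluster-ready".
check_cluster_storage() {
  file=$1
  problems=0

  # Entities every node must see: per-node (memory) or per-client (cookie)
  # storage breaks them on failover or when a user switches browsers.
  for key in idp.consent.StorageService idp.artifact.StorageService; do
    v=$(prop "$file" "$key")
    case "$v" in
      ""|shibboleth.StorageService|shibboleth.Client*)
        echo "WARN $key=${v:-<unset>}: per-node or per-client storage, a cluster needs a common database"
        problems=$((problems + 1)) ;;
      *) echo "OK   $key=$v" ;;
    esac
  done

  # The user session should float between nodes, i.e. live in the client cookie.
  v=$(prop "$file" idp.session.StorageService)
  case "$v" in
    shibboleth.Client*) echo "OK   idp.session.StorageService=$v" ;;
    *) echo "WARN idp.session.StorageService=${v:-<unset>}: session bound to one node, users must re-login on failover"
       problems=$((problems + 1)) ;;
  esac

  # Memory per node is the recommended default for the replay cache; report only.
  v=$(prop "$file" idp.replayCache.StorageService)
  echo "INFO idp.replayCache.StorageService=${v:-<unset>} (memory per node is the recommendation)"

  echo "problems: $problems"
  return "$problems"
}

check_cluster_storage "$BAD_PROPS" || echo "not cluster-ready (exit status $?)"
```

Point check_cluster_storage at /opt/shibboleth-idp/conf/idp.properties on each node; the Persistent ID store is configured in global.xml rather than idp.properties, so it has to be checked separately.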
IdP Configuration: Secret Key Management
- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
- Setup
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes
- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta
  - No longer an option for IdPv3
Considerations for planning an IdP cluster
- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?
Page 76
References / Documentation
- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
- Most federations are of national scope
  - Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  - Research projects are mostly multi-national
- Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally

[Map of production and pilot federations; source: https://refeds.org/federations/federations-map]
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: IdPs 1257, SPs 963

http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation /
eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /
Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust
- SPs and IdPs of participating federations should opt in for eduGAIN
  - Some federations decided for opt-out instead
- The MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for international coherent use
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context:
  - Filling the gap of missing common policies
  - Support or increase scalable trust
Metadata

[Diagram: entity categories as tags in metadata (slide 14)]
Page 84
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment, which increases the trust in Service Providers (SPs)]

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative informational documents
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
- R&S SPs support
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
Page 88
Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Page 89
Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
- error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
- Location: /var/log/apache2
- Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat
  - Default logging location: /var/log/tomcat7
  - Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  - Default logging location: /var/log/tomcat7
  - Config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
- Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restart; the IdP services.properties entry idp.service.logging.checkInterval = PT5M
- Automatic email alerts on error
Page 91
Shibboleth log files (2)
- Location: /opt/shibboleth-idp/logs
- Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
- Config: /opt/shibboleth-idp/conf/logback.xml
- 3 main classes: Logger, Appender (output destination) and Layout
- Default settings are usually ok. Change them if required, e.g.:
  - LDAP Auth Module or authentication events
  - new Logger or Appender…
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
- reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
- by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing, too
- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  - say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
- and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
- try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process
  - ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - The federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before
    - if they do not want to participate
    - if they are not ready yet
  - ⊕ Quick adoption
  - ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
- Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue
  - The SP does not load the interfederation metadata
  - The SP does not know the IdP and fails
Discovery Service (DS)
- Within SWITCHaai, users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
  - An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  - E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  - That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
- Missing attributes cause interoperation problems
  - Check the SP's attribute requirements in the Resource Registry
  - Verify that the attributes were released (in the IdP's audit log)
    - If NO: check your IdP's attribute release policy
    - If YES: were all required attributes released?
      - If YES: the SP has to check out why it fails
      - If NO: review your attribute release policy
- Another issue
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
© 2015 SWITCH
1. Review the Home Organisation Description
In particular, review and adapt if necessary:
1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation)
2 Descriptive Information: add new IP ranges and Domain Hints
5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.
7
2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)
8
Page 65
2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute Queries are hardly used anymore (but will become important again for support of edu-ID).
9
But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for Attribute Service and Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...
11
3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
12
Page 67
3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
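Added example for the log check above, not code from the SWITCH handout: a POSIX shell script that reports when a binding URN was last seen in the idp-process logs and how often, so the "still used?" decision rests on data. The log lines are constructed with simplified message text; only the leading timestamp and the binding URN matter.

```shell
# Added example, not from the SWITCH handout: before removing an endpoint,
# find out when its binding was last used in the idp-process logs.
# Real logs live in /opt/shibboleth-idp/logs; the lines below are constructed
# with simplified message text, only the leading timestamp and the binding
# URN matter for the check.

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_POST='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
SAML2_ARTIFACT='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'

# Create a temporary directory holding two constructed idp-process log files.
make_sample_logs() {
  dir=$(mktemp -d)
  cat > "$dir/idp-process-2015-01-20.log" <<EOF
2015-01-20 08:02:11,004 - INFO - inbound binding $SAML1_SOAP from https://sp-legacy.example.org/shibboleth
2015-01-20 08:05:37,910 - INFO - inbound binding $SAML2_POST from https://sp-new.example.org/shibboleth
EOF
  cat > "$dir/idp-process-2015-03-02.log" <<EOF
2015-03-02 09:15:01,123 - INFO - inbound binding $SAML1_SOAP from https://sp-legacy.example.org/shibboleth
2015-03-02 09:16:44,555 - INFO - inbound binding $SAML2_POST from https://sp-new.example.org/shibboleth
EOF
  printf '%s\n' "$dir"
}

# Print the most recent log line that mentions the binding URN ($1) in the
# idp-process-*.log files under $2; return 1 if the binding never appears.
# Lines start with an ISO date, so a plain textual sort orders them by time.
last_binding_use() {
  line=$(grep -h -F -- "$1" "$2"/idp-process-*.log 2>/dev/null | sort | tail -n 1)
  [ -n "$line" ] || return 1
  printf '%s\n' "$line"
}

# Count how many requests used the binding URN ($1) in the logs under $2.
binding_use_count() {
  grep -h -F -- "$1" "$2"/idp-process-*.log 2>/dev/null | wc -l | tr -d ' '
}

# Demo: classify the two candidate bindings from the slide.
logs=$(make_sample_logs)
for binding in "$SAML1_SOAP" "$SAML2_ARTIFACT"; do
  if last=$(last_binding_use "$binding" "$logs"); then
    echo "KEEP   $binding (last used ${last%% *}, $(binding_use_count "$binding" "$logs") uses)"
  else
    echo "REMOVE $binding (never seen in the logs)"
  fi
done
rm -rf "$logs"
```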
13
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch
Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
2
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
3
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
4
Page 70
Example Environment
(slides 5 and 6: diagrams of an example clustered IdP environment, not reproduced in the text)
Page 71
Options
• Full-featured setup: load balancing hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy
7
Options
• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
8
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
9
Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
10
Page 73
Storage Recommendations

Storage Entity       | Recommended Storage | Scope
---------------------|---------------------|-----------
Conversation Session | Memory              | Per Node
IdP User Session     | Client              | Per Client
Persistent ID        | Common Database     | Cluster
User consents        | Common Database     | Cluster
SAML artifacts       | Common Database     | Cluster
Message replay cache | Memory              | Per Node
11
Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
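Added example, not from the handout or the Shibboleth project: a POSIX shell check that reads the four storage properties above from an idp.properties excerpt and compares each against the storage recommendation table (session on the client, consents and artifacts in a common database, replay cache in per-node memory). The sample file is constructed; the bean IDs shibboleth.StorageService, shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService are assumed to be the IdP v3 built-in storage services alongside shibboleth.JPAStorageService.

```shell
# Added example, not from the handout or the Shibboleth project: compare the
# storage properties of an idp.properties file with the recommendation table.
# The property names are the ones listed on the slide; the bean IDs are
# assumed to be the IdP v3 built-in storage services. The properties file is
# constructed for the demo.

# Print the value of property $2 from file $1 (last definition wins,
# comments and surrounding whitespace ignored).
prop_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Map a storage service bean ID to the scope it provides.
storage_scope() {
  case "$1" in
    shibboleth.StorageService) echo "per-node memory" ;;
    shibboleth.ClientSessionStorageService|shibboleth.ClientPersistentStorageService)
      echo "per-client cookie" ;;
    shibboleth.JPAStorageService) echo "common database" ;;
    '') echo "unset" ;;
    *) echo "unknown" ;;
  esac
}

# Check file $1 against the recommendations; print OK/WARN per entity and
# return 1 if any entity deviates from the recommended scope.
check_cluster_storage() {
  rc=0
  for row in \
    "IdP User Session|idp.session.StorageService|per-client cookie" \
    "User consents|idp.consent.StorageService|common database" \
    "SAML artifacts|idp.artifact.StorageService|common database" \
    "Message replay cache|idp.replayCache.StorageService|per-node memory"
  do
    entity=${row%%|*}
    rest=${row#*|}
    prop=${rest%%|*}
    want=${rest#*|}
    bean=$(prop_value "$1" "$prop")
    have=$(storage_scope "$bean")
    if [ "$have" = "$want" ]; then
      echo "OK   $entity: $prop=$bean ($have)"
    else
      echo "WARN $entity: $prop=${bean:-<unset>} is $have, recommended: $want"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed idp.properties excerpt with one cluster-unfriendly setting:
# consents kept in a browser cookie are lost when the user switches browsers.
write_sample_properties() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# storage settings (constructed excerpt of /opt/shibboleth-idp/conf/idp.properties)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
  printf '%s\n' "$f"
}

# Demo run.
sample=$(write_sample_properties)
check_cluster_storage "$sample" || echo "storage configuration is not cluster-safe"
rm -f "$sample"
```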
12
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
13
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
14
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
15
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
16
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
17
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
4
Page 79
All Academic Identity Federations Globally
5
(map of federations; legend: Production, Pilot; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
7
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes
8

Friendly name                            | Defined in | Example
-----------------------------------------|------------|----------------------------------------------
displayName                              | eduPerson  | Peter Sample
common name (cn)                         | eduPerson  | Peter Sample
mail                                     | eduPerson  | peter.sample@example.org
eduPersonAffiliation                     | eduPerson  | staff
eduPersonScopedAffiliation               | eduPerson  | staff@example.org
eduPersonPrincipalName                   | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                    | SCHAC      | example.org
schacHomeOrganizationType                | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
9
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram of the eduGAIN policy documents: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
12
Page 83
Entity categories
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
13
Metadata
14
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
15
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
16
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
17
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
18
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
19
Comparison
20

REFEDS R&S                | GÉANT DP CoCo
--------------------------|---------------------------------
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules
2
Page 88
Attribute Release Settings (1)
3
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
2
Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)
3
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
4
Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change them if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
6
Page 92
SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>
http://logback.qos.ch/manual/appenders.html
7
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93
Hands On 2
9
Find out why not all of the attributes appear
Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
copy 2015 SWITCH
2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed; no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata). Attribute queries are hardly used anymore (but will become important again for the support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
Page 66
2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for the Attribute Service and the Artifact Resolution Service. Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp.
3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it is better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!
Page 67
3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find out whether there were SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
Page 68
Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster
Page 69
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of in memory on the server
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism
Page 70
Example Environment (two diagram slides; only the title survives in the handout text)
Page 71
Options: Load Balancing Hardware vs. DNS Round Robin
• Full-featured setup
  Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
  DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  Anycast IP address
  • Fast switching possible, but more complicated setup
  Switching via DNS
  • Switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs. server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations

Storage entity           Recommended storage   Scope
Conversation Session     Memory                Per node
IdP User Session         Client                Per client
Persistent ID            Common database       Cluster
User consents            Common database       Cluster
SAML artifacts           Common database       Cluster
Message replay cache     Memory                Per node

Remarks
• "Common database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
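As an added example (not from the handout or the SWITCH distribution), an idp.properties fragment that maps the storage recommendation table to the properties named above and points the cookie sealer at the keystore every node must share. shibboleth.ClientSessionStorageService and shibboleth.StorageService are IdP v3 built-in beans; shibboleth.JPAStorageService is the database-backed bean the SWITCHaai global.xml defines; the idp.sealer.* values are the IdP v3 defaults.

```properties
# Added example: storage service per entity for a clustered IdP, following
# the "Storage Recommendations" table (not the SWITCH default idp.properties).

# IdP User Session: encrypted cookie on the client, floats between nodes
idp.session.StorageService = shibboleth.ClientSessionStorageService

# User consents: common database, so a user may use several browsers/clients
idp.consent.StorageService = shibboleth.JPAStorageService

# SAML artifacts: common database, the artifact must be resolvable on any node
# (irrelevant if SAML 2.0 artifacts are not used at all)
idp.artifact.StorageService = shibboleth.JPAStorageService

# Message replay cache: per-node memory (the default); switch to
# shibboleth.JPAStorageService if replayed messages must be detected
# cluster-wide rather than per node
idp.replayCache.StorageService = shibboleth.StorageService

# The session cookie is sealed with the key in this keystore. All nodes must
# hold the same keystore and version file; rotate on one node and copy to the
# others (see "Secret Key Management").
idp.sealer.storeResource   = %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource = %{idp.home}/credentials/sealer.kver
```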
Page 75
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (world map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN document set: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile.)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (figure slide; only the title survives in the handout text)
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment; this increases the trust in Service Providers (SPs).)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (figure slide; only the title survives in the handout text)
Page 88
Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
  error.log   aai-login.example.org.error.log   LogLevel in /etc/apache2/apache2.conf (default "warn")
  access.log  aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files
catalina.out: console output (System.err/out) from Tomcat
  default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  default logging location: /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• logging implementation called Logback, the Log4j successor; manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the IdP services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  idp-process.log        detailed description of the IdP processing requests
  idp-warn.log           filtered view of idp-process.log
  idp-audit.log          general request/response auditing records
  idp-consent-audit.log  user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
cfg: /opt/shibboleth-idp/conf/logback.xml
3 main classes: Logger, Appender (output destination) and Layout
Default settings usually ok; change it if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads

shibboleth.LoggingService                   logging configuration reload (logback.xml)
shibboleth.AttributeFilterService           attribute filter reload
shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 ("Available bean IDs for service reloads"):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
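As an added example (not from the handout), a small Python parser for idp-audit.log lines that answers the audit-log checks on this slide, the "has this binding been used recently" check from the "Remove Unnecessary Endpoints" slide, and the reload-event question from the reloading hands-on. It assumes the IdP v3 default audit field order (timestamp, inbound binding, message id, SP entityID, profile, ..., username, ..., released attributes) and uses constructed sample lines.

```python
"""Parse Shibboleth IdP v3 idp-audit.log lines for interfederation troubleshooting.

Assumption (not stated in the handout): the IdP v3 default audit format
  %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|...
so field 0 is the timestamp, 1 the inbound binding, 3 the relying party
(SP entityID), 4 the profile URI, 8 the username and 10 the comma-separated
list of released attribute IDs.
"""
from collections import namedtuple

AuditEvent = namedtuple("AuditEvent", "time binding sp profile user attributes")

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP = "https://aai-login.example.org/idp/shibboleth"
SSO = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
AQ1 = "http://shibboleth.net/ns/profiles/saml1/query/attribute"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed sample lines, not real log data. The last one has the
# "...||||<profile>||||||||" shape shown on the reloading slide.
SAMPLE_LINES = [
    "20150414T093000Z|%s|_a1|https://old-sp.example.org/shibboleth|%s|%s|%s|_a2|jdoe||"
    "eduPersonPrincipalName,mail|" % (SAML1_SOAP, AQ1, IDP, SAML1_SOAP),
    "20150602T101500Z|%s|_b1|https://old-sp.example.org/shibboleth|%s|%s|%s|_b2|jdoe||"
    "eduPersonPrincipalName|" % (SAML1_SOAP, AQ1, IDP, SAML1_SOAP),
    "20150611T081502Z|%s|_c1|https://sp.example.org/shibboleth|%s|%s|%s|_c2|jdoe|%s|"
    "eduPersonPrincipalName,mail,displayName,eduPersonScopedAffiliation|"
    % (SAML2_REDIRECT, SSO, IDP, SAML2_POST, PPT),
    "20150611T083000Z|%s|_d1|https://sp2.example.org/shibboleth|%s|%s|%s|_d2|jdoe|%s|"
    "eduPersonPrincipalName|" % (SAML2_REDIRECT, SSO, IDP, SAML2_POST, PPT),
    "20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
]


def parse_audit_line(line):
    """Split one audit line; return None for lines too short to be an event."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 11:
        return None
    attributes = frozenset(a for a in fields[10].split(",") if a)
    return AuditEvent(fields[0], fields[1], fields[3], fields[4], fields[8], attributes)


def events(lines):
    return [e for e in map(parse_audit_line, lines) if e is not None]


def attributes_released_to(lines, sp_entity_id):
    """Union of attributes ever released to the SP. None if the SP never appears:
    then the IdP never answered it at all, which points at metadata or discovery
    problems rather than at the attribute release policy."""
    released = None
    for e in events(lines):
        if e.sp == sp_entity_id:
            released = (released or set()) | set(e.attributes)
    return released


def missing_attributes(lines, sp_entity_id, required):
    """Required attributes the IdP has not released to the SP. An empty set means
    everything required was released and the SP has to look on its side."""
    released = attributes_released_to(lines, sp_entity_id) or set()
    return set(required) - released


def last_use_of_binding(lines, binding_urn):
    """Map SP entityID -> latest timestamp at which the inbound binding was used,
    e.g. to decide whether a SAML1 SOAP endpoint may be removed from metadata."""
    last = {}
    for e in events(lines):
        if e.binding == binding_urn and e.time > last.get(e.sp, ""):
            last[e.sp] = e.time   # ISO basic timestamps compare lexicographically
    return last


def reload_events(lines):
    """(time, profile) of admin reload flows. Note that the audit line does not
    record the id= argument that was supplied."""
    return [(e.time, e.profile) for e in events(lines) if e.profile.startswith(RELOAD_PREFIX)]


if __name__ == "__main__":
    print(missing_attributes(SAMPLE_LINES, "https://sp2.example.org/shibboleth",
                             ["eduPersonPrincipalName", "mail", "displayName"]))
    print(last_use_of_binding(SAMPLE_LINES, SAML1_SOAP))
```

Run against the real file with `events(open("/opt/shibboleth-idp/logs/idp-audit.log"))`; entries from rotated logs can be concatenated the same way.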
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
copy 2015 SWITCH
2 Change URL for Attribute Authority
What to adapt in Resource Registry then In 3 Technical Information change the URLs for Attribute Service Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment Typically the URLs change from eg httpsaai-loginexampleorg8443idp or httpsaai-aaexampleorgidp
to httpsaai-loginexampleorgidp
11
copy 2015 SWITCH
3 Remove Unnecessary Endpoints
Which endpoints to remove Generally its better to only have published in metadata what is needed and used So in 3 Technical Information consider removing end points that are hardly used
Candidates to remove Single Sign On Service with
SAML2 HTTP POST SimpleSign binding Artifact Resolution Service with SAML1 SOAP binding Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used 12
Page 67
copy 2015 SWITCH
3 Remove Unnecessary Endpoints
How to check if a profile and binding can be removed Check if it has been used within last few months If not remove it from Resource Registry How to check if it has been used Check log files To find if SAML1 SOAP binding logins in 2015 $ cd optshibboleth-idplogs $ grep urnoasisnamestcSAML10bindingsSOAP-binding idp-process-2015-log Returns information (ie time SP) when binding was used the last time
13
Page 68
SWITCHaai Team aaiswitchch
Clustering IdPs High Availability and Load Balancing
copy 2015 SWITCH
Goals bull Operate the IdP on multiple servers to get high availability
andor load balancing bull Load balancing is especially desirable for IdPs with a lot of user logins
and a high load ie for large organizations bull A further usage is to avoid outages during maintenances A server
can be taken away without breaking the operation
bull Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails bull Users should not need to re-login if a server fails or is manually
removed from the cluster
2
Page 69
copy 2015 SWITCH
Support for clustering in IdPv3
bull IdPv3 provides better support for clustering than IdPv2 bull Especially user login sessions are stored on the client instead of on
the server in memory bull Allows flexible configuration of various storage services (memory
server-side client-side)
bull In theory clustering would be easy by storing data in memory or in cookies in the browser only ie avoiding a database But bull Full support for Attribute Query requires persistent storage of the
Persistent ID bull Storing user consents per browser is not convenient for users
bull Documentation on the Shibboleth Wiki httpswikishibbolethnetconfluencedisplayIDP30Clustering
3
copy 2015 SWITCH
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP.
• Special configuration of the IdP is required.
• Load balancing requires special hardware or software.
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagrams on slides 5 and 6)
Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  Special load balancing hardware or software is highly recommended:
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
  • Supports sticky sessions (required for short-lived conversation sessions).
  DNS Round Robin does not work reliably:
  • Behavior of clients is not determinable.
  • Does not guarantee sticky sessions.
• Basic setup (Active/Standby system)
  Anycast IP address:
  • Fast switching possible, but more complicated setup.
  Switching via DNS:
  • Switching takes some time (TTL), but setup is easy.
Options
• Data storage client-side vs. server-side
  Server-side database: can store any data.
  • But: might cause some performance penalty.
  • Centralized/clustered or replicated database required.
  Client-side storage using cookies:
  • Does not work for large data like user consents.
  • Stored per single client: not suitable for users using multiple browsers.

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence.
  • Bound to a single node (session state stored in memory).
  • Requires session stickiness on the load balancer (short-time only).
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client).
• Persistent ID
  • Unique, opaque identifier for a user per service provider.
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database.
  • Requires that all IdPs access a common storage to fully support Attribute Queries.
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side).
  • Requires server-side storage to allow users to use multiple browsers/clients.
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai.
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node: a message already seen by one node is not recognised as a replay by another node. (Still, this is the default configuration.)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used.
Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes.
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements).
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key: a node without the current key cannot decrypt session cookies sealed by the other nodes, so users reaching that node have to log in again. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  • Install an appropriate cronjob.
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited.
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
• Terracotta
  • No longer an option for IdPv3.
Considerations for planning an IdP cluster
• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of the benefits of participating in interfederation.
• Know what it takes to enable an IdP for interfederation.
• Understand the concept of Entity Categories.
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales.

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations.
  • Enable the SP for interfederation: the service can serve users from other federations.

All Academic Identity Federations Globally (map: production / pilot)
Source: https://refeds.org/federations/federations-map
eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service.
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust.
• SPs and IdPs of participating federations should opt in for eduGAIN.
  • Some federations decided for opt-out instead.
• The MDS fetches, aggregates and republishes metadata.
(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category.
• Requires a specification for internationally coherent use.
• Criteria: purpose, policies, or other.
• In the interfederation context:
  • Filling the gap of missing common policies.
  • Support or increase scalable trust.

Metadata (example screenshot)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives.
• The SP has to provide a Privacy Policy (in English, according to the guideline).
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale.
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. Goal: increase the trust in Service Providers.)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers.
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart. The services.properties entry idp.service.logging.checkInterval = PT5M controls how often the logging configuration is checked.
• Automatic Email Alerts on Error
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout.
• Default settings are usually OK. Change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender, …
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default.
SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

By default the SMTPAppender sends a mail when it receives an event of level ERROR, together with the buffered events that preceded it, so the mail carries the context leading up to the error.

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries from
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).
• No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check.
New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml.
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… Requesting the respective URL with curl seems more straightforward.
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages.
  – Edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately.
  – Say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2.
Still requiring a restart with v3
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely.
(Ideas for) hands-on exercises
• Try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs.
• Insert a syntax error into a configuration file and try reloading the corresponding service.
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai.
• Understand what is different regarding:
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help.
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate.
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation.
  • IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet.
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata.
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  • Opt-out federations integrate all entities into a single metadata file.
• Propagation speed of metadata changes:
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue: the SP does not load interfederation metadata, so the SP does not know the IdP and fails.
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP.
• An SP needs a DS that knows the appropriate set of IdPs.
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out.
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems.
  • Check the SP's attribute requirements in the Resource Registry.
  • Verify that the attributes were released (in the IdP's audit log).
    • If NO: check your IdP's attribute release policy.
    • If YES: were all required attributes released?
      • If YES: the SP has to check why it fails.
      • If NO: review your attribute release policy.
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
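The two audit-log questions raised in this handout, "were all required attributes released to this SP?" (above) and "which reload flows show up in idp-audit.log?" (hands-on exercises of the Reloading section), can both be answered from idp-audit.log once its column layout is known. The following is an added example, not part of the SWITCH handout or the Shibboleth project. It assumes the audit line is built from the idp.audit.format property, whose %-tokens (%T timestamp, %P profile ID, %SP relying party, %u user, %attr released attribute IDs) are the IdP v3 tokens; the short AUDIT_FORMAT used here and the four log records are constructed for the example, so set AUDIT_FORMAT to the idp.audit.format value of your own IdP before running it against real logs. All function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth project.
# Reads idp-audit.log records according to an idp.audit.format string and
# answers: which attributes were released to an SP, which required ones never
# were, and how often a profile flow (e.g. reload-metadata) was invoked.
# AUDIT_FORMAT is a shortened layout chosen for this example (the %-tokens are
# real IdP v3 audit tokens); the log lines are constructed, not real records.

AUDIT_FORMAT='%T|%P|%SP|%u|%attr'

AUDIT_LOG=$(mktemp)
cat > "$AUDIT_LOG" <<'EOF'
20150611T081502Z|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sp.example.org/shibboleth|psample|displayName,mail,eduPersonScopedAffiliation
20150611T081744Z|http://shibboleth.net/ns/profiles/reload-metadata|||
20150611T082210Z|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sp.example.org/shibboleth|jdoe|mail,eduPersonAffiliation
20150611T083005Z|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://wiseflow.example.net/shibboleth|psample|eduPersonTargetedID
EOF

# field_index FORMAT TOKEN: 1-based column of TOKEN in the pipe-separated
# FORMAT; prints nothing if the token is not part of the format.
field_index() {
  printf '%s\n' "$1" | awk -F'|' -v tok="$2" '
    { for (i = 1; i <= NF; i++) if ($i == tok) { print i; exit } }'
}

# released_attributes LOG FORMAT SP: sorted, de-duplicated attribute IDs the
# IdP released to SP over all audit records, space separated on one line.
released_attributes() {
  sp_col=$(field_index "$2" '%SP')
  attr_col=$(field_index "$2" '%attr')
  [ -n "$sp_col" ] && [ -n "$attr_col" ] || { echo "format lacks %SP or %attr" >&2; return 2; }
  awk -F'|' -v sp="$3" -v sc="$sp_col" -v ac="$attr_col" '
    $sc == sp && $ac != "" { n = split($ac, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$1" \
    | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# missing_attributes LOG FORMAT SP ATTR...: prints each required attribute that
# never appears in the audit trail for SP, one per line (no output = all released).
missing_attributes() {
  log=$1; fmt=$2; sp=$3; shift 3
  got=" $(released_attributes "$log" "$fmt" "$sp") "
  for a in "$@"; do
    case "$got" in *" $a "*) ;; *) printf '%s\n' "$a" ;; esac
  done
}

# profile_count LOG FORMAT PROFILE_ID: number of records for a profile flow,
# e.g. the reload-metadata admin flow from the hands-on exercises.
profile_count() {
  p_col=$(field_index "$2" '%P')
  awk -F'|' -v p="$3" -v pc="$p_col" '$pc == p { n++ } END { print n + 0 }' "$1"
}

SP='https://wiseflow.example.net/shibboleth'
echo "Released to $SP: $(released_attributes "$AUDIT_LOG" "$AUDIT_FORMAT" "$SP")"
echo "Required but never released:"
missing_attributes "$AUDIT_LOG" "$AUDIT_FORMAT" "$SP" eduPersonPrincipalName mail eduPersonTargetedID
echo "reload-metadata invocations: $(profile_count "$AUDIT_LOG" "$AUDIT_FORMAT" http://shibboleth.net/ns/profiles/reload-metadata)"
```

Resolving columns from the format string rather than hard-coding positions is what keeps the check valid after idp.audit.format is changed; if a token is absent from the format, field_index prints nothing and released_attributes refuses to guess. For the reload question, the record carries the profile ID only, which is why the handout asks how the id= argument could be recovered: it is not an audit field in this layout.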
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list".
  • Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • Or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation".
• Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
3 Remove Unnecessary Endpoints
How to check if a profile and binding can be removed Check if it has been used within last few months If not remove it from Resource Registry How to check if it has been used Check log files To find if SAML1 SOAP binding logins in 2015 $ cd optshibboleth-idplogs $ grep urnoasisnamestcSAML10bindingsSOAP-binding idp-process-2015-log Returns information (ie time SP) when binding was used the last time
13
Page 68
SWITCHaai Team aaiswitchch
Clustering IdPs High Availability and Load Balancing
copy 2015 SWITCH
Goals bull Operate the IdP on multiple servers to get high availability
andor load balancing bull Load balancing is especially desirable for IdPs with a lot of user logins
and a high load ie for large organizations bull A further usage is to avoid outages during maintenances A server
can be taken away without breaking the operation
bull Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails bull Users should not need to re-login if a server fails or is manually
removed from the cluster
2
Page 69
copy 2015 SWITCH
Support for clustering in IdPv3
bull IdPv3 provides better support for clustering than IdPv2 bull Especially user login sessions are stored on the client instead of on
the server in memory bull Allows flexible configuration of various storage services (memory
server-side client-side)
bull In theory clustering would be easy by storing data in memory or in cookies in the browser only ie avoiding a database But bull Full support for Attribute Query requires persistent storage of the
Persistent ID bull Storing user consents per browser is not convenient for users
bull Documentation on the Shibboleth Wiki httpswikishibbolethnetconfluencedisplayIDP30Clustering
3
copy 2015 SWITCH
Challenges
bull The setup of the IdP and the whole environment is more complex than with a single-server IdP
bull Special configuration of the IdP is required
bull Load balancing requires special hardware or software
bull IdPs in SWITCHaai store some data in a database Therefore clustered IdPs need some kind of clustered database or some replication mechanism
4
Page 70
copy 2015 SWITCH 5 5
Example Environment
copy 2015 SWITCH 6
Example Environment
Page 71
copy 2015 SWITCH
Options bull Full-featured setup
Load Balancing Hardware vs DNS Round Robin Special load balancing hardware or software is highly recommended
bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored
bull Supports sticky sessions (required for short-lived conversation sessions)
DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions
bull Basic setup (ActiveStandby system) Anycast IP address
bull Fast switching possible but more complicated setup
Switching via DNS bull Switching takes some time (TTL) but setup is easy
7
copy 2015 SWITCH
Options bull Data storage client-side vs server-side Server-side database can store any data
bull But Might cause some performance penalty bull Centralizedclustered or replicated database required
Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers
There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution
8
Page 72
copy 2015 SWITCH
Storage Entities bull Conversation Session (Profile Request Session)
bull Transient web flow at IdP eg SAML2 SSO Login sequence bull Bound to a single node (session state stored in memory) bull Requires session stickiness on load balancer (short-time only)
bull IdP User Session bull After a successful login at the IdP the IdP creates an associated user
session This session is valid for the configured session lifetime (eg 30 minutes or 8 hours)
bull Floatable between nodes (stored on client)
bull Persistent ID bull Unique opaque identifier for a user per service provider bull In a typical SWITCHaai deployment the Persistent ID is stored in a
database bull Requires that all IdPs access a common storage to fully support
Attribute Queries 9
copy 2015 SWITCH
Storage Entities bull User consent to attribute release and terms of use
bull Requires persistent storage (client-side or server-side) bull Requires server-side storage to allow the users to use multiple
browsersclients
bull SAML artifacts bull Requires a common storage The data must be available to all active
nodes to reliably support SAML 20 artifact bull Seldom used in SWITCHaai
bull Message replay cache bull Can be stored per node in memory but then it is limited to a single
node (Still this is the default configuration) bull For higher security requirements the message replay cache can be
managed in the central database or memcached might be used
10
Page 73
copy 2015 SWITCH
Storage Recommendations
Storage Entity Recommended Storage
Scope
Conversation Session Memory Per Node IdP User Session Client Per Client Persistent ID Common Database Cluster User consents Common Database Cluster SAML artifacts Common Database Cluster Message replay cache Memory Per Node
11
Remarks bull Common Database means some centralclustered database or a database replicated
between nodes bull SAML artifacts
Irrelevant if SAML 20 artifacts not usedrequired at all bull Alternatives for Message replay cache
Common Database or memcached (depending on security requirements)
copy 2015 SWITCH
IdP Configuration Storage bull The storage service to use per storage entity is specified
in optshibboleth-idpconfidpproperties bull IdP User Session idpsessionStorageService bull User Consents idpconsentStorageService bull SAML artifacts idpartifactStorageService bull Message replay cache idpreplayCacheStorageService
bull Exception Persistent ID bull Configured in optshibboleth-idpconfglobalxml
(bean PersistentIdStore)
12
Page 74
IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
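As an added example (not from the handouts): a small Python checker that reads the four storage-service keys named above from an idp.properties fragment and compares them with the storage recommendations for a cluster. The built-in bean IDs are the standard IdP v3 ones, shibboleth.JPAStorageService is SWITCH's database-backed service from global.xml, and the stock defaults assumed for unset keys are an assumption.

```python
"""Added example, not from the SWITCH handouts: compare the storage-service
settings of an idp.properties fragment with the clustering recommendations.
The property keys are the four named on the storage slide; the built-in bean
IDs are the standard IdP v3 ones, shibboleth.JPAStorageService is the
database-backed service SWITCH defines in global.xml.  The defaults assumed
for unset keys mirror the stock idp.properties (an assumption)."""

# Scope of each storage-service bean when the IdP runs on several nodes.
SERVICE_SCOPE = {
    "shibboleth.StorageService": "per-node memory",
    "shibboleth.ClientSessionStorageService": "per-client cookie",
    "shibboleth.ClientPersistentStorageService": "per-client cookie",
    "shibboleth.JPAStorageService": "common database",
}

# Recommended scopes per storage entity for a cluster (recommendations slide).
RECOMMENDED = {
    "idp.session.StorageService": {"per-client cookie"},
    "idp.consent.StorageService": {"common database"},
    "idp.artifact.StorageService": {"common database"},
    "idp.replayCache.StorageService": {"per-node memory", "common database"},
}

# Assumed stock values for keys that are not set explicitly.
DEFAULTS = {
    "idp.session.StorageService": "shibboleth.ClientSessionStorageService",
    "idp.consent.StorageService": "shibboleth.ClientPersistentStorageService",
    "idp.artifact.StorageService": "shibboleth.StorageService",
    "idp.replayCache.StorageService": "shibboleth.StorageService",
}

# Constructed fragment: consent left at the client-side default, replay cache
# moved to the database, artifact storage not set at all.
SAMPLE_PROPERTIES = """\
# /opt/shibboleth-idp/conf/idp.properties (constructed excerpt)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.replayCache.StorageService = shibboleth.JPAStorageService
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' or 'key: value',
    lines starting with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_cluster_storage(props, artifacts_used=False):
    """Return (key, level, message) findings for settings that do not match
    the cluster recommendations; level is 'warn' or 'info'."""
    findings = []
    for key, ok_scopes in RECOMMENDED.items():
        bean = props.get(key, DEFAULTS[key])
        scope = SERVICE_SCOPE.get(bean)
        if key == "idp.artifact.StorageService" and not artifacts_used:
            continue  # irrelevant if SAML 2.0 artifacts are not used at all
        if scope is None:
            findings.append((key, "warn", "unknown storage bean " + bean))
        elif scope not in ok_scopes:
            findings.append((key, "warn", "%s is %s; recommended: %s"
                             % (bean, scope, " or ".join(sorted(ok_scopes)))))
        elif key == "idp.replayCache.StorageService" and scope == "per-node memory":
            # Default and acceptable, but replay protection is then per node.
            findings.append((key, "info",
                             "replay cache is per node only; use the common "
                             "database for higher security requirements"))
    return findings


if __name__ == "__main__":
    for key, level, msg in check_cluster_storage(parse_properties(SAMPLE_PROPERTIES)):
        print("%s %s: %s" % (level.upper(), key, msg))
```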
IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75
Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76
References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79
All Academic Identity Federations Globally
(Figure: world map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Figure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata
(Figure)

Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
(Figure: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
• Code of Conduct Toolkit
  • Data Protection Code of Conduct for SPs in EU/EEA
  • Entity category attribute definition for the Code of Conduct
  • SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86
REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
  • No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
(Figure)

Page 88
Attribute Release Settings (1)
(Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Figure)

Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf

Page 90
Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties, FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change them if required, e.g. for
  • LDAP Auth Module or authentication events
  • a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99
Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
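As an added example (not from the handouts): a Python reader for idp-audit.log lines that performs the "were the required attributes released to this SP?" check from the slide above and also picks out the reload events mentioned in the reloading exercises. The column layout is an assumption taken from the IdP 3 default audit format and the sample log lines are constructed; confirm the layout against conf/audit.xml on your own IdP.

```python
"""Added example, not from the SWITCH handouts: read idp-audit.log lines to
(a) verify which attributes were released to an SP and (b) pick out the
admin reload events.  The column layout is an assumption taken from the
IdP 3 default audit format (%T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%X|%e|%S):
timestamp, then three empty columns, then the profile, which matches the
"...||||<profile>||||||||" shape of the reload entries on the slides."""

# Assumed 13-column layout of a pipe-separated audit line.
FIELDS = ["time", "binding", "inbound_id", "relying_party", "profile",
          "principal", "authn_context", "attributes", "name_id",
          "assertion_id", "response_id", "encrypted", "status"]

# Profile IDs the IdP logs for the two admin reload flows.
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

SSO = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
OK = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample log (not a real capture): a login with four attributes,
# a metadata reload, and a login where the second SP only received displayName.
SAMPLE_LOG = "\n".join([
    "|".join(["20150611T101500Z", POST, "_in1", "https://sp.example.org/shibboleth",
              SSO, "psample", PPT,
              "displayName,mail,eduPersonScopedAffiliation,eduPersonTargetedID",
              "_n1", "_a1", "_r1", "true", OK]),
    "20150611T101730Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "|".join(["20150611T101802Z", POST, "_in2", "https://sp2.example.org/shibboleth",
              SSO, "psample", PPT, "displayName", "_n2", "_a2", "_r2", "true", OK]),
])


def parse_audit_line(line):
    """Split one audit line into a dict; attributes become a list."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d (layout assumption wrong?)"
                         % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
    rec["is_reload"] = rec["profile"] in RELOAD_PROFILES
    return rec


def parse_audit_log(text):
    return [parse_audit_line(l) for l in text.splitlines() if l.strip()]


def released_attributes(records, relying_party):
    """Union of attribute names the IdP released to relying_party."""
    names = set()
    for r in records:
        if r["relying_party"] == relying_party and not r["is_reload"]:
            names.update(r["attributes"])
    return names


def missing_attributes(records, relying_party, required):
    """The slide's check: which of the SP's required attributes (as listed in
    the Resource Registry) never appear in the audit log for that SP."""
    return sorted(set(required) - released_attributes(records, relying_party))


def reload_events(records):
    """(time, profile) of admin reload entries; the id= argument is not logged."""
    return [(r["time"], r["profile"]) for r in records if r["is_reload"]]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("reloads:", reload_events(recs))
    print("missing for sp2:", missing_attributes(
        recs, "https://sp2.example.org/shibboleth",
        ["displayName", "mail", "eduPersonScopedAffiliation"]))
```

Run it against a real log with `parse_audit_log(open("/opt/shibboleth-idp/logs/idp-audit.log").read())` once the column layout has been confirmed.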
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under Metadata URL, click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the Is Federated Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide e-mail addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103
SWITCHaai Team aaiswitchch
Clustering IdPs High Availability and Load Balancing
copy 2015 SWITCH
Goals bull Operate the IdP on multiple servers to get high availability
andor load balancing bull Load balancing is especially desirable for IdPs with a lot of user logins
and a high load ie for large organizations bull A further usage is to avoid outages during maintenances A server
can be taken away without breaking the operation
bull Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails bull Users should not need to re-login if a server fails or is manually
removed from the cluster
2
Page 69
copy 2015 SWITCH
Support for clustering in IdPv3
bull IdPv3 provides better support for clustering than IdPv2 bull Especially user login sessions are stored on the client instead of on
the server in memory bull Allows flexible configuration of various storage services (memory
server-side client-side)
bull In theory clustering would be easy by storing data in memory or in cookies in the browser only ie avoiding a database But bull Full support for Attribute Query requires persistent storage of the
Persistent ID bull Storing user consents per browser is not convenient for users
bull Documentation on the Shibboleth Wiki httpswikishibbolethnetconfluencedisplayIDP30Clustering
3
copy 2015 SWITCH
Challenges
bull The setup of the IdP and the whole environment is more complex than with a single-server IdP
bull Special configuration of the IdP is required
bull Load balancing requires special hardware or software
bull IdPs in SWITCHaai store some data in a database Therefore clustered IdPs need some kind of clustered database or some replication mechanism
4
Page 70
copy 2015 SWITCH 5 5
Example Environment
copy 2015 SWITCH 6
Example Environment
Page 71
copy 2015 SWITCH
Options bull Full-featured setup
Load Balancing Hardware vs DNS Round Robin Special load balancing hardware or software is highly recommended
bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored
bull Supports sticky sessions (required for short-lived conversation sessions)
DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions
bull Basic setup (ActiveStandby system) Anycast IP address
bull Fast switching possible but more complicated setup
Switching via DNS bull Switching takes some time (TTL) but setup is easy
7
copy 2015 SWITCH
Options bull Data storage client-side vs server-side Server-side database can store any data
bull But Might cause some performance penalty bull Centralizedclustered or replicated database required
Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers
There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution
8
Page 72
copy 2015 SWITCH
Storage Entities bull Conversation Session (Profile Request Session)
bull Transient web flow at IdP eg SAML2 SSO Login sequence bull Bound to a single node (session state stored in memory) bull Requires session stickiness on load balancer (short-time only)
bull IdP User Session bull After a successful login at the IdP the IdP creates an associated user
session This session is valid for the configured session lifetime (eg 30 minutes or 8 hours)
bull Floatable between nodes (stored on client)
bull Persistent ID bull Unique opaque identifier for a user per service provider bull In a typical SWITCHaai deployment the Persistent ID is stored in a
database bull Requires that all IdPs access a common storage to fully support
Attribute Queries 9
copy 2015 SWITCH
Storage Entities bull User consent to attribute release and terms of use
bull Requires persistent storage (client-side or server-side) bull Requires server-side storage to allow the users to use multiple
browsersclients
bull SAML artifacts bull Requires a common storage The data must be available to all active
nodes to reliably support SAML 20 artifact bull Seldom used in SWITCHaai
bull Message replay cache bull Can be stored per node in memory but then it is limited to a single
node (Still this is the default configuration) bull For higher security requirements the message replay cache can be
managed in the central database or memcached might be used
10
Page 73
copy 2015 SWITCH
Storage Recommendations
Storage Entity Recommended Storage
Scope
Conversation Session Memory Per Node IdP User Session Client Per Client Persistent ID Common Database Cluster User consents Common Database Cluster SAML artifacts Common Database Cluster Message replay cache Memory Per Node
11
Remarks bull Common Database means some centralclustered database or a database replicated
between nodes bull SAML artifacts
Irrelevant if SAML 20 artifacts not usedrequired at all bull Alternatives for Message replay cache
Common Database or memcached (depending on security requirements)
copy 2015 SWITCH
IdP Configuration Storage bull The storage service to use per storage entity is specified
in optshibboleth-idpconfidpproperties bull IdP User Session idpsessionStorageService bull User Consents idpconsentStorageService bull SAML artifacts idpartifactStorageService bull Message replay cache idpreplayCacheStorageService
bull Exception Persistent ID bull Configured in optshibboleth-idpconfglobalxml
(bean PersistentIdStore)
12
Page 74
copy 2015 SWITCH
IdP Configuration Database Storage bull The storage service shibbolethJPAStorageService stores
data in a database This service and a corresponding database backend are configured in optshibboleth-idpconfglobalxml
bull The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibbolethPostgreSQLDataSource) The configuration in globalxml must be adapted suitably for the database backend that is to be used
13
copy 2015 SWITCH
IdP Configuration Secret Key Management bull The IdP User Session is stored in an encrypted cookie in
the browser The key to encryptdecrypt this cookie should regularly be rotated In a clustered setup all nodes need to share the same key Its recommended that one node generates a new key and copies it to the other nodes
bull Setup bull Decide for a node that is responsible for generating the secret keys
and copying them to the other nodes bull Install an appropriate cronjob bull The documentation on the Shibboleth wiki contains some details
including an example cronjob script httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement
14
Page 75
copy 2015 SWITCH
Further Notes bull Memcached
bull Memcached is supported as a storage option (the IdP has a built-in client) but the use is limited
bull Might be used as an alternative to a relational database but the advantages are questionable because much additional effort is needed
bull Terracotta bull No longer an option for IdPv3
15
copy 2015 SWITCH
Considerations for planning an IdP cluster
bull Which type of setup do you need Basic setup or full-featured setup
bull What kind of database do you need Does your institution already run some clustered relational database that you can make use of
bull Which additional hardware or software is required
bull Which further considerations are relevant for your institution
16
Page 76
copy 2015 SWITCH
References Documentation bull Clustering
httpswikishibbolethnetconfluencedisplayIDP30Clustering bull Secret Key Management
httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull Storage
httpswikishibbolethnetconfluencedisplayIDP30Storage
17
Page 77
SWITCHaai Team aaiswitchch
Resource Registry Interfederation via eduGAIN and Entity Categories
copy 2015 SWITCH
Goals bull Get an idea of the benefits when participating in
interfederation
bull Know what it takes to enable an IdP for Interfederation
bull Understand the concept of Entity Categories
bull Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78
SWITCHaai Team aaiswitchch
Interfederation Option What to consider before enabling an IdP for Interfederation
copy 2015 SWITCH
Why Interfederation bull Most Federations are of national scope
bull Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations
bull Research projects are mostly multi-national
bull Interconnecting national federations Interfederation
Register the IdP or SP in only one federation and enable it for interfederation bull Enable the IdP for interfederation
Its users will be able to access services from other federations bull Enable the SP for interfederation
The service can serve users from other federations
4
Page 79
copy 2015 SWITCH
All Academic Identity Federations Globally
5
Production Pilot Source httpsrefedsorgfederationsfederations-map
copy 2015 SWITCH
eduGAIN Status bull eduGAIN is the GEacuteANT
Interfederation Service
bull eduGAIN design principles bull Low barrier to entry bull No mandate to change local
standardsprocedures bull Minimal central infrastructure
bull Status June 2015 bull IdPs 1257 bull SPs 963
httpwwwedugainorg
httpstechnicaledugainorgstatusphp
Page 80
copy 2015 SWITCH
Enabling Interfederation in the Resource Registry
7
httpswwwswitchchaaiinterfederation
Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration
SWITCH will enable the checkbox in the Resource Registry
copy 2015 SWITCH
Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
(Screenshot of the Resource Registry interfederation checkbox)
eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust.
• SPs and IdPs of participating federations should opt in to eduGAIN; some federations decided for opt-out instead.
• The MDS fetches, aggregates and republishes metadata.
• Policy documents: eduGAIN Constitution, eduGAIN Declaration, Metadata Profile, Web SSO Profile, Attribute Profile, Code of Conduct.
SWITCHaai Team aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category.
• Requires a specification for internationally coherent use; the criteria may be purpose, policies or other.
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata
(Slide with a metadata excerpt showing how the category tag appears in an entity's metadata; figure not reproduced)
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives.
• The SP has to provide a Privacy Policy (in English, according to the guideline).
• That will encourage the Home Organisation (IdP) to release attributes, so attribute release will scale.
• Goal: increase the trust in Service Providers (SPs).
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support research & scholarship interaction, collaboration and management.
• No SPs from publishers.
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
Comparison

                REFEDS R&S                  GÉANT DP CoCo
Scope           Global                      Mainly Europe
Basis           Common purpose of the SPs   Common data protection standards
Attributes      Fixed set of attributes     SP can require any attributes
SWITCHaai Team aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules
Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot, continued)
Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log
  LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2; the file names are defined in the virtual host definition
  (dir /etc/apache2/sites-available, file aai-login.example.org.conf)
Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  Default location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with each request (IP address, time, request method (GET or POST), ...)
  Default location /var/log/tomcat7; the AccessLogValve in /etc/tomcat7/server.xml defines output dir and file name
Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP; services.properties entry
  idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error (SMTPAppender, see below)
Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log (WARN and above)
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually fine; change them if required, e.g. for the LDAP auth module or authentication events, or to add a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

Logback's SMTPAppender sends a mail on each ERROR-level event by default and includes the events buffered before it, which is why the root level does not need to be raised for the alerts alone.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a (deliberately) wrong class into the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry
     idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat.
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts (reload-service.sh, reload-metadata.sh) get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
• say goodbye to container (Tomcat) restarts, which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding: opt-in vs opt-out, metadata, Discovery Service, attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate, i.e. once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so it does not know the IdP and fails
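On the IdP side the "additional metadata source, signed with the same trust anchor" is one more MetadataProvider in /opt/shibboleth-idp/conf/metadata-providers.xml. The following is an added example, not from the handouts or the SWITCH deployment guide; the metadata URL, the backing file name, the certificate path and the validity window are assumptions. It goes inside the existing chaining provider (ShibbolethMetadata), whose root element already declares the md: prefix.

```xml
<!-- Added example for /opt/shibboleth-idp/conf/metadata-providers.xml (IdP v3).
     Hypothetical URL, file and certificate path; adjust to your federation. -->
<MetadataProvider id="SWITCHaaiInterfederationSPs"
    xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://metadata.aai.switch.ch/metadata.interfederation-sps.xml"
    backingFile="%{idp.home}/metadata/metadata.interfederation-sps.xml"
    minRefreshDelay="PT5M"
    maxRefreshDelay="PT2H">

  <!-- 1) Verify the registrar's signature against the same trust anchor as
          the SWITCHaai metadata before anything else is evaluated; an
          unsigned root is rejected outright. -->
  <MetadataFilter xsi:type="SignatureValidation"
      requireSignedRoot="true"
      certificateFile="%{idp.home}/credentials/SWITCHaaiMetadataSigner.crt.pem"/>

  <!-- 2) Refuse an aggregate without validUntil, or with one so far in the
          future that a stale copy could be replayed indefinitely. -->
  <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P7D"/>

  <!-- 3) This source only has to supply relying parties: keep SP roles only,
          so a stray IdP role in the aggregate cannot be used against us. -->
  <MetadataFilter xsi:type="EntityRoleWhiteList">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
  </MetadataFilter>

</MetadataProvider>
```

Filter order is deliberate: signature first, then validity, then role pruning. If the download or the signature check fails, the provider logs the error in idp-process.log, keeps serving the last good backing file until it expires, and an SP that only exists in this aggregate is then refused as an unknown relying party, which is the mirror image of the failure the slide describes on the SP side.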
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's idp-audit.log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check why it fails
      • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN list of entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated" checker: https://wiki.edugain.org/isFederatedCheck (provide e-mail addresses or domain names)
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2. In particular, user login sessions are stored on the client instead of in server memory.
• Allows flexible configuration of various storage services (memory, server-side, client-side).
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
(Diagram of the example cluster environment, two slides; not reproduced)
Options: Full-featured setup
• Load balancing hardware vs DNS round robin
  • Special load balancing hardware or software is highly recommended:
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably:
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy
Options: Data storage client-side vs server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.
Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. a SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries
Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)
IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: the Persistent ID store is configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
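What "configured in global.xml" amounts to, as an added example rather than SWITCH's deployment files: the beans that wire shibboleth.JPAStorageService to the shibboleth.PostgreSQLDataSource named above. Database name, port, account, the password property and the pool settings are assumptions; the c: and p: namespaces are already declared in the global.xml the IdP ships.

```xml
<!-- Added example: beans for /opt/shibboleth-idp/conf/global.xml (IdP v3).
     Hypothetical database name, account and pool sizes. -->

<!-- Connection pool to the (local or clustered) PostgreSQL backend.
     The password is pulled from a property (assumed to be defined in
     idp.properties) so that global.xml itself carries no secret. -->
<bean id="shibboleth.PostgreSQLDataSource"
      class="org.apache.commons.dbcp.BasicDataSource"
      p:driverClassName="org.postgresql.Driver"
      p:url="jdbc:postgresql://localhost:5432/shibboleth"
      p:username="shibboleth"
      p:password="%{idp.storage.db.password}"
      p:maxActive="20"
      p:maxIdle="5"
      p:validationQuery="SELECT 1"
      p:testOnBorrow="true"/>

<!-- The storage service the idp.*.StorageService properties point at.
     cleanupInterval drives periodic deletion of expired records. -->
<bean id="shibboleth.JPAStorageService"
      class="org.opensaml.storage.impl.JPAStorageService"
      p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
      c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory"/>

<!-- JPA plumbing: entity class lives in org.opensaml.storage.impl and
     maps to the StorageRecords table (create it beforehand with the DDL
     from the Shibboleth wiki's Storage page). -->
<bean id="shibboleth.JPAStorageService.EntityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"
      p:packagesToScan="org.opensaml.storage.impl"
      p:dataSource-ref="shibboleth.PostgreSQLDataSource"
      p:jpaVendorAdapter-ref="shibboleth.JPAStorageService.JPAVendorAdapter">
  <property name="jpaDialect">
    <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect"/>
  </property>
</bean>

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
      p:database="POSTGRESQL"/>
```

With these beans in place, set idp.consent.StorageService and idp.artifact.StorageService in idp.properties to shibboleth.JPAStorageService (and idp.replayCache.StorageService as well if you want the stricter option from the recommendations table), leave idp.session.StorageService on the client-side service, and point the PersistentIdStore bean in global.xml at the same data source so every node resolves the same identifiers. Grant the database account rights on the StorageRecords table only, and remember that a change to any of these beans still needs a container restart.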
IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key, so it is recommended that one node generates a new key and copies it to the other nodes.
• Rotation adds a new key version to the keystore rather than replacing the only key; the IdP keeps the previous versions for decryption, so sessions issued before the rotation stay valid until they expire.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta: no longer an option for IdPv3
Considerations for planning an IdP cluster
• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
SWITCHaai Team aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation bull Most Federations are of national scope
bull Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations
bull Research projects are mostly multi-national
bull Interconnecting national federations Interfederation
Register the IdP or SP in only one federation and enable it for interfederation bull Enable the IdP for interfederation
Its users will be able to access services from other federations bull Enable the SP for interfederation
The service can serve users from other federations
4
Page 79
copy 2015 SWITCH
All Academic Identity Federations Globally
5
Production Pilot Source httpsrefedsorgfederationsfederations-map
copy 2015 SWITCH
eduGAIN Status bull eduGAIN is the GEacuteANT
Interfederation Service
bull eduGAIN design principles bull Low barrier to entry bull No mandate to change local
standardsprocedures bull Minimal central infrastructure
bull Status June 2015 bull IdPs 1257 bull SPs 963
httpwwwedugainorg
httpstechnicaledugainorgstatusphp
Page 80
copy 2015 SWITCH
Enabling Interfederation in the Resource Registry
7
httpswwwswitchchaaiinterfederation
Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration
SWITCH will enable the checkbox in the Resource Registry
copy 2015 SWITCH
Recommended Interfederation Attributes
8
Friendly name Defined in Example displayName eduPerson Peter Samplecommon name (cn) eduPerson Peter Samplemail eduPerson petersampleexampleorgeduPersonAffiliation eduPersonScopedAffiliation
eduPerson
staffstaffexampleorg
eduPersonPrincipalName eduPerson 234cd8z239exampleorgschacHomeOrganization SCHAC exampleorgschacHomeOrganizationType SCHAC urnschachomeOrganizationTypechuniversity
urnschachomeOrganizationTypeeuhigherEducationInstitution
eduPersonTargetedID Persistent Name ID
eduPerson httpsidpexampleorgidpshibbolethhttpsspexampleorgshibboleth 2389cdhu3e-sda7323
eduPerson httpwwwinternet2eduproducts-servicestrust-identity-middlewareeduperson-eduorg SCHAC httpswikirefedsorgdisplaySTANSCHAC+Releases
Page 81
copy 2015 SWITCH
Enabling Interfederation (2)
9
httpswwwswitchchaaiinterfederation
copy 2015 SWITCH
eduGAIN What is it and how does it work
bull eduGAIN provides policy framework and standards to build trust bull SPs and IdPs of participating federations should opt-in for eduGAIN
bull Some federations decided for opt-out instead
bull MDS fetches aggregates and republishes metadata
Code ofConduct
Attribute Profile
Metadata Profile
Web SSOProfile
eduGAIN Constitution
eduGAINDeclaration
Page 82
SWITCHaai Team aaiswitchch
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct
18
Page 86
copy 2015 SWITCH
REFEDS Research amp Scholarship bull RampS SPs support
bull Research amp scholarship interactionbull Collaborationbull Management
bull No SPs from publishersbull Attributes
bull Personal identifiers email person name eduPersonPrincipalName
bull Pseudonymous identifier eduPersonTargetedIDbull Affiliation eduPersonScopedAffiliation
bull Minimal subset eduPersonPrincipalName mail person name
(person name = given name + surname OR displayName)
19
copy 2015 SWITCH
Comparison
20
REFEDS RampS GEacuteANT DP CoCo
Global Mainly Europe
Common purpose of the SPs
Common data protection standards
Fixed set of attributes SP can require any attributes
Page 87
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles:
  error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
2
Page 90
Tomcat log files
catalina.out: console output (System.err/out) from Tomcat
  default logging location: /var/log/tomcat7/
  config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  default logging location: /var/log/tomcat7/
  config: /etc/tomcat7/server.xml (output dir and name)
3
Shibboleth log files (1)
Logging implementation called Logback (Log4j successor). Manual:
  o http://logback.qos.ch/manual/index.html
Reloadability: log level change without restart; the IdP services.properties entry: idp.service.logging.checkInterval = PT5M
Automatic Email Alerts on Error
4
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs/
Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  idp-process.log: detailed description of the IdP processing requests
  idp-warn.log: filtered view of idp-process.log
  idp-audit.log: general request/response auditing records
  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html
7
Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
8
Page 93
Hands On 2
9
Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat
10
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
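As an added example (not part of the SWITCH handout), a small parser that pulls the reload events above out of idp-audit.log, locating the profile field by its URI rather than by position so it survives a changed audit pattern. The sample log lines and their timestamp layout are constructed; only the two reload profile URIs come from the handout.

```python
from collections import Counter
from datetime import datetime

# Admin-flow profile IDs as they appear in idp-audit.log (from the handout).
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
}
PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"

# Constructed sample log (not real IdP output): the timestamp format and the
# field positions are an assumption made for this example; only the reload
# profile URIs are taken from the handout.
SAMPLE_AUDIT_LOG = """\
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|user1
20150611T081730Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081731Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T090002Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_audit_line(line):
    """Split one pipe-separated audit record and locate the profile field by
    its URI prefix rather than by position."""
    fields = line.rstrip("\n").split("|")
    profile = next((f for f in fields if f.startswith(PROFILE_PREFIX)), None)
    return {"time": fields[0], "profile": profile, "fields": fields}


def reload_events(lines):
    """Return [(timestamp, kind)] for every admin reload recorded in the log.
    The audit entry carries only the profile URI, not the id= argument that
    was passed to the admin flow, so that has to be correlated elsewhere."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        kind = RELOAD_PROFILES.get(rec["profile"])
        if kind is not None:
            stamp = datetime.strptime(rec["time"], "%Y%m%dT%H%M%SZ")
            events.append((stamp, kind))
    return events


def reload_summary(lines):
    """Count reloads per kind; reloads are admin actions that are restricted
    to localhost and the Resource Registry, so an unexpected burst is worth
    a closer look."""
    return Counter(kind for _, kind in reload_events(lines))


if __name__ == "__main__":
    for stamp, kind in reload_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(stamp.isoformat(), kind)
    print(dict(reload_summary(SAMPLE_AUDIT_LOG.splitlines())))
```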
Page 98
SWITCHaai Team aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: Additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck/
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org/
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
© 2015 SWITCH

Clustering IdPs – Options (slide 7)
Full-featured setup: load-balancing hardware vs DNS round robin
• Special load-balancing hardware or software is highly recommended
  – guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of the IdP nodes can be monitored
  – supports sticky sessions (required for the short-lived conversation sessions)
• DNS round robin does not work reliably
  – the behaviour of clients is not determinable
  – it does not guarantee sticky sessions
Basic setup (active/standby system)
• Anycast IP address: fast switching is possible, but the setup is more complicated
• Switching via DNS: switching takes some time (DNS TTL), but the setup is easy
Options (slide 8)
Data storage: client-side vs server-side
• Server-side database: can store any data
  – but it might cause some performance penalty
  – a centralized/clustered or replicated database is required
• Client-side storage using cookies
  – does not work for large data such as user consents
  – stored per single client: not suitable for users who use multiple browsers
There are many mechanisms and options available to set up a suitable environment. Which setup to choose depends on the requirements and the possibilities of the institution.
Page 72
Storage Entities (1) (slide 9)
• Conversation session (profile request session)
  – transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – bound to a single node (the session state is stored in memory)
  – requires session stickiness on the load balancer (short-time only)
• IdP user session
  – after a successful login at the IdP, the IdP creates an associated user session; it is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – floatable between nodes (stored on the client)
• Persistent ID
  – unique opaque identifier for a user per service provider
  – in a typical SWITCHaai deployment the persistent ID is stored in a database
  – requires that all IdP nodes access a common storage to fully support attribute queries
Storage Entities (2) (slide 10)
• User consent to attribute release and terms of use
  – requires persistent storage (client-side or server-side)
  – requires server-side storage to allow users to work with multiple browsers/clients
• SAML artifacts
  – require a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – seldom used in SWITCHaai
• Message replay cache
  – can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message already seen by one node is not recognized as a replay by another node
  – for higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations (slide 11)

Storage entity         Recommended storage   Scope
Conversation session   Memory                Per node
IdP user session       Client                Per client
Persistent ID          Common database       Cluster
User consents          Common database       Cluster
SAML artifacts         Common database       Cluster
Message replay cache   Memory                Per node

Remarks
• "Common database" means some central/clustered database, or a database replicated between the nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on the security requirements)
IdP Configuration: Storage (slide 12)
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP user session: idp.session.StorageService
  – user consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – message replay cache: idp.replayCache.StorageService
• Exception: persistent ID
  – configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage (slide 13)
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
IdP Configuration: Secret Key Management (slide 14)
• The IdP user session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key; it is recommended that one node generates a new key and copies it to the other nodes. Copy the keystore to all nodes before the new key version is put into use: a node that receives a cookie sealed with a key version it does not yet hold cannot decrypt that user session.
• Setup
  – decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – install an appropriate cronjob
  – the documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes (slide 15)
• Memcached
  – memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – it might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – no longer an option for IdPv3
Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals (slide 2)
• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of entity categories
• Recognize how entity categories can help in a data-protection-conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for interfederation

Why Interfederation? (slide 4)
• Most federations are of national scope
  – services may need to register in many federations to serve all their users; that is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – research projects are mostly multi-national
• Interconnecting national federations: interfederation
  – register the IdP or SP in only one federation and enable it for interfederation
  – enable the IdP for interfederation: its users will be able to access services from other federations
  – enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
[World map of federations, legend: Production / Pilot] Source: https://refeds.org/federations/federations-map
eduGAIN Status (slide 6)
• eduGAIN is the GÉANT interfederation service
• eduGAIN design principles
  – low barrier to entry
  – no mandate to change local standards/procedures
  – minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
[Screenshot of the Resource Registry] https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work? (slide 10)
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata (slide 13)
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – criteria: purpose, policies, or other
• In the interfederation context
  – filling the gap of missing common policies
  – supporting or increasing scalable trust

Metadata (slide 14)
[Figure: entity category attribute as it appears in SAML metadata]
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a privacy policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; this increases the trust in Service Providers (SPs)]
• Code of Conduct toolkit
  – Data Protection Code of Conduct for SPs in EU/EEA
  – entity category attribute definition for the Code of Conduct
  – SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles (slide 16)
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  – research & scholarship interaction
  – collaboration
  – management
• No SPs from publishers
• Attributes
  – personal identifiers: email, person name, eduPersonPrincipalName
  – pseudonymous identifier: eduPersonTargetedID
  – affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released

Attribute Release Rules (slide 2)
[Screenshot]
Page 88

Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) (slide 4)
[Screenshot]
Page 89
Overview of Log Files

Apache log files (slide 2)
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2; the configuration is defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/System.out) from Tomcat
  – default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  – FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST), …)
  – default logging location: /var/log/tomcat7; config in /etc/tomcat7/server.xml (the AccessLogValve defines output dir and name)
  – not to be confused with localhost.YYYY-MM-DD.log, which is written by the juli FileHandler configured in logging.properties and holds the container's messages for the localhost host (e.g. web application deployment errors)
Shibboleth log files (1) (slide 4)
• Logging implementation: Logback, the Log4j successor; manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance
Shibboleth log files (3) (slide 6)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually OK; change them if required, e.g. for the LDAP auth module or authentication events, or to add a new Logger or Appender …
• Log messages have five levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note: the SMTPAppender only sends a mail when an event of level ERROR arrives (Logback's default evaluator), bundled with the preceding events from its cyclic buffer; a root level of DEBUG is fine for a test like this but very verbose for production use.
http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up? (slide 8)
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear (slide 9)

Hands On 2 (continued) (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName again and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2 (slide 2)
• Only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• A reload is explicitly triggered by calling two special-purpose admin flows, which are reached under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified … requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads the attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restart-less login page editing, too (slide 5)
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
(Ideas for) hands-on exercises (slide 7)
• Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
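The reload procedure from slides 3 and 4 as a small script, added here as an example; it is not code from SWITCH or the Shibboleth project. It extracts the service bean IDs from services-system.xml the way the grep on slide 3 does, refuses an id= value that is not in that list before touching the IdP (the "invalid bean ID" case from the exercises), and otherwise requests the admin flow URL. The host name aai-login.example.org is the slides' placeholder; the embedded services-system.xml excerpt (so the script runs offline), and the assumption that a successful reload answers with HTTP 200 and a failed one with a non-2xx status, are mine.

```python
#!/usr/bin/env python3
"""Discover the reloadable IdP services and trigger the v3 admin reload flows.

Added example for this handout, not code from SWITCH or the Shibboleth project.
Assumptions (not stated on the slides): the admin flows answer with HTTP 200 on
success and a non-2xx status on failure, and the script runs on the IdP host
itself, because access-control.xml limits the reload-* flows to localhost.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IDP_HOME = "/opt/shibboleth-idp"
BASE_URL = "https://aai-login.example.org/idp/profile/admin"
SPRING_NS = "http://www.springframework.org/schema/beans"

# Constructed excerpt in the shape of system/conf/services-system.xml so that
# the example runs offline; the real file declares more beans.
SAMPLE_SERVICES_SYSTEM_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="shibboleth.LoggingService"
        class="net.shibboleth.idp.log.LogbackLoggingService"/>
  <bean id="shibboleth.AttributeResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeFilterService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.MetadataResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.ReloadableAccessControlService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <!-- a resource list, not a service bean: it has no reload flow -->
  <util:list id="shibboleth.MessageSourceResources">
    <value>%{idp.home}/messages/messages</value>
  </util:list>
</beans>
"""


def reloadable_services(xml_text):
    """Return the IDs of the service beans, i.e. the valid id= values for reload-service."""
    root = ET.fromstring(xml_text)
    ids = []
    for bean in root.iter("{%s}bean" % SPRING_NS):
        bean_id = bean.get("id", "")
        if bean_id.startswith("shibboleth.") and bean.get("class", "").endswith("Service"):
            ids.append(bean_id)
    return sorted(ids)


def reload_url(flow, target_id, known_ids=None, base_url=BASE_URL):
    """Build the admin flow URL; reject unknown IDs before calling the IdP."""
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown admin flow: %s" % flow)
    if known_ids is not None and target_id not in known_ids:
        raise ValueError("unknown id %r; known: %s" % (target_id, ", ".join(known_ids)))
    return "%s/%s?id=%s" % (base_url, flow, urllib.parse.quote(target_id, safe=""))


def trigger(url, timeout=10):
    """GET the flow URL; returns (status, body), or (None, reason) if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:
        return None, str(err.reason)


def main(argv):
    """Usage: reload.py <bean-id> [--dry-run]  |  reload.py --metadata <provider-id> [--dry-run]"""
    if not argv:
        print(main.__doc__)
        return 2
    flow, target = "reload-service", argv[0]
    if argv[0] == "--metadata" and len(argv) > 1:
        flow, target = "reload-metadata", argv[1]
    known = None
    if flow == "reload-service":
        with open("%s/system/conf/services-system.xml" % IDP_HOME) as fh:
            known = reloadable_services(fh.read())
    url = reload_url(flow, target, known)
    if "--dry-run" in argv:
        print(url)
        return 0
    status, body = trigger(url)
    print("%s -> %s %s" % (url, status, body.strip()))
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

With --dry-run the script only prints the URL, which can be handed to curl as on the exercise slide; the metadata provider IDs are not validated, because they live in the metadata-provider files rather than in services-system.xml.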
New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – opt-in vs opt-out
  – metadata
  – discovery service
  – attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – once the configuration is up to date:
    · the interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: discovery service, attribute mapping, access rules
  ⊖ slow process  ⊕ entities are unlikely to cause interoperability problems
• Opt-out
  – the federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day if they do not want to participate or if they are not ready yet
  ⊕ quick adoption  ⊖ more likely that entities cause problems, unless they opted out before the flag day
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not; the central discovery service of the UK Federation lists all interfederated IdPs, also if the service opted out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – in SWITCHaai: two hours
  – for interfederation: one to a few days
• Possible issue
  – the SP does not load the interfederation metadata
  – the SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – an interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – e.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – that can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  – check the SP's attribute requirements in the Resource Registry
  – verify that attributes were released (in the IdP's audit log)
    · if NO: check your IdP's attribute release policy
    · if YES: were all required attributes released?
      if YES: the SP has to check why it fails; if NO: review your attribute release policy
• Another issue
  – an SP failed because it was not able to decrypt the SAML assertion that included the attribute values; the SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier (the IdP encrypts for the encryption certificate published in the SP's metadata, so that certificate has to match the key the SP actually holds)
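The audit-log check from the decision tree above, together with the reload entries from the hands-on slide of the reloading set, as an added example (not code from SWITCH or the Shibboleth project). The field order in AUDIT_FIELDS is an assumption and must match the format string in conf/audit.xml of your IdP; the log lines, the SP entity ID and its requirement list are constructed for the example (in practice the requirements come from the Resource Registry). Reload records carry only the profile URI, so the id= argument the exercise asks about has to be found in idp-process.log at the same timestamp.

```python
#!/usr/bin/env python3
"""Answer the attribute questions of the slide from idp-audit.log.

Added example for this handout, not code from SWITCH or the Shibboleth project.
Assumptions: AUDIT_FIELDS is the field order produced by this IdP's conf/audit.xml
(adapt it to your own format string); the log lines and the SP's requirement
list below are constructed, the real list comes from the Resource Registry.
"""
import sys

# Field names in the order of the audit format string (assumption, see above).
AUDIT_FIELDS = [
    "time", "inboundBinding", "inboundMessageId", "relyingParty", "profile",
    "username", "attributes", "nameIdFormat", "nameId", "assertionIds",
    "outboundMessageId", "outboundBinding", "statusCode", "subStatusCode",
    "authnContext", "encrypted", "signed",
]
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

SP = "https://sp.example.org/shibboleth"
# What this SP requires (constructed; look it up in the Resource Registry).
REQUIRED_BY_SP = {"displayName", "mail", "eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Constructed audit lines: two logins to SP, one to another SP, two reload events.
SAMPLE_AUDIT_LOG = """\
20150611T100001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|displayName,mail,eduPersonPrincipalName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid1|_as1|_resp1|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:status:Success||urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|true|true
20150611T100230Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|eduPersonTargetedID,eduPersonScopedAffiliation|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid2|_as2|_resp2|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:status:Success||urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|true|true
20150611T101500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||||||
20150611T101501Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||||||
20150611T103000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|asmith||urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid3|_as3|_resp3|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|urn:oasis:names:tc:SAML:2.0:status:Success||urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|true|true
"""


def parse_audit(text, fields=AUDIT_FIELDS):
    """Split each audit line into a dict; short lines are padded with empty fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|")
        values += [""] * (len(fields) - len(values))
        records.append(dict(zip(fields, values)))
    return records


def reload_events(records):
    """Reload records carry only the profile URI; the id= argument is not audited."""
    return [(r["time"], r["profile"]) for r in records if r["profile"].startswith(RELOAD_PREFIX)]


def check_release(records, relying_party, required):
    """For every SSO login to relying_party: what was released and what is missing."""
    results = []
    for r in records:
        if r["relyingParty"] != relying_party or r["profile"] != SSO_PROFILE:
            continue
        released = {a for a in r["attributes"].split(",") if a}
        results.append({
            "time": r["time"],
            "username": r["username"],
            "released": sorted(released),
            "missing": sorted(set(required) - released),
        })
    return results


def verdict(result):
    """The decision tree of the slide, as text."""
    if not result["released"]:
        return "nothing released: check the IdP's attribute release policy"
    if result["missing"]:
        return "incomplete release, missing %s: review the attribute release policy" % ", ".join(result["missing"])
    return "all required attributes released: the SP has to check why it fails"


def main(argv):
    text = open(argv[0]).read() if argv else SAMPLE_AUDIT_LOG
    records = parse_audit(text)
    for time, profile in reload_events(records):
        print("%s reload: %s" % (time, profile))
    for res in check_release(records, SP, REQUIRED_BY_SP):
        print("%s %s -> %s" % (res["time"], res["username"], verdict(res)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with /opt/shibboleth-idp/logs/idp-audit.log as argument on the IdP; without an argument it evaluates the constructed sample.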
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN list of entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  – which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo): http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
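Searching the interfederation metadata file by hand, as suggested above, answers three of the questions from the previous slides at once: is the SP in the aggregate at all (the "SP does not know the IdP" case in reverse), which attributes does it request, and does it publish an encryption certificate for the assertion. The script below is an added example, not code from SWITCH or the Shibboleth project. The aggregate it parses is a constructed fragment with placeholder entity IDs and certificates; the file path is the one from the slide. It only reads the metadata and does not verify the file's signature (the IdP does that when loading it).

```python
#!/usr/bin/env python3
"""Look up an SP in a SAML metadata aggregate: presence, requested attributes,
and whether it publishes an encryption certificate.

Added example for this handout, not code from SWITCH or the Shibboleth project.
SAMPLE_METADATA is a constructed fragment in the shape of an interfederation
aggregate; entity IDs and certificates are placeholders. The signature of the
aggregate is not checked here (the IdP verifies it when loading the file).
"""
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
METADATA_FILE = "/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml"

SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder-sp...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName"
            Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.net/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder-legacy...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://legacy.example.net/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def inspect_sp(metadata_text, entity_id):
    """Return None if entity_id is not an SP in the aggregate, else a summary dict."""
    root = ET.fromstring(metadata_text)
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        if entity.get("entityID") != entity_id:
            continue
        sp = entity.find("{%s}SPSSODescriptor" % MD)
        if sp is None:
            return None  # present, but not as an SP
        required, optional, certs = [], [], []
        for key in sp.findall("{%s}KeyDescriptor" % MD):
            # A KeyDescriptor without 'use' serves both signing and encryption.
            if key.get("use") in (None, "encryption"):
                for cert in key.iter("{%s}X509Certificate" % DS):
                    certs.append((cert.text or "").strip())
        for attr in sp.iter("{%s}RequestedAttribute" % MD):
            name = attr.get("FriendlyName") or attr.get("Name")
            (required if attr.get("isRequired") == "true" else optional).append(name)
        return {"required": sorted(required), "optional": sorted(optional), "encryption_certs": certs}
    return None


def main(argv):
    if not argv:
        print("usage: inspect_sp.py <entityID> [metadata file]")
        return 2
    path = argv[1] if len(argv) > 1 else METADATA_FILE
    with open(path) as fh:
        info = inspect_sp(fh.read(), argv[0])
    if info is None:
        print("%s: not an SP in %s, so the IdP cannot know it" % (argv[0], path))
        return 1
    print("required: %s" % ", ".join(info["required"]))
    print("optional: %s" % ", ".join(info["optional"]))
    if not info["encryption_certs"]:
        print("no encryption certificate published: assertions to this SP cannot be encrypted")
    for cert in info["encryption_certs"]:
        print("encryption certificate (compare with the SP's private key): %s..." % cert[:24])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

When the SP reports that it cannot decrypt the assertion, the printed certificate is what the IdP encrypted for; the SP operator can compare it with the certificate of the key configured at the SP.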
copy 2015 SWITCH
Storage Entities (slide 9)
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
Storage Entities (slide 10)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
Page 73
Storage Recommendations (slide 11)

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)
IdP Configuration: Storage (slide 12)
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
Page 74
IdP Configuration: Database Storage (slide 13)
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
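A small check script for the storage settings above, added here as an example (it is not part of the SWITCH handouts). It reads the four idp.properties keys from slide 12 and compares them with the recommendation table; the bean names it recognises (shibboleth.StorageService for per-node memory, shibboleth.Client*StorageService for the browser cookie, shibboleth.JPAStorageService for the common database) are the stock IdP v3 names and are an assumption of the script.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: compare the storage services set in
# idp.properties with the cluster recommendations from the slides. Assumed bean
# names: shibboleth.StorageService = per-node memory, shibboleth.Client*StorageService
# = browser cookie, shibboleth.JPAStorageService = the common database from global.xml.

# prop_value FILE KEY: last uncommented value of KEY (blank if it is not set).
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '[:space:]'
}

# classify BEAN: memory | client | database | other | unset
classify() {
    case "$1" in
        '')                                echo unset ;;
        shibboleth.StorageService)         echo memory ;;
        shibboleth.Client*StorageService)  echo client ;;
        shibboleth.JPAStorageService)      echo database ;;
        *)                                 echo other ;;
    esac
}

# check_storage FILE: prints one line per storage entity; the return value is the
# number of entities whose storage would not work across nodes (0 = cluster-ready).
check_storage() {
    file=$1
    bad=0
    for spec in \
        "idp.session.StorageService:client:IdP User Session" \
        "idp.consent.StorageService:database:User consents" \
        "idp.artifact.StorageService:database:SAML artifacts" \
        "idp.replayCache.StorageService:memory:Message replay cache"
    do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; label=${rest#*:}
        val=$(prop_value "$file" "$key")
        kind=$(classify "$val")
        # A common database is acceptable everywhere; otherwise the kind must match
        # the recommendation (client for the session, memory for the replay cache).
        if [ "$kind" = database ] || [ "$kind" = "$want" ]; then
            status=ok
        else
            status=WARN
            bad=$((bad + 1))
        fi
        printf '%s: %s = %s (%s, recommended: %s)\n' \
            "$status" "$label" "${val:-<unset>}" "$kind" "$want"
    done
    return "$bad"
}

# Usage: sh check-storage.sh /opt/shibboleth-idp/conf/idp.properties
if [ $# -gt 0 ]; then
    check_storage "$1"
fi
```

With the stock single-node defaults the script reports the consent store and the artifact store as WARN, which is exactly what has to change before adding a second node.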
IdP Configuration: Secret Key Management (slide 14)
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes (slide 15)
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation? (slide 4)
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
[Map of production and pilot federations] Source: https://refeds.org/federations/federations-map
eduGAIN Status (slide 6)
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)

Friendly name                           | Defined in | Example
displayName                             | eduPerson  | Peter Sample
common name (cn)                        | eduPerson  | Peter Sample
mail                                    | eduPerson  | peter.sample@example.org
eduPersonAffiliation                    | eduPerson  | staff
eduPersonScopedAffiliation              | eduPerson  | staff@example.org
eduPersonPrincipalName                  | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                   | SCHAC      | example.org
schacHomeOrganizationType               | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata (slide 13)
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (slide 14)
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles (slide 16)
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)

REFEDS R&S               | GÉANT DP CoCo
Global                   | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes  | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (slide 2)
Page 88
Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) (slide 4)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files (slide 2)
• error.log: aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration: defined in the virtual host definition, directory /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/System.out) from Tomcat; default logging location /var/log/tomcat7; configured in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; configured in /etc/tomcat7/server.xml (output directory and name)
Shibboleth log files (1) (slide 4)
• The logging implementation is called Logback (the Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3) (slide 6)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

    <!-- Email appender: Logback's SMTPAppender sends a buffered batch of events
         by mail; with the default triggering policy a mail goes out when an
         ERROR-level event arrives -->
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <!-- Attach the new appender to the root logger next to the existing ones -->
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2 (slide 9)
Find out why not all of the attributes appear

Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2 (slide 2)
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
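A wrapper around the curl call from slide 3, added here as an example (not part of the handouts and not one of the scripts shipped under /opt/shibboleth-idp/bin). It refuses a bean ID that is not in the list on slide 4 before contacting the IdP; the host name aai-login.example.org is the constructed example from the slides and is taken from IDP_HOST.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: trigger an IdP v3 service or
# metadata reload through the admin flows named on the slide. The list of
# reloadable service IDs is the one from slide 4; the host is an assumption
# (override with IDP_HOST=...).

IDP_HOST=${IDP_HOST:-aai-login.example.org}

# Bean IDs that the reload-service flow knows about (slide 4).
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# valid_service_id ID: succeeds only for one of the known reloadable services.
valid_service_id() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -qx -- "$1"
}

# reload_url KIND ID: URL of the admin flow; KIND is "service" or "metadata".
reload_url() {
    case "$1" in
        service)
            printf 'https://%s/idp/profile/admin/reload-service?id=%s\n' "$IDP_HOST" "$2" ;;
        metadata)
            printf 'https://%s/idp/profile/admin/reload-metadata?id=%s\n' "$IDP_HOST" "$2" ;;
        *)
            return 1 ;;
    esac
}

# reload_service ID: reject unknown IDs locally (exit status 2), then call the
# flow. The flow is restricted to localhost by default (access-control.xml), so
# run this on the IdP node; --fail turns an HTTP error into a non-zero exit and
# the response body reports whether the reload itself succeeded.
reload_service() {
    if ! valid_service_id "$1"; then
        echo "unknown service bean ID: $1" >&2
        return 2
    fi
    curl --silent --show-error --fail "$(reload_url service "$1")"
}

# reload_metadata ID: metadata provider IDs are site-specific (see the grep on
# slide 3), so no list is checked here, only the URL is built.
reload_metadata() {
    curl --silent --show-error --fail "$(reload_url metadata "$1")"
}

# Usage: sh reload.sh service shibboleth.AttributeFilterService
#        sh reload.sh metadata SWITCHaaiMetadata   (constructed provider ID)
if [ $# -eq 2 ]; then
    case "$1" in
        service)  reload_service "$2" ;;
        metadata) reload_metadata "$2" ;;
        *)        echo "usage: $0 service|metadata ID" >&2; exit 1 ;;
    esac
fi
```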
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs. Opt-out (slide 3)
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process ⊕ Entities are unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load the interfederation metadata
  • The SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
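The "verify in the audit log" step above, worked through as an added example that is not part of the handouts: two shell functions that pull the attribute list the IdP released to one SP out of idp-audit.log and compare it with the SP's requirements. The sample records are constructed; the script assumes the stock IdP v3 audit layout ('|'-separated, SP entity ID in field 4, comma-separated attribute list in field 11), which you should confirm against your own conf/audit.xml before trusting the result.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts. Assumed audit record layout
# (stock IdP v3 SAML2 SSO format): '|'-separated fields, field 4 = SP entity ID,
# field 11 = comma-separated list of released attributes. Reload events, as on
# the hands-on slide, carry an empty SP field and are skipped automatically.

# released_attrs LOG SP_ENTITY_ID: attribute list of the most recent record for SP
# (empty output if the SP never appears in the log).
released_attrs() {
    awk -F'|' -v sp="$2" '$4 == sp { last = $11 } END { print last }' "$1"
}

# missing_attrs LOG SP_ENTITY_ID ATTR...: prints the required attributes that are
# absent from the last release to SP; exit status 1 if anything is missing.
missing_attrs() {
    log=$1; sp=$2; shift 2
    released=",$(released_attrs "$log" "$sp"),"
    missing=""
    for a in "$@"; do
        case "$released" in
            *",$a,"*) ;;                         # released: nothing to report
            *)        missing="$missing $a" ;;   # required but not released
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# write_sample_audit_log FILE: three constructed idp-audit.log records for the
# demo; a real log has one such line per request and per reload.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
20150611T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,displayName|_nameid1
20150611T101600Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T101700Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp2|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|_nameid2
EOF
}

# Usage: sh audit-check.sh /opt/shibboleth-idp/logs/idp-audit.log SP_ENTITY_ID ATTR...
if [ $# -ge 3 ]; then
    missing_attrs "$@"
fi
```

An empty list from released_attrs means the IdP never answered that SP at all (the "If NO" branch on the slide); a non-empty list with missing entries is the "not all required attributes" branch.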
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search for it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Storage Recommendations
Storage Entity Recommended Storage
Scope
Conversation Session Memory Per Node IdP User Session Client Per Client Persistent ID Common Database Cluster User consents Common Database Cluster SAML artifacts Common Database Cluster Message replay cache Memory Per Node
11
Remarks bull Common Database means some centralclustered database or a database replicated
between nodes bull SAML artifacts
Irrelevant if SAML 20 artifacts not usedrequired at all bull Alternatives for Message replay cache
Common Database or memcached (depending on security requirements)
copy 2015 SWITCH
IdP Configuration Storage bull The storage service to use per storage entity is specified
in optshibboleth-idpconfidpproperties bull IdP User Session idpsessionStorageService bull User Consents idpconsentStorageService bull SAML artifacts idpartifactStorageService bull Message replay cache idpreplayCacheStorageService
bull Exception Persistent ID bull Configured in optshibboleth-idpconfglobalxml
(bean PersistentIdStore)
12
Page 74
copy 2015 SWITCH
IdP Configuration Database Storage bull The storage service shibbolethJPAStorageService stores
data in a database This service and a corresponding database backend are configured in optshibboleth-idpconfglobalxml
bull The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibbolethPostgreSQLDataSource) The configuration in globalxml must be adapted suitably for the database backend that is to be used
13
copy 2015 SWITCH
IdP Configuration Secret Key Management bull The IdP User Session is stored in an encrypted cookie in
the browser The key to encryptdecrypt this cookie should regularly be rotated In a clustered setup all nodes need to share the same key Its recommended that one node generates a new key and copies it to the other nodes
bull Setup bull Decide for a node that is responsible for generating the secret keys
and copying them to the other nodes bull Install an appropriate cronjob bull The documentation on the Shibboleth wiki contains some details
including an example cronjob script httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement
14
Page 75
copy 2015 SWITCH
Further Notes bull Memcached
bull Memcached is supported as a storage option (the IdP has a built-in client) but the use is limited
bull Might be used as an alternative to a relational database but the advantages are questionable because much additional effort is needed
bull Terracotta bull No longer an option for IdPv3
15
copy 2015 SWITCH
Considerations for planning an IdP cluster
bull Which type of setup do you need Basic setup or full-featured setup
bull What kind of database do you need Does your institution already run some clustered relational database that you can make use of
bull Which additional hardware or software is required
bull Which further considerations are relevant for your institution
16
Page 76
copy 2015 SWITCH
References Documentation bull Clustering
httpswikishibbolethnetconfluencedisplayIDP30Clustering bull Secret Key Management
httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull Storage
httpswikishibbolethnetconfluencedisplayIDP30Storage
17
Page 77
SWITCHaai Team aaiswitchch
Resource Registry Interfederation via eduGAIN and Entity Categories
copy 2015 SWITCH
Goals bull Get an idea of the benefits when participating in
interfederation
bull Know what it takes to enable an IdP for Interfederation
bull Understand the concept of Entity Categories
bull Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78
SWITCHaai Team aaiswitchch
Interfederation Option What to consider before enabling an IdP for Interfederation
copy 2015 SWITCH
Why Interfederation bull Most Federations are of national scope
bull Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations
bull Research projects are mostly multi-national
bull Interconnecting national federations Interfederation
Register the IdP or SP in only one federation and enable it for interfederation bull Enable the IdP for interfederation
Its users will be able to access services from other federations bull Enable the SP for interfederation
The service can serve users from other federations
4
Page 79
copy 2015 SWITCH
All Academic Identity Federations Globally
5
Production Pilot Source httpsrefedsorgfederationsfederations-map
copy 2015 SWITCH
eduGAIN Status bull eduGAIN is the GEacuteANT
Interfederation Service
bull eduGAIN design principles bull Low barrier to entry bull No mandate to change local
standardsprocedures bull Minimal central infrastructure
bull Status June 2015 bull IdPs 1257 bull SPs 963
httpwwwedugainorg
httpstechnicaledugainorgstatusphp
Page 80
copy 2015 SWITCH
Enabling Interfederation in the Resource Registry
7
httpswwwswitchchaaiinterfederation
Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration
SWITCH will enable the checkbox in the Resource Registry
copy 2015 SWITCH
Recommended Interfederation Attributes
8
Friendly name Defined in Example displayName eduPerson Peter Samplecommon name (cn) eduPerson Peter Samplemail eduPerson petersampleexampleorgeduPersonAffiliation eduPersonScopedAffiliation
eduPerson
staffstaffexampleorg
eduPersonPrincipalName eduPerson 234cd8z239exampleorgschacHomeOrganization SCHAC exampleorgschacHomeOrganizationType SCHAC urnschachomeOrganizationTypechuniversity
urnschachomeOrganizationTypeeuhigherEducationInstitution
eduPersonTargetedID Persistent Name ID
eduPerson httpsidpexampleorgidpshibbolethhttpsspexampleorgshibboleth 2389cdhu3e-sda7323
eduPerson httpwwwinternet2eduproducts-servicestrust-identity-middlewareeduperson-eduorg SCHAC httpswikirefedsorgdisplaySTANSCHAC+Releases
Page 81
copy 2015 SWITCH
Enabling Interfederation (2)
9
httpswwwswitchchaaiinterfederation
copy 2015 SWITCH
eduGAIN What is it and how does it work
bull eduGAIN provides policy framework and standards to build trust bull SPs and IdPs of participating federations should opt-in for eduGAIN
bull Some federations decided for opt-out instead
bull MDS fetches aggregates and republishes metadata
Code ofConduct
Attribute Profile
Metadata Profile
Web SSOProfile
eduGAIN Constitution
eduGAINDeclaration
Page 82
SWITCHaai Team aaiswitchch
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
GÉANT Data Protection Code of Conduct: Principles (slide 16)
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)

REFEDS R&S                | GÉANT DP CoCo
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released

Attribute Release Rules (slide 2)
Page 88
Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) (slide 4)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files (slide 2)
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration: defined in the virtual host definition, directory /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1) (slide 4)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error
Page 91
Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3) (slide 6)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  – LDAP auth module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

With its default evaluator the SMTPAppender sends one mail per ERROR-level event, including the events it buffered before it; the root level only determines what reaches the appenders.
http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2 (slide 9)
Find out why not all of the attributes appear.

Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2 (slide 2)
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
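Added example, not part of the SWITCH handout: a small shell helper that does what the two reload slides describe, i.e. lists the reloadable bean IDs the way the grep above does, builds the admin-flow URL, calls it with curl from localhost and interprets the answer. It assumes the default admin flow paths, the bean IDs listed above and the placeholder host name aai-login.example.org; the services-system.xml excerpt inside it is constructed so the extraction can be tried without an IdP installation.

```shell
#!/bin/sh
# Added example (not part of the SWITCH handout): trigger IdP v3 service
# reloads from localhost with curl and check the outcome.
# Assumptions: default admin flow paths (/idp/profile/admin/reload-service,
# /idp/profile/admin/reload-metadata), the bean IDs from the slide above, and
# the placeholder host name aai-login.example.org.

IDP_HOST="${IDP_HOST:-aai-login.example.org}"   # placeholder, set to your IdP host

# Bean IDs of the reloadable services listed on the slide (IdP v3).
RELOADABLE_IDS="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Constructed excerpt in the style of system/conf/services-system.xml, used
# only so that the id extraction below can be tried without an IdP install.
SAMPLE_SERVICES_XML='<beans>
  <bean id="shibboleth.AttributeResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"
        p:serviceConfigurationStrategy-ref="shibboleth.AttributeResolverConfigurationStrategy"/>
  <bean id="shibboleth.MetadataResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
</beans>'

# Same extraction as the grep on the slide, reduced to the bean ids.
# Reads the file names given as arguments, or stdin when none are given.
extract_bean_ids() {
    grep -o 'bean id="[^"]*"[^>]*class=' "$@" | sed 's/^bean id="\([^"]*\)".*/\1/'
}

# Refuse unknown ids locally instead of finding out from the IdP's error page.
is_reloadable_id() {
    for known in $RELOADABLE_IDS; do
        [ "$known" = "$1" ] && return 0
    done
    return 1
}

# $1 is "service" or "metadata", $2 the bean id or metadata provider id.
reload_url() {
    printf 'https://%s/idp/profile/admin/reload-%s?id=%s\n' "$IDP_HOST" "$1" "$2"
}

# Call the admin flow: the IdP answers 200 with a one-line confirmation, 403
# when access-control.xml does not allow the caller (localhost by default),
# and an error status when the reload itself fails (details in idp-process.log).
reload_service() {
    is_reloadable_id "$1" || { echo "unknown service id: $1" >&2; return 2; }
    body=$(mktemp) || return 3
    code=$(curl -s -o "$body" -w '%{http_code}' "$(reload_url service "$1")")
    if [ "$code" = "200" ]; then
        echo "reload OK ($1): $(cat "$body")"; rm -f "$body"; return 0
    fi
    echo "reload FAILED ($1): HTTP $code, see idp-process.log" >&2
    cat "$body" >&2; rm -f "$body"; return 1
}

# Usage: sh reload.sh shibboleth.AttributeResolverService
if [ -n "${1:-}" ]; then reload_service "$1"; fi
```

Validating the id before the request keeps the "invalid bean ID" case of the hands-on slide out of the IdP logs, and the HTTP status check is what a cron job or deployment script should key on rather than the response text.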
Page 96
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
Three Examples (slide 4)
1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      If YES: the SP has to check out why it fails
      If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
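Added example, not part of the SWITCH handout: a shell script that applies the checklist above to idp-audit.log, i.e. reads the attributes released to a given SP from the audit log and compares them with the SP's requirements, and that also picks out the reload events quoted on the reloading hands-on slide. The audit line layout it assumes is the IdP v3 default (%T|%b|%I|%SP|%P|%u|%ac|%attr|…, to be checked against idp.audit.format.default in conf/audit.xml); the log lines are constructed sample data, and the SP entityIDs and attribute lists are placeholders.

```shell
#!/bin/sh
# Added example (not part of the SWITCH handout): walk the decision tree of
# the Attributes slide against idp-audit.log. Assumes the IdP v3 default
# audit line format
#   %T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%X|%e|%S|%SS|%s|%UA|%a
# (relying party in field 4, profile in 5, user in 6, released attributes,
# comma separated, in field 8); check idp.audit.format.default in
# conf/audit.xml before relying on these positions.

# Constructed sample of idp-audit.log lines: SSO logins to two SPs and a
# metadata reload event like the one quoted on the hands-on slide.
SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat >"$SAMPLE_AUDIT" <<'EOF'
20150611T120501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,mail,eduPersonPrincipalName|_n1|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|true|true|true|true|_s1|Mozilla/5.0|192.0.2.10
20150611T120733Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||||||127.0.0.1
20150611T121200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2|https://sp2.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,displayName,eduPersonPrincipalName|_n2|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|true|true|true|true|_s2|Mozilla/5.0|192.0.2.10
EOF

# Attributes released in the most recent SSO to relying party $2
# (optionally limited to user $3); empty output when no such entry exists.
released_attributes() {
    awk -F'|' -v sp="$2" -v user="${3:-}" \
        '$4 == sp && (user == "" || $6 == user) { attrs = $8 } END { print attrs }' "$1"
}

# Entries of the required list ($1) that are not in the released list ($2).
missing_attributes() {
    missing=""
    for req in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$req,"*) ;;
            *) missing="${missing:+$missing,}$req" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# The slide's checklist: NONE_RELEASED -> check the release policy;
# MISSING:<list> -> review the release policy; ALL_RELEASED -> the SP side
# has to investigate.
check_release() {
    released=$(released_attributes "$1" "$2")
    if [ -z "$released" ]; then
        echo "NONE_RELEASED"; return 1
    fi
    missing=$(missing_attributes "$3" "$released")
    if [ -z "$missing" ]; then
        echo "ALL_RELEASED"; return 0
    fi
    echo "MISSING:$missing"; return 2
}

# Reload events as on the hands-on slide: the profile field names the admin
# flow but carries no id= argument, so the id has to be looked up in
# idp-process.log.
reload_events() {
    awk -F'|' '$5 ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-/ { print $1, $5 }' "$1"
}

# Usage: check_release /opt/shibboleth-idp/logs/idp-audit.log <entityID> attr1,attr2
check_release "$SAMPLE_AUDIT" https://sp.example.org/shibboleth-sp eduPersonPrincipalName,mail,displayName
reload_events "$SAMPLE_AUDIT"
```

Run against the real log with the SP's entityID from the Resource Registry and its required attribute list; the exit status (0 all released, 1 nothing released, 2 some missing) tells you which branch of the slide's checklist applies before you contact the SP operator.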
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide e-mail addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
IdP Configuration: Database Storage (slide 13)
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management (slide 14)
• The IdP user session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
Page 75
Further Notes (slide 15)
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation? (slide 4)
• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
[Figure: world map of academic identity federations; legend: Production, Pilot. Source: https://refeds.org/federations/federations-map]

eduGAIN Status (slide 6)
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes (slide 8)

Friendly name                            | Defined in | Example
displayName                              | eduPerson  | Peter Sample
common name (cn)                         | eduPerson  | Peter Sample
mail                                     | eduPerson  | peter.sample@example.org
eduPersonAffiliation                     | eduPerson  | staff
eduPersonScopedAffiliation               | eduPerson  | staff@example.org
eduPersonPrincipalName                   | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                    | SCHAC      | example.org
schacHomeOrganizationType                | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
[Screenshot] https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work? (slide 10)
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Page 82
SWITCHaai Team aaiswitchch
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct
18
Page 86
copy 2015 SWITCH
REFEDS Research amp Scholarship bull RampS SPs support
bull Research amp scholarship interactionbull Collaborationbull Management
bull No SPs from publishersbull Attributes
bull Personal identifiers email person name eduPersonPrincipalName
bull Pseudonymous identifier eduPersonTargetedIDbull Affiliation eduPersonScopedAffiliation
bull Minimal subset eduPersonPrincipalName mail person name
(person name = given name + surname OR displayName)
19
copy 2015 SWITCH
Comparison
20
REFEDS RampS GEacuteANT DP CoCo
Global Mainly Europe
Common purpose of the SPs
Common data protection standards
Fixed set of attributes SP can require any attributes
Page 87
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs
Interfederation unites various cultures
© 2015 SWITCH
Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Further Notes (slide 15)
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3
Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
Page 76
References / Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
Page 77
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales
Page 78
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation? (slide 4)
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)
eduGAIN Status (slide 6)
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)
Friendly name | Defined in | Example
displayName | eduPerson | Peter Sample
common name (cn) | eduPerson | Peter Sample
mail | eduPerson | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson | staff / staff@example.org
eduPersonPrincipalName | eduPerson | 234cd8z239@example.org
schacHomeOrganization | SCHAC | example.org
schacHomeOrganizationType | SCHAC | urn:schac:homeOrganizationType:ch:university / urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Figure: the eduGAIN policy framework – eduGAIN Constitution, eduGAIN Declaration, Metadata Profile, Web SSO Profile, Attribute Profile, Code of Conduct)
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata (slide 13)
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust
Metadata (slide 14; figure only)
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. Goal: increase the trust in Service Providers (SPs).)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct (slide 16)
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)
REFEDS R&S | GÉANT DP CoCo
Global | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes | SP can require any attributes
Page 87
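The troubleshooting slides above say to look an SP up in the interfederation metadata file, note that an SP which only publishes a signing key cannot decrypt the IdP's assertion, and explain entity categories as metadata tags. The following added example (not part of the SWITCH handout) does all three checks on a metadata aggregate; the aggregate is a constructed two-entity sample with placeholder certificates, and the entity category attribute name and the R&S category URI are the published MACE-Dir/REFEDS values, which the slides do not spell out.

```python
"""Added example (not from the SWITCH handout): look an SP up in a SAML
metadata aggregate such as
/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml and report
the things the slides say go wrong: the SP missing from the metadata, the
SP having no encryption key, and which entity categories it carries.

Assumptions: the aggregate below is a constructed two-entity sample with
placeholder certificates; the entity category attribute name and the R&S
category URI are the published MACE-Dir/REFEDS values (not on the slides).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
KNOWN_CATEGORIES = {
    "http://www.geant.net/uri/dataprotection-code-of-conduct/v1": "GEANT DP CoCo",
    "http://refeds.org/category/research-and-scholarship": "REFEDS R&S",
}


def inspect_sp(aggregate_xml, entity_id):
    """Describe one SP from the aggregate, or report that it is not there."""
    root = ET.fromstring(aggregate_xml)
    # iter() also covers a file holding a single EntityDescriptor at the root.
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        sp = entity.find("md:SPSSODescriptor", NS)
        if sp is None:
            return {"found": True, "is_sp": False}
        # A KeyDescriptor without a 'use' attribute serves signing and encryption;
        # one marked use="signing" only gives the IdP nothing to encrypt to.
        can_decrypt = any(k.get("use") in (None, "encryption")
                          for k in sp.findall("md:KeyDescriptor", NS))
        categories = []
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in entity.findall(path, NS):
            if attr.get("Name") != ENTITY_CATEGORY_ATTR:
                continue
            for value in attr.findall("saml:AttributeValue", NS):
                uri = (value.text or "").strip()
                categories.append(KNOWN_CATEGORIES.get(uri, uri))
        return {
            "found": True,
            "is_sp": True,
            "acs": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
            "can_decrypt": can_decrypt,
            "categories": categories,
        }
    return {"found": False}


# Constructed sample aggregate (not real metadata); certificates are placeholders.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor Name="constructed-sample"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://signonly.example.net/sp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://signonly.example.net/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth", "https://signonly.example.net/sp",
                "https://unknown.example.com/sp"):
        print(eid, inspect_sp(SAMPLE_AGGREGATE, eid))
```

To run it against the real file, read /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml into a string and pass it in place of the sample.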
Attribute Release Configuration: How attributes are released
Attribute Release Rules (slide 2)
Page 88
Attribute Release Settings (1) (slide 3)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2) (slide 4)
Page 89
Overview of Log Files
Apache log files (slide 2)
• Log files
  • error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition: dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1) (slide 4)
• Logging implementation called Logback (Log4j successor); manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance
Shibboleth log files (3) (slide 6)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, e.g.:
  o LDAP auth module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

  <!-- SMTPAppender e-mails the buffered log events when an ERROR-level event arrives -->
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <!-- the new appender is attached to the root logger next to the default file appenders -->
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8): Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener into the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2 (slide 9): Find out why not all of the attributes appear
Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   - [org.ldaptive.auth.Authenticator:284]
   - [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Page 94
Reloading the Configuration: New options with IdPv3
Reloading the configuration with v2 (slide 2)
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
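Two small checks around the admin reload flows, as an added example that is not part of the SWITCH handout: the bean IDs are the ones from slide 4, the audit lines follow the pipe-delimited shape shown in the exercise, and the access.log lines assume the IdP is fronted by Apache writing the combined log format (which records the query string, and thus the id= argument the audit log lacks). All log lines are constructed samples.

```python
"""Added example (not from the SWITCH handout): helpers around the IdP v3
admin reload flows.

Assumptions: reload URLs and bean IDs as on slides 3 and 4; the audit and
Apache access log lines below are constructed samples, not real output.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Service bean IDs from the "Available bean IDs for service reloads" slide.
RELOADABLE_SERVICES = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})

# The admin flows write their profile URI into idp-audit.log (see slide 7).
RELOAD_PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Callers that may hit the reload URLs; the default access-control.xml
# restricts them to localhost.
LOCALHOST = frozenset({"127.0.0.1", "::1"})


def reload_url(base_url, service_id):
    """Build the reload-service URL for a known bean ID; reject typos up front."""
    if service_id not in RELOADABLE_SERVICES:
        raise ValueError(f"unknown service bean id: {service_id}")
    return f"{base_url}/idp/profile/admin/reload-service?{urlencode({'id': service_id})}"


def reload_events(audit_lines):
    """Return (timestamp, flow) pairs for reload events in idp-audit.log lines.

    The record is pipe-delimited; a reload shows up only through its profile
    URI field, the id= argument is not written to this log.
    """
    events = []
    for line in audit_lines:
        fields = line.rstrip("\n").split("|")
        for field in fields:
            if field.startswith(RELOAD_PROFILE_PREFIX):
                events.append((fields[0], field[len(RELOAD_PROFILE_PREFIX):]))
                break
    return events


# Apache combined format: client ident user [time] "METHOD target proto" status ...
ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def reload_requests(access_lines, allowed=LOCALHOST):
    """Recover caller, flow and id= argument of reload requests from Apache
    access.log lines, flagging callers outside the allow-list."""
    found = []
    for line in access_lines:
        match = ACCESS_RE.match(line)
        if not match:
            continue
        client, when, target, status = match.groups()
        url = urlparse(target)
        if not url.path.startswith("/idp/profile/admin/reload-"):
            continue
        found.append({
            "client": client,
            "time": when,
            "flow": url.path.rsplit("/", 1)[-1],
            "id": parse_qs(url.query).get("id", [None])[0],
            "status": int(status),
            "allowed": client in allowed,
        })
    return found


# Constructed sample lines (not real log output).
AUDIT_SAMPLE = [
    "20150611T071502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T071530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1d2|"
    "https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|",
    "20150611T072001Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
]
ACCESS_SAMPLE = [
    '127.0.0.1 - - [11/Jun/2015:09:15:02 +0200] "GET /idp/profile/admin/reload-service'
    '?id=shibboleth.AttributeResolverService HTTP/1.1" 200 45 "-" "curl/7.35.0"',
    '192.0.2.10 - - [11/Jun/2015:09:20:01 +0200] "GET /idp/profile/admin/reload-metadata'
    '?id=SWITCHaai HTTP/1.1" 403 199 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for ts, flow in reload_events(AUDIT_SAMPLE):
        print(f"{ts} audit: reload-{flow}")
    for req in reload_requests(ACCESS_SAMPLE):
        flag = "" if req["allowed"] else "  <-- not from localhost"
        print(f"{req['time']} {req['client']} {req['flow']} id={req['id']} "
              f"status={req['status']}{flag}")
```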
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
References Documentation bull Clustering
httpswikishibbolethnetconfluencedisplayIDP30Clustering bull Secret Key Management
httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull Storage
httpswikishibbolethnetconfluencedisplayIDP30Storage
17
Page 77
SWITCHaai Team aaiswitchch
Resource Registry Interfederation via eduGAIN and Entity Categories
copy 2015 SWITCH
Goals bull Get an idea of the benefits when participating in
interfederation
bull Know what it takes to enable an IdP for Interfederation
bull Understand the concept of Entity Categories
bull Recognize how Entity Categories can help in a data protection conformant attribute release that scales
2
Page 78
SWITCHaai Team aaiswitchch
Interfederation Option What to consider before enabling an IdP for Interfederation
copy 2015 SWITCH
Why Interfederation bull Most Federations are of national scope
bull Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations
bull Research projects are mostly multi-national
bull Interconnecting national federations Interfederation
Register the IdP or SP in only one federation and enable it for interfederation bull Enable the IdP for interfederation
Its users will be able to access services from other federations bull Enable the SP for interfederation
The service can serve users from other federations
4
Page 79
copy 2015 SWITCH
All Academic Identity Federations Globally
5
Production Pilot Source httpsrefedsorgfederationsfederations-map
copy 2015 SWITCH
eduGAIN Status bull eduGAIN is the GEacuteANT
Interfederation Service
bull eduGAIN design principles bull Low barrier to entry bull No mandate to change local
standardsprocedures bull Minimal central infrastructure
bull Status June 2015 bull IdPs 1257 bull SPs 963
httpwwwedugainorg
httpstechnicaledugainorgstatusphp
Page 80
copy 2015 SWITCH
Enabling Interfederation in the Resource Registry
7
httpswwwswitchchaaiinterfederation
Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration
SWITCH will enable the checkbox in the Resource Registry
copy 2015 SWITCH
Recommended Interfederation Attributes
8
Friendly name Defined in Example displayName eduPerson Peter Samplecommon name (cn) eduPerson Peter Samplemail eduPerson petersampleexampleorgeduPersonAffiliation eduPersonScopedAffiliation
eduPerson
staffstaffexampleorg
eduPersonPrincipalName eduPerson 234cd8z239exampleorgschacHomeOrganization SCHAC exampleorgschacHomeOrganizationType SCHAC urnschachomeOrganizationTypechuniversity
urnschachomeOrganizationTypeeuhigherEducationInstitution
eduPersonTargetedID Persistent Name ID
eduPerson httpsidpexampleorgidpshibbolethhttpsspexampleorgshibboleth 2389cdhu3e-sda7323
eduPerson httpwwwinternet2eduproducts-servicestrust-identity-middlewareeduperson-eduorg SCHAC httpswikirefedsorgdisplaySTANSCHAC+Releases
Page 81
copy 2015 SWITCH
Enabling Interfederation (2)
9
httpswwwswitchchaaiinterfederation
copy 2015 SWITCH
eduGAIN What is it and how does it work
bull eduGAIN provides policy framework and standards to build trust bull SPs and IdPs of participating federations should opt-in for eduGAIN
bull Some federations decided for opt-out instead
bull MDS fetches aggregates and republishes metadata
Code ofConduct
Attribute Profile
Metadata Profile
Web SSOProfile
eduGAIN Constitution
eduGAINDeclaration
Page 82
SWITCHaai Team aaiswitchch
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
Comparison (slide 20)

  REFEDS R&S                   | GÉANT DP CoCo
  -----------------------------|----------------------------------
  Global                       | Mainly Europe
  Common purpose of the SPs    | Common data protection standards
  Fixed set of attributes      | SP can require any attributes
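The two release models compared above, as an added example written for this handout (illustrative Python, not SWITCH's or Shibboleth's code). It parses a constructed SP EntityDescriptor for its entity-category values and its RequestedAttribute elements, then decides the release set: the fixed R&S bundle from the R&S slide for an SP tagged with the REFEDS category URI http://refeds.org/category/research-and-scholarship (that URI is not on the slides; it is the published R&S identifier), the attributes the SP requests in its metadata for an SP tagged with the CoCo URI listed among the normative documents, and nothing for an SP carrying no category. Entity IDs, the user's attribute set and the requested attributes are constructed sample data; the OIDs are the standard ones for those attributes.

```python
"""Decide which attributes to release to an SP from its metadata.

Illustrative example for the entity-category comparison; not SWITCH or
Shibboleth code.  All SP metadata below is a constructed sample.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"  # assumed: not on the slides

# Fixed R&S bundle from the slide (person name = givenName + sn or displayName).
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}


def parse_sp(xml_text):
    """Return (entityID, set of entity categories, {FriendlyName: isRequired})."""
    root = ET.fromstring(xml_text)
    categories = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            for value in attr.findall("saml:AttributeValue", NS):
                categories.add((value.text or "").strip())
    requested = {}
    for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        requested[ra.get("FriendlyName")] = ra.get("isRequired", "false").lower() == "true"
    return root.get("entityID"), categories, requested


def release_set(categories, requested, available, only_if_required=False):
    """Attributes (by friendly name) the IdP would release to this SP.

    R&S: the fixed bundle, as far as the user actually has those attributes.
    CoCo: what the SP requests in metadata (optionally only isRequired ones);
          this is what lets release scale without a rule per SP.
    No category: nothing, so an unknown interfederation SP gets no data.
    """
    released = set()
    if RS in categories:
        released |= RS_BUNDLE & available
    if COCO_V1 in categories:
        for name, required in requested.items():
            if name in available and (required or not only_if_required):
                released.add(name)
    return released


def sp_metadata(entity_id, categories, requested):
    """Build a constructed EntityDescriptor for the samples below."""
    cat_values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    req = "".join(
        f'<md:RequestedAttribute Name="{oid}" FriendlyName="{name}" '
        f'isRequired="{str(required).lower()}"/>'
        for name, (oid, required) in requested.items())
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}" entityID="{entity_id}">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{ENTITY_CATEGORY}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{cat_values}</saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">{entity_id}</md:ServiceName>{req}
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed sample SPs (entity IDs and requested attributes are made up).
OIDS = {"mail": "urn:oid:0.9.2342.19200300.100.1.3",
        "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
        "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"}
COCO_SP = sp_metadata("https://coco-sp.example.org/shibboleth", [COCO_V1],
                      {"mail": (OIDS["mail"], True),
                       "displayName": (OIDS["displayName"], True),
                       "eduPersonScopedAffiliation": (OIDS["eduPersonScopedAffiliation"], False)})
RS_SP = sp_metadata("https://rs-sp.example.org/shibboleth", [RS], {})
PLAIN_SP = sp_metadata("https://other-sp.example.org/shibboleth", [], {})

# What the IdP resolved for the user (constructed); note: no displayName.
USER_ATTRS = {"eduPersonPrincipalName", "mail", "givenName", "sn",
              "eduPersonScopedAffiliation", "eduPersonTargetedID", "schacHomeOrganization"}


def decide(xml_text, available=USER_ATTRS, only_if_required=False):
    entity_id, categories, requested = parse_sp(xml_text)
    return entity_id, release_set(categories, requested, available, only_if_required)


if __name__ == "__main__":
    for sp in (COCO_SP, RS_SP, PLAIN_SP):
        entity_id, released = decide(sp)
        print(entity_id, "->", sorted(released) or "nothing")
```

The CoCo SP here requests displayName as required, but the user has none, so only mail and the optional eduPersonScopedAffiliation go out; with only_if_required=True the optional attribute is withheld, which is the data-minimisation reading of the Code of Conduct. The R&S SP gets the bundle without displayName for the same reason, and the untagged SP gets nothing, which is the point of tying release to categories rather than to per-SP rules.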
Page 87
SWITCHaai Team, aai@switch.ch
Attribute Release Configuration: How attributes are released
Attribute Release Rules (slide 2)
Page 88
Attribute Release Settings (1) (slide 3)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)
Attribute Release Settings (2) (slide 4)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files (slide 2)
• error.log of the aai-login.example.org virtual host; LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log of the aai-login.example.org virtual host
• Location: /var/log/apache2; the configuration is defined in the virtual host definition (dir /etc/apache2/sites-available, file aai-login.example.org.conf)
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1) (slide 4)
• Logging implementation: Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
Page 91
Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3) (slide 6)
• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)

    <!-- Mails buffered log events; by default SMTPAppender only sends when an ERROR event arrives -->
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <!-- the root logger feeds the existing file appenders and the new mail appender -->
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8): Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener into the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2 (slide 9): Find out why not all of the attributes appear
Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch
Reloading the configuration with v2 (slide 2)
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3 (slide 3)
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too (slide 5)
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
• Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
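A reload helper for the exercises above, added here as an illustration written for this handout (it is not SWITCH's or Shibboleth's own tooling, and the bin/ scripts mentioned on slide 3 are a separate thing). The syntax-error exercise shows what a failed reload looks like from the outside; this helper parses the configuration files behind a bean ID for XML well-formedness first and only then calls the admin flow, and it rejects bean IDs that are not on slide 4 so a typo does not become a request that reloads nothing. The bean-ID-to-file mapping follows slide 4, the metadata provider file glob is an assumption, the host is the handout's aai-login.example.org placeholder, and the HTTP request (plain urllib) is only made when the script is run on the IdP host, where the reload URLs are reachable.

```python
"""Pre-flight a Shibboleth IdP v3 service reload: check the XML files behind a
bean ID for well-formedness, then call the admin reload flow.

Illustrative helper written for this handout, not SWITCH or Shibboleth code.
"""
import glob
import os
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Bean IDs (slide 4) and the files under conf/ each service reads.
# The metadata provider glob is an ASSUMPTION; adjust it to the deployment.
SERVICE_FILES = {
    "shibboleth.LoggingService": ["logback.xml"],
    "shibboleth.AttributeFilterService": ["attribute-filter.xml"],
    "shibboleth.AttributeResolverService": ["attribute-resolver*.xml"],
    "shibboleth.NameIdentifierGenerationService": ["saml-nameid.xml"],
    "shibboleth.RelyingPartyResolverService": ["relying-party.xml", "credentials.xml"],
    "shibboleth.MetadataResolverService": ["metadata-provider*.xml"],
    "shibboleth.ReloadableAccessControlService": ["access-control.xml"],
}
RELOAD_FLOWS = {"service": "reload-service", "metadata": "reload-metadata"}


def xml_error(text):
    """Return None when text is well-formed XML, else the parser's message."""
    try:
        ET.fromstring(text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def reload_url(base, bean_id, kind="service"):
    """Build the admin flow URL (slide 3); unknown service bean IDs are rejected."""
    if kind not in RELOAD_FLOWS:
        raise ValueError("kind must be 'service' or 'metadata'")
    if kind == "service" and bean_id not in SERVICE_FILES:
        raise ValueError("unknown service bean ID: " + bean_id)
    query = urllib.parse.urlencode({"id": bean_id})
    return f"{base.rstrip('/')}/idp/profile/admin/{RELOAD_FLOWS[kind]}?{query}"


def config_errors(idp_home, bean_id):
    """Parse every file the service reads; return {path: error} for broken ones."""
    errors = {}
    for pattern in SERVICE_FILES[bean_id]:
        for path in sorted(glob.glob(os.path.join(idp_home, "conf", pattern))):
            with open(path, encoding="utf-8") as fh:
                err = xml_error(fh.read())
            if err:
                errors[path] = err
    return errors


def reload_service(bean_id, idp_home="/opt/shibboleth-idp",
                   base="https://aai-login.example.org"):
    """Check the files, then reload; returns the IdP's response body."""
    errors = config_errors(idp_home, bean_id)
    if errors:
        raise SystemExit("refusing to reload, fix these first:\n" +
                         "\n".join(f"  {p}: {e}" for p, e in errors.items()))
    # Access to the reload-* URLs is restricted to localhost by default,
    # so this is meant to run on the IdP host itself.
    with urllib.request.urlopen(reload_url(base, bean_id)) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    bean = sys.argv[1] if len(sys.argv) > 1 else "shibboleth.AttributeResolverService"
    print(reload_service(bean))
```

Well-formedness is a cheap check, not a validation of the Shibboleth schema: a file can be well-formed and still fail to reload (wrong element, unknown bean reference), which is exactly the case the idp-process.log and the reload exercise are there to surface.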
Page 98
SWITCHaai Team, aai@switch.ch
New Challenges with Interfederation SPs: Interfederation unites various cultures
Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not; the central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      If YES: the SP has to check out why it fails
      If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
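The audit-log check in the decision tree above, as an added example written for this handout (illustrative Python, not SWITCH's or Shibboleth's code). The log lines are constructed; their field layout (timestamp, binding, message id, relying party, profile, user, client address, authentication context, session id, comma-separated attribute list) is an assumption modelled on the pipe-separated reload entries shown in the reloading section, and the real order is whatever conf/audit.xml defines on the IdP, so the FIELDS tuple has to be adjusted to it. The checker applies the tree on this slide: no entry for the SP points at the release policy, an entry with required attributes missing points at the release policy, and a complete entry puts the ball in the SP's court. It also lists the reload events the hands-on exercises mention, which carry no id= argument in the audit line.

```python
"""Check idp-audit.log for what was released to an SP and apply the
troubleshooting decision tree from the Attributes slide.

Illustrative example for this handout, not SWITCH or Shibboleth code.
The field order below is an ASSUMPTION; take the real one from conf/audit.xml.
"""
FIELDS = ("timestamp", "binding", "message_id", "relying_party", "profile",
          "user", "client", "authn_context", "session", "attributes")
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

# Constructed sample log (not real audit data): two SSO logins, two reload events.
SAMPLE_LOG = """\
20150611T100102Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T100530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|192.0.2.10|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|_s1|eduPersonPrincipalName,mail,eduPersonScopedAffiliation|||
20150611T101200Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T103015Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://rs-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|192.0.2.10|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|_s1|eduPersonPrincipalName,mail,displayName,eduPersonScopedAffiliation,eduPersonTargetedID|||
"""


def parse_line(line):
    """Split one audit line into a dict; the attribute field becomes a set."""
    parts = line.rstrip("\n").split("|")
    entry = dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))
    entry["attributes"] = {a for a in entry["attributes"].split(",") if a}
    return entry


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def reload_events(entries):
    """(timestamp, profile) of reload flows; note the line carries no id= argument."""
    return [(e["timestamp"], e["profile"]) for e in entries if e["profile"] in RELOAD_PROFILES]


def check_release(entries, sp_entity_id, required, user=None):
    """Decision tree from the slide, applied to the latest matching login."""
    hits = [e for e in entries
            if e["relying_party"] == sp_entity_id and (user is None or e["user"] == user)]
    if not hits:
        return {"found": False, "released": set(), "missing": set(required),
                "next_step": "no release logged: check the IdP's attribute release policy"}
    released = hits[-1]["attributes"]
    missing = set(required) - released
    if missing:
        step = "required attributes missing: review the attribute release policy"
    else:
        step = "all required attributes released: the SP has to check why it fails"
    return {"found": True, "released": released, "missing": missing, "next_step": step}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ts, profile in reload_events(log):
        print(ts, "reload:", profile.rsplit("/", 1)[-1])
    result = check_release(log, "https://sp.example.org/shibboleth",
                           {"eduPersonPrincipalName", "mail", "displayName"})
    print(result["next_step"], "| missing:", sorted(result["missing"]))
```

The required set passed to check_release is what the Resource Registry shows as the SP's requirements; on a real IdP, read the log with parse_log(open("/opt/shibboleth-idp/logs/idp-audit.log").read()) after fixing FIELDS, and pass user= to narrow the search to the person who reported the failure.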
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  – Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, then under "Metadata URL" click on "validate this metadata set" and then on "show entities list"
  – Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – Or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  – Go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
SWITCHaai Team, aai@switch.ch
Resource Registry: Interfederation via eduGAIN and Entity Categories
Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
Page 78
SWITCHaai Team, aai@switch.ch
Interfederation Option: What to consider before enabling an IdP for Interfederation
Why Interfederation? (slide 4)
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations
Page 79
All Academic Identity Federations Globally (slide 5)
(Map of federations in production and pilot; source: https://refeds.org/federations/federations-map)
eduGAIN Status (slide 6)
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)

  Friendly name               | Defined in | Example
  ----------------------------|------------|--------------------------------------------------------------------
  displayName                 | eduPerson  | Peter Sample
  common name (cn)            | eduPerson  | Peter Sample
  mail                        | eduPerson  | peter.sample@example.org
  eduPersonAffiliation        | eduPerson  | staff
  eduPersonScopedAffiliation  | eduPerson  | staff@example.org
  eduPersonPrincipalName      | eduPerson  | 234cd8z239@example.org
  schacHomeOrganization       | SCHAC      | example.org
  schacHomeOrganizationType   | SCHAC      | urn:schac:homeOrganizationType:ch:university
                              |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID         | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  (Persistent Name ID)        |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)
Page 82
SWITCHaai Team, aai@switch.ch
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories (slide 13)
A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (slide 14)
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the Code of Conduct; Home Organisations (HO) learn the SP's commitment)
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct
18
Page 86
copy 2015 SWITCH
REFEDS Research amp Scholarship bull RampS SPs support
bull Research amp scholarship interactionbull Collaborationbull Management
bull No SPs from publishersbull Attributes
bull Personal identifiers email person name eduPersonPrincipalName
bull Pseudonymous identifier eduPersonTargetedIDbull Affiliation eduPersonScopedAffiliation
bull Minimal subset eduPersonPrincipalName mail person name
(person name = given name + surname OR displayName)
19
copy 2015 SWITCH
Comparison
20
REFEDS RampS GEacuteANT DP CoCo
Global Mainly Europe
Common purpose of the SPs
Common data protection standards
Fixed set of attributes SP can require any attributes
Page 87
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch
© 2015 SWITCH

Why Interfederation?
- Most federations are of national scope.
- Services may need to register in many federations to serve all their users. That is time-consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
- Research projects are mostly multi-national.
- Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation.
  - Enable the IdP for interfederation: its users will be able to access services from other federations.
  - Enable the SP for interfederation: the service can serve users from other federations.
Page 79
All Academic Identity Federations Globally
[Map of production and pilot federations. Source: https://refeds.org/federations/federations-map]
eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service.
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status (June 2015): IdPs: 1257, SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
Page 80
Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
- eduGAIN provides a policy framework and standards to build trust.
- SPs and IdPs of participating federations should opt in for eduGAIN.
- Some federations decided for opt-out instead.
- The MDS fetches, aggregates and republishes metadata.
[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]
Page 82
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry
Page 83
Entity categories: a generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category.
- Requires a specification for internationally coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context:
  - Filling the gap of missing common policies
  - Support or increase scalable trust

Metadata
[Screenshot of entity category metadata]
Page 84
GÉANT Data Protection Code of Conduct
- The method is based on the EU Data Protection directives.
- The SP has to provide a Privacy Policy (in English, according to the guideline).
- That will encourage the Home Organisation IdP to release attributes; attribute release will scale.
Goal: increase the trust in Service Providers (SPs).
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative, informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
- R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
- Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   | GÉANT DP CoCo
Global                       | Mainly Europe
Common purpose of the SPs    | Common data protection standards
Fixed set of attributes      | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
- error.log: aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
- access.log: aai-login.example.org.access.log
- Location: /var/log/apache2/. The log configuration is defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf
Page 90
Tomcat log files
- catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7. Configured in /etc/tomcat7/logging.properties via the FileHandler.level entry (INFO; possible values SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL).
- localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7. Configured in /etc/tomcat7/server.xml (output dir and name).
Shibboleth log files (1)
- Logging implementation: Logback (the Log4j successor). Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level changes take effect without a restart; the polling interval is the idp.service.logging.checkInterval entry in services.properties (= PT5M).
- Automatic email alerts on error
Page 91
Shibboleth log files (2)
- Location: /opt/shibboleth-idp/logs
- Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance
Shibboleth log files (3)
- Configuration: /opt/shibboleth-idp/conf/logback.xml
- Three main classes: Logger, Appender (output destination) and Layout
- Default settings are usually OK; change them if required, e.g.:
  - LDAP auth module or authentication events
  - a new Logger or Appender…
- Log messages have five levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default
Page 92
SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a deliberately wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
- Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).
- No option to explicitly trigger a reload, so it can only be achieved by a relatively awkward constantly-watch-for-file-changes check.
Page 95
New reloading options with v3
- A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- Reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
- By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).
- Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward.
Available bean IDs for service reloads
- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
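As an added example (not from the SWITCH handout or the Shibboleth project), the two admin flows above can be driven for the listed bean IDs from Python instead of curl. The IdP base URL is a placeholder, the calling host is assumed to be permitted by access-control.xml, and the transport function is injectable so the logic runs without an IdP.

```python
"""Trigger the IdP v3 admin reload flows and summarise the results.

Added example, not from the SWITCH handout or the Shibboleth project. Assumes
IDP_BASE is replaced by the real IdP URL and that the calling host is allowed by
access-control.xml (localhost only, by default). Only the HTTP status is
interpreted; the response body is passed through for the operator to read.
"""
import urllib.error
import urllib.parse
import urllib.request

IDP_BASE = "https://aai-login.example.org/idp"  # placeholder, adjust

# Service bean IDs from the "Available bean IDs for service reloads" slide
# and what each one reloads.
RELOADABLE_SERVICES = {
    "shibboleth.LoggingService": "logback.xml",
    "shibboleth.AttributeFilterService": "attribute-filter.xml",
    "shibboleth.AttributeResolverService": "attribute-resolver-*.xml",
    "shibboleth.NameIdentifierGenerationService": "saml-nameid.xml",
    "shibboleth.RelyingPartyResolverService": "relying-party.xml, credentials.xml",
    "shibboleth.MetadataResolverService": "metadata list in services.xml",
    "shibboleth.ReloadableAccessControlService": "access-control.xml",
}
ADMIN_FLOWS = ("reload-service", "reload-metadata")


def reload_url(flow, ident, base=IDP_BASE):
    """Build the admin flow URL; the id is URL-encoded rather than pasted in."""
    if flow not in ADMIN_FLOWS:
        raise ValueError(f"unknown admin flow: {flow!r}")
    return f"{base}/profile/admin/{flow}?" + urllib.parse.urlencode({"id": ident})


def http_get(url):
    """Default transport: GET the URL, return (status, body). HTTP errors such
    as 403 (host not allowed by access-control.xml) are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload_service(ident, fetch=http_get):
    """Reload one service. Unknown bean IDs are refused locally (status 0)
    so a typo never reaches the IdP."""
    if ident not in RELOADABLE_SERVICES:
        return 0, f"{ident!r} is not a known reloadable service bean ID"
    return fetch(reload_url("reload-service", ident))


def reload_metadata(provider_id, fetch=http_get):
    """Reload one metadata provider by the id found in metadata-provider-*.xml."""
    return fetch(reload_url("reload-metadata", provider_id))


def reload_all(fetch=http_get):
    """Reload every known service; return ({bean id: (status, body)}, failed ids)."""
    results = {ident: reload_service(ident, fetch) for ident in RELOADABLE_SERVICES}
    failed = sorted(i for i, (status, _) in results.items() if status != 200)
    return results, failed


if __name__ == "__main__":
    results, failed = reload_all()
    for ident, (status, body) in results.items():
        print(f"{status:>3}  {ident:<45} {body.strip()[:60]}")
    raise SystemExit(1 if failed else 0)
```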
Page 96
And restartless login page editing too
- The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately.
- Say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2.
Still requiring a restart with v3
- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
- and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
- Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- Check what happens when specifying invalid bean IDs.
- Insert a syntax error into a configuration file and try reloading the corresponding service.
- Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding:
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out
- Opt-in
  - IdPs and SPs decide when they are ready to interfederate.
  - Once the configuration is up to date:
    - Interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process; ⊕ entities are unlikely to cause interoperability problems
- Opt-out
  - The federation announces a flag day for enabling interfederation.
  - IdPs and SPs need to opt out beforehand if they do not want to participate or if they are not ready yet.
  - ⊕ Quick adoption; ⊖ more likely that entities cause problems unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
Page 100
Metadata
- Interfederated IdPs and SPs need additional metadata.
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  - Opt-out federations integrate all entities into a single metadata file.
- Propagation speed of metadata changes:
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue:
  - The SP does not load the interfederation metadata.
  - The SP does not know the IdP and fails.
Discovery Service (DS)
- Within SWITCHaai, users easily find their IdP.
- An SP needs a DS that knows the appropriate set of IdPs.
- An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
- E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
- Missing attributes cause interoperation problems.
- Check the SP's attribute requirements in the Resource Registry.
- Verify that attributes were released (in the IdP's audit log):
  - If NO: check your IdP's attribute release policy.
  - If YES: were all required attributes released?
    - If YES: the SP has to check out why it fails.
    - If NO: review your attribute release policy.
- Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
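As an added example (not code from the SWITCH handout), the "were the attributes released?" check above can be scripted against idp-audit.log. It assumes the constructed field layout AUDIT_FORMAT below (the real layout is whatever conf/audit.xml defines), '|'-separated fields and a ','-separated %attr field; the entity IDs and log lines are constructed.

```python
"""Check an IdP v3 idp-audit.log for the attributes released to a given SP.

Added example, not code from the SWITCH handout. Assumptions: the audit line
layout is AUDIT_FORMAT below (constructed; the real layout is defined in
conf/audit.xml), fields are separated by '|', and the %attr field holds the
released attribute IDs separated by ','.
"""

AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%d|%s|%SSO|%X|%bb|%e|%S|%SM|%Y"
FIELD_NAMES = [field.lstrip("%") for field in AUDIT_FORMAT.split("|")]

# Profile URI of the SAML 2 browser SSO flow; reload events use other profile URIs.
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"


def build_audit_line(**values):
    """Constructed helper: render one audit line in AUDIT_FORMAT from named fields."""
    return "|".join(values.get(name, "") for name in FIELD_NAMES)


# Constructed sample log: one complete release, one reload event, one SSO event
# where the filter released nothing. Entity IDs and user names are placeholders.
SAMPLE_LOG = "\n".join([
    build_audit_line(T="20150611T081500Z", SP="https://sp.example.org/shibboleth",
                     P=SSO_PROFILE, u="peter",
                     attr="eduPersonPrincipalName,mail,displayName"),
    build_audit_line(T="20150611T081700Z",
                     P="http://shibboleth.net/ns/profiles/reload-metadata"),
    build_audit_line(T="20150611T082200Z", SP="https://other-sp.example.net/shibboleth",
                     P=SSO_PROFILE, u="peter", attr=""),
])


def parse_audit_line(line):
    """Split one '|'-separated audit line into {field name: value}; shorter
    lines (older or customised formats) leave the trailing fields empty."""
    record = dict(zip(FIELD_NAMES, line.rstrip("\n").split("|")))
    for name in FIELD_NAMES:
        record.setdefault(name, "")
    return record


def sso_events(log_text, sp_entity_id, principal=None):
    """Yield the parsed SSO events for sp_entity_id (optionally one user only)."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_audit_line(line)
        if record["P"] != SSO_PROFILE or record["SP"] != sp_entity_id:
            continue
        if principal is not None and record["u"] != principal:
            continue
        yield record


def check_release(log_text, sp_entity_id, required, principal=None):
    """Walk the decision tree from the Attributes slide.

    Returns (status, missing):
      'no-event'      no SSO event for this SP: the request never got this far,
                      so look at metadata and discovery before attributes
      'none-released' SSO happened but %attr is empty: check the release policy
      'missing'       some required attributes were not released: review policy
      'complete'      everything required was released: the SP has to check
                      out why it still fails
    """
    events = list(sso_events(log_text, sp_entity_id, principal))
    if not events:
        return "no-event", set(required)
    released = set()
    for record in events:
        released.update(a for a in record["attr"].split(",") if a)
    if not released:
        return "none-released", set(required)
    missing = set(required) - released
    return ("missing" if missing else "complete"), missing


if __name__ == "__main__":
    # Required set: the R&S minimal subset plus eduPersonScopedAffiliation.
    status, missing = check_release(
        SAMPLE_LOG, "https://sp.example.org/shibboleth",
        {"eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation"})
    print(status, sorted(missing))  # missing ['eduPersonScopedAffiliation']
```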
Exploring interfederated entities
- Is a university's IdP or an SP already interfederated?
  - Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list".
  - Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  - Or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
- Additional web pages of interest:
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  - REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Page 102
Troubleshooting interfederated entities
- Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation".
- Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch
Page 103
copy 2015 SWITCH
All Academic Identity Federations Globally
5
Production Pilot Source httpsrefedsorgfederationsfederations-map
copy 2015 SWITCH
eduGAIN Status bull eduGAIN is the GEacuteANT
Interfederation Service
bull eduGAIN design principles bull Low barrier to entry bull No mandate to change local
standardsprocedures bull Minimal central infrastructure
bull Status June 2015 bull IdPs 1257 bull SPs 963
httpwwwedugainorg
httpstechnicaledugainorgstatusphp
Page 80
copy 2015 SWITCH
Enabling Interfederation in the Resource Registry
7
httpswwwswitchchaaiinterfederation
Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration
SWITCH will enable the checkbox in the Resource Registry
copy 2015 SWITCH
Recommended Interfederation Attributes
8
Friendly name Defined in Example displayName eduPerson Peter Samplecommon name (cn) eduPerson Peter Samplemail eduPerson petersampleexampleorgeduPersonAffiliation eduPersonScopedAffiliation
eduPerson
staffstaffexampleorg
eduPersonPrincipalName eduPerson 234cd8z239exampleorgschacHomeOrganization SCHAC exampleorgschacHomeOrganizationType SCHAC urnschachomeOrganizationTypechuniversity
urnschachomeOrganizationTypeeuhigherEducationInstitution
eduPersonTargetedID Persistent Name ID
eduPerson httpsidpexampleorgidpshibbolethhttpsspexampleorgshibboleth 2389cdhu3e-sda7323
eduPerson httpwwwinternet2eduproducts-servicestrust-identity-middlewareeduperson-eduorg SCHAC httpswikirefedsorgdisplaySTANSCHAC+Releases
Page 81
copy 2015 SWITCH
Enabling Interfederation (2)
9
httpswwwswitchchaaiinterfederation
copy 2015 SWITCH
eduGAIN What is it and how does it work
bull eduGAIN provides policy framework and standards to build trust bull SPs and IdPs of participating federations should opt-in for eduGAIN
bull Some federations decided for opt-out instead
bull MDS fetches aggregates and republishes metadata
Code ofConduct
Attribute Profile
Metadata Profile
Web SSOProfile
eduGAIN Constitution
eduGAINDeclaration
Page 82
SWITCHaai Team aaiswitchch
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct
18
Page 86
copy 2015 SWITCH
REFEDS Research amp Scholarship bull RampS SPs support
bull Research amp scholarship interactionbull Collaborationbull Management
bull No SPs from publishersbull Attributes
bull Personal identifiers email person name eduPersonPrincipalName
bull Pseudonymous identifier eduPersonTargetedIDbull Affiliation eduPersonScopedAffiliation
bull Minimal subset eduPersonPrincipalName mail person name
(person name = given name + surname OR displayName)
19
copy 2015 SWITCH
Comparison
20
REFEDS RampS GEacuteANT DP CoCo
Global Mainly Europe
Common purpose of the SPs
Common data protection standards
Fixed set of attributes SP can require any attributes
Page 87
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
Available bean IDs for service reloads (slide 4)
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
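A small wrapper around the admin reload flows from slides 3, 4 and 7, added here as an example; it is not part of the SWITCH handout or of the IdP distribution. It builds the reload URLs, rejects bean IDs that are not on the slide 4 list before anything is sent to the IdP, and counts reload events in an idp-audit.log excerpt. The base URL https://aai-login.example.org/idp, the use of curl, the metadata provider ID in the usage comment and the sample audit lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout or the IdP distribution:
# a thin wrapper around the IdP v3 admin reload flows (reload-service,
# reload-metadata). Run it on the IdP host itself, because the reload-*
# URLs are restricted to localhost by default (slide 3).
# Assumptions: the IdP answers under https://aai-login.example.org/idp
# (the host name used on the slides) and curl is installed.

IDP_BASE_URL="${IDP_BASE_URL:-https://aai-login.example.org/idp}"

# Service bean IDs that can be reloaded (the list from slide 4).
# shibboleth.MessageSourceResources is deliberately absent: it has no
# reload ID and is refreshed via idp.message.cacheSeconds instead.
RELOADABLE_SERVICES='shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService'

# Succeeds (exit 0) when $1 is one of the known service bean IDs.
is_reloadable_service() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -qxF -- "$1"
}

# Print the admin flow URL: $1 is "service" or "metadata",
# $2 the service bean ID or the metadata provider ID.
reload_url() {
    case "$1" in
        service)  printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE_URL" "$2" ;;
        metadata) printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE_URL" "$2" ;;
        *) echo "unknown reload kind: $1 (expected service or metadata)" >&2; return 1 ;;
    esac
}

# Trigger the reload. Unknown service IDs are rejected locally (exit 2)
# so a typo never reaches the IdP; curl --fail turns any non-2xx answer
# from the admin flow into a non-zero exit status.
reload_service() {
    kind="$1"; id="$2"
    if [ "$kind" = service ] && ! is_reloadable_service "$id"; then
        echo "refusing to reload unknown service '$id'" >&2
        return 2
    fi
    url="$(reload_url "$kind" "$id")" || return 1
    curl --silent --show-error --fail "$url"
}

# Count reload events in idp-audit.log text read from stdin. The audit
# log records them as '|'-separated lines carrying the profile ID
# http://shibboleth.net/ns/profiles/reload-service-configuration or
# .../reload-metadata (slide 7); the field position is not relied on.
count_reload_events() {
    grep -c 'http://shibboleth\.net/ns/profiles/reload-' || true
}

# Constructed sample audit excerpt (not real IdP output): two reload
# events around one ordinary SAML2 SSO request.
SAMPLE_AUDIT_LOG='20150611T080000Z|||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T080100Z||||https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser||||
20150611T080200Z|||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||'

sample_reload_event_count() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_reload_events
}

# Usage: ./idp-reload.sh service shibboleth.AttributeFilterService
#        ./idp-reload.sh metadata SWITCHaaiMetadata   (provider ID is an assumption)
if [ $# -ge 2 ]; then
    reload_service "$1" "$2"
fi
```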
Page 98
New Challenges with Interfederation SPs – Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
[Figure: Opt-in vs Opt-out]
Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Discovery Service (DS) (slide 6)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.
SWITCH will enable the checkbox in the Resource Registry.
Recommended Interfederation Attributes (slide 8)
Friendly name                                        Defined in   Example
displayName                                          eduPerson    Peter Sample
common name (cn)                                     eduPerson    Peter Sample
mail                                                 eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation    eduPerson    staff / staff@example.org
eduPersonPrincipalName                               eduPerson    234cd8z239@example.org
schacHomeOrganization                                SCHAC        example.org
schacHomeOrganizationType                            SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                  urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID             eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
Page 81
Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework – Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
Page 82
Entity Categories – GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch
Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata (slide 13)
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
Metadata (slide 14)
Page 84
GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct (slide 16)
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence
Page 85
Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison (slide 20)
REFEDS R&S                 | GÉANT DP CoCo
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes
Page 87
Attribute Release Configuration – How attributes are released
SWITCHaai Team, aai@switch.ch
Attribute Release Rules (slide 2)
Page 88
Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Attribute Release Settings (2) (slide 4)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files (slide 2)
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default „warn“)
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition, dir /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
Tomcat log files (slide 3)
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
Shibboleth log files (1) (slide 4)
• logging implementation called Logback (Log4j successor); manual:
  o http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restart; the IdP services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error
Page 91
Shibboleth log files (2) (slide 5)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Shibboleth log files (3) (slide 6)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, e.g.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
Page 92
SMTPAppender in logback.xml (slide 7)
<!-- SMTPAppender buffers recent events and sends a mail when an ERROR-level event arrives (its default trigger) -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<!-- the EMAIL appender is attached to the root logger next to the default IdP appenders -->
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>
http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Page 93
Hands On 2 (slide 9)
Find out why not all of the attributes appear
Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284] and [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName again and restart Tomcat
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
Enabling Interfederation (2)
9
httpswwwswitchchaaiinterfederation
copy 2015 SWITCH
eduGAIN What is it and how does it work
bull eduGAIN provides policy framework and standards to build trust bull SPs and IdPs of participating federations should opt-in for eduGAIN
bull Some federations decided for opt-out instead
bull MDS fetches aggregates and republishes metadata
Code ofConduct
Attribute Profile
Metadata Profile
Web SSOProfile
eduGAIN Constitution
eduGAINDeclaration
Page 82
SWITCHaai Team aaiswitchch
Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS
copy 2015 SWITCH
Outline bull Entity category
bull GEacuteANT Data Protection Code of Conduct (CoCo)
bull REFEDS Research amp Scholarship (RampS)
bull Attribute release in the Resource Registry
12
Page 83
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct
18
Page 86
copy 2015 SWITCH
REFEDS Research amp Scholarship bull RampS SPs support
bull Research amp scholarship interactionbull Collaborationbull Management
bull No SPs from publishersbull Attributes
bull Personal identifiers email person name eduPersonPrincipalName
bull Pseudonymous identifier eduPersonTargetedIDbull Affiliation eduPersonScopedAffiliation
bull Minimal subset eduPersonPrincipalName mail person name
(person name = given name + surname OR displayName)
19
copy 2015 SWITCH
Comparison
20
REFEDS RampS GEacuteANT DP CoCo
Global Mainly Europe
Common purpose of the SPs
Common data protection standards
Fixed set of attributes SP can require any attributes
Page 87
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html
Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.
Page 93
Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.
Page 94
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it can only be achieved by a relatively awkward constantly-watch-for-file-changes check
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Page 96
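The reload flows are plain HTTPS requests, so a small wrapper that checks the bean ID before calling curl catches a typo locally instead of producing an error response from the IdP. The following shell script is an added example written for this handout, not one of the reload scripts shipped under /opt/shibboleth-idp/bin; the host name aai-login.example.org and the service bean IDs come from the slides, while the IDP_HOST override and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this handout (not one of the reload scripts shipped under
# /opt/shibboleth-idp/bin): build and, on request, call the IdP v3 admin
# reload flows. Host name and service bean IDs come from the slides; the
# IDP_HOST override and the function names are this example's own.

IDP_HOST="${IDP_HOST:-aai-login.example.org}"

# Service bean IDs listed on the slide "Available bean IDs for service reloads".
KNOWN_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# is_known_service ID: exit status 0 if ID is in KNOWN_SERVICES, 1 otherwise.
is_known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# reload_url KIND ID: print the admin flow URL for KIND ("service" or
# "metadata"). A service ID is checked against KNOWN_SERVICES first, so a
# typo is reported here rather than as an error response from the IdP.
reload_url() {
    kind="$1"
    id="$2"
    case "$kind" in
        service)
            if ! is_known_service "$id"; then
                echo "unknown service bean id: $id" >&2
                return 1
            fi
            echo "https://${IDP_HOST}/idp/profile/admin/reload-service?id=${id}"
            ;;
        metadata)
            if [ -z "$id" ]; then
                echo "missing metadata provider id" >&2
                return 1
            fi
            echo "https://${IDP_HOST}/idp/profile/admin/reload-metadata?id=${id}"
            ;;
        *)
            echo "usage: reload_url service|metadata ID" >&2
            return 1
            ;;
    esac
}

# reload KIND ID: request the URL with curl. Run this on the IdP host itself,
# since access to the reload-* flows is restricted to localhost by default.
# --fail turns a non-2xx answer (for instance for a rejected ID) into a
# non-zero exit status, so the result can be checked in scripts.
reload() {
    url=$(reload_url "$1" "$2") || return 1
    curl --silent --show-error --fail "$url"
}

# Usage when run as a script, e.g.:
#   ./reload-idp.sh service shibboleth.AttributeResolverService
#   ./reload-idp.sh metadata md-id
if [ $# -eq 2 ]; then
    reload "$1" "$2"
fi
```

Metadata provider IDs are not validated by the script because they are site-specific (see the grep over the metadata provider files on the previous slide); only the fixed list of service bean IDs is checked.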
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on the slide "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events, with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
Page 98
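To pull the reload events out of the audit log, the following shell function is an added example (not from the slides or the IdP distribution). Audit entries are pipe-delimited and the exact idp.audit.format differs between sites, so the function locates the reload profile URIs shown above by value in any field rather than by position; it assumes only that the first field is the timestamp, as in the default IdP v3 format. The sample log lines it writes are constructed for the example.

```shell
#!/bin/sh
# Added example for this handout (not from the slides or the IdP distribution):
# list the reload events recorded in idp-audit.log. Audit entries are
# pipe-delimited, and the exact idp.audit.format varies between sites, so the
# profile URI is located by its value in any field rather than by position.
# Assumption: the first field is the timestamp, as in the default v3 format.

# reload_events FILE: print "<timestamp> <profile URI>" for each reload event.
reload_events() {
    awk -F'|' '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-/) {
                    print $1, $i
                }
            }
        }' "$1"
}

# count_reload_events FILE: number of reload events in FILE.
count_reload_events() {
    reload_events "$1" | wc -l | tr -d ' '
}

# make_sample_audit_log FILE: write a constructed sample audit log. The two
# reload lines follow the shape shown on the slide; the SSO line and all
# field contents other than the profile URIs are made up for this example.
make_sample_audit_log() {
    cat > "$1" <<'EOF'
20150611T101501Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T101630Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T101700Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|_a1b2c3|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|||||||
EOF
}

# Usage: ./audit-reloads.sh /opt/shibboleth-idp/logs/idp-audit.log
if [ $# -eq 1 ]; then
    reload_events "$1"
fi
```

Note that the audit entry itself carries no id= value, exactly as the slide says; the function therefore reports when a reload happened and which flow ran, which is the information the audit log can give.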
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help
Page 99
Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    – If YES: the SP has to check out why it fails
    – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    – pick the country where the entity might be registered
    – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities
    – go to https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker
    – go to https://wiki.edugain.org/isFederatedCheck
    – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    – go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    – go to https://met.refeds.org
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Page 103
Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
Page 83
Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust
Metadata
Page 84
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
• Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Page 85
Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
Page 86
REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
Comparison

REFEDS R&S                   | GÉANT DP CoCo
-----------------------------|---------------------------------
Global                       | Mainly Europe
Common purpose of the SPs    | Common data protection standards
Fixed set of attributes      | SP can require any attributes
Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
Page 88
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2. Configuration defined in the virtual host definition: directory /etc/apache2/sites-available, file aai-login.example.org.conf
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use
bull Criteriabull Purposebull Policiesbull Or other
In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust
13
copy 2015 SWITCH
Metadaten
14
Page 84
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct
bull The method is based on the EU Data Protection directivesbull The SP has to provide a Privacy Policy (in English according to the guideline)bull That will encourage the Home Organisation IdP to release attributes attribute release will scale
Increase the trust in Service Providers (SPs)
Commit to
Commit to
SP
SP
SP Commit to
HO
HO
HO Learn SPrsquos commitment
Learn SPrsquos commitment
Learn SPrsquos commitment GEacuteANT Data
protection Code of Conduct
bull Data Protection Code of Conduct for SPs in EUEEAbull Entity category attribute definition for the Code of Conductbull SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit
15
copy 2015 SWITCH
GEacuteANT Data Protection Code of Conduct bull Principles
bull Legal compliancebull Purpose limitationbull Data minimisationbull Deviating purposesbull Data retentionbull Third partiesbull Security measuresbull Information duty towards end userbull Information duty towards home organizationbull Security breachesbull Liabilitybull Transfer to third countriesbull Governing law and jurisdictionbull Eligibility to executebull Termination of the Code of Conductbull Survival of the clausesbull Precedence
16
Page 85
copy 2015 SWITCH
Data Protection Code of Conduct (DP CoCo)
Normative documents bull Data Protection Code of
Conduct for SPs in EUEEAbull Entity category specification
for the DP CoCobull SAML2 profile for the DP CoCo
Non-normative informational documents bull Introductionbull Introduction to the DP directivebull Managing DP risks using CoCobull Privacy policy guidelines for SPsbull What attributes can an SP requestbull DP good practice for Home Organisations bull Federation operator guidelinesbull Handling non-compliancebull IdP informconsent GUI guidelines
17
httpwwwgeantneturidataprotection-code-of-conductv1
httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home
httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook
Cookbook for DP CoCo
copy 2015 SWITCH
Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct
18
Page 86
copy 2015 SWITCH
REFEDS Research amp Scholarship bull RampS SPs support
bull Research amp scholarship interactionbull Collaborationbull Management
bull No SPs from publishersbull Attributes
bull Personal identifiers email person name eduPersonPrincipalName
bull Pseudonymous identifier eduPersonTargetedIDbull Affiliation eduPersonScopedAffiliation
bull Minimal subset eduPersonPrincipalName mail person name
(person name = given name + surname OR displayName)
19
copy 2015 SWITCH
Comparison
20
REFEDS RampS GEacuteANT DP CoCo
Global Mainly Europe
Common purpose of the SPs
Common data protection standards
Fixed set of attributes SP can require any attributes
Page 87
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually fine; change them if required, e.g.
  – the LDAP authentication module or authentication events
  – a new Logger or Appender …
• Log messages have five levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles log rollover by default

SMTPAppender in logback.xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>
http://logback.qos.ch/manual/appenders.html
Caveat: by default the SMTPAppender sends a mail on every ERROR event and attaches the preceding events from its cyclic buffer (256 by default), so the root level of DEBUG determines how much context, including user identifiers, ends up in mail delivered via plain SMTP. Keep the recipient list small, or reduce the buffer with <cyclicBufferTracker><bufferSize>…</bufferSize></cyclicBufferTracker>.
Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a Listener with a non-existent class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the Listener from server.xml and restart Tomcat.
Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContext.Name)
   (Velocity leaves the unknown reference unexpanded, so the LDAP search runs with the literal filter and matches no entry.)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries of
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat.
Reloading the Configuration: New options with IdP v3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail: by default configurationResourcePollingRetryAttempts is set to 3, after which reloading silently stops
• no option to explicitly trigger a reload, so it is only achieved through a relatively awkward constant watch-for-file-changes check
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=<bean-id>
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=<md-id>
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry). The check is based on the client IP address only, so keep the allowed ranges minimal.
• two reload scripts (reload-service.sh and reload-metadata.sh) get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified … requesting the respective URL with curl seems more straightforward
Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload (attribute-filter.xml)
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in saml-nameid.xml
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in access-control.xml
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container (Tomcat) restarts, which were required when JSP files were changed with the IdP v2
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course … but under normal operating conditions such reconfigurations occur relatively rarely
(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads" (quote the URL so the shell does not interpret the ? and the bean ID):
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – opt-in vs. opt-out
  – metadata
  – discovery service
  – attributes
• Know whom to contact and where to get help
Interfederation Rollout: Opt-in vs. Opt-out
Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up to date:
  – the interfederation metadata gets loaded
  – IdP: additional attributes, user consent
  – SP: discovery service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems
Opt-out
• The federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before the flag day
  – if they do not want to participate
  – if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so users cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – in SWITCHaai: two hours
  – for interfederation: one to a few days
• Possible issue
  – the SP does not load the interfederation metadata
  – the SP does not know the IdP and fails
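When an interfederated SP misbehaves, the first thing to look at is what its metadata actually says: whether the SP is in the aggregate at all, whether it publishes an encryption key, which entity categories it carries and which attributes it requests. The script below is an added example for the Metadata slide above; it is not code from the SWITCH handout or from the Shibboleth project. The aggregate it parses is constructed (placeholder entity IDs, placeholder certificate bytes, no signature), and the "both" handling of a KeyDescriptor without a use attribute follows the SAML metadata specification.

```python
"""Inspect an SP's entry in a SAML metadata aggregate (added example).

Assumptions: the aggregate is the kind of EntitiesDescriptor file the IdP loads
from /opt/shibboleth-idp/metadata; the sample below is constructed and unsigned.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"

# Constructed sample: one CoCo SP with an encryption key, one SP with a signing key only.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor Name="constructed-sample"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy-sp.example.net/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(entity):
    """Entity category URIs published in the mdattr:EntityAttributes extension."""
    categories = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            categories.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return categories


def inspect_sp(aggregate_xml, entity_id):
    """Summarise the SP's metadata, or return None when the aggregate does not
    contain it (the same situation the slide describes from the SP's side)."""
    root = ET.fromstring(aggregate_xml)
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.get("entityID") != entity_id:
            continue
        sp = entity.find("md:SPSSODescriptor", NS)
        if sp is None:
            return None  # present in the aggregate, but not as an SP
        # A KeyDescriptor without a use attribute is valid for signing and encryption.
        uses = {kd.get("use", "both") for kd in sp.findall("md:KeyDescriptor", NS)}
        required, optional = [], []
        for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
            name = ra.get("FriendlyName") or ra.get("Name")
            (required if ra.get("isRequired") == "true" else optional).append(name)
        categories = entity_categories(entity)
        return {
            "entity_id": entity_id,
            "encryption_key": bool(uses & {"encryption", "both"}),
            "categories": categories,
            "coco": COCO in categories,
            "rs": RS in categories,
            "required": required,
            "optional": optional,
        }
    return None


if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth-sp",
                "https://legacy-sp.example.net/sp",
                "https://unknown.example.com/sp"):
        print(eid, inspect_sp(SAMPLE_AGGREGATE, eid))
```

To run it against a real file, replace SAMPLE_AGGREGATE with the text of the metadata file the IdP loads (e.g. via `open(path).read()`); the script does not verify the metadata signature, so only feed it files the IdP has already validated. An SP without an encryption key cannot receive encrypted assertions, and an SP that publishes a key it does not hold fails exactly as described in the Attributes slide further down.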
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that opted out. Users are then sent to an IdP that has no metadata for the SP, which results in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's idp-audit.log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier. The IdP encrypts for any SP whose metadata publishes an encryption key, so an SP that publishes a key without having the matching private key configured only breaks once it meets an IdP that encrypts.
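Two of the questions in this handout are answered from the IdP's own logs: the hands-on exercise of the reloading deck asks how to find out which id= argument a recorded reload event had, and the Attributes slide above asks whether the required attributes were actually released to an SP. The script below is an added example that serves both; it is not code from the SWITCH handout or the Shibboleth project. It assumes that idp-audit.log uses the field order in AUDIT_FORMAT (the IdP v3 default from conf/audit.xml; adjust the string to your own audit.xml) and that the Apache vhost writes the combined log format. All log lines in it are constructed.

```python
"""Read idp-audit.log and the Apache access log for two troubleshooting
questions: which attributes went to an SP, and who reloaded what (added example).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed audit field order (IdP v3 default); %attr is a comma-separated list.
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%ee"
AUDIT_FIELDS = AUDIT_FORMAT.split("|")
RELOAD_PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed idp-audit.log: one SSO record and the two reload records from the slide.
AUDIT_SAMPLE = "\n".join([
    "|".join([
        "20150611T091200Z", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "_a1b2c3",
        "https://sp.example.org/shibboleth-sp", "http://shibboleth.net/ns/profiles/saml2/sso/browser",
        "https://aai-login.example.org/idp/shibboleth", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "_d4e5f6", "staff1", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "mail,eduPersonScopedAffiliation", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "_0a1b2c", "",
    ]),
    "20150611T093000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T093005Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
])

# Constructed Apache access log (combined format): two local reloads, one denied from outside.
ACCESS_SAMPLE = "\n".join([
    '127.0.0.1 - - [11/Jun/2015:11:30:00 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeFilterService HTTP/1.1" 200 312 "-" "curl/7.35.0"',
    '127.0.0.1 - - [11/Jun/2015:11:30:05 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaai HTTP/1.1" 200 298 "-" "curl/7.35.0"',
    '192.0.2.10 - - [11/Jun/2015:11:31:40 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.LoggingService HTTP/1.1" 403 199 "-" "curl/7.35.0"',
    '198.51.100.7 - - [11/Jun/2015:11:32:00 +0200] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=... HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_audit(lines):
    """One dict per audit line, keyed by the %-tokens of AUDIT_FORMAT.
    zip() tolerates records with fewer fields, such as the reload events."""
    for line in lines:
        line = line.strip()
        if line:
            yield dict(zip(AUDIT_FIELDS, line.split("|")))


def released_attributes(audit_lines, sp_entity_id):
    """Attribute IDs the IdP released to the SP according to the %attr field."""
    released = set()
    for rec in parse_audit(audit_lines):
        if rec.get("%SP") == sp_entity_id and rec.get("%attr"):
            released.update(rec["%attr"].split(","))
    return released


def missing_required(audit_lines, sp_entity_id, required):
    """The slide's decision tree: None when nothing was released (look at the
    release policy first); otherwise the required attributes that are missing,
    an empty set meaning the SP side has to investigate."""
    released = released_attributes(audit_lines, sp_entity_id)
    if not released:
        return None
    return set(required) - released


def reload_events(audit_lines):
    """(timestamp, profile URI) of reload-service / reload-metadata events.
    The audit record carries no id= argument; see reload_requests() for that."""
    return [(rec.get("%T"), rec["%P"]) for rec in parse_audit(audit_lines)
            if rec.get("%P", "").startswith(RELOAD_PROFILE_PREFIX)]


def reload_requests(access_lines, allowed_ips=("127.0.0.1", "::1")):
    """Admin reload requests as Apache saw them: here the id= argument survives.
    'foreign' flags clients outside the set access-control.xml is meant to allow."""
    found = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/idp/profile/admin/reload-"):
            continue
        found.append({
            "time": m["time"],
            "ip": m["ip"],
            "flow": url.path.rsplit("/", 1)[-1],
            "id": parse_qs(url.query).get("id", [None])[0],
            "status": int(m["status"]),
            "foreign": m["ip"] not in allowed_ips,
        })
    return found


if __name__ == "__main__":
    audit, access = AUDIT_SAMPLE.splitlines(), ACCESS_SAMPLE.splitlines()
    sp = "https://sp.example.org/shibboleth-sp"
    print("released to", sp, released_attributes(audit, sp))
    print("missing required:", missing_required(audit, sp, ["mail", "eduPersonPrincipalName"]))
    print("audit reload events:", reload_events(audit))
    for req in reload_requests(access):
        print("reload request:", req)
```

On a real host, feed `open("/opt/shibboleth-idp/logs/idp-audit.log")` and the vhost's access.log instead of the samples. A reload request from a foreign address with status 200 means the IP-based restriction in access-control.xml is not doing what it should; a 403 from outside, as in the sample, is the expected outcome.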
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search for it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker at https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org
Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
• or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
REFEDS Research & Scholarship
• R&S SPs support research & scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
Comparison
REFEDS R&S                    | GÉANT DP CoCo
------------------------------+----------------------------------
Global                        | Mainly Europe
Common purpose of the SPs     | Common data protection standards
Fixed set of attributes       | SP can require any attributes
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
© 2015 SWITCH

REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  • research & scholarship interaction
  • collaboration
  • management
• No SPs from publishers
• Attributes
  • personal identifiers: email, person name, eduPersonPrincipalName
  • pseudonymous identifier: eduPersonTargetedID
  • affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison (slide 20)

  REFEDS R&S                      | GÉANT DP CoCo
  --------------------------------+----------------------------------
  Global                          | Mainly Europe
  Common purpose of the SPs       | Common data protection standards
  Fixed set of attributes         | SP can require any attributes

Page 87
Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (slide 2)
[screenshot on the slide; no text extracted]

Page 88

Attribute Release Settings (1) (slide 3)
[screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) (slide 4)
[screenshot on the slide; no text extracted]

Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files (slide 2)
Log files:
  error.log: aai-login.example.org.error.log
    LogLevel set in /etc/apache2/apache2.conf (default "warn")
  access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition
  dir: /etc/apache2/sites-available, file: aai-login.example.org.conf

Page 90

Tomcat log files (slide 3)
catalina.out: console output (System.err/out) from Tomcat
  default logging location: /var/log/tomcat7
  config in /etc/tomcat7/logging.properties
    FileHandler.level: INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST), ...)
  default logging location: /var/log/tomcat7
  config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1) (slide 4)
Logging implementation: Logback (Log4j successor)
  Manual: http://logback.qos.ch/manual/index.html
Reloadability: log level changes take effect without restarting the IdP; services.properties entry:
  idp.service.logging.checkInterval = PT5M
Automatic email alerts on error

Page 91
Shibboleth log files (2) (slide 5)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  idp-process.log: detailed description of the IdP processing requests
  idp-warn.log: filtered view of idp-process.log
  idp-audit.log: general request/response auditing records
  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3) (slide 6)
Config: /opt/shibboleth-idp/conf/logback.xml
  3 main classes: Logger, Appender (output destination) and Layout
  Default settings are usually OK; change them if required, e.g.
    LDAP auth module or authentication events
    new Logger or Appender ...
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default

Page 92

SMTPAppender in logback.xml (slide 7)

  <!-- SMTPAppender sends a mail for each ERROR-level event by default -->
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html
Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (deliberately wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2 (slide 9)
Find out why not all of the attributes appear.

Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat.

Page 94
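The two hands-on exercises above each come down to one check an operator repeats often: pulling the offending class name out of catalina.out, and confirming that the LDAP search filter in ldap.properties still carries the right placeholder. The script below is an added example and not part of the SWITCH handouts; the file paths are the ones named on the slides, while the sample catalina.out and ldap.properties contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): two checks for the two
# hands-on exercises, run here against constructed sample files so that the
# script works offline.  The real paths named on the slides are
# /var/log/tomcat7/catalina.out and /opt/shibboleth-idp/conf/ldap.properties.

# Print the class named in the first java.lang.ClassNotFoundException in a
# catalina.out file (Hands On 1); prints nothing and returns 1 if none.
find_missing_class() {
    sed -n 's/.*java\.lang\.ClassNotFoundException: \([A-Za-z0-9_.$]*\).*/\1/p' "$1" \
        | head -n 1 | grep .
}

# Verify that idp.attribute.resolver.LDAP.searchFilter in ldap.properties uses
# the $requestContext.principalName placeholder that step 6 of Hands On II
# restores.  Returns 1 (and prints the line) when the property is missing or
# carries another placeholder such as $requestContext.Name.
check_ldap_search_filter() {
    line=$(grep '^idp\.attribute\.resolver\.LDAP\.searchFilter' "$1") || {
        echo "searchFilter property not found in $1"; return 1; }
    case "$line" in
        *'$requestContext.principalName'*) return 0 ;;
        *) echo "suspicious searchFilter: $line"; return 1 ;;
    esac
}

# --- constructed sample input (not real IdP or Tomcat output) -----------
demo_dir=$(mktemp -d)
cat > "$demo_dir/catalina.out" <<'EOF'
SEVERE: Begin event threw exception
java.lang.ClassNotFoundException: org.apache.catalina.filter
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
EOF
printf '%s\n' 'idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.Name)' \
    > "$demo_dir/ldap.properties.bad"
printf '%s\n' 'idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)' \
    > "$demo_dir/ldap.properties.good"

echo "missing class: $(find_missing_class "$demo_dir/catalina.out")"
check_ldap_search_filter "$demo_dir/ldap.properties.good" && echo "good file: OK"
check_ldap_search_filter "$demo_dir/ldap.properties.bad" || echo "bad file: flagged"
```

On a real host, call the two functions with the slide's paths instead of the sample files; the second check is worth keeping in a pre-restart checklist, since a wrong placeholder only shows up after a login fails and DEBUG logging has been switched on.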
Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2 (slide 2)
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified ... requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)
  shibboleth.LoggingService: logging configuration reload (logback.xml)
  shibboleth.AttributeFilterService: attribute filter reload
  shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
  shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
  shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
  shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
  shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96
And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course ... but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=...
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98
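Slides 3 and 4 describe the two admin flows and the bean IDs they accept, and the hands-on slide asks what the audit log records about them. The script below ties those together as an added example; it is not one of the reload scripts shipped under /opt/shibboleth-idp/bin. The host name and bean IDs are those on the slides, the `IDP_BASE` variable and the function names are my own, and the assumption that the profile URI is the fifth `|`-separated field of idp-audit.log is taken from the two sample lines on slide 7 rather than stated anywhere in the handouts.

```shell
#!/bin/sh
# Added example, not from the handouts: a thin wrapper around the v3 admin
# reload flows plus a count of reload events in idp-audit.log.  The host name
# and bean IDs come from the slides; IDP_BASE and the function names are
# assumptions of this example.  The audit field order (profile URI in field 5)
# is inferred from the sample lines on slide 7, not stated by the handouts.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Bean IDs that slide 4 lists as reloadable services.
KNOWN_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService \
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService \
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService \
shibboleth.ReloadableAccessControlService"

# Return 0 if $1 is one of the known service bean IDs.
is_known_service() {
    for known in $KNOWN_SERVICES; do
        [ "$known" = "$1" ] && return 0
    done
    return 1
}

# Print the reload URL for a service bean ID ("service") or a metadata
# provider ID ("metadata"), i.e. the two admin flows from slide 3.
reload_url() {
    case "$1" in
        service)  echo "$IDP_BASE/profile/admin/reload-service?id=$2" ;;
        metadata) echo "$IDP_BASE/profile/admin/reload-metadata?id=$2" ;;
        *) echo "usage: reload_url service|metadata <id>" >&2; return 2 ;;
    esac
}

# Trigger a reload with curl (run it on the IdP host itself, which is what the
# default access-control rule permits) and report the HTTP status.  Unknown
# service IDs are refused up front so a typo does not turn into a failed admin
# flow.  Not invoked below because it needs a running IdP.
reload() {
    kind=$1; id=$2
    if [ "$kind" = service ] && ! is_known_service "$id"; then
        echo "unknown service bean ID: $id" >&2; return 1
    fi
    url=$(reload_url "$kind" "$id") || return 2
    status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    echo "$kind $id -> HTTP $status"
    [ "$status" = 200 ]
}

# Count reload events per profile URI in an idp-audit.log (field 5 holds the
# profile URI; ordinary SSO lines are skipped because they do not match).
count_reload_events() {
    awk -F'|' 'index($5, "/profiles/reload-") > 0 { n[$5]++ }
               END { for (p in n) print n[p], p }' "$1" | sort
}

# --- constructed sample audit log (not real IdP output) ----------------
AUDIT_SAMPLE=$(mktemp)
cat > "$AUDIT_SAMPLE" <<'EOF'
20150611T084512Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T084530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T084601Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T090000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1a2b|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|_n1|_r1|_a1||
EOF

echo "reload URL: $(reload_url service shibboleth.AttributeFilterService)"
is_known_service shibboleth.NoSuchService || echo "shibboleth.NoSuchService is not a known service"
count_reload_events "$AUDIT_SAMPLE"
```

The count shows exactly what the hands-on slide points out: the audit log tells you that a reload flow ran and which of the two flows it was, but nothing in the line identifies the id= argument, so that has to come from elsewhere. The `[ "$status" = 200 ]` at the end of `reload` makes the function usable in a deployment script that should stop when a reload is rejected.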
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • opt-in vs opt-out
  • metadata
  • Discovery Service
  • attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • in SWITCHaai: two hours
  • for interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS) (slide 6)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101
Attributes (slide 7)
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103
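The "Attributes" and "Troubleshooting" slides above both boil down to two lookups on the IdP host: is the SP in the interfederation metadata file at all, and what does idp-audit.log say was released to it. The script below is an added example, not part of the handouts or of the SWITCH deployment guide. The metadata path is the one from slide 9; the sample metadata, audit lines and requirement list are constructed, and the audit field order it relies on (SP entityID in field 4, comma-separated attribute list in field 8) is an assumption about the default v3 audit format, not something the slides state.

```shell
#!/bin/sh
# Added example (not from the handouts): two checks from the "Attributes" and
# "Troubleshooting" slides, run here against constructed sample files.  The
# metadata path is the one named on slide 9.  The idp-audit.log field order
# (SP entityID in field 4, attribute list in field 8) is an assumption about
# the default v3 audit format, not something the slides state.
LC_ALL=C; export LC_ALL

# Return 0 and print a note if the SP's entityID appears in the metadata file,
# otherwise return 1.  Matched as a complete attribute value (-F, closing
# quote included) so a prefix of another entityID does not count.
sp_in_metadata() {
    grep -qF "entityID=\"$2\"" "$1" && echo "$2 found in $1"
}

# Print the attributes idp-audit.log shows as released to an SP, one per line,
# sorted and de-duplicated; prints nothing and returns 1 if no SSO to that SP
# with released attributes was logged.
released_attributes() {
    awk -F'|' -v sp="$2" '$4 == sp && $8 != "" { print $8 }' "$1" \
        | tr ',' '\n' | sort -u | grep .
}

# Compare the attributes an SP requires (one per line, as copied from the
# Resource Registry) with what the audit log shows as released.  Prints the
# missing ones and returns 1 if any are missing, which is the "If NO" branch
# of slide 7.
missing_attributes() {
    released=$(released_attributes "$1" "$2") || released=""
    missing=""
    while read -r req; do
        [ -n "$req" ] || continue
        printf '%s\n' "$released" | grep -qxF -- "$req" || missing="$missing $req"
    done < "$3"
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# --- constructed sample input (not real metadata or IdP output) ----------
demo_dir=$(mktemp -d)
cat > "$demo_dir/metadata.interfederation-sps.xml" <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
cat > "$demo_dir/idp-audit.log" <<'EOF'
20150611T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1a2b|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,givenName|_n1|_r1|_a1||
20150611T101730Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3c4d|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|user2|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonTargetedID|_n2|_r2|_a2||
20150611T102000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
EOF
printf '%s\n' eduPersonPrincipalName mail displayName > "$demo_dir/required.txt"

sp_in_metadata "$demo_dir/metadata.interfederation-sps.xml" https://sp.example.org/shibboleth-sp
echo "released:"; released_attributes "$demo_dir/idp-audit.log" https://sp.example.org/shibboleth-sp
missing_attributes "$demo_dir/idp-audit.log" https://sp.example.org/shibboleth-sp "$demo_dir/required.txt" \
    || echo "(review the attribute release policy for this SP)"
```

A result of "missing: displayName" here means the IdP never released that attribute, which is the release-policy branch of slide 7; if everything required shows as released, the problem is on the SP side, which matches the slide's advice to hand it back to the SP operator.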
SWITCHaai Team aaiswitchch
$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG
copy 2015 SWITCH
Attribute Release Rules
2
Page 88
copy 2015 SWITCH
Attribute Release Settings (1)
3
Res
ourc
e R
egis
try ndash
E
dit H
ome
Org
aniz
atio
n D
escr
iptio
n ndash
Attr
ibut
e R
elea
se S
ettin
gs
copy 2015 SWITCH
Attribute Release Settings (2)
4
Page 89
Overview of Log Files
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Apache log files
Logfiles errorlog
aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)
accesslog aai-loginexampleorgaccesslog
Location varlogapache2Configuration defined in the virtual host definition
dir etcapache2sites-available file aai-loginexampleorgconf
2
Page 90
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date
  • interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems
Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out beforehand
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day
Slide 3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Slide 4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Slide 5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Slide 6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Slide 7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Slide 8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Slide 9
Page 103
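Added example (not from the handout) for the "Shibboleth SSO profile is not configured for relying party" error on the Discovery Service slide and the metadata-file lookup on the Troubleshooting slide: it extracts the failing entityIDs from idp-process.log lines and checks whether each appears in a loaded metadata file, reporting expired aggregates as well. The log lines, the metadata document and the logger names in them are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
NOT_CONFIGURED_RE = re.compile(
    r"Shibboleth SSO profile is not configured for relying party (\S+)")

def parse_utc(value):
    """Parse a SAML metadata timestamp such as 2015-06-14T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def unknown_relying_parties(log_lines):
    """entityIDs named in 'not configured for relying party' messages, deduplicated."""
    found = set()
    for line in log_lines:
        m = NOT_CONFIGURED_RE.search(line)
        if m:
            found.add(m.group(1).rstrip(".,;"))
    return sorted(found)

def index_metadata(xml_text, source):
    """Map entityID -> source for every EntityDescriptor in one metadata file,
    whether it is a single EntityDescriptor or an EntitiesDescriptor aggregate."""
    root = ET.fromstring(xml_text)
    return {ed.get("entityID"): source for ed in root.iter(MD_NS + "EntityDescriptor")}

def metadata_valid_until(xml_text):
    """validUntil of the document root, or None when the file carries none."""
    value = ET.fromstring(xml_text).get("validUntil")
    return None if value is None else parse_utc(value)

def diagnose(log_lines, metadata_files, now=None):
    """For each failing relying party, say which loaded metadata file (if any)
    knows it. Aggregates whose validUntil has passed are listed as stale: the
    IdP does not trust expired metadata, so slow propagation shows up here."""
    now = now or datetime.now(timezone.utc)
    index, stale = {}, []
    for name, text in metadata_files.items():
        index.update(index_metadata(text, name))
        until = metadata_valid_until(text)
        if until is not None and until < now:
            stale.append(name)
    verdicts = {}
    for entity_id in unknown_relying_parties(log_lines):
        source = index.get(entity_id)
        if source is None:
            verdicts[entity_id] = ("not in any loaded metadata file: SP not interfederated "
                                   "(yet), opted out, or the metadata has not propagated")
        else:
            verdicts[entity_id] = ("present in %s: the IdP knows this SP, so look at its "
                                   "relying-party profile configuration" % source)
    return {"verdicts": verdicts, "stale_metadata": stale}

# Constructed sample input (not real IdP output); the logger name is a placeholder.
SAMPLE_LOG = [
    "2015-06-11 11:20:03,118 - ERROR [ProfileHandler:123] - Shibboleth SSO profile is not "
    "configured for relying party https://sp.example.org/shibboleth-sp",
    "2015-06-11 11:20:41,507 - ERROR [ProfileHandler:123] - Shibboleth SSO profile is not "
    "configured for relying party https://sp.example.org/shibboleth-sp",
    "2015-06-11 11:22:09,004 - ERROR [ProfileHandler:123] - Shibboleth SSO profile is not "
    "configured for relying party https://known-sp.example.edu/shibboleth",
]
SAMPLE_METADATA = {
    # constructed stand-in for /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
    "metadata.interfederation-sps.xml": """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-06-14T00:00:00Z">
  <EntityDescriptor entityID="https://known-sp.example.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://known-sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
""",
}

if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_METADATA, parse_utc("2015-06-11T12:00:00Z"))
    for entity_id, verdict in report["verdicts"].items():
        print(entity_id, "->", verdict)
    print("stale metadata files:", report["stale_metadata"])
```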
Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
Slide 3
Attribute Release Settings (2)
Slide 4
Page 89
Overview of Log Files
SWITCHaai Team, aai@switch.ch
Apache log files
Logfiles:
  error.log: aai-login.example.org.error.log
    LogLevel in /etc/apache2/apache2.conf (default "warn")
  access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition
  dir: /etc/apache2/sites-available, file: aai-login.example.org.conf
Slide 2
Page 90
Tomcat log files
catalina.out: console output (System.err/out) from Tomcat
  default logging location: /var/log/tomcat7
  config in /etc/tomcat7/logging.properties
    FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  default logging location: /var/log/tomcat7
  config: /etc/tomcat7/server.xml (output dir and name)
Slide 3
Shibboleth log files (1)
Logging implementation called Logback (Log4j successor)
  Manual: http://logback.qos.ch/manual/index.html
Reloadability: log level changes without restart; see the services.properties entry
  idp.service.logging.checkInterval = PT5M
Automatic Email Alerts on Error
Slide 4
Page 91
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  idp-process.log: detailed description of the IdP processing requests
  idp-warn.log: filtered view of idp-process.log
  idp-audit.log: general request/response auditing records
  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
Slide 5
Shibboleth log files (3)
Config: /opt/shibboleth-idp/conf/logback.xml
3 main classes: Logger, Appender (output destination) and Layout
Default settings usually ok; change them if required, e.g.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
Logback handles rollover by default
Slide 6
Page 92
SMTPAppender in logback.xml
  <!-- by default SMTPAppender only sends mail for ERROR-level events (OnErrorEvaluator) -->
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>
http://logback.qos.ch/manual/appenders.html
Slide 7
Hands On 1
Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
Slide 8
Page 93
Hands On 2
Find out why not all of the attributes appear
Slide 9
Hands On II
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
Slide 10
Page 94
Reloading the Configuration: New options with IdP v3
SWITCHaai Team, aai@switch.ch
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it can only be achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
Slide 2
Page 95
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
New reloading options with v3
Slide 3
  shibboleth.LoggingService: logging configuration reload (logback.xml)
  shibboleth.AttributeFilterService: attribute filter reload
  shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
  shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
  shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
  shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
  shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default, the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
Available bean IDs for service reloads
Slide 4
Page 96
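Added example for the hands-on question of how to recover the id= argument that idp-audit.log omits, and for the localhost-only access rule on the reload URLs; it is not code from the handout or from SWITCH. It joins idp-audit.log reload events with the Apache access.log of the same host by flow path and timestamp, and flags reload requests from non-localhost clients, rejected requests, and bean IDs that are not on the slide-4 list. Assumptions: the audit %T field is basic ISO 8601 in UTC, access.log uses Apache's combined format, and every log line below is constructed.

```python
import re
from datetime import datetime, timezone

# Audit-log profile IDs shown on the exercise slide -> the admin flow path they belong to.
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "/idp/profile/admin/reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "/idp/profile/admin/reload-metadata",
}
# Bean IDs from the "Available bean IDs for service reloads" slide.
KNOWN_SERVICE_IDS = {
    "shibboleth.LoggingService", "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService", "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService", "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}
# Apache "combined" format: client ident user [time] "METHOD target protocol" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def parse_audit(lines):
    """(utc_time, profile) for each reload event; the profile is the 5th '|' field."""
    events = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 5 or fields[4] not in RELOAD_PROFILES:
            continue
        # Assumption: the %T field is written as basic ISO 8601 in UTC, e.g. 20150611T091502Z.
        ts = datetime.strptime(fields[0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, fields[4]))
    return events

def parse_access(lines):
    """One dict per access.log request that hit a reload-* admin flow."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path not in RELOAD_PROFILES.values():
            continue
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        hits.append({"time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                     "ip": m.group("ip"), "path": path, "id": params.get("id"),
                     "status": int(m.group("status"))})
    return hits

def correlate(audit_lines, access_lines, window_seconds=5):
    """Attach the id= argument to each audited reload by joining on flow path and time."""
    hits = parse_access(access_lines)
    result = []
    for ts, profile in parse_audit(audit_lines):
        path = RELOAD_PROFILES[profile]
        ids = [h["id"] for h in hits
               if h["path"] == path and abs((h["time"] - ts).total_seconds()) <= window_seconds]
        result.append({"time": ts.isoformat(), "flow": path.rsplit("/", 1)[1],
                       "id": ids[0] if len(ids) == 1 else None, "candidates": ids})
    return result

def suspicious_reload_requests(access_lines):
    """Reload requests that deserve a look: a client other than localhost (the default
    access-control rule), a rejected request, or a service id not on the known list."""
    flagged = []
    for h in parse_access(access_lines):
        reasons = []
        if h["ip"] not in ("127.0.0.1", "::1"):
            reasons.append("remote client")
        if h["status"] != 200:
            reasons.append("HTTP %d" % h["status"])
        if h["path"].endswith("reload-service") and h["id"] not in KNOWN_SERVICE_IDS:
            reasons.append("unknown bean id %r" % h["id"])
        if reasons:
            flagged.append((h["ip"], h["path"], h["id"], reasons))
    return flagged

# Constructed sample lines (not real log output) for the handout's aai-login.example.org host.
AUDIT_LOG = [
    "20150611T091502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T091530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
]
ACCESS_LOG = [
    '127.0.0.1 - - [11/Jun/2015:11:15:02 +0200] "GET /idp/profile/admin/reload-service'
    '?id=shibboleth.AttributeResolverService HTTP/1.1" 200 52 "-" "curl/7.35.0"',
    '127.0.0.1 - - [11/Jun/2015:11:15:31 +0200] "GET /idp/profile/admin/reload-metadata'
    '?id=ExampleMD HTTP/1.1" 200 48 "-" "curl/7.35.0"',
    '192.0.2.10 - - [11/Jun/2015:11:16:00 +0200] "GET /idp/profile/admin/reload-service'
    '?id=shibboleth.NoSuchService HTTP/1.1" 403 199 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for event in correlate(AUDIT_LOG, ACCESS_LOG):
        print(event)
    for entry in suspicious_reload_requests(ACCESS_LOG):
        print("check:", entry)
```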
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2
And restartless login page editing, too
Slide 5
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters, etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
Still requiring a restart with v3
Slide 6
Page 97
copy 2015 SWITCH
Tomcat log files
catalinaout console output (Systemerrout) from Tomcat default Logging location varlogtomcat7 Config in etctomcat7loggingproperties
FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL
localhostYYYY-MM-DDlog
access information associated with a request (ip address time request method(GET or POST)
default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)
3
copy 2015 SWITCH
Shibboleth log files (1)
logging implementation called Logback Log4j successor Manual
o httplogbackqoschmanualindexhtml
Reloadability log level change without restart the idp servicesproperties
entry idpserviceloggingcheckInterval = PT5M
Automatic Email Alerts on Error 4
Page 91
copy 2015 SWITCH
Shibboleth log files (2)
Location optshibboleth-idplogs
three classes of log files produced by default Diagnostic general audit and consent audit logs
idp-processlog detailed description of the IdP processing requests
idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing
records idp-consent-auditlog user decisions over attribute
release and terms of use acceptance 5
copy 2015 SWITCH
Shibboleth log files (3)
cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output
destination) and Layout Default settings usually ok Change it if required ie
o LDAP Auth Module or authentication events o new Logger or Appenderhellip
Log messages have 5 levels TRACE DEBUG INFO WARN ERROR
Logback handle rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it can only be achieved by a relatively awkward constantly-watch-for-file-changes check
2
Page 95
New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
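The reload flows from slide 3 and the audit-log entries from the hands-on ideas, combined in one added shell helper that is not part of the SWITCH handouts: it builds the reload-service/reload-metadata URL, rejects service bean IDs that are not in the list on slide 4, calls the flow with curl and extracts the reload events from idp-audit.log. The IdP base URL, the audit log path and the sample audit lines are assumptions or constructed here.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts.
# Assumed: IdP base URL and audit log path; the sample audit lines below are constructed.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"
AUDIT_LOG="${AUDIT_LOG:-/opt/shibboleth-idp/logs/idp-audit.log}"

# Service bean IDs from the "Available bean IDs for service reloads" slide.
KNOWN_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

is_known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# reload_url service|metadata <id>: print the admin flow URL for the reload.
# An unknown service bean ID is rejected locally instead of being sent to the IdP.
reload_url() {
    case "$1" in
        service)
            is_known_service "$2" || { echo "unknown service bean ID: $2" >&2; return 1; }
            echo "$IDP_BASE/profile/admin/reload-service?id=$2" ;;
        metadata)
            [ -n "$2" ] || { echo "metadata provider ID required" >&2; return 1; }
            echo "$IDP_BASE/profile/admin/reload-metadata?id=$2" ;;
        *)
            echo "usage: reload_url service|metadata <id>" >&2; return 2 ;;
    esac
}

# do_reload service|metadata <id>: call the flow and report the HTTP status.
# Run it on the IdP host itself: access-control.xml limits the reload-* URLs
# to localhost (plus the Resource Registry, if configured as SWITCH suggests).
do_reload() {
    url=$(reload_url "$1" "$2") || return 1
    body=$(mktemp)
    status=$(curl -s -o "$body" -w '%{http_code}' "$url")
    echo "HTTP $status for $url"
    cat "$body"
    rm -f "$body"
    [ "$status" = "200" ]
}

# audit_reload_events [file]: print "timestamp profile" for each reload recorded
# in idp-audit.log. As the handouts show, a reload entry carries only the profile
# URI, in the 5th pipe-separated field; the id= argument is not logged there.
audit_reload_events() {
    awk -F'|' '$5 ~ /\/profiles\/reload-(metadata|service-configuration)$/ { print $1, $5 }' "$@"
}

# Constructed sample: one SSO entry followed by two reload entries.
SAMPLE_AUDIT='20150611T101430Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1b2c3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|demouser|192.0.2.10||||||
20150611T101502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T101533Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||'

# count_sample_reloads: number of reload events found in the constructed sample.
count_sample_reloads() {
    printf '%s\n' "$SAMPLE_AUDIT" | audit_reload_events | wc -l | tr -d ' '
}

# Usage: sh idp-reload.sh service shibboleth.AttributeResolverService
case "${1:-}" in
    service|metadata)
        do_reload "$1" "$2" && audit_reload_events "$AUDIT_LOG" | tail -n 3 ;;
esac
```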
New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems
Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before the flag day
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day
3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  • or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
Shibboleth log files (2)
Location: /opt/shibboleth-idp/logs
Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
• idp-process.log: detailed description of the IdP processing requests
• idp-warn.log: filtered view of idp-process.log
• idp-audit.log: general request/response auditing records
• idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
5
Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, i.e.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
6
Page 92
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
SMTPAppender in logbackxml
ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt
httplogbackqoschmanualappendershtml7
copy 2015 SWITCH
Hands On 1
Why is Tomcat not starting up
1 edit etctomcat7serverxml and insert listener in Server Element (wrong class)
lt Listener className=orgapachecatalinafilter gt
2 Restart Tomcat 3 Look at varlogtomcat7catalinaout
find the entry javalangClassNotFoundException
4 Remove listener from serverxml and restart Tomcat
8
Page 93
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
Hands On 2
9
Find out why not all of the attributes appear
copy 2015 SWITCH
Hands On II
1 cd optshibboleth-idpconf2 edit ldapproperties and insert wrong value
Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)
3 edit logbackxml set log level to DEBUG for logger orgldaptiveauthAuthenticator insert additional logger for the attribute resolver
ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt
4 Restart Tomcat and log in to the IdP (AAI Demo Service) 5 Look at the idp-processlog and find the log entries -
[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]
6 Undo wrong value set $requestContextprincipalName and restart Tomcat
10
Page 94
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
3
Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
4
Page 96
And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
5
Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
6
Page 97
(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
7
Page 98
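For the audit-log question in the exercises above, an added example (not from the SWITCH handout and not part of the Shibboleth IdP) that picks the reload events out of constructed idp-audit.log lines and joins them, by timestamp, to the container's access log, where the query string of the admin request still carries the id= argument. It assumes the IdP v3 default audit layout (timestamp in the first pipe-separated field, profile URI in the fifth) and a Tomcat-style access log; all log lines below are constructed samples.

```python
"""Spot reload events in idp-audit.log and recover the id= they used.

Added example for the hands-on exercise; not part of the SWITCH handout or
of the Shibboleth IdP. Assumptions: audit lines follow the IdP v3 default
layout (timestamp first, profile URI fifth), and the Tomcat access log
shows the query string of the admin request, so the two can be joined on time.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Profile URIs the audit log records for the two admin flows (as on the slide).
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}

# Constructed sample lines (not real logs): one normal SSO event and two reloads.
AUDIT_LINES = """\
20150611T095959Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|||
20150611T100000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T100130Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
""".splitlines()

# Constructed Tomcat access-log lines for the same minutes (local time, UTC+2).
ACCESS_LINES = """\
127.0.0.1 - - [11/Jun/2015:12:00:00 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 57
127.0.0.1 - - [11/Jun/2015:12:01:30 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaaiMetadata HTTP/1.1" 200 41
127.0.0.1 - - [11/Jun/2015:12:03:00 +0200] "GET /idp/status HTTP/1.1" 200 1203
""".splitlines()

ACCESS_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) ')


def reload_events(audit_lines):
    """Return (utc_time, flow) for each audit record whose profile is a reload."""
    events = []
    for line in audit_lines:
        fields = line.split("|")
        if len(fields) < 5 or fields[4] not in RELOAD_PROFILES:
            continue
        ts = datetime.strptime(fields[0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, RELOAD_PROFILES[fields[4]]))
    return events


def admin_requests(access_lines):
    """Return (utc_time, flow, id) for each access-log hit on a reload-* admin flow."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.startswith("/idp/profile/admin/reload-"):
            continue
        flow = url.path.rsplit("/", 1)[-1]
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        ids = parse_qs(url.query).get("id", ["<missing>"])
        hits.append((ts, flow, ids[0]))
    return hits


def reloads_with_ids(audit_lines, access_lines, window=timedelta(seconds=5)):
    """Join each audit reload event to the closest admin request of the same flow.

    Returns (audit_timestamp, flow, id) per event; id is "<unknown>" when no
    matching request lies within the window (e.g. the access log was rotated).
    """
    requests = admin_requests(access_lines)
    result = []
    for ts, flow in reload_events(audit_lines):
        candidates = [r for r in requests if r[1] == flow and abs(r[0] - ts) <= window]
        if candidates:
            best = min(candidates, key=lambda r: abs(r[0] - ts))
            result.append((ts.strftime("%Y%m%dT%H%M%SZ"), flow, best[2]))
        else:
            result.append((ts.strftime("%Y%m%dT%H%M%SZ"), flow, "<unknown>"))
    return result


if __name__ == "__main__":
    for row in reloads_with_ids(AUDIT_LINES, ACCESS_LINES):
        print("%s  %-16s id=%s" % row)
```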
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day
3
(Figure: Opt-in and Opt-out rollout)
Three Examples
1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.
4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
7
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the Is Federated Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
9
Page 103
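Searching the metadata file by hand, as suggested above, answers three of the questions raised on the Metadata, Attributes and Troubleshooting slides at once: is the SP in the file at all, which registration authority published it, and does it advertise an encryption key (the first thing to look at when an SP reports that it cannot decrypt the assertion). The following added example (not the SWITCH handout's or the Shibboleth project's code) runs those checks over a constructed SAML metadata aggregate; the entityIDs and registration authorities in it are placeholders.

```python
"""Check an SP's entry in an interfederation metadata aggregate.

Added example, not part of the SWITCH handout. It walks a SAML metadata
aggregate of the kind found at
/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml and reports,
for one entityID, whether the SP is present, who registered it and whether
it publishes an encryption key. The aggregate below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate: one SP with signing and encryption keys, one with a
# signing key only. Certificates and registrar URIs are placeholders.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp-good.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://registrar-a.example/"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-signonly.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://registrar-b.example/"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def inspect_sp(metadata_xml, entity_id):
    """Return a dict describing the entity, or None if entity_id is not in the aggregate.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption per the SAML metadata specification, so it counts as an
    encryption key here.
    """
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        sp = ed.find("md:SPSSODescriptor", NS)
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        keys = [] if sp is None else sp.findall("md:KeyDescriptor", NS)
        uses = {k.get("use") for k in keys}
        return {
            "entityID": entity_id,
            "is_sp": sp is not None,
            "registrationAuthority": None if reg is None else reg.get("registrationAuthority"),
            "has_encryption_key": bool(uses & {"encryption", None}),
        }
    return None


def diagnose(metadata_xml, entity_id):
    """Map the findings to the failure modes discussed on the slides."""
    info = inspect_sp(metadata_xml, entity_id)
    if info is None:
        return "unknown entity: not in this metadata file, so the IdP will not trust it"
    if not info["is_sp"]:
        return "entity present but has no SPSSODescriptor"
    if not info["has_encryption_key"]:
        return "SP publishes no encryption key: it cannot decrypt encrypted assertions"
    return "SP present (registered by %s) with an encryption key" % info["registrationAuthority"]


if __name__ == "__main__":
    for eid in ("https://sp-good.example.org/shibboleth",
                "https://sp-signonly.example.org/shibboleth",
                "https://sp-missing.example.org/shibboleth"):
        print(eid, "->", diagnose(SAMPLE_METADATA, eid))
```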
Reloading the Configuration New options with IdPv3
SWITCHaai Team aaiswitchch
copy 2015 SWITCH
bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)
bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)
bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check
Reloading the configuration with v2
2
Page 95
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
bull reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id
bull available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml
bull reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml
bull by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)
bull two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward
New reloading options with v3
3
copy 2015 SWITCH
shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector
definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in
the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml
shibbolethMetadataResolverService reloads the metadata list specified in servicesxml
shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file
Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)
Available bean IDs for service reloads
4
Page 96
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
bull the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the
changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required
when JSP files were changed with the IdP v2
And restartless login page editing too
5
copy 2015 SWITCH
bull changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)
bull changes to globalxml (SQL data source HTTP client settings) bull changes to the authentication configuration such as
LDAP parameters etc bull changes to optshibboleth-idpedit-webapp files
(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating
conditions such reconfigurations relatively rarely occur
Still requiring a restart with v3
6
Page 97
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
SWITCHaai Team aaiswitchch
New Challenges with Interfederation SPs
Interfederation unites various cultures
copy 2015 SWITCH
Goals bull Get an idea of why access to an interfederated SP
might fail differently than in SWITCHaai
bull Understand what is different regarding bull Opt-in vs opt-out bull Metadata bull Discovery Service bull Attributes
bull Know whom to contact and where to get help
2
Page 99
copy 2015 SWITCH
Interfederation Rollout Opt-in vs Opt-out bull Opt-in
bull IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date
bull Interfederation Metadata gets loaded bull IdP Additional attributes user consent bull SP Discovery Service attribute mapping access rules
⊖ Slow process oplus Entities unlikely to cause interoperability problems
bull Opt-out bull Federation announces a flag day for enabling interfederation
bull IdPs and SPs need to opt-out before bull if they do not want to participate bull if they are not ready yet
oplus Quick adoption ⊖ More likely that entities cause problems
unless they opted-out in before the flag day
3
Opt-in
Opt-out
copy 2015 SWITCH
Three Examples 1) UK Data Archive
httpwwwdata-archiveacuk 2) FUNET FileSender
httpsfilesenderfunetfi 3) Wiseflow
httpseuropewiseflownet
What is wrong in these examples 1) Unclear use of terminology at the SP to know whether interfederation is
supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out
2) eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN
4
Page 100
copy 2015 SWITCH
Metadata bull Interfederated IdPs and SPs need additional metadata
bull SWITCHaai entities configure an additional metadata source signed with the same trust anchor
bull Opt-out federations integrate all entities into a single metadata file
bull Propagation speed of metadata changes bull In SWITCHaai two hours bull For interfederation one to a few days
bull Possible issue bull SP does not load interfederation metadata
bull SP does not know the IdP and fails
5
ltmetagtltdatagt
copy 2015 SWITCH
Discovery Service (DS) bull Within SWITCHaai
users easily find their IdP
bull An SP needs a DS that knows the appropriate set of IdPs bull An interfederation enabled SP registered in SWITCHaai
It needs to deploy a DS that includes interfederation bull Eg in the UK Federation the central DS lists always all interfederated
IdPs also for SPs that did opt-out bull That can result in this error message at your IdP
Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp
6
Page 101
copy 2015 SWITCH
Attributes bull Missing attributes cause interoperation problems
bull Check SPs attribute requirements in the Resource Registry bull Verify that attributes were released (in IdPs auditlog)
bull If NO check your IdPs attribute release policy bull If YES
bull Were all required attributes released bull If YES SP has to check it out why it fails bull If NO review your attribute release policy
bull Another issue bull An SP failed because it was not able to decrypt the SAML assertion
that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier
7
copy 2015 SWITCH
Exploring interfederated entities bull Is a universitys IdP or an SP already interfederated
bull go to httpstechnicaledugainorgstatusphp bull pick the country where the entity might be registered bull under Metadata URL click on validate this metadata set then on show entities list
bull or search it in the eduGAIN List of Entities bull go to httpstechnicaledugainorgentitiesphp
bull or try the Is Federated Checker bull go to httpswikiedugainorgisFederatedCheck bull provide email addresses or domain names
bull Additional web pages of interest bull Which interfederated SPs are committed to the
GEANT Data Protection Code of Conduct (CoCo) bull go to httpmonitoredugainorgcoco
bull REFEDS Metadata Explorer Tool (MET)
bull go to httpsmetrefedsorg
8
Page 102
copy 2015 SWITCH
Troubleshooting interfederated entities bull Find an SP in the Resource Registry
bull go to httpsrraaswitchch bull pick Search for resources bull pick interfederation
bull or search it in the metadata file bull optshibboleth-idpmetadatametadatainterfederation-spsxml
bull Contact the SWITCHaai Team aaiswitchch
9
Page 103
copy 2015 SWITCH
bull try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip
bull check what happens when specifying invalid bean IDs bull insert a syntax error into a configuration file and try
reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||
How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently
running IdP and Java version details to idp-processlog
(Ideas for) hands-on exercises
7
Page 98
New Challenges with Interfederation SPs
Interfederation unites various cultures
SWITCHaai Team aai@switch.ch
© 2015 SWITCH
Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help
Slide 2
Page 99
Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day
Slide 3
Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.
Slide 4
Page 100
Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails
Slide 5
Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
Slide 6
Page 101
Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
Slide 7
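The decision tree on this slide can be applied mechanically once the audit records for the SP are at hand. The script below is an added example, not part of the SWITCH slides: it picks the audit records addressed to one SP, compares the released attribute IDs with a requirement set as you would read it off the Resource Registry, and returns the branch of the tree that applies. The pipe-separated layout, the column positions RP_INDEX and ATTR_INDEX, the sample records and the requirement set are all constructed; the real field order is whatever your IdP's audit format defines, so set the two indexes accordingly.

```python
"""Compare attributes released to an SP (per idp-audit.log) with the SP's
requirements (per Resource Registry entry).

Added example, not part of the SWITCH slides. It walks the decision tree of
the Attributes slide: nothing released -> look at the release policy; some
released but required ones missing -> review the policy; everything released
-> the SP side has to investigate. Audit layout and requirement set are
constructed; adjust RP_INDEX and ATTR_INDEX to your deployment's audit format.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Assumed positions in the constructed pipe-separated audit record.
RP_INDEX = 3      # relying party (SP entityID)
ATTR_INDEX = 7    # comma-separated IDs of released attributes

SP_ENTITY_ID = "https://sp.example.org/shibboleth-sp"

# Constructed sample lines: one SSO to our SP with three attributes, one SSO
# to another SP, and one SSO to our SP where nothing was released.
SAMPLE_AUDIT_LINES = [
    "20150611T090000Z|||https://sp.example.org/shibboleth-sp|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|user1||"
    "uid,mail,eduPersonAffiliation|",
    "20150611T090100Z|||https://other.example.net/sp|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|user2||mail|",
    "20150611T090200Z|||https://sp.example.org/shibboleth-sp|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|user3|||",
]

# Constructed requirement, as you would read it off the Resource Registry.
REQUIRED_ATTRIBUTES = {"uid", "mail", "eduPersonPrincipalName"}

NEXT_STEP = {
    "none_released": "check the IdP's attribute release policy for this SP",
    "missing": "review the release policy: required attributes are not released",
    "complete": "all required attributes were released; the SP has to investigate",
}


def records_for_sp(lines: Iterable[str], entity_id: str) -> List[List[str]]:
    """Split records and keep those addressed to the given relying party."""
    kept = []
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) > RP_INDEX and fields[RP_INDEX] == entity_id:
            kept.append(fields)
    return kept


def released_attributes(fields: List[str]) -> Set[str]:
    """Attribute IDs recorded as released in one audit record."""
    raw = fields[ATTR_INDEX] if len(fields) > ATTR_INDEX else ""
    return {a for a in raw.split(",") if a}


def diagnose(fields: List[str], required: Set[str]) -> Tuple[str, List[str]]:
    """Classify one record: ('none_released'|'missing'|'complete', missing IDs)."""
    released = released_attributes(fields)
    if not released:
        return ("none_released", sorted(required))
    missing = sorted(required - released)
    if missing:
        return ("missing", missing)
    return ("complete", [])


def diagnose_sp(lines: Iterable[str], entity_id: str,
                required: Set[str]) -> List[Dict[str, object]]:
    """Apply the decision tree to every record for the SP."""
    results = []
    for fields in records_for_sp(lines, entity_id):
        status, missing = diagnose(fields, required)
        results.append({"timestamp": fields[0], "status": status,
                        "missing": missing, "next_step": NEXT_STEP[status]})
    return results


if __name__ == "__main__":
    for r in diagnose_sp(SAMPLE_AUDIT_LINES, SP_ENTITY_ID, REQUIRED_ATTRIBUTES):
        print(r["timestamp"], r["status"], r["missing"], "->", r["next_step"])
```

The two "policy" outcomes are the ones you can fix on the IdP; the "complete" outcome is the evidence to hand to the SP operator when asking them to look at their side.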
Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org
Slide 8
Page 102
Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
Slide 9
Page 103
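Searching the metadata file, as suggested above, is the local check for the failure mode of the Metadata slide (the peer does not know you because it has not loaded the metadata that names you) and for the "not configured for relying party" message on the Discovery Service slide, which is the IdP-side symptom of the same gap. The script below is an added example, not part of the SWITCH training material: with plain xml.etree it reports whether an entityID is present in an aggregate, which SSO roles it declares, and whether the aggregate's validUntil has already passed. The aggregate is constructed and unsigned; on a SWITCHaai IdP you would read the interfederation metadata file named on the slide instead, and signature verification is left to the IdP's metadata provider, not done here.

```python
"""Look up an entity in a SAML metadata aggregate and check its validity.

Added example, not part of the SWITCH training material. It answers the
questions behind the Metadata and Troubleshooting slides with xml.etree:
is a given entityID present in the file at all, which SAML roles does it
carry, and is the aggregate still within its validUntil. The aggregate below
is constructed; point load_entities() at the real metadata file otherwise.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed, minimal aggregate with one SP and one IdP (no signature).
CONSTRUCTED_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="constructed-interfederation-example"
    validUntil="2015-06-18T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aai-login.example.org/idp/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://aai-login.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_entities(xml_text: str) -> Dict[str, List[str]]:
    """Map each entityID to the SSO role descriptors it declares."""
    root = ET.fromstring(xml_text)
    entities: Dict[str, List[str]] = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = [child.tag.split("}", 1)[1]
                 for child in ed if child.tag.endswith("SSODescriptor")]
        entities[ed.get("entityID", "")] = roles
    return entities


def find_entity(xml_text: str, entity_id: str) -> Optional[List[str]]:
    """Roles of the entity, or None when the aggregate does not contain it.

    None is the situation on the Metadata slide: the side that loaded this
    file has no trust information about the peer and will reject it.
    """
    return load_entities(xml_text).get(entity_id)


def metadata_expired(xml_text: str, now_iso: str) -> bool:
    """True when validUntil on the root element lies before now_iso (UTC, 'Z')."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    until = datetime.strptime(valid_until, fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    return until < now


if __name__ == "__main__":
    print(load_entities(CONSTRUCTED_AGGREGATE))
    print(find_entity(CONSTRUCTED_AGGREGATE, "https://unknown.example.net/sp"))
    print(metadata_expired(CONSTRUCTED_AGGREGATE, "2015-06-11T12:00:00Z"))
```

The validUntil check matters for the propagation delays the Metadata slide quotes: an aggregate that is days old may already be past its validity, in which case the IdP will not use it regardless of whether the entity is listed.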
Recommended