Overview of Shibboleth Service - University of ... Overview of Shibboleth Service Shibboleth is an open

  • View
    1

  • Download
    0

Embed Size (px)

Text of Overview of Shibboleth Service - University of ... Overview of Shibboleth Service Shibboleth is an...

  • Overview of Shibboleth Service Shibboleth is an open source software package, maintained by Internet2, which establishes standards for authentication and authorization within or across organizational boundaries.

    Examples:

    Within Organizational Boundary: UBC users will be able to use their CWL accounts to access web applications owned by UBC faculties and departments.

    Across Organizational Boundary: UBC users will be able to use their CWL accounts to access prequalified Shibboleth-enabled applications at remote institutions (e.g. University of Toronto). Organizations join Shibboleth Identity Federations, which establishes parameters of mutual trust that the member institutions can adhere to.

    Core components for enabling Shibboleth authentication and authorization:

    Shibboleth Identity Provider: Either stores user identities or acts as an intermediary to the identities data store (e.g. CWL). The Identity Provider performs authentication and generates the user’s Shibboleth account attributes. The UBC-IT Identity Provider allows users to authenticate with their CWL accounts.

    Shibboleth Service Provider: Shibboleth-enabled applications use Service Providers to obtain details on users from their home institutions (e.g. UBC). In turn, the Service Provider interacts with the Identity Provider to obtain details on the user. Communication between the Service Provider and Identity Provider is with the Security Assertion Markup Language (SAML) over HTTPS.

    Shibboleth Identity Federation: An Identity Federation is an agreement between institutions wishing to allow sharing across all parties. The federation sets the standards on common set of acceptable authorization attributes and an XML schema to describe them.

    “Where Are You From” (WAYF) Service or Discovery Service (only for federated access): Identity Federations will maintain WAYF services which lists all the Identity Providers belonging to the federation. The WAYF service allows users to select the Shibboleth Identity Provider of their home institution.

    http://shibboleth.internet2.edu/

  • How Shibboleth Works at UBC UBC-IT has implemented a Shibboleth Identity Provider that allows users to authenticate with their CWL accounts. Prequalified Shibboleth-enabled applications can integrate with the UBC-IT Identity Provider to enable CWL users to access the application.

    High-level Steps for Shibboleth Authentication and Authorization with the UBC-IT Identity Provider within UBC Organizational Boundary

    1. User navigates web browser to access a Shibboleth-enabled application and clicks on the login link. 2. User’s browser is redirected to the CWL login page; user enters CWL login name and password. If the login name and

    password combination is correct; the user’s browser is redirected to the UBC-IT Identity Provider. 3. User’s browser is redirected to the application; the application queries the Service Provider to obtain details on the user

    and determines if authorization is to be granted.

    Figure 1: High-Level Overview on Shibboleth Authentication and Authorization within UBC

    High-level Steps for Shibboleth Authentication and Authorization with the UBC-IT Identity Provider across Organizational Boundaries

    1. User navigates web browser to access a Shibboleth-enabled application and clicks on the login link. 2. The application redirect’s the user’s web browser to the Identity Federation’s ‘Where Are You From” (WAYF) server; user

    selects “University of British Columbia” from the list of institutions.

  • 2. The application redirect’s the user’s web browser to the Identity Federation’s ‘Where Are You From” (WAYF) server; user selects “University of British Columbia” from the list of institutions.

    3. User’s browser is redirected to the CWL login page; user enters CWL login name and password. If the login name and password combination is correct; the user’s browser is redirected to the UBC-IT Identity Provider.

    4. User’s browser is redirected to the application; the application queries the Service Provider to obtain details on the user and determines if authorization is to be granted.

    Figure 2: High-Level Overview on Shibboleth Authentication and Authorization across Organizational Boundaries

  • Service Level Availability The UBC-IT Shibboleth IdP’s application layer is hosted on a load balanced and clustered environment with three servers, which can be scaled as required.

    The IdP references a database where authentication is conducted and account attributes are retrieved. There is work in progress to ensure database high availability, and until such time, there may be occasions when the IdP may not be available, due to database unavailability or maintenance.

    Please keep this in mind when planning service availability for your application, as users will not be able to authenticate, when the IdP's database is offline.

  • Authentication and Authorization

    Authentication and Authorization Access to a Shibboleth Integration Partner’s application consists of authentication and authorization.

    Authentication

    A user must have a CWL account to access a Shibboleth-enabled application that is integrated to the UBC-IT Identity Provider. The process of verifying the user’s login name and password is called authentication. The authentication process is carried out by the UBC-IT Identity Provider after a user enters their account credentials in the login page (figure 1 below).

    Authorization

    Shibboleth Integration Partners may want to restrict access to their applications to a select set of CWL accounts. The process of restricting access to a select set of CWL users is called authorization. The UBC-IT Identity Provider returns Shibboleth attributes, which give identity data on the CWL account. The Integration Partner and UBC-IT will agree on the set of attributes returned in advance of integration. Authorization compliance is the responsibility of the Shibboleth Integration Partner’s application.

    Figure 1: The UBC-IT Shibboleth IdP's Login Page

  • Managing Authorization Shibboleth Integration Partners may restrict access to their application, to a subset of CWL accounts, based on the account's attributes. The process by which an application restricts access to a subset of CWL accounts is called authorization.

    Restriction of access is determined based on information derived from a user’s CWL account and retrieved by the Service Provider. Examples of access restrictions are:

    Restrict access to CWL accounts with student affiliation

    eduPersonScopedAffiliation value: student@ubc.ca.

    Restrict Access to CWL accounts with faculty or staff affiliation

    eduPersonScopedAffiliation value: faculty@ubc.ca, staff@ubc.ca.

    Restrict Access to CWL accounts (all affiliations)

    eduPersonScopedAffiliation value: faculty@ubc.ca, staff@ubc.ca, student@ubc.ca, employee@ubc.ca, affiliate@ubc.ca

    Message to Display when Authorization Access is Denied

    When a user is denied access to a Shibboleth Integration Partner’s application, after successfully authenticating with their CWL account, an access denied error message will be displayed by the application.

    The access denied error message will list the contact information where users can direct enquiries regarding accessing the application. The message also informs users that the issue is not related to their CWL accounts and resides with access control permissions on the application they are trying to access.

    Example of Authorization Error Message:

    Access Denied. You have successfully logged in but you do not have access to the application.

    If you are experiencing any issues regarding the , please contact

  • Connection Details - Verification and Production Environment There are two UBC-IT Identity Provider environments available for Shibboleth Integration Partners: production and verification. All pre-production integration work is carried out in the verification environment.

    The production and verification environments maintain separate sets of permission levels, CWL accounts, and connection URLs.

    Table 2: Connection Details for the UBC-IT Identity Provider’s Production and Verification Environments

    Environment → Metric ↓

    Production Verification

    Description Only to be used when an application has been approved for production.

    For all pre-production integration work and testing.

    Label on WAYF Service University of British Columbia N/A

    Shibboleth Identity Federation Canadian Access Federation (CAF) N/A

    Shibboleth Identity Provider Version 2.2 2.2

    Entity Id https://shibboleth2.id.ubc.ca/idp/shibboleth https://shibboleth2.id-verf.ubc.ca/idp/ shibboleth

    Artifact Resolution Service (SAML v2)

    https://shibboleth2.id.ubc.ca:8443/idp/ profile/SAML2/SOAP/ArtifactResolution

    https://shibboleth2.id-verf.ubc.ca:8443/ idp/profile/SAML2/SOAP/ ArtifactResolution

    Single Sign-On Service https://shibboleth2.id.ubc.ca/idp/profile/ Shibboleth/SSO

    https://shibboleth2.id-verf.ubc.ca/idp/ profile/Shibboleth/SSO

    Attribute Service https://shibboleth2.id.ubc.ca:8443/idp/ profile/SAML2/SOAP/AttributeQuery

    https://shibboleth2.id-verf.ubc.ca:8443/ idp/profile/SAML2/SOAP/AttributeQuery

    Organization Name University of British Columbia University of British Columbia - Test

    Organization Display Name University of British Columbia University of British Columbia - Test

    Organization URL http://www.ubc.ca http://www.ub