
Konferenz XYZ, 1.1.2012, Ort

Shibboleth Configuration in Tübingen

Thomas Zastrow Yana Panchenko


•  The University of Tübingen is a member of the DFN-AAI

•  The computing center in Tübingen runs a centralized IdP for the whole university

•  In the SfS, a Shibboleth service provider was installed:
   •  https://weblicht.sfs.uni-tuebingen.de
   •  http://weblicht.sfs.uni-tuebingen.de still hosts the old D-SPIN homepage

Two servers are running the main services for CLARIN-D:

•  weblicht.sfs...: Apache HTTPD + Shibboleth, acting as reverse proxy in front of both Tomcat instances
   •  Tomcat: WebLicht, TCF Visualizer, DCA
•  amber.sfs...: Tomcat: Webservices, Databases, Resources, SOAP Gateway, ...

Requirements for an SP

•  Certificates from the DFN-AAI, integrated into OpenSSL

Example: the server certificate for weblicht.sfs.uni-tuebingen.de, issued by Global-UNITUE-CA 01 (CRLs published under pca.dfn.de), valid from 2010-04-19 to 2015-04-18. Its subjectAltName carries only an rfc822Name; the host name appears in the CN alone. As reproduced on the slide the base64 is one character short in its eleventh line, so this copy will not decode until that character is restored.

-----BEGIN CERTIFICATE-----
MIIFpzCCBI+gAwIBAgIED+vXfzANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJE
RTEfMB0GA1UEChMWVW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjEcMBoGA1UEAxMTR2xv
YmFsLVVOSVRVRS1DQSAwMTEpMCcGCSqGSIb3DQEJARYadW5pdHVlLWNhQHVuaS10
dWViaW5nZW4uZGUwHhcNMTAwNDE5MTMyNjA3WhcNMTUwNDE4MTMyNjA3WjCByzEL
MAkGA1UEBhMCREUxHzAdBgNVBAoTFlVuaXZlcnNpdGFldCBUdWViaW5nZW4xKDAm
BgNVBAsTH1NlbWluYXIgZnVlciBTcHJhY2h3aXNzZW5zY2hhZnQxDjAMBgNVBAsT
BURTUElOMREwDwYDVQQLEwhXZWJMaWNodDEmMCQGA1UEAxMdd2VibGljaHQuc2Zz
LnVuaS10dWViaW5nZW4uZGUxJjAkBgkqhkiG9w0BCQEWF2VoQHNmcy51bmktdHVl
YmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJJ+lISL
liCGHMdtC5EKdkSPkZIEfGf6u0I2YT+u/bX37XL4yOvmMxJxRLQM4oEvnE67n8k8
4qe06B8xErFh3KqgC5Q5keUlQmXJu4wvABnk9AuxlwJKuGXI3PetBYdid10A7Iu
3Ki0s3j7+7yYTG6xXJt4qrE7rV/v79zBQcoKOwu1AMdfV9q8GRShEXCQ82P4IITT
Q4z513p1e0mscDdBIunH6aThNCJA9rUBwEVX90HX5KHaOPSksHISylhjl/++XJFy
/0wBpiZ4+7pN2S/go9J8A153NZSPhF2M5deyWgjT/K2LSudLnegIlRFTq1Kv89eE
bF/ZaHuNvakbqQIDAQABo4IB5DCCAeAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRmWkIAb3Vr
zkTtELxvwSx4nngcUDAfBgNVHSMEGDAWgBSwwbtoNX/i1kGcGnGv4PxBNM3DqDAi
BgNVHREEGzAZgRdlaEBzZnMudW5pLXR1ZWJpbmdlbi5kZTCBkwYDVR0fBIGLMIGI
MEKgQKA+hjxodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2NsYXNzaWMtdW5pdHVlLWNh
L3B1Yi9jcmwvZ19jYWNybC5jcmwwQqBAoD6GPGh0dHA6Ly9jZHAyLnBjYS5kZm4u
ZGUvY2xhc3NpYy11bml0dWUtY2EvcHViL2NybC9nX2NhY3JsLmNybDCBrAYIKwYB
BQUHAQEEgZ8wgZwwTAYIKwYBBQUHMAKGQGh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUv
Y2xhc3NpYy11bml0dWUtY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwTAYIKwYB
BQUHMAKGQGh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvY2xhc3NpYy11bml0dWUtY2Ev
cHViL2NhY2VydC9nX2NhY2VydC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAGxJyokA
uUwUFzvszzutQNicSlWWHmrB6g63cRkbgBMsNGFwIyhrizCJtPYTDAbJ1lG2PrYj
YpbhHR4892JIAm1IkyR4sJvAKXgnzNHtTy1ZTmlP7BjekPb6pcSRWAra84A+bOWY
+Q3KRITfEcUfsFw/PWYO8qwDurTWGBK3ReWkwLJ9y89XZDXQZt4A9RQnnBvnC7RU
kLkAmxRV27neEuG8eh0tuFXStHuLbClnNnHaAt1c8m2awjWCWShG5cTR99muSJTc
NGifdwt0qWax50ASplgOtT/GZAw2E7HEEgbDA+6JcKpVlh+UMnk2JN+nkkKUjgnD
wN2yHSwHNNMiiGY=
-----END CERTIFICATE-----
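The slide only says the certificate has to be "integrated into OpenSSL"; the checks below are what an SP administrator runs on it before pointing mod_ssl at it. This is an added example, not part of the original slides or of the Tübingen setup; the file names (sp-cert.pem, sp-key.pem, dfn-chain.pem) are placeholders.

```shell
# Added example: pre-flight checks on an SP server certificate with the
# openssl command line. Paths are assumptions, not the Tübingen file names.

# Print the identity fields that matter for an SP certificate: issuer,
# subject, the names it covers and its validity window.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates || return 1
    # Clients match the host name against subjectAltName, not against the CN.
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        || echo "warning: no subjectAltName, the host name is only in the CN"
}

# Succeed only if the certificate stays valid for at least $2 more seconds
# (default 30 days). Suitable for a cron job that warns before the
# federation's IdPs stop trusting the SP's endpoints.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Succeed only if the private key belongs to the certificate. Worth running
# after every renewal: a mismatch otherwise only shows up when Apache starts.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Succeed only if the certificate chains to the given CA bundle, e.g. the
# DFN-PCA chain file that also goes into SSLCertificateChainFile.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Usage (placeholder paths):
#   cert_summary   /etc/ssl/certs/sp-cert.pem
#   cert_valid_for /etc/ssl/certs/sp-cert.pem && echo "ok for 30 more days"
#   cert_key_match /etc/ssl/certs/sp-cert.pem /etc/ssl/private/sp-key.pem
#   cert_chain_ok  /etc/ssl/certs/sp-cert.pem /etc/ssl/certs/dfn-chain.pem
```

Run against the certificate shown on the slide (once the missing character is restored), cert_summary prints the e-mail-only subjectAltName; a host name that appears only in the CN is exactly the kind of thing to spot before an IdP or a browser update stops accepting it.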


Tübingen Software Environment

•  Shibboleth Version 2.x
•  Apache 2: mod_ssl, shib2 enabled
•  DFN tutorial: https://www.aai.dfn.de/dokumentation/service-provider/

Configuration

•  Virtual host in Apache (SSL):

   <Directory /var/www/login_s/>
       AuthType shibboleth
       ShibRequireSession On
       Require valid-user
   </Directory>

   -> https://weblicht.sfs.uni-tuebingen.de/login_s/

•  Shibboleth configuration: /etc/shibboleth/shibboleth2.xml

Screenshot: https://weblicht.sfs.uni-tuebingen.de/login_s/

Local Authentication

•  In addition to the Shibboleth login, there is another login path which makes use of the local Apache user management

•  It is necessary because many CLARIN users don't have an account in the CLARIN identity federation

PHP: Display all server-based variables

   <?php
   // mod_shib exports the released attributes into the environment, so they
   // show up in $_SERVER under the attribute id (eppn, affiliation, ...).
   $email = isset($_SERVER["eppn"]) ? $_SERVER["eppn"] : "(no eppn released)";
   echo "Who am I: " . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
   echo '<table border="1">';
   foreach ($_SERVER as $k => $v) {
       // escape both cells: the values come from the IdP, not from this page
       echo '<tr><td>' . htmlspecialchars($k, ENT_QUOTES, 'UTF-8')
          . '</td><td>' . htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8') . '</td></tr>';
   }
   echo '</table>';
   ?>

SAML Tracer

•  SAML Tracer is an add-on for Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
•  It shows the SAML requests and responses as the browser carries them between IdP and SP, including the attributes in the assertion, which is the quickest way to see what an IdP actually released to the SP

Conclusion

•  The computing center in Tübingen was very helpful

•  Also the people from the DFN AAI – join the mailing lists!


Conclusion

•  Attributes: it is not certain which attributes an SP gets from the IdPs (each IdP decides what it releases)

•  Next step: secure web services and delegation


Delegated Authentication with Shibboleth

•  Delegated authentication model among SAML-enabled services since Shibboleth v2.1.3:
   •  uses the SAML 2.0 Enhanced Client or Proxy profile (ECP) for delegation
   •  multi-tier delegation possible

•  Use case for WebLicht:
   •  App1, WS2, WS3, WS4 are all protected with Shibboleth within the CLARIN federation
   •  App1 - WebLicht web application for chaining NLP tools
   •  WS2 - tokenizer from Uni 2
   •  WS3 - tagger from Uni 3
   •  WS4 - resources from Uni 4 used by WS3 for tagging

The service being called on the user's behalf (WS2/WS3 called by App1, WS4 called by WS3) can:

•  recognize both the original client (App1 or WS3) and the subject (user), and the fact that the "delegate" client is accessing it on behalf of that subject

•  as a result, know that the user is signed in and know the user's identity

•  control or limit access based on the user (and optionally the client) identity

•  apply internal authorization based on the user identity

Delegation chain: User -> App1 -> WS2, WS3 -> WS4

•  Complications:
   •  Shibboleth above v2.1.3 is required
   •  requires additional, relatively complicated configuration for all the participating parties: for the IdP, for SPs that can delegate, for SPs that accept delegation
   •  not possible to specify that delegation from all SPs to all SPs is allowed, i.e. each web service has to know and specify in advance which other web services it can access, and by which other web services it can be accessed

•  What is possible with Shibboleth at the moment: access control by resource class (diagram on the slide): Free / Academic Community / Other restrictions, licenses

Shibboleth & Tomcat

•  There are some third-party libraries which allow integrating Shibboleth directly into Tomcat
•  But: they are not official, and there could be problems with versions, security etc.

•  Solution: use an Apache HTTPD for the Shibboleth functionality and put Tomcat behind it, accessing Tomcat via mod_proxy_ajp

•  Apache HTTPD runs on port 443 with SSL: https://myserver.de/

•  Tomcat runs on localhost on port 8080 (or another one): http://localhost:8080/myapplication

•  With the proxy: https://myserver.de/myapplication

   <Location "/soapGate/">
       Order Allow,Deny
       Allow from All
       ProxyPassReverse ajp://amber.sfs.uni-tuebingen.de:8009/soapGate
   </Location>
   ProxyPass /soapGate ajp://amber.sfs.uni-tuebingen.de:8009/soapGate

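Putting the pieces from slides 7, 9 and 19-21 together, the following is an added example of one SSL virtual host that protects static content with Shibboleth, offers the local Apache login next to it, and proxies a Tomcat application over AJP with the protection placed on the proxied path. It is not the Tübingen configuration; the host names, file paths and the Tomcat port are assumptions, and the Apache 2.2 access-control syntax of the slides is kept.

```apache
# Added example (not the Tübingen vhost). Paths and names are assumptions.
<VirtualHost *:443>
    ServerName weblicht.sfs.uni-tuebingen.de
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/weblicht.pem      # DFN-AAI server certificate
    SSLCertificateKeyFile   /etc/ssl/private/weblicht.key
    SSLCertificateChainFile /etc/ssl/certs/dfn-chain.pem     # intermediate CA(s)

    # The SP's own endpoints (session initiator, assertion consumer service).
    # They must be served by mod_shib on this host, never forwarded to Tomcat.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Slide 7: static content that requires a Shibboleth session.
    <Directory /var/www/login_s/>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Directory>

    # Slide 9: login for users without a federation account, backed by the
    # local Apache user management. Basic auth is acceptable only because
    # the whole vhost is SSL.
    <Directory /var/www/login_l/>
        AuthType Basic
        AuthName "WebLicht local login"
        AuthUserFile /etc/apache2/weblicht.htpasswd
        Require valid-user
    </Directory>

    # Slides 19-21: Tomcat application reached through mod_proxy_ajp. The
    # Shibboleth protection sits on the proxied Location, so Tomcat never sees
    # a request that has not passed the SP. mod_shib keeps the attributes in
    # the Apache environment; with attributePrefix="AJP_" on
    # <ApplicationDefaults> in shibboleth2.xml, mod_proxy_ajp forwards the
    # AJP_* variables to Tomcat as request attributes (prefix stripped), where
    # the application reads e.g. request.getAttribute("eppn"). ShibUseHeaders
    # stays off, so no attribute ever travels as a spoofable HTTP header.
    <Location /soapGate/>
        Order Allow,Deny
        Allow from All
        AuthType shibboleth
        ShibRequireSession On
        ShibUseHeaders Off
        Require valid-user
        ProxyPassReverse ajp://amber.sfs.uni-tuebingen.de:8009/soapGate/
    </Location>
    ProxyPass /soapGate/ ajp://amber.sfs.uni-tuebingen.de:8009/soapGate/
</VirtualHost>
```

Two things this split does not take care of by itself. The AJP connector on amber has no authentication of its own: anyone who can open port 8009 can submit requests, including forged AJP_ attributes, so bind the Tomcat Connector to the address the proxy connects from and firewall the port to the weblicht host. And because the attributes are forwarded as AJP request attributes rather than headers, the application must read them with getAttribute, not getHeader; a header named eppn arriving from the client is just a client header.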