Shibboleth Identity Provider

MPG-AAI – Hands On Workshop, Clarin Centers, Prague 2009

2009-11-06

About Shibboleth Identity Provider

  • Identity Provider Architecture & Components
  • Installation – Integration with Apache & Tomcat
    – IdP Web Application
    – Initial Setup
  • Authentication Configurations
  • Joining Federations
  • Using Attributes
    – Attribute Resolver
    – Attribute Filter

IdP – Architecture & Components

  • SSO Service – checks session & login status and, if there is no valid session,
    – redirects to the configured Login Handler
    – the Login Handler authenticates the user against the Identity Management in place at the hosting/home site
  • Attribute Authority – resolves attributes
    – filters the retrieved attributes according to the Attribute Release Policy (ARP)
    – posts SAML assertions carrying an authentication statement and an attribute statement to the requesting Service Provider

(figure © switch.ch)

Installation HowTos for the Shibboleth IdP

  • Internet2
    https://spaces.internet2.edu/display/SHIB2/Installation
    https://spaces.internet2.edu/display/SHIB2/IdPInstall
    http://shibboleth.internet2.edu/documentation.html
  • SWITCH
    https://www.switch.ch/aai/support/identityproviders
    http://www.switch.ch/aai/support/howto/
  • DFN (German)
    https://www.aai.dfn.de/dokumentation/identity-provider/
  • LRZ
    http://www.lrz-muenchen.de/~hommel/shibboleth/idp20_unter_sles10sp1.html

Installation Layout

(diagram) The components and the configuration files that tie them together:
  • Apache httpd with mod_ssl – holds the server certificate (public/private keys, created with OpenSSL); httpd.conf references the certificate files and proxies to Tomcat over AJP
  • Tomcat – server.xml (AJP connector) and idp.xml (context for the IdP web application)
  • Shibboleth Identity Provider webapp (Java) – relying-party.xml references the IdP credential and a copy of the federation metadata (metadata.xml)
  • IDM – the site's identity management system, used for authentication (AuthN) and as the source of attributes

Apache Webserver Configuration

  • httpd-vhost.conf

    Listen 443
    <VirtualHost _default_:443>
        ServerName https://idp.mydomain.de
        UseCanonicalName On

        SSLEngine on
        # sample only: ALL also admits anonymous and export-grade suites; restrict the list in production
        SSLCipherSuite ALL
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars +ExportCertData

        SSLCertificateFile    /opt/mpgaai/httpd/conf/ssl.crt/idp.crt
        SSLCertificateKeyFile /opt/mpgaai/httpd/conf/ssl.key/idp.key
        SSLCACertificatePath  /etc/ssl/certs

        # hand /idp/ to Tomcat over AJP (the connector listens on loopback only, see server.xml)
        ProxyPass /idp/ ajp://localhost:8009/idp/
        <Location /idp>
            Order Deny,Allow
            Allow from all
        </Location>
    </VirtualHost>

Apache – SSL “proxy” through a firewall

  • a reverse proxy in the DMZ forwards /idp/ over TLS to the IdP on the internal server

    ...
    Listen 443
    <VirtualHost _default_:443>
        SSLEngine on
        #...
        # sample virtual SSL proxy configuration
        SSLProxyEngine on
        # also verify the internal server's certificate (SSLProxyVerify require + SSLProxyCACertificateFile),
        # otherwise the hop behind the firewall is encrypted but not authenticated
        RewriteEngine On
        RewriteOptions Inherit
        RewriteRule ^/idp/(.*) https://internalserver:443/idp/$1 [P]
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
    ...

(diagram: WWW / Service Provider → httpd in the DMZ → httpd + IdP on the internal server)

Tomcat Servlet Container Configuration

  • server.xml  ${CATALINA_HOME}/conf/server.xml

    <!-- enable the AJP connector; bound to loopback so only the local Apache can reach it -->
    <Connector port="8009" request.tomcatAuthentication="false" address="127.0.0.1"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

  • idp.xml  ${CATALINA_HOME}/conf/Catalina/localhost/idp.xml (docBase = path to the web application dir)

    <?xml version="1.0" encoding="UTF-8"?>
    <Context docBase="/opt/mpgaai/shibboleth-idp2/war/idp" privileged="true"
             antiResourceLocking="false" antiJARLocking="false" unpackWAR="true"/>

Shibboleth IdP – Main Config Files

  • relying-party.xml – core configuration of the Shibboleth Identity Provider
  • attribute-resolver.xml – definition of the applicable attributes
    – connectors to the actual data sources, like LDAP or a database
  • attribute-filter.xml – filtering of published attributes: checks attribute names and values
    – allows fine-grained control over which attributes are released to which Service Providers
  • metadata – describes the federation: participating entities and their communication endpoints
  • login.config (jaas.conf) – configuration of the Java Authentication & Authorization Service

Initial Setup

  • relying-party.xml
    – relying party, entity ID: AnonymousRelyingParty.provider, DefaultRelyingParty.provider
    – Credentials: X.509 certificate, public/private key
    – Metadata Provider
  • handler.xml – Login Handler: Remote User, Username/Password, ...
  • idp-metadata.xml
    – entity ID
    – certificates
  • Status test: https://idp.example.org/idp/profile/Status

Connecting to Identity Management

  • the IdP plugs into an existing Identity Management System (IDM)
    – connectors to directory services (LDAP, AD) and databases
    – optional custom connectors
  • separate connectors for authentication and for attribute resolution are possible
  • two integration models for authentication
    – external (“old” Shibboleth 1.x style): the Apache webserver or a Tomcat realm authenticates and passes REMOTE_USER
    – internal (Shibboleth 2.x, recommended): (HTTP) form-based, using JAAS
  • handler.xml – Login Handler

    <!-- Username/password login handler -->
    <LoginHandler xsi:type="UsernamePassword"
                  jaasConfigurationLocation="file:///etc/aai/login.config">
        <AuthenticationMethod>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </AuthenticationMethod>
    </LoginHandler>

Authentication – IdP & JAAS

  • login.config / jaas.conf
    more about JAAS: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/

    /* sample LDAP authN config; the application name must be the one the
       UsernamePassword login handler looks up (ShibUserPassAuth) */
    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
            host="ldap.example.org"
            port="636"
            base="dc=example,dc=org"
            ssl="true"
            userField="uid"
            subtreeSearch="true";
    };

    // alternative Kerberos config (realm and KDC are taken from krb5.conf or the
    // java.security.krb5.realm / java.security.krb5.kdc system properties;
    // Krb5LoginModule does not read them as module options)
    ShibUserPassAuth {
        com.sun.security.auth.module.Krb5LoginModule sufficient
            java.security.krb5.realm="IPP-GARCHING.MPG.DE"
            refreshKrb5Config=true;
    };

Join a Federation...

  • federations and the trust between their participants are established via metadata
  • the metadata define the participating entities and their communication endpoints (SAML profiles, “service URLs”)
  • any entity (IdP or SP) can join multiple federations
  • to join a federation, get your IdP metadata right:
    – see ${IDP-HOME}/metadata/idp-metadata.xml
    – check your entity ID and certificate (compare them with your settings in relying-party.xml)
    – and publish them to the federation (its participants): there is no automatic process, you have to do that “manually”
  • import the federation metadata into your IdP
    https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
    relying-party.xml – MetadataProvider (→ next slide)
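The “check your entity ID and certificate against relying-party.xml” step can be scripted. The following is an added example written for this page, not code from the workshop or from the Shibboleth distribution: it parses idp-metadata.xml and relying-party.xml, verifies that the provider entity ID of both relying-party definitions equals the published entityID, and that the certificate file named by the default signing Credential is one of the certificates advertised in the IDPSSODescriptor. The two XML documents, the certificate body, the entity ID and the file paths are constructed samples, not real deployment data.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML metadata and of the IdP 2 relying-party.xml
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "security": "urn:mace:shibboleth:2.0:security",
}

# Constructed sample files (the certificate body is a placeholder, not a real certificate)
IDP_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBexampleCertificateBody
        NotARealCertificate
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

RELYING_PARTY = """
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:AnonymousRelyingParty provider="https://idp.example.org/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential"/>
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential"/>
  <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/mpgaai/shibboleth-idp2/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/opt/mpgaai/shibboleth-idp2/credentials/idp.crt</security:Certificate>
  </security:Credential>
</rp:RelyingPartyGroup>
"""

# path -> PEM text, as it would be read from disk (constructed)
CERT_FILES = {
    "/opt/mpgaai/shibboleth-idp2/credentials/idp.crt":
        "-----BEGIN CERTIFICATE-----\nMIIBexampleCertificateBody\nNotARealCertificate\n-----END CERTIFICATE-----\n",
}


def pem_body(text):
    """Drop PEM armour and whitespace so a .crt file compares with <ds:X509Certificate> text."""
    return "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.strip().startswith("-----"))


def check_idp_consistency(metadata_xml, relying_party_xml, cert_files):
    """Return a list of findings; an empty list means metadata and relying-party.xml agree."""
    findings = []
    md = ET.fromstring(metadata_xml.strip())
    rp = ET.fromstring(relying_party_xml.strip())

    # 1. the entityID published to the federation must be the provider the IdP asserts as
    entity_id = md.get("entityID")
    for tag in ("rp:AnonymousRelyingParty", "rp:DefaultRelyingParty"):
        el = rp.find(tag, NS)
        provider = el.get("provider") if el is not None else None
        if provider != entity_id:
            findings.append(f"{tag}: provider {provider!r} differs from metadata entityID {entity_id!r}")

    # 2. the certificate the IdP signs with must be one the federation sees in the metadata
    md_certs = {pem_body(c.text or "") for c in md.iterfind(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)}
    if not md_certs:
        findings.append("metadata: no X509Certificate under IDPSSODescriptor/KeyDescriptor")

    default = rp.find("rp:DefaultRelyingParty", NS)
    cred_ref = default.get("defaultSigningCredentialRef") if default is not None else None
    cred = rp.find(f"security:Credential[@id='{cred_ref}']", NS) if cred_ref else None
    cert_el = cred.find("security:Certificate", NS) if cred is not None else None
    if cert_el is None:
        findings.append(f"relying-party.xml: signing credential {cred_ref!r} has no Certificate")
    else:
        path = cert_el.text.strip()
        pem = cert_files.get(path)
        if pem is None:
            findings.append(f"certificate file {path} is not readable")
        elif pem_body(pem) not in md_certs:
            findings.append(f"certificate {path} is not published in the metadata KeyDescriptor")
    return findings


if __name__ == "__main__":
    for finding in check_idp_consistency(IDP_METADATA, RELYING_PARTY, CERT_FILES) or ["consistent"]:
        print(finding)
```

In real use, read the three inputs from ${IDP-HOME}/metadata/idp-metadata.xml, ${IDP-HOME}/conf/relying-party.xml and the certificate path the Credential names; a mismatch here is the usual reason a federation rejects the IdP's signed assertions after a key rollover.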

… Join a Federation

  • relying-party.xml – a “chaining provider” allows multiple metadata providers: federation metadata auto-downloaded from a central location, a second federation, and a static (filesystem) metadata file

    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata">

        <!-- federation metadata, auto-downloaded from a central location -->
        <MetadataProvider id="MPGAAI" xsi:type="FileBackedHTTPMetadataProvider"
                          xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="https://services.aai.mpg.de/metadata/mpgaai-metadata.xml"
                          backingFile="/opt/mpgaai/shibboleth-idp2/metadata/mpgaai-metadata.xml">
        </MetadataProvider>

        <!-- 2nd federation -->
        <MetadataProvider id="DEISA2" xsi:type="FileBackedHTTPMetadataProvider"
                          xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://deisa2.grid.sara.nl/federation-metadata.xml"
                          backingFile="/opt/mpgaai/shibboleth-idp2/metadata/deisa2-metadata.xml">
        </MetadataProvider>

        <!-- static (filesystem) metadata file -->
        <MetadataProvider id="InternalMetadata" xsi:type="FilesystemMetadataProvider"
                          xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataFile="/opt/mpgaai/metadata/oiosaml-metadata.xml" />
    </MetadataProvider>

  • caveat: as shown, none of the providers carries a MetadataFilter, so trust in the downloaded metadata rests on the transport alone (DEISA2 is even fetched over plain http). Whoever can alter that file can insert an SP with its own certificate and endpoints. In IdP 2.x a SignatureValidation MetadataFilter configured with the federation's metadata signing certificate verifies the signature on the metadata regardless of how the file arrived.

Attributes Handling

  • IdPs provide SAML authentication and attribute assertions
  • fine-grained control over which attributes are released to whom
  • attributes are based on standard object classes, e.g. eduPerson, inetOrgPerson, ...
  • attribute management is split in two steps:
    – Attribute Resolver
      • fetches attribute data from external sources, like LDAP or databases
      • attributes are converted and mapped to URNs
      • multiple data sources and complex formatting are possible
    – Attribute Filter
      • filtering based on rules with flexible matching conditions
      • allows fine-grained, complex filter scenarios

Attribute Resolver – Attribute Definition

  • attribute-resolver.xml
    – several dependencies are possible (e.g. as failover)
    – attribute types: SAML2NameID, Simple, Scoped, ...

    <!-- id: the attribute identifier; sourceAttributeID: the data-source attribute it is built from -->
    <resolver:AttributeDefinition id="epTargetedID" xsi:type="SAML2NameID"
            xmlns="urn:mace:shibboleth:2.0:resolver:ad"
            nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            sourceAttributeID="persistentID">
        <!-- reference to the data connector that delivers persistentID: with the StoredId
             connector shown on a later slide that is myStoredId (the deck referenced userDB,
             which only delivers the username) -->
        <resolver:Dependency ref="myStoredId" />
        <!-- encoder for SAML 1: URN-based naming -->
        <resolver:AttributeEncoder xsi:type="SAML1XMLObject"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
        <!-- encoder for SAML 2: URN-based naming using the standard OIDs -->
        <resolver:AttributeEncoder xsi:type="SAML2XMLObject"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </resolver:AttributeDefinition>

Attribute Resolver – Data Connectors...

  • attribute-resolver.xml (the bind password sits in clear text in this file: keep it readable by the IdP user only)

    <!-- sample LDAP connector -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
            xmlns="urn:mace:shibboleth:2.0:resolver:dc"
            ldapURL="ldaps://ldap.gwdg.de" baseDN="O=GOESTERN"
            principal="cn=roadmin,o=GWD" principalCredential="secret">
        <!-- the template is filled in with the authenticated user's name -->
        <FilterTemplate>
            <![CDATA[ (uid=$requestContext.principalName) ]]>
        </FilterTemplate>
    </resolver:DataConnector>

    <!-- sample STATIC connector -->
    <resolver:DataConnector id="myStaticData" xsi:type="Static"
            xmlns="urn:mace:shibboleth:2.0:resolver:dc">
        <Attribute id="epOrgDN">
            <Value>O=Max Planck Society,DC=mpg,DC=de</Value>
        </Attribute>
    </resolver:DataConnector>

...Attribute Resolver – Data Connectors

  • attribute-resolver.xml – multiple data connectors to different data sources are possible

    <!-- sample DATABASE connector -->
    <resolver:DataConnector id="userDB" xsi:type="RelationalDatabase"
            xmlns="urn:mace:shibboleth:2.0:resolver:dc">
        <ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
            jdbcURL="jdbc:mysql://userdb.example.org/userdb"
            jdbcUserName="userdb" jdbcPassword="secret" />
        <!-- resolving data: query by username (the principal name is substituted
             textually into the template, so the string literal needs its quotes) -->
        <QueryTemplate><![CDATA[
            SELECT * FROM student WHERE uid = '$requestContext.principalName'
        ]]></QueryTemplate>
        <!-- mapping columns to attributes -->
        <Column columnName="username" attributeID="uid" />
        <Column columnName="name" attributeID="sn" />
        <Column columnName="email" attributeID="email" />
    </resolver:DataConnector>

TargetedID & StoredId Connector

  • attribute-resolver.xml – the (generated) targetedID differs for each Service Provider

    <!-- StoredID (persistentID) connector
         generatedAttributeID: the attribute ID that is produced
         sourceAttributeID:    the attribute holding the original username
         salt:                 secret input to the hash from which the ID is derived (it is not an
                               encryption key); keep it secret and stable, a new salt gives new IDs -->
    <resolver:DataConnector id="myStoredId" xsi:type="StoredId"
            xmlns="urn:mace:shibboleth:2.0:resolver:dc"
            generatedAttributeID="persistentID"
            sourceAttributeID="username"
            salt="DGFJhijfgDzY3JsMIHWBggr">
        <!-- data connector that delivers the username -->
        <resolver:Dependency ref="userDB" />
        <!-- database connection where the IdP remembers the generated targetedIDs, one per user and SP -->
        <ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
            jdbcURL="jdbc:mysql://localhost:3306/idp?autoReconnect=true"
            jdbcUserName="idp" jdbcPassword="secret" />
    </resolver:DataConnector>
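To make the per-SP property of the targetedID and the role of the salt concrete, here is an added example (written for this page, not code from the workshop or from the Shibboleth IdP). The hash layout, base64 of SHA-1 over the SP entity ID, the username and the salt separated by “!”, is modelled on the IdP 2 ComputedId connector and is an assumption of this example; the deck does not spell the algorithm out. The in-memory table stands in for the StoredId database, and the SP entity IDs and usernames are constructed.

```python
import base64
import hashlib
import secrets


def computed_id(relying_party_id, local_id, salt):
    """Derive a per-SP persistent identifier as base64(SHA-1(sp "!" user "!" salt)).

    Layout modelled on the IdP 2 ComputedId connector (assumption of this example).
    Because the SP entity ID is hashed in, one user gets unrelated values at different
    SPs, and without the salt nobody can recompute the value from a guessed username."""
    digest = hashlib.sha1()
    for part in (relying_party_id, "!", local_id, "!", salt):
        digest.update(part.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


class StoredIdStore:
    """In-memory stand-in for the StoredId database table: (SP, user) -> persistent ID.

    On first contact the computed value is stored; later lookups return the stored
    value, so an existing user's ID survives later changes of the salt."""

    def __init__(self, salt):
        self.salt = salt
        self.table = {}

    def resolve(self, relying_party_id, local_id):
        key = (relying_party_id, local_id)
        if key not in self.table:
            self.table[key] = computed_id(relying_party_id, local_id, self.salt)
        return self.table[key]


def correlate(targeted_id, relying_party_id, candidate_users, salt_guess):
    """What anyone holding a targetedID plus the salt can do: enumerate usernames until
    one reproduces the ID.  Returns the recovered username, or None if the salt is wrong."""
    for user in candidate_users:
        if computed_id(relying_party_id, user, salt_guess) == targeted_id:
            return user
    return None


if __name__ == "__main__":
    salt = "DGFJhijfgDzY3JsMIHWBggr"                  # the deck's sample salt; never reuse it
    store = StoredIdStore(salt)
    sp_a, sp_b = "sp2_rzg_mpg_de", "sp_fkf_mpg_de"   # constructed SP entity IDs
    print("jdoe at", sp_a, "->", store.resolve(sp_a, "jdoe"))
    print("jdoe at", sp_b, "->", store.resolve(sp_b, "jdoe"))
    print("username recovered with leaked salt:",
          correlate(store.resolve(sp_a, "jdoe"), sp_a, ["alice", "jdoe"], salt))
    print("a fresh salt for a new deployment:", secrets.token_urlsafe(24))
```

The correlate function is the reason the salt is a secret: an SP that learns it can map every targetedID it holds back to a username by brute force over the (small) user namespace, which defeats the pseudonymity the attribute is meant to provide.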

Using Attributes – Policy/Filter

  • attribute-filter.xml filters attributes according to the configured release rules
    – AttributeFilterPolicy defines the policies according to your requirements
      https://spaces.internet2.edu/display/SHIB2/AFPAttributeFilterPolicy
    – PolicyRequirementRule specifies when an AttributeFilterPolicy applies
      https://spaces.internet2.edu/display/SHIB2/AFPPolicyRequirementRule
    – AttributeRule specifies the rules for each attribute
      https://spaces.internet2.edu/display/SHIB2/AFPAttributeRule
    – PermitValueRule defines which values of (which) attributes are released
      https://spaces.internet2.edu/display/SHIB2/AFPPermitValueRule

Attribute Filter – trivial sample

  • attribute-filter.xml allows fine-grained filtering with conditional rules

    <!-- release to anyone: the policy applies in any case -->
    <AttributeFilterPolicy id="releaseToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />
        <AttributeRule attributeID="organizationName">
            <!-- allow/release any value -->
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- rules for the MPG-AAI federation: the policy applies to all SPs in the mpg-aai federation,
         i.e. inside the named EntitiesDescriptor group of the federation metadata
         (the id attribute is required; any unique value will do) -->
    <AttributeFilterPolicy id="releaseToMpgaai">
        <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
                               groupID="urn:mace:shibboleth:mpgaai" />
        <AttributeRule attributeID="epTargetedID">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

Attribute Filter – advanced

  • attribute-filter.xml

    <!-- shared rule for affiliation values: specifies a fixed set of allowed values -->
    <afp:PermitValueRule id="epAffiliationValues" xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
    </afp:PermitValueRule>

    <!-- rules for multiple federations: the policy applies to all named Service Providers -->
    <AttributeFilterPolicy id="namedServiceProviders">
        <PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="saml:AttributeRequesterString" value="sp2_rzg_mpg_de" />
            <basic:Rule xsi:type="saml:AttributeRequesterString" value="sp_fkf_mpg_de" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="epScopedAffiliation">
            <!-- a value is released if it matches any one of the referenced allowed values;
                 values outside the set are dropped -->
            <PermitValueRuleReference ref="epAffiliationValues" />
        </AttributeRule>
    </AttributeFilterPolicy>
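The filter semantics of the two preceding slides (a policy applies when its requirement rule holds, a value is released when some applicable AttributeRule permits it, and a basic:OR permit rule accepts a value matching any one member) can be checked offline with a small evaluator. This is an added example written for this page, not the IdP's filter engine and not code from the workshop: it reads an attribute-filter.xml with the deck's three policies and applies it to a constructed request. The user's attribute values are constructed and, for brevity, unscoped (a real eduPersonScopedAffiliation value carries an @scope suffix); only the match functions used on the deck are implemented.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed attribute-filter.xml holding the deck's three policies
ATTRIBUTE_FILTER = """
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:PermitValueRule id="epAffiliationValues" xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
    <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
    <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
  </afp:PermitValueRule>
  <AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="organizationName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseToMpgaai">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:shibboleth:mpgaai"/>
    <AttributeRule attributeID="epTargetedID"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="namedServiceProviders">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeRequesterString" value="sp2_rzg_mpg_de"/>
      <basic:Rule xsi:type="saml:AttributeRequesterString" value="sp_fkf_mpg_de"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="epScopedAffiliation"><PermitValueRuleReference ref="epAffiliationValues"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""


def local(el):
    """Element name without namespace (the deck mixes the default namespace and afp:)."""
    return el.tag.split("}")[-1]


def xtype(el):
    """Match function name from xsi:type, e.g. 'basic:OR' -> 'OR'."""
    return el.get(XSI_TYPE, "").split(":")[-1]


class Request:
    """What the filter sees: the requesting SP, the metadata entity groups it belongs to,
    and the attributes the resolver produced for the user."""
    def __init__(self, requester, groups, attributes):
        self.requester, self.groups, self.attributes = requester, set(groups), attributes


def evaluate(rule, req, attr_id, value, refs):
    """True if the rule matches; `value` is the attribute value under test
    (None while evaluating a PolicyRequirementRule)."""
    if local(rule).endswith("Reference"):            # e.g. PermitValueRuleReference
        return evaluate(refs[rule.get("ref")], req, attr_id, value, refs)
    t = xtype(rule)
    if t == "ANY":
        return True
    if t == "OR":
        return any(evaluate(r, req, attr_id, value, refs) for r in rule)
    if t == "AND":
        return all(evaluate(r, req, attr_id, value, refs) for r in rule)
    if t == "AttributeRequesterString":
        return req.requester == rule.get("value")
    if t == "AttributeRequesterInEntityGroup":        # group = EntitiesDescriptor Name in metadata
        return rule.get("groupID") in req.groups
    if t == "AttributeValueString":
        target = rule.get("attributeID") or attr_id
        if target == attr_id and value is not None:
            return value == rule.get("value")
        return rule.get("value") in req.attributes.get(target, [])
    raise ValueError(f"unsupported match function {t!r}")


def filter_attributes(afp_xml, req):
    """Release a value if at least one applicable policy permits it (union over policies)."""
    root = ET.fromstring(afp_xml.strip())
    refs = {el.get("id"): el for el in root
            if el.get("id") and local(el) != "AttributeFilterPolicy"}
    released = {}
    for policy in root:
        if local(policy) != "AttributeFilterPolicy":
            continue
        requirement, *attr_rules = list(policy)       # schema order: requirement rule first
        if not evaluate(requirement, req, None, None, refs):
            continue
        for attr_rule in attr_rules:
            attr_id = attr_rule.get("attributeID")
            permit = list(attr_rule)[0]               # PermitValueRule or its Reference
            for value in req.attributes.get(attr_id, []):
                if evaluate(permit, req, attr_id, value, refs):
                    bucket = released.setdefault(attr_id, [])
                    if value not in bucket:
                        bucket.append(value)
    return released


if __name__ == "__main__":
    user = {"organizationName": ["Max Planck Society"], "epTargetedID": ["k3m/PqUo5tZ8B2cQ="],
            "epScopedAffiliation": ["staff", "alumni"]}   # constructed
    for sp, groups in [("sp2_rzg_mpg_de", ["urn:mace:shibboleth:mpgaai"]),
                       ("https://sp.elsewhere.example/shibboleth", [])]:
        print(sp, "->", filter_attributes(ATTRIBUTE_FILTER, Request(sp, groups, user)))
```

Running it shows the asymmetry the slides describe: the MPG-AAI member SP receives the targetedID and only the “staff” affiliation (the “alumni” value is dropped because it matches none of the OR members), while an SP outside both the entity group and the named list gets nothing but organizationName.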

Outlook

  • Shibboleth IdP 2.2
    – Single Logout functionality (SAML-conformant SLO, partly implemented already)
    – ECP profile of SAML 2.0 (Enhanced Client or Proxy / delegation, e.g. SOAP, ...)
    – X.509 and other authentication mechanisms
  • native support for privacy enhancements like uApprove
  • dynamic generation of metadata at the IdP (as already available for the SP)
  • integration of user-centric identity management (CardSpace, OpenID)?
  • maybe support for desktop applications, e.g. using ECP?

Thanks & Discussion

Questions, Discussion...

- Thank You for Your Attention -