mpgaai
mpgaai workshop
Shibboleth Identity Provider
MPG-AAI – Hands On Workshop, Clarin Centers Prague 2009
2009-11-06
mpgaai
2009·11·06
MPG-AAI - Hands On – Shibboleth IdP
About Shibboleth Identity Provider
• Identity Provider Architecture & Components
• Installation
– Integration to Apache & Tomcat
– IdP Web Application
– Initial Setup
• Authentication Configurations
• Join Federations
• Using Attributes
– Attribute Resolver
– Attribute Filter
IdP - Architecture & Components
• SSO-Service – checks session & login status and, if no valid session exists,
– redirects to the configured Login Handler
– the Login Handler authenticates the user using the Identity Management in place at the hosting/home site
• Attribute-Authority – resolves attributes
– filters the retrieved attributes according to the Release Policy (ARP)
– posts SAML assertions with authentication- & attribute-statement to the requesting Service Provider
(figure © switch.ch)
Installation HowTos 4 Shibboleth-IdP
• Internet2
https://spaces.internet2.edu/display/SHIB2/Installation
https://spaces.internet2.edu/display/SHIB2/IdPInstall
http://shibboleth.internet2.edu/documentation.html
• SWITCH
https://www.switch.ch/aai/support/identityproviders
http://www.switch.ch/aai/support/howto/
• DFN (de)
https://www.aai.dfn.de/dokumentation/identity-provider/
• LRZ
http://www.lrz-muenchen.de/~hommel/shibboleth/idp20_unter_sles10sp1.html
Installation Layout (figure)
– Apache httpd: mod_ssl, httpd.conf, certificate (public/private keys), openSSL
– Tomcat: java, server.xml, idp.xml; connected to httpd via AJP
– Shibboleth Identity Provider webapp: relying-party.xml, copy of metadata.xml
– IDM: source of AuthN and attributes
Apache Webserver Configuration
• httpd-vhost.conf
Listen 443
<VirtualHost _default_:443>
    ServerName https://idp.mydomain.de
    UseCanonicalName On

    SSLEngine on
    # "ALL" permits every cipher mod_ssl knows; restrict this to a vetted list in production
    SSLCipherSuite ALL
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
    SSLCertificateFile /opt/mpgaai/httpd/conf/ssl.crt/idp.crt
    SSLCertificateKeyFile /opt/mpgaai/httpd/conf/ssl.key/idp.key
    SSLCACertificatePath /etc/ssl/certs

    # hand /idp/ to the IdP webapp in Tomcat over AJP
    ProxyPass /idp/ ajp://localhost:8009/idp/
    <Location /idp>
        Order Deny,Allow
        Allow from all
    </Location>
</VirtualHost>
Apache - ssl “proxy” through firewall
...
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    # ...
    # sample virtual ssl proxy configuration
    SSLProxyEngine on
    RewriteEngine On
    RewriteOptions Inherit
    RewriteRule ^/idp/(.*) https://internalserver:443/idp/$1 [P]
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
...
(figure: WWW / Service Provider → httpd in the DMZ → httpd on the internal server)
Tomcat Servlet Container Configuration
• server.xml ${CATALINA_HOME}/server.xml
<!-- enable AJP connector; address="127.0.0.1" keeps port 8009 reachable only from the local httpd -->
<Connector port="8009" request.tomcatAuthentication="false" address="127.0.0.1"
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
• idp.xml ${CATALINA_HOME}/conf/Catalina/localhost/idp.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- docBase: path to the web application dir -->
<Context docBase="/opt/mpgaai/shibboleth-idp2/war/idp" privileged="true"
         antiResourceLocking="false" antiJARLocking="false" unpackWAR="true"/>
Shibboleth IdP – Main Config Files
• relying-party.xml – core configuration of the Shibboleth Identity Provider
• attribute-resolver.xml – definition of applicable attributes
– connectors to the actual data sources like LDAP, databases
• attribute-filter.xml – filtering of published attributes: checks for attribute names and values
– allows fine grained control over which attributes are released to different Service Providers
• metadata – describes the federation: participating entities, communication endpoints
• login.config (jaas.conf) – configuration of the Java Authentication & Authorization Service
Initial Setup
• relying-party.xml
– relying party, entity-ID: AnonymousRelyingParty.provider, DefaultRelyingParty.provider
– Credentials: X.509 Certificate - Public/Private-Key
– Metadata Provider
• handler.xml – Login Handler
– Remote User, Username-Password...
• idp-metadata.xml
– entity-ID
– certificates
• Status Test: https://idp.example.org/idp/profile/Status
Connecting to Identity Management
• the IdP can plug into an existing Identity Management System (IDM)
– connectors to directory services (LDAP, AD), databases
– optional custom connectors
• separate connectors for authentication and attribute resolving are possible
• two integration models for authentication
– external (“old” Shibboleth 1.x style): using the Apache webserver or a Tomcat realm
– internal (Shibboleth 2.x, recommended): (http) form-based, using JAAS
• handler.xml – Login Handler
<!-- Username/password login handler -->
<LoginHandler xsi:type="UsernamePassword"
              jaasConfigurationLocation="file:///etc/aai/login.config">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
Authentication – IdP & JAAS
• login.config / jaas.conf
more about JAAS: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/
/* sample LDAP authN config */
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        host="ldap.example.org"
        port="636"
        base="dc=example,dc=org"
        ssl="true"
        userField="uid"
        subtreeSearch="true"
    ;
};

// alternative Kerberos config
ShibUserPassAuth {
    com.sun.security.auth.module.Krb5LoginModule sufficient
        java.security.krb5.realm="IPP-GARCHING.MPG.DE"
        refreshKrb5Config=true
    ;
};
Join a Federation...
• Federations and trust between participants are enforced via metadata
• those metadata define the participating entities and their communication endpoints (SAML Profiles, “Service URLs”)
• any entity (IdP or SP) can join multiple federations
• to join federations
– get your IdP metadata right:
• see ${IDP-HOME}/metadata/idp-metadata.xml
• check your entity-ID and certificate (compare to your settings in relying-party.xml)
– and publish them to the federation (its participants): there is no auto-process, you have to do that “manually”
– import the federation metadata to your IdP: relying-party.xml – MetadataProvider (→ next slide)
https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
… Join a Federation
<!-- "chaining-provider": allows multiple providers -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">
    <!-- auto-download federation MD from central location -->
    <MetadataProvider id="MPGAAI" xsi:type="FileBackedHTTPMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataURL="https://services.aai.mpg.de/metadata/mpgaai-metadata.xml"
                      backingFile="/opt/mpgaai/shibboleth-idp2/metadata/mpgaai-metadata.xml">
    </MetadataProvider>
    <!-- 2nd federation; fetched over plain http, so its integrity rests on a signature check of the feed -->
    <MetadataProvider id="DEISA2" xsi:type="FileBackedHTTPMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataURL="http://deisa2.grid.sara.nl/federation-metadata.xml"
                      backingFile="/opt/mpgaai/shibboleth-idp2/metadata/deisa2-metadata.xml">
    </MetadataProvider>
    <!-- static (filesystem) metadata file -->
    <MetadataProvider id="InternalMetadata" xsi:type="FilesystemMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataFile="/opt/mpgaai/metadata/oiosaml-metadata.xml" />
</MetadataProvider>
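The checks the previous slide asks for before joining a federation (is our entity-ID in the feed, does the published certificate match what relying-party.xml uses, is the feed still valid) as a small script. This is an added example, not part of the workshop or of Shibboleth: the federation feed, the entityID and the certificate text are constructed, the function names are my own, and XML-Signature verification of the feed is out of scope here.

```python
"""Pre-import checks on a federation metadata file for a Shibboleth IdP.

Added example (not from the workshop slides, not Shibboleth code). The feed,
the IdP entityID and the certificate are constructed. It parses an
EntitiesDescriptor, checks validUntil, confirms the IdP's own entityID is
listed, and compares the signing certificate published for it with the one
configured locally. XML-Signature verification of the feed is not covered.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for the IdP's own settings (relying-party.xml / idp-metadata.xml).
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
IDP_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIC0nstructedCertBlobAAAA
BBBBconstructedCertBlob==
-----END CERTIFICATE-----"""

# Constructed federation feed: one IdP (ours) and one SP.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    Name="urn:mace:shibboleth:mpgaai" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="{IDP_ENTITY_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIC0nstructedCertBlobAAAA
          BBBBconstructedCertBlob==
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def normalize_cert(text):
    """Strip PEM armour and all whitespace so certificates compare byte for byte."""
    text = re.sub(r"-----[A-Z ]+-----", "", text or "")
    return re.sub(r"\s+", "", text)


def parse_metadata(xml_text):
    return ET.fromstring(xml_text)


def metadata_unexpired(root, now=None):
    """True if validUntil exists and lies in the future; a feed without validUntil is treated as unusable."""
    now = now or datetime.now(timezone.utc)
    stamp = root.get("validUntil")
    if stamp is None:
        return False
    until = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return until > now


def entity_ids(root):
    return [e.get("entityID") for e in root.iter(f"{{{MD}}}EntityDescriptor")]


def signing_certs(root, entity_id):
    """Certificates the given entity may sign with (a KeyDescriptor without 'use' counts for signing too)."""
    certs = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":
                continue
            certs.extend(normalize_cert(c.text) for c in kd.iter(f"{{{DS}}}X509Certificate"))
    return certs


def check_idp_registration(root, entity_id, cert_pem, now=None):
    """The three checks an operator should run before trusting a feed; each maps to True/False."""
    return {
        "metadata_unexpired": metadata_unexpired(root, now),
        "entity_present": entity_id in entity_ids(root),
        "certificate_matches": normalize_cert(cert_pem) in signing_certs(root, entity_id),
    }


if __name__ == "__main__":
    root = parse_metadata(FEDERATION_METADATA)
    for name, ok in check_idp_registration(root, IDP_ENTITY_ID, IDP_CERT_PEM).items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Point the constants at the real backingFile and the IdP's own idp-metadata.xml to use this on a live installation; a failing certificate check usually means the federation still carries the certificate of a previous key pair.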
Attributes Handling
• IdPs provide SAML authentication- & attribute-assertions
• fine grained control over which attributes are released to whom
• attributes based on standard object classes, e.g. eduPerson, inetOrgPerson...
• attribute management split in two steps:
– Attribute Resolver
• fetches attribute data from external sources, like LDAP, databases
• attributes are converted & mapped to URNs
• multiple data sources and complex formatting possible
– Attribute Filter
• filtering based on rules with flexible matching conditions
• allows fine grained, complex filter scenarios
Attribute Resolver – Attribute Definition
• attribute-resolver.xml
– several dependencies possible (e.g. as failover)
– attribute types: SAML2NameID, Simple, Scoped
<!-- id: attribute identifier; sourceAttributeID: reference to the data source attribute -->
<resolver:AttributeDefinition id="epTargetedID" xsi:type="SAML2NameID"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                              sourceAttributeID="persistentID">
    <!-- reference to the data connector -->
    <resolver:Dependency ref="userDB" />
    <!-- encoder to SAML 1: URN based naming -->
    <resolver:AttributeEncoder xsi:type="SAML1XMLObject"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
    <!-- encoder to SAML 2: URN based naming using standard OIDs -->
    <resolver:AttributeEncoder xsi:type="SAML2XMLObject"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                               friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>
Attribute Resolver – Data Connectors...
• attribute-resolver.xml
<!-- sample LDAP connector -->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldaps://ldap.gwdg.de" baseDN="O=GOESTERN"
                        principal="cn=roadmin,o=GWD" principalCredential="secret">
    <!-- the authenticated principal name is substituted into the search filter -->
    <FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
    </FilterTemplate>
</resolver:DataConnector>

<!-- sample STATIC connector: fixed values, identical for every user -->
<resolver:DataConnector id="myStaticData" xsi:type="Static"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    <Attribute id="epOrgDN">
        <Value>O=Max Planck Society,DC=mpg,DC=de</Value>
    </Attribute>
</resolver:DataConnector>
...Attribute Resolver – Data Connectors
• attribute-resolver.xml
multiple dataconnectors to different datasources possible
<!-- sample DATABASE connector -->
<resolver:DataConnector id="userDB" xsi:type="RelationalDatabase"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    <ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                                  jdbcURL="jdbc:mysql://userdb.example.org/userdb"
                                  jdbcUserName="userdb" jdbcPassword="secret" />
    <!-- resolving data: query by username (the substituted value is a string, hence the quotes) -->
    <QueryTemplate><![CDATA[
        SELECT * FROM student WHERE uid = '$requestContext.principalName'
    ]]></QueryTemplate>
    <!-- mapping columns to attributes -->
    <Column columnName="username" attributeID="uid" />
    <Column columnName="name" attributeID="sn" />
    <Column columnName="email" attributeID="email" />
</resolver:DataConnector>
TargetedID & StoredId-Connector
• attribute-resolver.xml: the (generated) targetedID differs for each Service Provider
<!-- StoredID (persistentID) Connector -->
<resolver:DataConnector id="myStoredId" xsi:type="StoredId"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        generatedAttributeID="persistentID"
                        sourceAttributeID="username"
                        salt="DGFJhijfgDzY3JsMIHWBggr" >
    <resolver:Dependency ref="userDB" />
    <ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
                                  jdbcURL="jdbc:mysql://localhost:3306/idp?autoReconnect=true"
                                  jdbcUserName="idp" jdbcPassword="secret" />
</resolver:DataConnector>
– generatedAttributeID: destined attribute ID
– sourceAttributeID: source attribute of the original username
– salt: salt used when generating the ID (keep it secret; changing it changes every user's ID)
– Dependency: data connector to the username source
– ApplicationManagedConnection: database (connection) where the IdP remembers the multiple generated targetedIDs for each user
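To make the "differs for each Service Provider" property concrete, an added example that is not the StoredId connector's code: it derives an identifier from a salted hash over the SP entityID and the local username and remembers it per (SP, user) pair, the way the IdP's database does. The hash algorithm, the separator and the salt are assumptions made for this demonstration; the IdP's exact encoding is not reproduced.

```python
"""Why a generated targetedID / persistentID differs per Service Provider.

Added example, not the Shibboleth StoredId connector. It models the principle:
a salted hash over (SP entityID, local username, salt), stored so the same
pair always yields the same value. Hash algorithm, separator and salt are
assumptions for this demonstration.
"""
import base64
import hashlib

# Constructed salt. The real one in attribute-resolver.xml must stay secret: whoever knows
# it can recompute IDs from usernames, and changing it changes every user's ID at every SP.
SALT = b"constructed-demo-salt"


def computed_id(sp_entity_id, username, salt=SALT):
    """Deterministic per-(SP, user) identifier; an SP cannot recover the username from it."""
    h = hashlib.sha256()                      # assumption: algorithm chosen for this demo
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")                            # assumption: separator chosen for this demo
    h.update(username.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


class StoredIdStore:
    """Stand-in for the 'idp' database table the StoredId connector writes to."""

    def __init__(self, salt=SALT):
        self.salt = salt
        self.rows = {}                        # (sp_entity_id, username) -> persistent id

    def resolve(self, sp_entity_id, username):
        key = (sp_entity_id, username)
        if key not in self.rows:              # first visit of this user at this SP: generate and remember
            self.rows[key] = computed_id(sp_entity_id, username, self.salt)
        return self.rows[key]


def ids_are_linkable(id_a, id_b):
    """Two SPs can only correlate a user across sites if they received identical IDs."""
    return id_a == id_b


if __name__ == "__main__":
    store = StoredIdStore()
    for sp in ("https://sp-a.example.org/shibboleth", "https://sp-b.example.org/shibboleth"):
        print(sp, "->", store.resolve(sp, "jdoe"))
```

Because the stored value is what gets released, the IdP can later revoke or regenerate a single (SP, user) row without touching the salt; that is the practical advantage of StoredId over a purely computed ID.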
Using Attributes - Policy/Filter
• attribute-filter.xml filters attributes according to the configured publishing rules
– AttributeFilterPolicy defines several policies according to your requirements
https://spaces.internet2.edu/display/SHIB2/AFPAttributeFilterPolicy
– PolicyRequirementRule specifies when an AttributeFilterPolicy applies
https://spaces.internet2.edu/display/SHIB2/AFPPolicyRequirementRule
– AttributeRule specifies the rules for each attribute
https://spaces.internet2.edu/display/SHIB2/AFPAttributeRule
– PermitValueRule defines which values of (which) attributes are accepted
https://spaces.internet2.edu/display/SHIB2/AFPPermitValueRule
Attribute Filter – trivial sample
• attribute-filter.xml allows fine grained filtering via conditioning rules
<!-- release to anyone: filter policy enforced in any case -->
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="organizationName">
        <!-- allow/release any value -->
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<!-- rules for MPG-AAI federation: filter policy applies for all SPs in the mpg-aai federation -->
<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
                           groupID="urn:mace:shibboleth:mpgaai" />
    <AttributeRule attributeID="epTargetedID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
Attribute Filter - advanced
• attribute-filter.xml
<!-- shared rule for affiliation values: specifies a fixed set of allowed values -->
<afp:PermitValueRule id="epAffiliationValues" xsi:type="basic:OR">
    <Rule xsi:type="AttributeValueString" value="faculty"/>
    <Rule xsi:type="AttributeValueString" value="student"/>
    <Rule xsi:type="AttributeValueString" value="staff"/>
</afp:PermitValueRule>

<!-- rules for multiple federations: filter policy applies for all named Service Providers -->
<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="saml:AttributeRequesterString" value="sp2_rzg_mpg_de" />
        <basic:Rule xsi:type="saml:AttributeRequesterString" value="sp_fkf_mpg_de" />
    </PolicyRequirementRule>
    <!-- released values must match the referenced set of allowed values -->
    <AttributeRule attributeID="epScopedAffiliation">
        <RuleReference ref="epAffiliationValues"/>
    </AttributeRule>
</AttributeFilterPolicy>
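The two filter slides above describe the evaluation order in words; the following added example (not Shibboleth code, not from the workshop) re-states their three policies as Python data and runs a user's attributes through them for different requesters, so the "who gets what" outcome can be checked directly. SP entityIDs other than the two named on the slide, the entity group membership and the user record are constructed; the scope part of scoped attributes is not modelled, and the function names are my own.

```python
"""Model of how attribute-filter.xml decides which attribute values are released.

Added example, not Shibboleth code. Evaluation follows the documented order:
PolicyRequirementRule selects the applicable policies, AttributeRule /
PermitValueRule keep the permitted values, and anything no policy permits is
dropped (default deny). Requesters and the user record are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Requester:
    entity_id: str
    groups: frozenset            # EntitiesDescriptor names (federations) the SP belongs to


# --- PolicyRequirementRule equivalents ------------------------------------
def basic_any(_req: Requester) -> bool:               # basic:ANY
    return True


def requester_in_entity_group(group_id: str):         # saml:AttributeRequesterInEntityGroup
    return lambda req: group_id in req.groups


def requester_string(entity_id: str):                 # saml:AttributeRequesterString
    return lambda req: req.entity_id == entity_id


def basic_or(*rules):                                 # basic:OR, usable for both rule kinds
    return lambda x: any(rule(x) for rule in rules)


# --- PermitValueRule equivalents ------------------------------------------
def any_value(_value: str) -> bool:                   # basic:ANY
    return True


def attribute_value_string(value: str):               # AttributeValueString
    return lambda v: v == value


@dataclass(frozen=True)
class AttributeFilterPolicy:
    policy_id: str
    requirement: Callable[[Requester], bool]
    attribute_rules: Dict[str, Callable[[str], bool]]  # attributeID -> PermitValueRule


# Shared rule, the slide's <afp:PermitValueRule id="epAffiliationValues" xsi:type="basic:OR">
EP_AFFILIATION_VALUES = basic_or(
    attribute_value_string("faculty"),
    attribute_value_string("student"),
    attribute_value_string("staff"),
)

# The three policies from the slides, in order.
POLICIES = [
    AttributeFilterPolicy("releaseToAnyone", basic_any, {"organizationName": any_value}),
    AttributeFilterPolicy("mpgaaiFederation",
                          requester_in_entity_group("urn:mace:shibboleth:mpgaai"),
                          {"epTargetedID": any_value}),
    AttributeFilterPolicy("namedServiceProviders",
                          basic_or(requester_string("sp2_rzg_mpg_de"),
                                   requester_string("sp_fkf_mpg_de")),
                          {"epScopedAffiliation": EP_AFFILIATION_VALUES}),
]

# Constructed user record as the resolver would deliver it (attributeID -> values).
USER = {
    "organizationName": ["Max Planck Society"],
    "epTargetedID": ["constructed-opaque-id"],
    "epScopedAffiliation": ["staff", "alum"],
    "mail": ["jdoe@example.org"],            # mentioned by no policy: never released
}


def filter_attributes(policies, requester: Requester,
                      attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return only the attribute values that some applicable policy permits."""
    released: Dict[str, List[str]] = {}
    for policy in policies:
        if not policy.requirement(requester):
            continue                          # PolicyRequirementRule not met: skip whole policy
        for attribute_id, permit in policy.attribute_rules.items():
            kept = released.setdefault(attribute_id, [])
            for value in attributes.get(attribute_id, []):
                if permit(value) and value not in kept:
                    kept.append(value)
    return {k: v for k, v in released.items() if v}


if __name__ == "__main__":
    sp = Requester("sp2_rzg_mpg_de", frozenset({"urn:mace:shibboleth:mpgaai"}))
    print(filter_attributes(POLICIES, sp, USER))
```

Running it for an SP that is in the federation but not one of the two named entities shows that "alum" and "mail" never leave the IdP, and that the affiliation attribute is withheld entirely rather than released with an empty value.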
Outlook
• Shibboleth IdP 2.2
– Single Logout functionality (SAML-conform SLO, partly already implemented)
– ECP profile of SAML 2.0 (Enhanced Client or Proxy / Delegation e.g. SOAP, …)
– X.509 and other authentication mechanisms
• native support for privacy enhancements like uApprove
• dynamic generation of metadata at the IdP (as available for the SP)
• integration of user-centric Identity Management (CardSpace, OpenID)?
• maybe support for desktop applications? e.g. using ECP?
Thanks & Discussion
Questions, Discussion...
- Thank You for Your Attention -