Shibboleth IdP Training 11. June 2015, Zurich Handouts

Table of Contents

1. Shibboleth IdP Version 3 Upgrade
2. Test of the VM Images
3. Configuration Pattern
4. User Authentication
5. Login Form Customization
6. Attribute Resolution
7. Persistent IDs
8. User Consent
9. Upgrades within Version 3
10. Updating the Home Organisation Description
11. Clustering IdPs
12. Resource Registry
13. Resource Registry: Interfederation via eduGAIN
14. Resource Registry: Entity Categories
15. Resource Registry: Attribute Release Configuration
16. Overview of Log Files
17. Reloading the Configuration
18. New Challenges with Interfederation SPs

Separate handouts for:
• Essential Linux commands
• Tips and Tricks for Hands-On Session
• Test Users on your Identity Provider
• Important Directories

Shibboleth IdP Version 3 Upgrade: General observations

SWITCHaai Team, aai@switch.ch

© 2015 SWITCH

IdP v3: a new milestone

• IdP version 2.0.0 was released in March 2008, followed by 4 minor releases and 18 patch releases (current is 2.4.4)
• IdP version 3 is the first major release after ~7 years
  – 3.0.0, December 2014: only very sparse documentation in the Wiki
  – 3.1.0/3.1.1, March 2015: now being deployed for production use; documentation considerably improved in Q1/Q2 2015
• a good opportunity to start with a fresh environment
  – requires Java 7 or later and Servlet API 3.0 support
  – best run on a platform with an expected lifetime of 5+ years
• do not consider an in-place upgrade of your IdP v2 deployment, even if the Shibboleth installer claims to support this to some extent

Operating system recommendations

• rely on an OS with long-term support (5+ years)
• use the same Linux distribution (or one from the same family) which your organization is already using for other services
• the SWITCH deployment guide has been rewritten to cover
  – Ubuntu Server 14.04 LTS: released in April 2014, supported through April 2019
  – Red Hat Enterprise Linux 7 / CentOS 7: released in June 2014, supported through June 2024
• Debian is no longer covered in the SWITCH guide, but it is very similar to Ubuntu (in case you have strong feelings about staying with Debian)

Java and Webapp environment

• rely on the operating system's default Java version
  – for both Ubuntu 14.04 and RHEL 7 this is OpenJDK 7
  – Java 8 has potential pitfalls with scripted attributes (Rhino/Nashorn engine incompatibilities), so better stay with Java 7 for the time being
• use a Java Servlet container which is provided in the form of a package supported by the OS vendor
  – Tomcat 7 is the primary container for both supported OSes
  – you don't have to bother about manually applying security patches for the Servlet container
• run Apache httpd in front of the Servlet container
  – flexible configuration of the TLS endpoints for the IdP
  – mod_proxy_ajp has proven robust with the IdP v2 in the past

Persistent ID and user consent storage

• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters, other RDBMSes might be better fits

Testing strategy

• /etc/hosts is your friend
• set up the IdP v3 on a completely new system
• retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2, most IdP traffic is now front channel
  – straightforward testing is possible by simple edits of your hosts file, e.g. 192.0.2.3 aai-login.example.org
• for back-channel testing, a temporary change to an SP's hosts file can be an option

Test of the VM Images: Boot VM image and test network connectivity

SWITCHaai Team, aai@switch.ch

General Information

• Course material is adapted for use in SWITCHaai
• Course material will be published online; check https://www.switch.ch/aai/docs/training
• If you see the hands-on icon on a slide, hands-on work is required

Boot up the image

1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.

VM Operating System Environment

• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (the same name for all participants): aai-login.example.org

Test AAI Login with Demo Service Provider

1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the Example Organisation
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux

DOS Command                    Linux Command
dir                            ls -l
cd <directory>                 cd <directory>
mkdir or md <directory>        mkdir <directory>
rmdir or rd <directory>        rmdir <directory>
chdir                          pwd
del or erase <file>            rm <file>
copy and xcopy <file>          cp and cp -R <file>
find or findstr <file>         grep <string> <file>
comp <file1> <file2>           diff <file1> <file2>
edit <file>                    nano or vim or emacs <file>
ping <host>                    ping <host>
reboot                         reboot

File Editing Commands for Terminal Editor

                      nano                  vim
Open file             $ nano <file>         $ vim <file>
Save file             <ctrl>-o              <esc> :w
Save and exit         <ctrl>-x              <esc> :wq
Search string         <ctrl>-w string       <esc> /string
Go to line number     <ctrl>-_ number       <esc> number <shift>-G

gedit is the recommended text editor. It is started as root user; its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session

• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user; this happens automatically if the Terminal is opened or if the text editor is used
• The \ character is a line break symbol which allows breaking a long command over several lines when typed
• Watch out for invalid XML / configuration errors
• Consult the Debugging handout for hints to resolve problems

More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser): should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1 (the password is "password"); useful for $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks: in your web browser, open https://aai-login.example.org

Test Users on your Identity Provider

• Username: student1, Password: password1
  UniqueID: 2490257@example.org, Givenname/surname: Test1 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org, Givenname/surname: Test2 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org, Givenname/surname: Test3 Staff, Affiliation: staff, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories

• /opt/shibboleth-idp: Identity Provider installation directory
• /opt/shibboleth-idp/conf: configuration files
• /opt/shibboleth-idp/logs: log files like idp-process.log
• /opt/shibboleth-idp/credentials: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades

Configuration Pattern: Get used to Spring Beans and Properties

SWITCHaai Team, aai@switch.ch

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
</util:list>

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Understanding Beans and Properties (continued)

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/ldap.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

Examples of Beans (continued)

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
</util:list>

References

For comprehensive information, refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication: How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.

Login Flows

[Figure: a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it (RemoteUser Authentication Flow, X509 Authentication Flow or Password Authentication Flow); the SAML Response is returned.]

Login Flows (continued)

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow; no special configuration is required, but the client must support ECP appropriately

Authentication Configuration

• Login flow activation: /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
  idp.authn.flows = Password
  idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml (one file per flow, e.g. password-authn-config.xml)
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties; keep this file readable only by the account Tomcat runs as
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration

/opt/shibboleth-idp/conf/ldap.properties:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

/opt/shibboleth-idp/conf/credentials.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]

Properties for LDAP authentication

• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method; must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s); must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389); if not enabled, the connection is not encrypted, and both the service user's bind password and every user's password cross the network in clear
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636); must usually be set to true

Properties for LDAP authentication (continued)

• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method; usually set to jvmTrust (the LDAP server certificate is validated against the JVM's trust store)
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree; usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter; takes the login name as input ({user} is replaced by the name entered on the login form)

Properties for LDAP authentication (continued)

• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but are not described here; see the documentation for details.)
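The userFilter property above has the login name substituted into it at search time, so whatever a user types on the login form ends up inside an LDAP filter. The following Python is an added example, not from the SWITCH handouts or the Shibboleth IdP code base: it shows what that substitution must guarantee (the value is escaped as RFC 4515 requires, which is the job of the IdP's LDAP library, not of the deployer) and what a raw string substitution would let a user do to the filter. The {user} placeholder is the IdP's own; the function names and the hostile sample input are mine.

```python
"""Escaping the login name substituted into idp.authn.LDAP.userFilter.

Added example; not from the SWITCH handouts or the Shibboleth IdP.  The IdP's
LDAP library performs this substitution for you; the code shows what it has
to guarantee and what a raw string substitution would allow.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template, login_name, escape=True):
    """Substitute the login name into a userFilter template such as (uid={user}).

    escape=False reproduces a naive substitution, for comparison only.
    """
    value = escape_filter_value(login_name) if escape else login_name
    return template.replace("{user}", value)


def count_assertions(filter_text):
    """Number of attr=value assertions in a filter.  A single-user lookup built
    from (uid={user}) must contain exactly one, whatever the user typed."""
    return len(re.findall(r"\([^()=]+=[^()]*\)", filter_text))


if __name__ == "__main__":
    # constructed login-form inputs: a wildcard, and a name followed by an
    # attempt to append a second assertion to the filter
    for hostile in ("*", "student1)(uid=*"):
        for escape in (False, True):
            rendered = render_user_filter("(uid={user})", hostile, escape=escape)
            print(f"escape={escape}: {rendered}  assertions={count_assertions(rendered)}")
```

Without escaping, "*" turns the lookup into (uid=*) and "student1)(uid=*" changes the structure of the filter; with escaping, both stay a single literal comparison against a value no entry has.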

Hands-on 1: Explore the configuration. Get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties:
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: a common and equivalent alternative to userField is userFilter:
userField="uid"  is the same as  userFilter="(uid={0})"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/credentials.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
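The same migration as a script, as an added example that is not part of the handouts or of the Shibboleth distribution: it parses a constructed login.config of the form shown above, maps the LdapLoginModule options to the v3 property keys used on this page, derives useSSL/useStartTLS from the URL scheme, rewrites a userField or a {0}-style userFilter into the {user} form, and sends bindCredential to the credentials.properties side only. The property keys are the IdP's; the function names, the sample input and the decision to turn a plain ldap:// URL into a StartTLS connection are mine.

```python
"""Map IdP v2 JAAS LdapLoginModule options to IdP v3 ldap.properties / credentials.properties.

Added example, not part of the SWITCH handouts or the Shibboleth distribution.
The input below is a constructed login.config in the shape shown above.
"""
import re
from urllib.parse import urlsplit

SAMPLE_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

# v2 JAAS option -> v3 property key; values are copied through unchanged
DIRECT_MAP = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}


def parse_login_module_options(text, app_name="ShibUserPassAuth"):
    """Return the key="value" options of the login module entry named app_name."""
    match = re.search(re.escape(app_name) + r"\s*\{(.*?)\};", text, re.S)
    if not match:
        raise ValueError(f"no {app_name} entry in login.config")
    return dict(re.findall(r'(\w+)="([^"]*)"', match.group(1)))


def convert(options):
    """Return (ldap_properties, credentials_properties) as dicts of v3 keys."""
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    for v2_key, v3_key in DIRECT_MAP.items():
        if v2_key in options:
            ldap[v3_key] = options[v2_key]

    # TLS flags follow the URL scheme; several space-separated URLs must agree
    schemes = {urlsplit(url).scheme for url in options.get("ldapUrl", "").split()}
    if schemes == {"ldaps"}:
        ldap["idp.authn.LDAP.useSSL"] = "true"
        ldap["idp.authn.LDAP.useStartTLS"] = "false"
    elif schemes == {"ldap"}:
        # assumption of this example: plain ldap:// on 389 gets StartTLS so that
        # neither the bind password nor user passwords cross the wire in clear
        ldap["idp.authn.LDAP.useSSL"] = "false"
        ldap["idp.authn.LDAP.useStartTLS"] = "true"
    else:
        raise ValueError(f"unsupported or mixed LDAP URL schemes: {sorted(schemes)}")
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"

    # userField=uid and userFilter=(uid={0}) are equivalent in v2; v3 uses {user}
    if "userFilter" in options:
        ldap["idp.authn.LDAP.userFilter"] = options["userFilter"].replace("{0}", "{user}")
    elif "userField" in options:
        ldap["idp.authn.LDAP.userFilter"] = f"({options['userField']}={{user}})"

    # the bind password is the only value that goes to credentials.properties
    credentials = {}
    if "bindCredential" in options:
        credentials["idp.authn.LDAP.bindDNCredential"] = options["bindCredential"]
    return ldap, credentials


def render(properties):
    """Serialise a dict in the key = value form the IdP's properties files use."""
    return "".join(f"{key} = {value}\n" for key, value in properties.items())


if __name__ == "__main__":
    ldap_props, cred_props = convert(parse_login_module_options(SAMPLE_LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap_props))
    print("# credentials.properties\n" + render(cred_props))
```

The split is deliberate: render(ldap_props) never contains bindDNCredential, so ldap.properties can be shared or checked into configuration management while credentials.properties stays restricted to the Tomcat user.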

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References

Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site


Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/exampleorg.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties (continued)

In /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Velocity Properties

<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

#set ($name = $rpUIContext.serviceName)
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

The service name, like the other $rpUIContext values, comes from the SP's metadata and is untrusted input as far as your login page is concerned: always pass it through $encoder.encodeForHTML, never render $name raw.

Hands On I

• Make the IdP logo disappear for screens smaller than 799 px

Hands On II

• Return the following error message on the login form in case of an invalid username or an incorrect password: "The credentials you entered are incorrect"

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• Define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• Use the class in login.vm:
  <img class="idp_logo" align="right" ...
• Rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Mapping both error classes to the same key also means the login form no longer reveals whether a username exists, which removes a user enumeration oracle.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible; any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1.3.6.1.4.1.1181711213 (the separators between the remaining OID arcs were lost in extraction; take the exact value from the Resource Registry)
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <!-- OID arc separators after 1.3.6.1.4.1 lost in extraction; use the Resource Registry value -->
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1.3.6.1.4.1.1181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  – Output attribute variable already created
  – setValues() removed
  – And more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
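The following is an added example, not code from the SWITCH handout or the Shibboleth project: it derives a computed persistent ID the way the slide describes it (SHA-1 over SP entity ID, user attribute value and salt, Base64) and shows why the result is pairwise. The "!" delimiter between the three inputs is an assumption about Shibboleth's ComputedId strategy and not stated on the page; the salt and user values are constructed dummies.

```python
# Added example (not SWITCH or Shibboleth project code): computed persistent
# ID as described on the slide, plus the SP-side string rendering.
# Assumption: inputs joined with "!" (Shibboleth ComputedId convention, as far
# as I know); salt and identifiers below are constructed for this example.
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other.example.org/shibboleth"
DUMMY_SALT = b"replace-with-a-long-random-secret"   # constructed; never reuse


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over spEntityID '!' sourceValue '!' salt, Base64 (20 bytes -> 28 chars)."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """String form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, pid))


def split_sp_rendering(rendered: str) -> tuple:
    """Inverse of sp_attribute_rendering. Both qualifiers are needed to interpret
    the value; a bare value is meaningless once more than one IdP/SP is involved."""
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


def is_pairwise(user_value: str, salt: bytes) -> bool:
    """Same user, two SPs -> two unrelated identifiers (the 'targeted' property)."""
    return computed_persistent_id(SP_A, user_value, salt) != computed_persistent_id(SP_B, user_value, salt)


if __name__ == "__main__":
    pid = computed_persistent_id(SP_A, "123456@example.org", DUMMY_SALT)
    print(pid, len(pid))
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_A, pid))
```

The salt is the only secret in this construction: anyone who knows it, the SP entity ID and the source attribute value can recompute the identifier, so keep credentials.properties readable by the IdP user only, and carry exactly the same salt over from the v2 configuration, otherwise every user receives a new identifier at every SP after the upgrade.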

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (the value in brackets is the IdP's built-in default).

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists – which attributes to prompt for [all except black list]:
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
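The following is an added example and not the IdP's own implementation: it models which attributes the consent page prompts for under the white list, black list and pattern settings described on the two slides above, makes visible which attributes an SP receives without the user ever seeing them (the white-list caveat), and applies the 3.2.0 display order. Where the slides are silent (white-listed attributes keep white-list order; black list always wins), the rules here are assumptions.

```python
# Added example (not Shibboleth IdP code): consent attribute selection and
# display order as described on the handout slides. Precedence rules beyond
# the slide text (black list wins; white-list order for the first group) are
# assumptions made here, not a statement about the IdP's implementation.
import re
from typing import Iterable, List, Optional

DEFAULT_BLACKLIST = {"transientId", "persistentId", "eduPersonTargetedID"}


def attributes_to_prompt(resolved: Iterable[str],
                         whitelist: Iterable[str] = (),
                         blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Attribute IDs the user is asked to consent to.

    - black-listed attributes are never shown (identifiers a user cannot judge)
    - an empty white list and no pattern means: show every remaining attribute
    - otherwise only white-listed attributes and those matching the pattern are
      shown; anything else is released without asking (the slide's caveat)
    """
    white = set(whitelist)
    black = set(blacklist)
    regex = re.compile(pattern) if pattern else None
    selected = []
    for attr_id in resolved:
        if attr_id in black:
            continue
        if not white and regex is None:
            selected.append(attr_id)
        elif attr_id in white or (regex is not None and regex.match(attr_id)):
            selected.append(attr_id)
    return selected


def released_without_consent(resolved: Iterable[str],
                             whitelist: Iterable[str] = (),
                             blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                             pattern: Optional[str] = None) -> List[str]:
    """Attributes the SP receives although the user never saw them on the
    consent page: the black list plus whatever a non-empty white list omits."""
    resolved = list(resolved)
    prompted = set(attributes_to_prompt(resolved, whitelist, blacklist, pattern))
    return [a for a in resolved if a not in prompted]


def display_order(prompted: Iterable[str], whitelist: Iterable[str] = ()) -> List[str]:
    """3.2.0 ordering: white-listed attributes first (white-list order, an
    assumption), everything else alphabetically."""
    prompted = list(prompted)
    first = [a for a in whitelist if a in prompted]
    rest = sorted(a for a in prompted if a not in first)
    return first + rest


if __name__ == "__main__":
    resolved = ["uid", "mail", "displayName", "eduPersonTargetedID", "swissEduPersonUniqueID"]
    print(attributes_to_prompt(resolved))                       # default: all but black list
    print(released_without_consent(resolved, whitelist=["mail"]))  # what a short white list hides
```

The second function is the check worth running before enabling a white list: with whitelist=["mail"] and nothing else, uid, displayName and swissEduPersonUniqueID leave the IdP without ever appearing on the consent page. Adding the ^.*$ pattern restores the prompt for them while keeping mail at the top of the list.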

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP, default mapping using the entityID (note that the colon in the entityID key must be escaped in a properties file, otherwise it ends the key):
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                    c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

The referenced profile beans carry no postAuthenticationFlows, so neither consent flow runs for SPs that match the tag; the override has to list every profile the SP may use, because a profile missing here falls back to the default relying party and its flows.
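The following is an added example, not code from the SWITCH handout or the Shibboleth project: it parses SP metadata carrying <mdattr:EntityAttributes> and evaluates the RelyingPartyByTag / TagCandidate selection from the override above, so the effect of a tag rule can be checked before deploying it. The metadata document is constructed for this example (it copies the entity attributes from the slide). A TagCandidate is modelled as (attribute Name, accepted values) and matches when the SP carries at least one accepted value under that Name; that reading, and "first matching override wins, otherwise the default relying party", follow the slides but are assumptions about the exact rules.

```python
# Added example (not SWITCH or Shibboleth project code): tag-based relying
# party selection evaluated against SP metadata. The metadata and the match
# semantics (any accepted value under the Name; first override wins) are
# assumptions for this example.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization
DEFAULT_RP = "shibboleth.DefaultRelyingParty"

# Constructed metadata for this example (entity attributes as on the slide).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""


def entity_attributes(metadata_xml: str) -> dict:
    """{attribute Name: [values]} from <md:Extensions>/<mdattr:EntityAttributes>."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def tag_matches(attrs: dict, name: str, accepted) -> bool:
    """One TagCandidate: the Name is present with at least one accepted value."""
    accepted = set(accepted)
    return any(v in accepted for v in attrs.get(name, []))


def select_relying_party(metadata_xml: str, overrides) -> str:
    """overrides: ordered [(override bean id, [(Name, accepted values), ...])].
    The first override with a matching candidate wins (order is significant, as
    the slide says); no match falls back to the default relying party."""
    attrs = entity_attributes(metadata_xml)
    for rp_id, candidates in overrides:
        if any(tag_matches(attrs, n, vals) for n, vals in candidates):
            return rp_id
    return DEFAULT_RP


if __name__ == "__main__":
    rules = [("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG_OID, {"example.org"})])]
    # the sample SP belongs to switch.ch, not example.org, so consent stays on
    print(select_relying_party(SAMPLE_METADATA, rules))
```

A tag is only as trustworthy as the metadata it arrives in: whoever publishes the metadata decides which entity attributes an SP carries. Consume tags only from metadata whose signature the IdP verifies, since a self-published tag would silently switch consent off for that SP.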

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (.tar.gz package recommended for Linux); verify the package's PGP signature, published next to the download, before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

[Screenshot: Home Organisation Description form; sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: a separate port (e.g. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata. TLS with the IdP's metadata-registered server certificate protects the channel, the message signature authenticates the requesting SP.

2. Change the URL for the Attribute Authority: what to adapt in the Resource Registry

In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp  or  https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

How to check if a profile and binding can be removed: check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used: check the log files. To find SAML1 SOAP binding logins in 2015:

$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time. In a clustered setup, check the logs of every node, and include logs that have already been rotated away from the logs directory.
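The following is an added example, not code from the SWITCH handout or the Shibboleth project: a small replacement for the grep above that reports, per binding and per SP, when a profile/binding was last used, and lists which of the candidate bindings have had no use within a chosen window, so that an endpoint is retired from the Resource Registry with evidence behind it. The log lines are constructed for this example; only the leading "YYYY-MM-DD HH:MM:SS,mmm" timestamp of idp-process.log lines and the presence of the binding URI and an https entityID somewhere on the line are assumed, the surrounding message text is not the IdP's actual wording.

```python
# Added example (not SWITCH or Shibboleth project code): last-use report per
# binding and SP from IdP process log lines. The sample lines are constructed;
# the timestamp prefix and URI tokens are assumptions about the log format.
from datetime import datetime, timedelta
import re

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
CANDIDATE_BINDINGS = [SAML1_SOAP, SAML2_SIMPLESIGN]

# Constructed sample log (not real IdP output).
SAMPLE_LOG = """\
2015-01-12 09:03:11,214 - INFO [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:86] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-04-28 17:45:02,991 - INFO [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:86] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth
2015-05-30 08:12:45,003 - INFO [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:86] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-06-10 12:00:00,000 - WARN [net.shibboleth.idp.session.impl.StorageBackedSessionManager:150] - unrelated line without a binding
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\b")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
ENTITY_RE = re.compile(r"https://[^\s\"']+")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def last_use(log_text: str) -> dict:
    """{(binding URI, entityID): 'YYYY-MM-DD HH:MM:SS' of the latest matching line}."""
    seen = {}
    for line in log_text.splitlines():
        ts_m, b_m = TS_RE.match(line), BINDING_RE.search(line)
        if not ts_m or not b_m:
            continue   # no timestamp or no binding URI: not evidence of use
        e_m = ENTITY_RE.search(line)
        key = (b_m.group(0), e_m.group(0) if e_m else "<unknown SP>")
        if key not in seen or ts_m.group(1) > seen[key]:   # ISO timestamps sort as text
            seen[key] = ts_m.group(1)
    return seen


def removable_bindings(log_text: str, candidates, now_iso: str, max_age_days: int = 90) -> list:
    """Candidate bindings with no use within max_age_days before now_iso
    ('YYYY-MM-DD'); a binding absent from the log altogether counts as unused."""
    uses = last_use(log_text)
    cutoff = datetime.strptime(now_iso, "%Y-%m-%d") - timedelta(days=max_age_days)
    removable = []
    for binding in candidates:
        latest = [datetime.strptime(ts, TS_FMT) for (b, _sp), ts in uses.items() if b == binding]
        if not latest or max(latest) < cutoff:
            removable.append(binding)
    return removable


if __name__ == "__main__":
    for (binding, sp), ts in sorted(last_use(SAMPLE_LOG).items()):
        print(ts, binding, sp)
    print(removable_bindings(SAMPLE_LOG, CANDIDATE_BINDINGS, "2015-06-11"))
```

Run it over the concatenation of all nodes' process logs for the period you care about; a binding that is "removable" by this report but still listed in an SP's metadata is worth a question to that SP's operator before the endpoint disappears from the Resource Registry.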

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[Diagram of the example environment, not reproduced in the text]

Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  – Special load balancing hardware or software is highly recommended:
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably:
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but a more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side

• A server-side database can store any data
  – But: might cause some performance penalty
  – A centralized/clustered or replicated database is required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node: a message first seen by one node and replayed against another is not detected (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database, or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes. Whoever holds this key can decrypt and forge session cookies, so copy the keystore only over an authenticated channel and keep it readable by the IdP user only.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta: no longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[Map of production and pilot federations; source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
  http://www.edugain.org
  https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in to eduGAIN (some federations decided for opt-out instead)
• The MDS fetches, aggregates and republishes metadata

[Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria: purpose, policies, or other
• In the interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

[Diagram: metadata]

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale

[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct, Home Organisations (HO) learn the SP's commitment; goal: increase the trust in Service Providers (SPs)]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

copy 2015 SWITCH

REFEDS Research & Scholarship

• R&S SPs support
  - research & scholarship interaction
  - collaboration
  - management
• No SPs from publishers
• Attributes
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
  - Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

19


Comparison

20

REFEDS R&S                      | GÉANT DP CoCo
--------------------------------|----------------------------------
Global                          | Mainly Europe
Common purpose of the SPs       | Common data protection standards
Fixed set of attributes         | SP can require any attributes
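As an added example (not part of the SWITCH handouts or of any Shibboleth code), the script below reads SAML metadata, picks up the entity category values attached to each SP and derives what an IdP would release under an illustrative policy that mirrors the comparison above: the fixed R&S bundle for R&S SPs regardless of what they ask for, exactly the attributes marked isRequired for CoCo SPs, and nothing automatic for SPs without a category. The R&S category URI, that policy and the sample metadata are assumptions of the example; the CoCo URI is the one given on the slides.

```python
"""Entity-category driven attribute release decision (added illustration)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"          # assumed R&S URI
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # from the slides

# R&S bundle as listed on the slide: personal identifiers, pseudonymous
# identifier and affiliation (sn is the LDAP name for surname).
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName", "givenName",
                       "sn", "eduPersonTargetedID", "eduPersonScopedAffiliation"})

# Constructed sample aggregate (not real federation metadata): an R&S SP that also
# asks for an attribute outside the bundle, a CoCo SP, and an SP without a category.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" isRequired="true"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(ed):
    """Entity category URIs declared in the EntityDescriptor's EntityAttributes."""
    cats = set()
    for attr in ed.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return cats


def requested_attributes(ed):
    """(required, optional) attribute names from the SP's RequestedAttribute elements."""
    required, optional = set(), set()
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in ed.iterfind(path, NS):
        name = ra.get("FriendlyName") or ra.get("Name")  # fall back to the OID form
        (required if ra.get("isRequired", "false").lower() == "true" else optional).add(name)
    return required, optional


def release_decision(ed):
    """Illustrative policy (an assumption, not SWITCHaai's rules), see lead-in."""
    cats = entity_categories(ed)
    required, optional = requested_attributes(ed)
    if RS in cats:   # fixed set: requests outside the bundle are not honoured
        return {"policy": "R&S", "release": set(RS_BUNDLE),
                "not_released": (required | optional) - RS_BUNDLE}
    if COCO in cats:  # SP may require any attribute; data minimisation: required only
        return {"policy": "CoCo", "release": set(required), "not_released": set(optional)}
    return {"policy": "none", "release": set(), "not_released": required | optional}


def decisions_for(metadata_xml):
    """Map entityID -> decision for every SP in an aggregate or a single descriptor."""
    root = ET.fromstring(metadata_xml)
    eds = [root] if root.tag == "{%s}EntityDescriptor" % NS["md"] \
        else root.iterfind("md:EntityDescriptor", NS)
    return {ed.get("entityID"): release_decision(ed) for ed in eds
            if ed.find("md:SPSSODescriptor", NS) is not None}
```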

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88


Attribute Release Settings (1)

3

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files

• Log files:
  - error.log: aai-login.example.org.error.log
    LogLevel in /etc/apache2/apache2.conf (default "warn")
  - access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition:
  - dir: /etc/apache2/sites-available
  - file: aai-login.example.org.conf

2

Page 90


Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  - default logging location: /var/log/tomcat7
  - config in /etc/tomcat7/logging.properties
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  - access information associated with a request (IP address, time, request method (GET or POST))
  - default logging location: /var/log/tomcat7
  - config: /etc/tomcat7/server.xml (output dir and name)

3


Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
  - Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  - services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

4

Page 91


Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5


Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, i.e.
  - LDAP auth module or authentication events
  - new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

6

Page 92


SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

7


Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93


Hands On 2: Find out why not all of the attributes appear

9


Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   - set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   - insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2

• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95


New reloading options with v3

• Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3


Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96


And restartless login page editing, too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  - say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5


Still requiring a restart with v3

• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97


(Ideas for) hands-on exercises

• Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events, with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7

Page 98

SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  - opt-in vs opt-out
  - metadata
  - Discovery Service
  - attributes
• Know whom to contact and where to get help

2

Page 99


Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date:
    - interfederation metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  - Federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before
    - if they do not want to participate
    - if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

3


Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

4

Page 100


Metadata

• Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  - in SWITCHaai: two hours
  - for interfederation: one to a few days
• Possible issue
  - SP does not load interfederation metadata
  - SP does not know the IdP and fails

5


Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  - E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  - That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101


Attributes

• Missing attributes cause interoperation problems
  - Check the SP's attribute requirements in the Resource Registry
  - Verify that attributes were released (in the IdP's audit log)
    - If NO: check your IdP's attribute release policy
    - If YES: were all required attributes released?
      - If YES: the SP has to check out why it fails
      - If NO: review your attribute release policy
• Another issue
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

7
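Added example (not code from SWITCH or the Shibboleth project) for the audit-log check on this slide and for the reload entries shown in the hands-on slide of the reloading set: it maps idp-audit.log records to their field codes, collects what was released to a given SP and applies the decision tree above. The field layout (assumed to be the IdP v3 default idp.audit.format) and the sample lines are assumptions; pass your deployment's own format string if it differs.

```python
"""idp-audit.log attribute release check (added illustration)."""

# Assumed IdP v3 default idp.audit.format (idp.properties). The check relies on
# %SP (relying party), %P (profile URI), %u (user) and %attr (released attributes).
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%IDP|%bb|%e|%u|%ac|%attr|%n|%i"

# Constructed sample lines (not from a real IdP): one SSO login with four released
# attributes, one login where nothing was released, and one admin reload event of
# the kind shown on the hands-on slide (only the profile field is populated).
SAMPLE_LOG = """\
20150611T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|student1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,givenName,surname|_n1|_i1
20150611T101545Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT|_a2|https://other-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|student2|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_n2|_i2
20150611T101630Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_audit_line(line, fmt=AUDIT_FORMAT):
    """Split one pipe-separated audit record into a dict keyed by field code.
    A line whose field count does not match the format is rejected instead of
    being silently mis-mapped (what happens when idp.audit.format was changed)."""
    codes = fmt.split("|")
    values = line.rstrip("\n").split("|")
    if len(values) != len(codes):
        raise ValueError("expected %d fields, got %d: %r" % (len(codes), len(values), line))
    rec = dict(zip(codes, values))
    # %attr is a comma-separated list; empty when nothing was released
    rec["attributes"] = set(filter(None, rec.get("%attr", "").split(",")))
    return rec


def _records(lines, fmt):
    for line in lines:
        if line.strip():
            yield parse_audit_line(line, fmt)


def released_to(lines, sp_entity_id, fmt=AUDIT_FORMAT):
    """Union of the attributes the IdP released to the given SP over all records."""
    released = set()
    for rec in _records(lines, fmt):
        if rec.get("%SP") == sp_entity_id:
            released |= rec["attributes"]
    return released


def check_release(lines, sp_entity_id, required, fmt=AUDIT_FORMAT):
    """The slide's decision tree. Returns (verdict, attributes):
    'no-release' -> nothing released at all: check the IdP's attribute release policy
    'incomplete' -> required attributes missing: review the release policy for these
    'complete'   -> everything required went out: the SP has to investigate its side"""
    released = released_to(lines, sp_entity_id, fmt)
    if not released:
        return "no-release", set(required)
    missing = set(required) - released
    if missing:
        return "incomplete", missing
    return "complete", set()


def reload_events(lines, fmt=AUDIT_FORMAT):
    """(timestamp, profile URI) of admin reload flows. As on the hands-on slide, the
    audit record carries only the profile, not the id= argument that was supplied."""
    return [(rec["%T"], rec["%P"]) for rec in _records(lines, fmt)
            if "/profiles/reload-" in rec.get("%P", "")]
```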


Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php
  - pick the country where the entity might be registered
  - under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• Or search it in the eduGAIN List of Entities
  - go to https://technical.edugain.org/entities.php
• Or try the "Is Federated" Checker
  - go to https://wiki.edugain.org/isFederatedCheck
  - provide e-mail addresses or domain names
• Additional web pages of interest
  - Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  - REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org

8

Page 102


Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  - go to https://rr.aai.switch.ch
  - pick "Search for resources"
  - pick "interfederation"
• Or search it in the metadata file
  - /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 2: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

Table of Contents Slide Set Topic Page 1  Shibboleth IdP Version 3 Upgrade 1 2  Test of the VM Images 4 3  Configuration Pattern 10 4  User Authentication 15 5  Login Form Customization 23 6  Attribute Resolution 34 7  Persistent IDs 42 8  User Consent 46 9  Upgrades within Version 3 59 10  Updating the Home Organisation Description 62 11  Clustering IdPs 69 12  Resource Registry 78 13  - Interfederation via eduGAIN 79 14  - Entity Categories 83 15  - Attribute Release Configuration 88 16  Overview of Log Files 90 17  Reloading the Configuration 95 18  New Challenges with Interfederation SPs 99

Separate handouts for   Essential Linux commands   Tips and Tricks for Hands-On Session   Test Users on your Identity Provider   Important Directories

Shibboleth IdP Version 3 Upgrade General observations

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull IdP version 200 released in March 2008ndash followed by 4 minor releases and 18 patch releases (current is 244)

bull IdP version 3 the first major release after ~7 yearsndash 300 December 2014 only very sparse documentation in the Wikindash 310311 March 2015 now being deployed for production use

documentation considerably improved in Q1Q2 2015

bull a good opportunity to start with a fresh environmentndash requires Java 7 or later and Servlet API 30 supportndash best run on an platform with an expected lifetime of 5+ years

bull do not consider an in-place upgrade of your IdP v2deploymentndash even if the Shibboleth installer claims supporting this to some extent

IdP V3 a new milestone

2

Page 1

copy 2015 SWITCH

bull  rely on an OS with long-term support (5+ years) bull use the same Linux distribution one from the same family

which your organization is already using for other services bull  the SWITCH deployment guide has been rewritten to cover

bull  Ubuntu Server 1404 LTS released in April 2014 supported through April 2019

bull  Red Hat Enterprise Linux 7 CentOS 7 released in June 2014 supported through June 2024

bull Debian is no longer covered in the SWITCH guide bull  very similar to Ubuntu though (in case you have strong feelings about

staying with Debian)

Operating system recommendations

3

copy 2015 SWITCH

bull  rely on the operating systemrsquos default Java version ndash for both Ubuntu 1404 and RHEL 7 this is OpenJDK 7 ndash Java 8 has potential pitfalls with scripted attributes (RhinoNashorn

engine incompatibilities) so better stay with Java 7 for the time being

bull use a Java Servlet container which is provided in the form of a package supported by the OS vendor ndash Tomcat 7 is the primary container for both supported OSes ndash you donrsquot have to bother about manually applying security patches

for the Servlet container

bull  run Apache httpd in front of the Servlet container ndash flexible configuration of the TLS endpoints for the IdP ndash mod_proxy_ajp has proven robust with the IdP v2 in the past

Java and Webapp environment

4

Page 2

copy 2015 SWITCH

bull  the IdP requires a relational database for storing persistent identifiers and user consent data

bull  for a single-instance IdP install an SQL database which is packaged by the OS vendor

bull  starting with the IdP v3 deployment guide and when installed on the same system as the IdP SWITCH is favoring PostgreSQL ndash PostgreSQL has a long track record of close SQL standards compliance ndash MariaDB 55 (community-developed source fork of MySQL) would also

be available as a vendor-supplied package but for Ubuntu only in the ldquouniverserdquo component ndash ie without official support for security updates

bull  your favorite RDBMS can be used as well of course ndash a JDBC connector is almost all it takes ndash in particular for clusters other RDBMSes might be better fits

Persistent ID and user consent storage

5

copy 2015 SWITCH

bull etchosts is your friend bull Set up the IdP v3 on a completely new system bull  retain the existing entity ID SAML endpoints and the

SAML certificate bull with SAML 2 most IdP traffic is now front channel

ndash straightforward testing possible by simple edits of your hosts file 192023 aai-loginexampleorg

bull  for back-channel testing a temporary change to an SPrsquos hosts file can be an option

Testing strategy

6

Page 3

Test of the VM Images Boot VM image and test network connectivity

SWITCHaai Team aaiswitchch

copy 2015 SWITCH 2

General Information

 Course material is adapted for use in SWITCHaai

 Course material will be published online  Check httpswwwswitchchaaidocstraining

 If you see this on a slide hands-on work is required

Page 4

copy 2015 SWITCH 3

Boot up the image 1  Open SWITCH-Shibboleth-Trainingvbox in Virtual Box

2  Start the virtual machine (VM)

3  After login Firefox will open automatically Ensure that it displays this page If you dont see this message contact an assistant

copy 2015 SWITCH 4

VM Operating System Environment

  Ubuntu 14042 LTS Virtual BoxVMWare VDK image   User idp-admin Password password (in sudoers list)

  Apache 2 on ports 80 (http) and 443 (https)

  Self-signed SSL web server certificate

  Shibboleth Identity Provider 3 is installed and configured according to SWITCHaai Deployment guide   Network connectivity needed to ldap-test[1|2]aaiswitchch

  Relevant Hostname   Same name for all participants   aai-loginexampleorg

Page 5

copy 2015 SWITCH 5

Test AAI Login with Demo Service Provider

1  In Firefox open aai-demoswitchch (or click on bookmark) 2  Click on Any authenticated user 3  Select the Example Organisation 4  Log in using a test user (eg student1 password1)

copy 2015 SWITCH 6

Essential Commands for Linux DOS Command Linux Command dir ls -l

cd ltdirectorygt cd ltdirectorygt

mkdir or md ltdirectorygt mkdir ltdirectorygt

rmdir or rd ltdirectorygt rmdir ltdirectorygt

chdir pwd

del or erase ltfilegt rm ltfilegt

copy and xcopy ltfilegt cp and cp ndashR ltfilegt find or findstr ltfilegt grep ltstringgt ltfilegt

comp ltfile1gt ltfile2gt diff ltfile1gt ltfile2gt

edit ltfilegt nano or vim or emacs ltfilegt ping lthostgt ping lthostgt

reboot reboot

Page 6

copy 2015 SWITCH

File Editing Commands for Terminal Editor

Editor nano vim

Open file $ nano ltfilegt $ vim ltfilegt

Save file ltctrlgt-o ltescgt w

Save and exit

ltctrlgt-x ltescgt wq

Search string

ltctrlgt-w string ltescgt string

Go to line number

ltctrlgt-- number ltescgt number ltshiftgt-G

gedit is the recommended text editor Is started as root user Its icon is in the launch bar on the left side of the desktop

copy 2015 SWITCH 8

Tips and Tricks for Hands-On Session

 The user and root password for the VM is password

 Lines starting with $ are commands to be executed

 Command should be executed as root user  Happens automatically if Terminal is opened or if text editor is used

 Character is line break symbol which allows to break a line when typed

 Watch out for invalid XMLconfiguration errors  Consult Debugging handout for hints to resolve problems

Page 7

copy 2015 SWITCH 9

More Tips and Tricks for Hands-On Session

 Restart the Tomcat daemon after changes  Unless otherwise mentioned

 Delete session cookies after changes (or restart browser)  Should not be necessary but is safer for testing

 SSH access to connect to your VM (only with VirtualBox) $ ssh -p 2222 idp-admin127001 The password is password Useful for $ tail -f varlogshibbolethshibdlog

 On the VM you will find a web page with useful bookmarks In your web browser open httpsaai-loginexampleorg

copy 2015 SWITCH 10

Test Users on your Identity Provider

 Username student1 Password password1 UniqueID 2490257exampleorg Givenname surname Test1 Student Affiliation studentmember Entitlements urnmacedirentitlementcommon-lib-terms

 Username student2 Password password2

UniqueID 8548997exampleorg Givenname surname Test2 Student Affiliation studentmember Entitlements urnmacedirentitlementcommon-lib-terms

 Username staff3 Password password3 UniqueID 7622788exampleorg Givenname surname Test3 Staff Affiliation staffmember Entitlements urnmacedirentitlementcommon-lib-terms

Page 8

copy 2015 SWITCH

Important directories

  optshibboleth-idp

  Identity Provider Installation directory

  optshibboleth-idpconf

  Configuration files   optshibboleth-idplogs

  Log files like idp-processlog

  optshibboleth-idpcredentials   X509 certificates and private keys

  optshibboleth-idpedit-webapp   Changes for web application that survive upgrades

11

Page 9

SWITCHaai Team aaiswitchch

Configuration Pattern

Get used to Spring Beans and Properties

copy 2015 SWITCH

Whats that

2

lt-- Connection Configuration --gt ltbean id=connectionConfig class=orgldaptiveConnectionConfig abstract=true pldapUrl=idpauthnLDAPldapURL puseStartTLS=idpauthnLDAPuseStartTLStrue puseSSL=idpauthnLDAPuseSSLfalse pconnectTimeout=idpauthnLDAPconnectTimeout3000 psslConfig-ref=sslConfig gt

lt-- Attribute Resolver Configuration --gt ltutillist id =shibbolethAttributeResolverResourcesgt ltvaluegtidphomeconfattribute-resolver-switchaai-corexmlltvaluegt ltvaluegtidphomeconfattribute-resolver-connectorsxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-otherxmlltvaluegt ltutillistgt lt-- Attribute Filter Configuration --gt ltutillist id =shibbolethAttributeFilterResourcesgt ltref bean=FileBackedSWITCHaaiAttributeFiltergt ltutillistgt

Page 10

copy 2015 SWITCH

Configuration Pattern of IdPv3

bull  The IdPv3 configuration builds upon the Spring Framework bull  Configuration is located in XML files bull  There are a lot of wired beans

bull  The whole configuration follows the same pattern bull  With some few exceptions

bull  Wonderfully flexible way to configure components but quite complicated for deployers

3

copy 2015 SWITCH

Understanding Beans and Properties Bean Some software object that is configurable by setting its attributes Property A piece of information keyed by some name (eg idpauthnLDAPuseSSL = true)

4

Page 11

copy 2015 SWITCH

Understanding Beans and Properties

bull The whole configuration of the IdP is specified by alot of beans

bull For convenience the essential configuration can bespecified by properties stored in properties files

bull Still from time to time you will need to directly modifybeans or create new ones

bull The beans are specified in XML notation and thecorresponding software objects are created at runtimewhen the IdP starts

5

copy 2015 SWITCH

Examples of Properties

Configuration file optshibboleth-idpconfFUHGHQWLDOVproperties

LDAP connection parametersidpauthnLDAPldapURL = ldapsldap-test2aaiswitchch636 idpauthnLDAPuseStartTLS = false idpauthnLDAPuseSSL = true idpauthnLDAPsslConfig = jvmTrust idpauthnLDAPbaseDN = ou=Peopledc=exampledc=org idpauthnLDAPsubtreeSearch = true idpauthnLDAPuserFilter = (uid=user) idpauthnLDAPbindDN = cn=idpdc=exampledc=org

bull Each line consists of a pair of a key and a valuebull Comment lines start with an character

6

Page 12

copy 2015 SWITCH

Examples of Beans

bull  Each bean has some name (id) bull  Each bean has some type (class) bull  Attributes (parameters) specify the beans configuration bull  Beans can refer to other beans (wiring)

7

lt-- Connection Configuration --gt ltbean id=connectionConfig class=orgldaptiveConnectionConfig abstract=true pldapUrl=idpauthnLDAPldapURL puseStartTLS=idpauthnLDAPuseStartTLStrue puseSSL=idpauthnLDAPuseSSLfalse pconnectTimeout=idpauthnLDAPconnectTimeout3000 psslConfig-ref=sslConfig gt

Configuration file optshibboleth-idpconfauthnldap-authn-configxml

copy 2015 SWITCH

Examples of Beans bull  There are some helper constructs to define beans Example Beans that are lists of values or lists of other beans Configuration file optshibboleth-idpconfservicesxml ltutillist id =shibbolethAttributeResolverResourcesgt ltvaluegtidphomeconfattribute-resolver-switchaai-corexmlltvaluegt ltvaluegtidphomeconfattribute-resolver-connectorsxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-otherxmlltvaluegt ltutillistgt ltutillist id =shibbolethAttributeFilterResourcesgt ltref bean=FileBackedSWITCHaaiAttributeFiltergt ltutillistgt 8

Page 13

copy 2015 SWITCH

References For comprehensive information refer to the documentation on the Shibboleth Wiki Documentation bull  Configuration

httpswikishibbolethnetconfluencedisplayIDP30Configuration bull  Spring Configuration

httpswikishibbolethnetconfluencedisplayIDP30SpringConfiguration

9

Page 14

SWITCHaai Team aaiswitchch

User Authentication How to do it the v3 way

IdP

copy 2015 SWITCH

From Login Handlers to Login Flows bull  v2 uses Login Handlers

bull  Typicaldefault setup UsernamePassword login handler bull Usernamepassword login form bull Authentication via JAAS and LDAP (loginconfig)

bull  Additional login handlers are available built-in (eg RemoteUser) or as extension (eg X509 Kerberos (SPNEGO))

bull  v3 uses Login Flows (also called Authentication Flows) bull  Typicaldefault setup Password login flow

bull Usernamepassword login form bull Authentication via LDAP (natively) JAAS or Kerberos (usernamepassword)

bull  Additional login flows are available built-in (eg RemoteUser X509) A login flow for SPNEGOKerberos is in development

2

Page 15

copy 2015 SWITCH

Login Flows

3

Shibboleth IdP

RemoteUser Authentication Flow

SAML Request

SAML Response

Authentication Engine Selects suitable flow and executes it

X509 Authentication Flow

Password Authentication Flow

copy 2015 SWITCH

Login Flows bull  One or several flows can be activated bull  The authentication engine of the IdP selects a suitable flow

depending on several criteria bull  Does the SP request a specific authentication context type bull  Does the SP request forced authentication bull  Does the SP request passive authentication

bull  In practice most deployments will use the Password login flow as the only one

bull  ECP is supported out-of-the-box by the Password login flow No special configuration is required bull  But Client must support ECP appropriately

4

Page 16

copy 2015 SWITCH

Authentication Configuration bull  Login flow activation

bull  optshibboleth-idpconfidpproperties The active flows are specified via a regular expression (ie the order doesnt matter) idpauthnflows = Password idpauthnflows = X509|Password

bull  Per login flow configuration bull  optshibboleth-idpconfauthn-configxml

bull  Side note If multiple flows are activated the order of the flows as defined in confauthngeneral-authnxml might influence the flow selection process

5

copy 2015 SWITCH

Configuration Usernamepassword with LDAP bull  Most deployments use this authentication mechanism bull  Login flow for usernamepassword authentication

Password (activated by default) bull  Configuration is done in two properties files

bull  All LDAP parameters except credentials optshibboleth-idpconfldapproperties

bull  Credentials are stored separately (for security reasons) optshibboleth-idpconfcredentialsproperties

bull  The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldapproperties)

6

Page 17

copy 2015 SWITCH

Example Configuration bull  optshibboleth-idpconfldapproperties idpauthnLDAPauthenticator = bindSearchAuthenticator idpauthnLDAPldapURL = ldapsldap-test2aaiswitchch636 idpauthnLDAPuseStartTLS = false idpauthnLDAPuseSSL = true idpauthnLDAPsslConfig = jvmTrust idpauthnLDAPbaseDN = ou=Peopledc=exampledc=org idpauthnLDAPsubtreeSearch = true idpauthnLDAPuserFilter = (uid=user) idpauthnLDAPbindDN = cn=idpdc=exampledc=org

bull  optshibboleth-idpconfcredentialsproperties [] idpauthnLDAPbindDNCredential = secret []

7

copy 2015 SWITCH

Properties for LDAP authentication bull  General options

bull  idpauthnLDAPauthenticator User lookup and authentication method Must be set to bindSearchAuthenticator

bull  Connection options bull  idpauthnLDAPldapURL

URL of the LDAP server(s) Must start with ldap or ldaps (Multiple servers can be specified by listing multiple URLs separated by spaces)

bull  idpauthnLDAPuseStartTLS Enable TLS encryption for ldap URLs (port 389) (if not enabled the connection is not encrypted)

bull  idpauthnLDAPuseSSL Enable TLS encryption for ldaps URLs (port 636) Must usually be set to true

8

Page 18

copy 2015 SWITCH

Properties for LDAP authentication bull  Connection options (continued)

bull  idpauthnLDAPsslConfig Type of X509 certificate verification method Usually set to jvmTrust

bull  User Directory options bull  idpauthnLDAPbaseDN

Entry point in user directory bull  idpauthnLDAPsubtreeSearch

Enable searching the whole tree Usually set to true bull  idpauthnLDAPuserFilter

LDAP search filter Takes the login name as input

9

copy 2015 SWITCH

Properties for LDAP authentication bull  LDAP service user options

(The IdP connects to the LDAP server as this user to search for users) bull  idpauthnLDAPbindDN

Bind DN of the IdP service user bull  idpauthnLDAPbindDNCredential

Password of the IdP service user

(Further properties for LDAP are available but not described here See

the documentation for details)

10

Page 19

copy 2015 SWITCH

Hands-on 1: Explore the configuration
Get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?


Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)


Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2: File /opt/shibboleth-idp/conf/login.properties

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};

PS: Common and equivalent alternative to userField: userFilter
  userField="uid" corresponds to userFilter="uid={0}"


Hands-on 2: Solution

To IdPv3: File /opt/shibboleth-idp/conf/ldap.properties
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/credentials.properties
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
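A converter for this migration step, added here as an example and not part of the SWITCH handout or the Shibboleth software: it assumes one LdapLoginModule entry in the v2 JAAS layout shown above, emits the idp.authn.LDAP.* keys from the slides, and keeps the bind password out of ldap.properties.

```python
"""Convert an IdPv2 JAAS LdapLoginModule entry into IdPv3 ldap.properties.

Added example for this handout; not SWITCH's or the Shibboleth project's code.
Assumes one LdapLoginModule entry in the login.config layout of Hands-on 2; the
option names (ldapUrl, baseDn, ...) and the idp.authn.LDAP.* keys are the ones
listed on the slides.
"""
import re

# Constructed sample input: the IdPv2 entry shown on the Hands-on 2 slide.
LOGIN_CONFIG_V2 = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

_OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text):
    """Return the name="value" options of the LdapLoginModule entry as a dict."""
    match = re.search(r'LdapLoginModule\s+\w+(.*?);', text, re.S)
    if not match:
        raise ValueError("no LdapLoginModule entry found")
    return dict(_OPTION_RE.findall(match.group(1)))


def user_filter_from_jaas(opts):
    """Map userField, or the equivalent userFilter with {0}, to the v3 userFilter."""
    if "userField" in opts:
        return "(%s={user})" % opts["userField"]
    if "userFilter" in opts:
        flt = opts["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else "(%s)" % flt
    raise ValueError("neither userField nor userFilter given")


def convert(text):
    """Return (ldap_properties, credentials_properties) dicts for IdPv3.

    The bind password goes to credentials.properties only, as on the slides, so
    ldap.properties can be shared or versioned without leaking the secret.
    """
    opts = parse_jaas_options(text)
    urls = opts["ldapUrl"].split()
    schemes = {u.split("://", 1)[0] for u in urls}
    if schemes not in ({"ldap"}, {"ldaps"}):
        raise ValueError("mixed or unknown URL schemes: %s" % sorted(schemes))
    use_ssl = schemes == {"ldaps"}
    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # plain ldap:// without StartTLS would send the bind password unencrypted,
        # so StartTLS is switched on whenever the URLs are not ldaps://
        "idp.authn.LDAP.useStartTLS": str(not use_ssl).lower(),
        "idp.authn.LDAP.useSSL": str(use_ssl).lower(),
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter_from_jaas(opts),
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    cred_props = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap_props, cred_props


def render(props):
    """Render a dict as Java properties lines, one key = value per line."""
    return "".join("%s = %s\n" % item for item in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = convert(LOGIN_CONFIG_V2)
    print("# /opt/shibboleth-idp/conf/ldap.properties")
    print(render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties")
    print(render(cred_props))
```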


Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using specific JAAS module)
• See the documentation on the Shibboleth wiki for details


References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration


Login Form Customization
Templates and Customization

SWITCHaai Team
aai@switch.ch


Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site


Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat


Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.


error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.


authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?


authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.


Velocity Properties
<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>


Velocity
• The Apache Velocity Engine is a free open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#


Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.


Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName


Velocity Properties
#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end


Hands On I
• make the IdP logo disappear for screens smaller than 799 px


Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."


Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP


Example Solution I
• define a css class idp_logo
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart


Example Solution II
• Edit authn-messages.properties
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.


Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding


Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer


Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
• Move passwords in a dedicated file
• Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors


New features example
<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

source: Resource Registry


Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in Resource Registry too


Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
• output attribute variable already created
• setValues() removed
• and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt


Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>


References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide


Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend


Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
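The default persistent ID computation and the two renderings described above, as an added example (not SWITCH's or the Shibboleth project's code): the slide gives the inputs, SHA-1 and Base64; the "!" separators between the hashed parts are an assumption taken from the Shibboleth computed-ID strategy, and the entity IDs, attribute value and salt are constructed samples.

```python
"""Compute a Shibboleth-style persistent ID and its SP-side rendering.

Added example for this handout; not SWITCH's or the Shibboleth project's code.
The slide states the inputs (SP entityID, user attribute value, salt), SHA-1 and
Base64. The "!" separators between the hashed parts are an assumption taken from
the Shibboleth computed-ID strategy; the minimum salt length is a defensive
choice of this example. All sample values below are constructed.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"            # e.g. a swissEduPersonUniqueID value
SALT = "REPLACE-WITH-A-LONG-SECRET-SALT"       # placeholder; the real salt stays secret

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Base64(SHA-1(sp_entity_id + "!" + source_value + "!" + salt)), 28 characters."""
    if len(salt) < 16:
        # the pseudonym is only as unguessable as the salt; refuse short ones
        raise ValueError("salt must be at least 16 characters")
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def is_well_formed_persistent_id(value):
    """True when value is the Base64 form of a 20-byte SHA-1 digest."""
    try:
        return len(value) == 28 and len(base64.b64decode(value, validate=True)) == 20
    except (ValueError, TypeError):
        return False


def name_id_element(idp_entity_id, sp_entity_id, value):
    """The NameID as it appears on the wire in a SAML 2 assertion."""
    return ('<NameID Format="%s" NameQualifier="%s" SPNameQualifier="%s">%s</NameID>'
            % (PERSISTENT_FORMAT, idp_entity_id, sp_entity_id, value))


def sp_attribute_string(idp_entity_id, sp_entity_id, value):
    """The qualified string form the Shibboleth SP hands to applications."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def split_sp_attribute_string(qualified):
    """Parse the SP string back into (IdP entityID, SP entityID, value).

    Base64 never contains "!", so splitting on it is unambiguous.
    """
    parts = qualified.split("!")
    if len(parts) != 3:
        raise ValueError("expected idp!sp!value")
    return tuple(parts)


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_attribute_string(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

The same user yields a different value for every SP and for every salt, which is why the salt carried over from v2 must be kept exactly, or every persistent ID changes.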

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes


Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump


(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table


User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits


User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt user on first access to every SP and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged


Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws


Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland


Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides

Post-authentication flows
• Attribute consent [enabled]
• Terms of use consent [disabled]


Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]


Attribute consent configuration
Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists
• Which attribute to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]


Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still entityID (default value available)


Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP


Hands-on solution
• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add text in messages/consent-messages.properties
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want


References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs


Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins, order in con/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType


Example metadata with attributes
<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>


Upgrades within Version 3
It's easy now

SWITCHaai Team
aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!


Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service


Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.


References: Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes


Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team
aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata!


Does metadata change when IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes


IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same
  • Unlike upgrade from IdPv1 to IdPv2
  • Therefore, no metadata/Resource Registry change needed in theory
• However, some changes still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change Home Organisation description
  • Apply change in AAI Resource Registry: https://rr.aai.switch.ch


Home Organisation Description
1, 2: To review
3: To adapt


1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1. General Information
  • Interfederation Support (option only available if Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  • Add new IP ranges and Domain Hints
• 5. Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings
  • Default attribute release policies: consider to release all R&S attributes


2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for IdP Attribute Authority (AA)


2. Change URL for Attribute Authority
New Recommendation: use same IP and same port (443) for Attribute Authority (AA)
Why?
• Easier configuration because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (SP still checks IdP webserver certificate against IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)


But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.


2. Change URL for Attribute Authority
What to adapt in Resource Registry then? In 3. Technical Information, change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp


3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3. Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!


3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from Resource Registry.
How to check if it has been used? Check log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time
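A small aggregation of the log check above, added as an example (not SWITCH's code): per candidate binding and SP it reports the last use and the count, over constructed sample log lines; the line layout (date, binding URI, SP entityID) is assumed, so LINE_RE must be adapted to the real idp-process log format.

```python
"""Report the last use of rarely used SAML bindings from IdP process logs.

Added example for this handout; not SWITCH's code. The slide gives the grep
check and the binding candidates; the log line layout below (date, binding URI,
SP entityID on one line) is an assumption, and the sample lines are constructed.
Adapt LINE_RE to the real idp-process log format before relying on the output.
"""
import re
from collections import defaultdict

# Binding URIs behind the "candidates to remove" slide.
CANDIDATE_BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding":
        "SAML1 SOAP (Attribute Service, Artifact Resolution Service)",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign":
        "SAML2 HTTP-POST-SimpleSign (Single Sign On Service)",
}

# Constructed sample lines, not real IdP output.
SAMPLE_LOG = """\
2015-02-03 08:12:44,001 - INFO - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
2015-04-20 14:02:10,332 - INFO - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-05-30 09:00:01,777 - INFO - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
"""

# date, binding URI and requester entityID; ISO dates compare correctly as strings
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}).*?(urn:oasis:names:tc:SAML:[\w.:-]+).*?(https?://\S+)")


def binding_usage(lines):
    """Map candidate binding URI -> {SP entityID -> (last date, count)}."""
    usage = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        date, binding, sp = m.groups()
        if binding not in CANDIDATE_BINDINGS:
            continue
        last, count = usage[binding].get(sp, ("", 0))
        usage[binding][sp] = (max(last, date), count + 1)
    return dict(usage)


def removable(lines):
    """Candidate bindings never seen in the lines: safe to drop from metadata."""
    seen = binding_usage(lines)
    return sorted(b for b in CANDIDATE_BINDINGS if b not in seen)


def report(lines):
    """Human-readable summary, one line per binding and SP."""
    out = []
    usage = binding_usage(lines)
    for binding, label in CANDIDATE_BINDINGS.items():
        sps = usage.get(binding, {})
        if not sps:
            out.append("%s: never used -> candidate for removal" % label)
        for sp, (last, count) in sorted(sps.items()):
            out.append("%s: %s, %d use(s), last on %s" % (label, sp, count, last))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```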


Clustering IdPs
High Availability and Load Balancing

SWITCHaai Team
aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2.
• In particular, user login sessions are stored on the client (in a cookie) instead of in server memory.
• Allows flexible configuration of various storage services (memory, server-side, client-side).
• In theory clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID.
  – Storing user consents per browser is not convenient for users.
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP.
• Special configuration of the IdP is required.
• Load balancing requires special hardware or software.
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment
(two architecture diagrams of a load-balanced IdP cluster, not reproduced in the handout text)

Options: Load Balancing Hardware vs. DNS Round Robin
• Full-featured setup
  – Special load balancing hardware or software is highly recommended:
    • guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • supports sticky sessions (required for the short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably:
    • the behaviour of clients is not determinable
    • it does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  – but it might cause some performance penalty
  – a centralized/clustered or replicated database is required
• Client-side storage using cookies
  – doesn't work for large data like user consents
  – stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities (1)
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdP nodes access a common storage to fully support Attribute Queries

Storage Entities (2)
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node: a message already seen by one node is not recognised as a replay by another node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes.
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
• Alternatives for the message replay cache: common database or memcached (depending on security requirements).

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
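The following checker turns the "Storage Recommendations" table and the idp.properties keys from the "IdP Configuration: Storage" slide into an automated review of a node's configuration. It is an added example written for this handout, not a SWITCH or Shibboleth tool. The bean IDs shibboleth.StorageService, shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService and shibboleth.MemcachedStorageService are the storage services shipped with IdP v3, shibboleth.JPAStorageService is the database-backed bean from the SWITCH deployment guide, the fallback defaults are those of the IdP v3 distribution's idp.properties, and the two properties fragments are constructed, not taken from a real deployment.

```python
"""Compare the storage-service settings in idp.properties with the cluster
recommendations of the "Storage Recommendations" table.  Added example, not
part of the SWITCH handouts or the IdP distribution."""
import re

# Storage service bean IDs shipped with IdP v3; shibboleth.JPAStorageService is
# the database-backed service the SWITCH deployment guide defines in global.xml.
MEMORY_PER_NODE = "shibboleth.StorageService"
CLIENT_SESSION = "shibboleth.ClientSessionStorageService"
CLIENT_PERSISTENT = "shibboleth.ClientPersistentStorageService"
COMMON_DB = "shibboleth.JPAStorageService"
MEMCACHED = "shibboleth.MemcachedStorageService"

# Values the IdP v3 distribution uses when the key is absent from idp.properties.
IDP_DEFAULTS = {
    "idp.session.StorageService": CLIENT_SESSION,
    "idp.consent.StorageService": CLIENT_PERSISTENT,
    "idp.artifact.StorageService": MEMORY_PER_NODE,
    "idp.replayCache.StorageService": MEMORY_PER_NODE,
}

# Bean IDs acceptable for a cluster, per storage entity (table on the slide;
# the replay cache may stay per node unless security requirements say otherwise).
CLUSTER_OK = {
    "idp.session.StorageService": {CLIENT_SESSION},
    "idp.consent.StorageService": {COMMON_DB},
    "idp.artifact.StorageService": {COMMON_DB},
    "idp.replayCache.StorageService": {MEMORY_PER_NODE, COMMON_DB, MEMCACHED},
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_storage(text):
    """Storage bean per entity, falling back to the distribution defaults."""
    props = parse_properties(text)
    return {key: props.get(key, default) for key, default in IDP_DEFAULTS.items()}


def cluster_findings(text, artifacts_used=True):
    """List (property, configured bean, acceptable beans) for each setting that
    would break on a second node or lose data after a node failure."""
    findings = []
    for key, bean in effective_storage(text).items():
        if key == "idp.artifact.StorageService" and not artifacts_used:
            continue  # irrelevant if SAML 2.0 artifacts are not used at all
        if bean not in CLUSTER_OK[key]:
            findings.append((key, bean, sorted(CLUSTER_OK[key])))
    return findings


# Constructed idp.properties fragments (not taken from a real deployment).
SINGLE_NODE = """
idp.session.StorageService = shibboleth.ClientSessionStorageService
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
"""
CLUSTER = """
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for key, bean, ok in cluster_findings(SINGLE_NODE):
        print("%s = %s  (cluster: use one of %s)" % (key, bean, ", ".join(ok)))
```

Run it against the idp.properties of every node before the second node goes live; a commented-out key silently falls back to the single-node default, which is exactly the case the SINGLE_NODE fragment reproduces for the consent store.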

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• In the IdP v3 the key lives in the keystore credentials/sealer.jks together with the version file credentials/sealer.kver (idp.sealer.storeResource and idp.sealer.versionResource in idp.properties); bin/seckeygen.sh adds a new key version to the keystore. Older versions are kept, so cookies sealed with the previous key still decrypt after a rotation, but a node that has not yet received the updated keystore cannot read cookies sealed with the new key. Copy both files to all nodes promptly after each rotation.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  – Install an appropriate cronjob.
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team aai@switch.ch

Goals
• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team aai@switch.ch

Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation.
  – Enable the IdP for interfederation: its users will be able to access services from other federations.
  – Enable the SP for interfederation: the service can serve users from other federations.

All Academic Identity Federations Globally
(world map of production and pilot federations, not reproduced; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
(screenshot, not reproduced; see https://www.switch.ch/aai/interfederation)

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                     Defined in   Example
displayName                       eduPerson    Peter Sample
common name (cn)                  eduPerson    Peter Sample
mail                              eduPerson    peter.sample@example.org
eduPersonAffiliation              eduPerson    staff
eduPersonScopedAffiliation        eduPerson    staff@example.org
eduPersonPrincipalName            eduPerson    234cd8z239@example.org
schacHomeOrganization             SCHAC        example.org
schacHomeOrganizationType         SCHAC        urn:schac:homeOrganizationType:ch:university
                                               urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /             eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
(screenshot of the Resource Registry, not reproduced; see https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in to eduGAIN
  – Some federations decided for opt-out instead
• The MDS (metadata service) fetches, aggregates and republishes metadata
• Policy framework documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
(screenshot of an entity-category tag in SAML metadata, not reproduced)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Goal: increase the trust in Service Providers (SPs). Each SP commits to the GÉANT Data Protection Code of Conduct; each Home Organisation (HO) learns the SP's commitment from the entity category tag in the SP's metadata instead of negotiating bilaterally.

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

Entity category URI: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
Home page: https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = givenName + sn, or displayName)

Comparison

              REFEDS R&S                    GÉANT DP CoCo
Scope         Global                        Mainly Europe
Basis         Common purpose of the SPs     Common data protection standards
Attributes    Fixed set of attributes       SP can request any attributes
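The practical side of the two categories is how an IdP recognises them in an SP's metadata and what it releases as a consequence. The following is an added example written for this handout, not SWITCH or Shibboleth code: it reads the mdattr:EntityAttributes extension of an EntityDescriptor, and derives the release bundle from the rules condensed on the previous slides (R&S: the fixed bundle; CoCo: only the attributes the SP marks as required, leaving optional ones to user consent). The category URIs are the published ones; the R&S bundle is the slide's list; the three EntityDescriptors are constructed samples, and their RequestedAttribute Name values are simplified (real metadata carries OID URNs there, which is why the code prefers FriendlyName).

```python
"""Read the entity categories an SP asserts in its SAML metadata and derive the
attribute bundle an IdP would release under R&S or the DP CoCo.  Added example,
not part of the SWITCH handouts; sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
DP_COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"

# R&S bundle from the slides: a fixed set, independent of what the SP requests.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonTargetedID", "eduPersonScopedAffiliation"}


def entity_categories(entity_descriptor_xml):
    """Set of entity-category URIs found in <mdattr:EntityAttributes>."""
    root = ET.fromstring(entity_descriptor_xml)
    cats = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return cats


def requested_attributes(entity_descriptor_xml):
    """(required, optional) attribute names from <md:RequestedAttribute>."""
    root = ET.fromstring(entity_descriptor_xml)
    required, optional = set(), set()
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in root.findall(path, NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        (required if ra.get("isRequired") == "true" else optional).add(name)
    return required, optional


def release_bundle(entity_descriptor_xml):
    """(category, attributes to release).  R&S wins over CoCo because its bundle
    is fixed; CoCo releases only isRequired="true" attributes (data
    minimisation); without a category nothing is released, a bilateral rule is
    needed instead."""
    cats = entity_categories(entity_descriptor_xml)
    if REFEDS_RS in cats:
        return "R&S", set(RS_BUNDLE)
    if DP_COCO_V1 in cats:
        required, _ = requested_attributes(entity_descriptor_xml)
        return "CoCo", required
    return None, set()


def sp_metadata(entity_id, categories, required=(), optional=()):
    """Build a constructed EntityDescriptor for the samples below."""
    cat_values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % c for c in categories)
    reqs = "".join('<md:RequestedAttribute FriendlyName="%s" Name="%s" isRequired="%s"/>'
                   % (n, n, "true" if r else "false")
                   for n, r in [(a, True) for a in required] + [(a, False) for a in optional])
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s" entityID="%s">'
        "<md:Extensions><mdattr:EntityAttributes>"
        '<saml:Attribute Name="%s" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">%s</saml:Attribute>'
        "</mdattr:EntityAttributes></md:Extensions>"
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AttributeConsumingService index="1">%s</md:AttributeConsumingService>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    ) % (NS["md"], NS["mdattr"], NS["saml"], entity_id, ENTITY_CATEGORY, cat_values, reqs)


# Constructed samples (not real federation metadata).
COCO_SP = sp_metadata("https://sp.example.org/shibboleth", [DP_COCO_V1],
                      required=["eduPersonScopedAffiliation", "mail"], optional=["displayName"])
RS_SP = sp_metadata("https://wiki.example.edu/shibboleth", [REFEDS_RS])
PLAIN_SP = sp_metadata("https://other.example.net/shibboleth", [])

if __name__ == "__main__":
    for sp in (COCO_SP, RS_SP, PLAIN_SP):
        print(release_bundle(sp))
```

In a Shibboleth IdP the same decision is expressed declaratively in attribute-filter.xml with an EntityAttributeExactMatch policy requirement keyed on the category URI; the script is useful to audit what the aggregate you loaded actually asserts before such a rule goes live.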

Attribute Release Configuration: How attributes are released
SWITCHaai Team aai@switch.ch

Attribute Release Rules
(screenshot, not reproduced)

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings; not reproduced)

Attribute Release Settings (2)
(screenshot, not reproduced)

Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files
• Log files
  – error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available
  – file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties; the FileHandler's .level is one of SEVERE, WARNING, INFO (default), CONFIG, FINE, FINER, FINEST or ALL
• localhost_access_log.YYYY-MM-DD.txt: access information associated with each request (IP address, time, request method GET or POST)
  – default location: /var/log/tomcat7
  – configured by the AccessLogValve in /etc/tomcat7/server.xml (output dir and name)
• localhost.YYYY-MM-DD.log: messages from the web applications deployed under the localhost host, configured in logging.properties (not the access log)

Shibboleth log files (1)
• Logging implementation: Logback, the Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error (SMTPAppender, see "SMTPAppender in logback.xml")

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log (warnings and errors only)
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml, with three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  – LDAP auth module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

```xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>
```

Although the root logger is at DEBUG here, the SMTPAppender's default evaluator only sends a mail when an ERROR-level event arrives; the mail then contains the buffered events preceding the error (256 by default), which is what makes it useful for diagnosis.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear
(screenshot of the AAI Demo Service attribute page, not reproduced)

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContextName)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries from
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat.

Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep '<bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
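A reload that fails (for instance because of a syntax error in the file) leaves the previously loaded configuration in place, but you only learn that from idp-process.log afterwards. The following added example, written for this handout and not a Shibboleth or SWITCH tool, wraps the reload-service admin flow described above: it checks that every file behind a service is at least well-formed XML before calling the flow, and rejects bean IDs that are not in the list on the slide. The file lists per service are the IdP v3 distribution defaults from conf/services.xml (adapt them if your services.xml differs), the /opt/shibboleth-idp path is the one used throughout these handouts, and the FAKE_FILES mapping is a constructed stand-in for files on disk so the checks run without an IdP present.

```python
"""Pre-flight a service reload: verify the files behind a reloadable service
are well-formed XML, then call the IdP's reload-service admin flow.  Added
example, not a Shibboleth or SWITCH tool."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IDP_HOME = "/opt/shibboleth-idp"

# Reloadable services (bean IDs from the slide) and the configuration files
# they read by default; adjust to your services.xml.
SERVICE_FILES = {
    "shibboleth.LoggingService": ["conf/logback.xml"],
    "shibboleth.AttributeFilterService": ["conf/attribute-filter.xml"],
    "shibboleth.AttributeResolverService": ["conf/attribute-resolver.xml"],
    "shibboleth.NameIdentifierGenerationService": ["conf/saml-nameid.xml"],
    "shibboleth.RelyingPartyResolverService": ["conf/relying-party.xml", "conf/credentials.xml"],
    "shibboleth.MetadataResolverService": ["conf/metadata-providers.xml"],
    "shibboleth.ReloadableAccessControlService": ["conf/access-control.xml"],
}


def reload_url(base_url, bean_id):
    """URL of the reload-service admin flow; rejects unknown bean IDs early."""
    if bean_id not in SERVICE_FILES:
        raise ValueError("unknown service bean id: " + bean_id)
    query = urllib.parse.urlencode({"id": bean_id})
    return "%s/idp/profile/admin/reload-service?%s" % (base_url.rstrip("/"), query)


def xml_error(text):
    """None if text is well-formed XML, otherwise the parser's message."""
    try:
        ET.fromstring(text)
        return None
    except ET.ParseError as err:
        return str(err)


def read_file(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def preflight(bean_id, read=read_file):
    """{path: error} for each file of the service that does not parse.
    `read` is injectable so the check can be exercised without an IdP on disk."""
    errors = {}
    for rel in SERVICE_FILES[bean_id]:
        path = IDP_HOME + "/" + rel
        err = xml_error(read(path))
        if err is not None:
            errors[path] = err
    return errors


def reload_service(base_url, bean_id, read=read_file):
    """Reload only if all files parse.  Run this on the node itself (or from a
    host allowed in access-control.xml): the admin flows are restricted."""
    errors = preflight(bean_id, read)
    if errors:
        raise RuntimeError("not reloading %s, malformed files: %s" % (bean_id, errors))
    with urllib.request.urlopen(reload_url(base_url, bean_id), timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


# Constructed stand-in for the files on disk, used by the checks below.
FAKE_FILES = {
    IDP_HOME + "/conf/attribute-filter.xml":
        '<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"/>',
    IDP_HOME + "/conf/relying-party.xml": "<beans><bean id='x'></beans>",  # unclosed <bean>
    IDP_HOME + "/conf/credentials.xml": "<beans/>",
}

if __name__ == "__main__":
    for bean in ("shibboleth.AttributeFilterService", "shibboleth.RelyingPartyResolverService"):
        print(bean, preflight(bean, FAKE_FILES.__getitem__) or "ok")
```

Well-formedness is only the first gate: Spring wiring errors or a wrong bean reference still surface at reload time, so check idp-process.log after each call regardless of the HTTP status.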

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate, i.e. once the configuration is up to date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: discovery service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities are unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service itself opted out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue: the SP does not load interfederation metadata
  – the SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
    (your IdP has no metadata for this SP, so the request is handled by the relying-party configuration for unknown SPs, in which no SSO profile is enabled)

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    • If YES: the SP has to find out why it fails
    • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, not encrypted, SAML assertions, so that problem was not discovered earlier.
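Both the "verify that attributes were released" step above and the earlier check for unused bindings (slide "3. Remove Unnecessary Endpoints") are questions the audit log answers directly, because every record carries the inbound and outbound binding, the relying party and the released attribute list. The script below is an added example written for this handout, not SWITCH or Shibboleth code. It assumes the IdP v3 default audit format from conf/audit.xml (%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%d|%s|%SS|%SM|%UA); if your deployment changed the format map, set AUDIT_FORMAT accordingly. The records in SAMPLE are constructed, not real log data.

```python
"""Answer two questions from idp-audit.log: when did an SP last use a given
binding, and which attributes were released to an SP.  Added example, not part
of the SWITCH handouts.  AUDIT_FORMAT is the assumed IdP v3 default."""

# Assumed default audit format (conf/audit.xml); the field tokens become keys.
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%d|%s|%SS|%SM|%UA"
FIELDS = AUDIT_FORMAT.split("|")

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_audit_line(line):
    """Map one pipe-separated audit record onto the format tokens; short lines
    (older records, trailing empty fields) are padded so lookups never fail."""
    values = line.rstrip("\n").split("|")
    values += [""] * (len(FIELDS) - len(values))
    return dict(zip(FIELDS, values))


def last_use_of_binding(lines, binding):
    """{SP entityID: latest timestamp} over records whose inbound (%b) or
    outbound (%bb) binding equals `binding`.  Timestamps are ISO basic
    (20150611T081502Z), so plain string comparison orders them correctly."""
    latest = {}
    for rec in map(parse_audit_line, lines):
        if binding in (rec["%b"], rec["%bb"]) and rec["%SP"]:
            latest[rec["%SP"]] = max(latest.get(rec["%SP"], ""), rec["%T"])
    return latest


def attributes_released(lines, sp):
    """Set of attribute IDs released to `sp` across all records."""
    released = set()
    for rec in map(parse_audit_line, lines):
        if rec["%SP"] == sp and rec["%attr"]:
            released.update(rec["%attr"].split(","))
    return released


def missing_attributes(lines, sp, required):
    """Required attributes (per the Resource Registry) never seen for `sp`."""
    return set(required) - attributes_released(lines, sp)


def make_record(fields):
    """Assemble a record from a {token: value} mapping (for the samples)."""
    return "|".join(fields.get(f, "") for f in FIELDS)


# Constructed sample records (not real log data).
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://legacy.example.net/shibboleth"
SAMPLE = [
    make_record({"%T": "20150611T081502Z", "%b": SAML2_REDIRECT, "%SP": SP_A,
                 "%P": "http://shibboleth.net/ns/profiles/saml2/sso/browser", "%bb": SAML2_POST,
                 "%u": "student1", "%attr": "mail,displayName,eduPersonScopedAffiliation"}),
    make_record({"%T": "20150312T143000Z", "%b": SAML1_SOAP, "%SP": SP_B, "%bb": SAML1_SOAP,
                 "%u": "staff1", "%attr": "eduPersonAffiliation"}),
    make_record({"%T": "20150105T090000Z", "%b": SAML1_SOAP, "%SP": SP_B, "%bb": SAML1_SOAP,
                 "%attr": "eduPersonAffiliation"}),
    make_record({"%T": "20150610T100000Z", "%b": SAML2_REDIRECT, "%SP": SP_A, "%bb": SAML2_POST,
                 "%u": "student1", "%attr": "mail,displayName"}),
]

if __name__ == "__main__":
    # With real files: lines = open("/opt/shibboleth-idp/logs/idp-audit.log", encoding="utf-8")
    print("last SAML1 SOAP use:", last_use_of_binding(SAMPLE, SAML1_SOAP))
    print("missing for", SP_A, missing_attributes(SAMPLE, SP_A, ["mail", "eduPersonPrincipalName"]))
```

Feed it the concatenation of the rolled idp-audit-*.log files to cover the "last few months" the endpoint-removal slide asks about; an SP that never appears with the SAML1 SOAP binding in that window is a safe candidate for removing the endpoint from the Resource Registry.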

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Operating system recommendations
• rely on an OS with long-term support (5+ years)
• use the same Linux distribution (or one from the same family) which your organization is already using for other services
• the SWITCH deployment guide has been rewritten to cover
  – Ubuntu Server 14.04 LTS: released in April 2014, supported through April 2019
  – Red Hat Enterprise Linux 7 / CentOS 7: released in June 2014, supported through June 2024
• Debian is no longer covered in the SWITCH guide; it is very similar to Ubuntu though (in case you have strong feelings about staying with Debian)

Java and Webapp environment
• rely on the operating system's default Java version
  – for both Ubuntu 14.04 and RHEL 7 this is OpenJDK 7
  – Java 8 has potential pitfalls with scripted attributes (Rhino/Nashorn engine incompatibilities), so better stay with Java 7 for the time being
• use a Java Servlet container which is provided in the form of a package supported by the OS vendor
  – Tomcat 7 is the primary container for both supported OSes
  – you don't have to bother about manually applying security patches for the Servlet container
• run Apache httpd in front of the Servlet container
  – flexible configuration of the TLS endpoints for the IdP
  – mod_proxy_ajp has proven robust with the IdP v2 in the past

Persistent ID and user consent storage
• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters other RDBMSes might be better fits

Testing strategy
• /etc/hosts is your friend
• set up the IdP v3 on a completely new system
• retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2 most IdP traffic is now front channel
  – straightforward testing possible by a simple edit of your hosts file: 192.0.2.3 aai-login.example.org
• for back-channel testing a temporary change to an SP's hosts file can be an option

Test of the VM Images: Boot VM image and test network connectivity
SWITCHa​ai Team aai@switch.ch

General Information
• Course material is adapted for use in SWITCHaai
• Course material will be published online: check https://www.switch.ch/aai/docs/training
• If you see the hands-on symbol on a slide, hands-on work is required

copy 2015 SWITCH 3

Boot up the image

1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant

VM Operating System Environment

- Ubuntu 14.04.2 LTS VirtualBox/VMware VDK image
- User idp-admin, password "password" (in sudoers list)
- Apache 2 on ports 80 (http) and 443 (https)
- Self-signed SSL web server certificate
- Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide
- Network connectivity needed to ldap-test[1|2].aai.switch.ch
- Relevant hostname (same name for all participants): aai-login.example.org

Test AAI Login with Demo Service Provider

1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux

DOS command                 Linux command
dir                         ls -l
cd <directory>              cd <directory>
mkdir or md <directory>     mkdir <directory>
rmdir or rd <directory>     rmdir <directory>
chdir                       pwd
del or erase <file>         rm <file>
copy and xcopy <file>       cp and cp -R <file>
find or findstr <file>      grep <string> <file>
comp <file1> <file2>        diff <file1> <file2>
edit <file>                 nano or vim or emacs <file>
ping <host>                 ping <host>
reboot                      reboot

File Editing Commands for Terminal Editor

                    nano                 vim
Open file           $ nano <file>        $ vim <file>
Save file           <ctrl>-o             <esc> :w
Save and exit       <ctrl>-x             <esc> :wq
Search string       <ctrl>-w string      <esc> /string
Go to line number   <ctrl>-_ number      <esc> :number  (or number <shift>-G)

gedit is the recommended text editor. It is started as root user; its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session

- The user and root password for the VM is "password"
- Lines starting with $ are commands to be executed
- Commands should be executed as root user. This happens automatically if the Terminal is opened or if the text editor is used
- The \ character is the line break symbol, which allows you to break a long command line when typing it
- Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems

More Tips and Tricks for Hands-On Session

- Restart the Tomcat daemon after changes (unless otherwise mentioned)
- Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing
- SSH access to connect to your VM (only with VirtualBox): $ ssh -p 2222 idp-admin@127.0.0.1 (the password is "password"). Useful for: $ tail -f /var/log/shibboleth/shibd.log
- On the VM you will find a web page with useful bookmarks. In your web browser, open https://aai-login.example.org

Test Users on your Identity Provider

- Username: student1, Password: password1
  UniqueID: 2490257@example.org, Givenname/surname: Test1 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
- Username: student2, Password: password2
  UniqueID: 8548997@example.org, Givenname/surname: Test2 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
- Username: staff3, Password: password3
  UniqueID: 7622788@example.org, Givenname/surname: Test3 Staff, Affiliation: staff, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories

- /opt/shibboleth-idp: Identity Provider installation directory
- /opt/shibboleth-idp/conf: configuration files
- /opt/shibboleth-idp/logs: log files like idp-process.log
- /opt/shibboleth-idp/credentials: X.509 certificates and private keys
- /opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades

Configuration Pattern
Get used to Spring Beans and Properties

SWITCHaai Team, aai@switch.ch

What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>

Configuration Pattern of IdPv3

- The IdPv3 configuration builds upon the Spring Framework
- Configuration is located in XML files
- There are a lot of wired beans
- The whole configuration follows the same pattern, with some few exceptions
- Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

- Bean: some software object that is configurable by setting its attributes
- Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

- The whole configuration of the IdP is specified by a lot of beans
- For convenience, the essential configuration can be specified by properties stored in properties files
- Still, from time to time you will need to directly modify beans or create new ones
- The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/ldap.properties

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

- Each line consists of a pair of a key and a value
- Comment lines start with a # character

Examples of Beans

- Each bean has some name (id)
- Each bean has some type (class)
- Attributes (parameters) specify the bean's configuration
- Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

- There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
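The property-and-placeholder pattern shown on these slides can be checked mechanically before the IdP is started. The following Python script is an added example (not from the SWITCH handout and not part of the Shibboleth IdP): it reads a properties file in the IdP's format, resolves the %{key} and %{key:default} placeholders of the connectionConfig bean, and lists keys that have neither a value in the file nor an inline default, which is the situation in which Spring refuses to load the configuration. The properties text and the bean definition embedded below are constructed from the slides' excerpts.

```python
"""Resolve Spring %{key} / %{key:default} placeholders as the IdP's
property-backed beans are read.

Added example by the editor, not from the SWITCH handout or the Shibboleth
project. The properties text and the bean are constructed from the slides.
"""
import re

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
P_ATTRIBUTE = re.compile(r'\bp:([\w-]+)="([^"]*)"')

# constructed sample, mirrors the handout's ldap.properties
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
"""

# the abstract connection bean from conf/authn/ldap-authn-config.xml
CONNECTION_BEAN = """\
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
"""


def parse_properties(text):
    """Parse the subset of java.util.Properties syntax the IdP files use:
    'key = value' (or 'key: value'), '#'/'!' comment lines, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve_placeholders(text, props):
    """Return (resolved_text, missing_keys). A placeholder without a default
    whose key is absent from props is left untouched and reported."""
    missing = []

    def substitute(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        missing.append(key)
        return m.group(0)

    return PLACEHOLDER.sub(substitute, text), missing


def effective_bean_attributes(bean_xml, properties_text):
    """Resolve a bean's p: attributes against the properties text and return
    ({attribute: value}, missing_keys): what the IdP will actually use."""
    resolved, missing = resolve_placeholders(bean_xml, parse_properties(properties_text))
    return dict(P_ATTRIBUTE.findall(resolved)), missing


if __name__ == "__main__":
    attrs, missing = effective_bean_attributes(CONNECTION_BEAN, LDAP_PROPERTIES)
    for name, value in attrs.items():
        print(f"{name} = {value}")
    print("missing:", missing)
```

Note how the file value for idp.authn.LDAP.useStartTLS (false) overrides the bean's inline default (true), while connectTimeout, absent from the file, falls back to 3000: the defaults written into the bean are what applies whenever a property is commented out, so review them when auditing a deployment.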

References

For comprehensive information, refer to the documentation on the Shibboleth Wiki:
- Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
- Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication
How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

- v2 uses Login Handlers
  - Typical/default setup: UsernamePassword login handler
    - Username/password login form
    - Authentication via JAAS and LDAP (login.config)
  - Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X509, Kerberos (SPNEGO))
- v3 uses Login Flows (also called Authentication Flows)
  - Typical/default setup: Password login flow
    - Username/password login form
    - Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  - Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development

Login Flows

(Diagram: a SAML Request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow, RemoteUser Authentication Flow, X509 Authentication Flow or Password Authentication Flow, and executes it; the IdP then returns the SAML Response.)

Login Flows

- One or several flows can be activated
- The authentication engine of the IdP selects a suitable flow depending on several criteria:
  - Does the SP request a specific authentication context type?
  - Does the SP request forced authentication?
  - Does the SP request passive authentication?
- In practice, most deployments will use the Password login flow as the only one
- ECP is supported out-of-the-box by the Password login flow. No special configuration is required, but the client must support ECP appropriately

Authentication Configuration

- Login flow activation: /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
- Per login flow configuration: the flow-specific files in /opt/shibboleth-idp/conf/authn/ (e.g. password-authn-config.xml)
- Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

- Most deployments use this authentication mechanism
- Login flow for username/password authentication: Password (activated by default)
- Configuration is done in two properties files:
  - All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  - Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
- The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration

/opt/shibboleth-idp/conf/ldap.properties:

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

/opt/shibboleth-idp/conf/credentials.properties:

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication

General options
- idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator

Connection options
- idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces)
- idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted; since the IdP authenticates users with a simple bind, the service user's password and every user's password would then cross the network in cleartext
- idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
- idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust

User directory options
- idp.authn.LDAP.baseDN: entry point in the user directory
- idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
- idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input ({user})

LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
- idp.authn.LDAP.bindDN: bind DN of the IdP service user
- idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with properties files

- Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
- /opt/shibboleth-idp/conf/ldap.properties:
  - Which LDAP attribute holds the user's login name?
  - Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
- Where is the password of the service user defined?

Hands-on 1: Solutions

- Enabled flows: Password (idp.authn.flows = Password)
- LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
- DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
- In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
       edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"  <=>  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password does not belong in ldap.properties):

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
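The migration in Hands-on 2, together with the transport-related properties described on the preceding slides, can be automated and checked. The script below is an added example written for this handout, not tooling shipped by SWITCH or by the Shibboleth project: it extracts the LdapLoginModule options from a v2 login.config, emits the corresponding v3 keys for ldap.properties and credentials.properties, rewrites userField/userFilter into the (uid={user}) form, and warns when a plain ldap:// URL is configured without StartTLS, the case in which bind passwords would travel in cleartext. The login.config text is the one from the slide, embedded as a constructed sample. Two assumptions: the v2 `tls` option is treated as the StartTLS switch, and `false` is taken as the v2 default for subtreeSearch.

```python
"""Migrate an IdP v2 JAAS LdapLoginModule entry to IdP v3 properties.

Added example by the editor, not code from the SWITCH handout or the
Shibboleth project. Assumptions: the v2 'tls' option means StartTLS, and
subtreeSearch defaults to false when the v2 entry does not set it.
"""
import re

# constructed sample: the v2 login.config from the hands-on slide
V2_LOGIN_CONFIG = '''\
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_options(text):
    """Return the key="value" options of the first LdapLoginModule entry."""
    _, found, tail = text.partition("LdapLoginModule")
    if not found:
        raise ValueError("no LdapLoginModule entry found")
    body = tail.split(";", 1)[0]          # options end at the first ';'
    return dict(OPTION.findall(body))


def to_user_filter(options):
    """v2 userField="uid" or userFilter="uid={0}" -> v3 "(uid={user})"."""
    if "userFilter" in options:
        f = options["userFilter"].replace("{0}", "{user}")
    elif "userField" in options:
        f = f"{options['userField']}={{user}}"
    else:
        raise ValueError("neither userField nor userFilter set")
    return f if f.startswith("(") else f"({f})"


def migrate(options):
    """Return (ldap_properties, credentials_properties, warnings)."""
    urls = options["ldapUrl"].split()
    schemes = {u.split("://", 1)[0].lower() for u in urls}
    starttls = options.get("tls", "false").lower() == "true"   # assumption: v2 'tls' = StartTLS
    warnings = []
    if "ldap" in schemes and not starttls:
        warnings.append("plain ldap:// URL without StartTLS: the service password and "
                        "every user password would be sent in cleartext; set useStartTLS=true")
    if len(schemes) > 1:
        warnings.append("mixed ldap:// and ldaps:// URLs: useSSL/useStartTLS apply to all of them")
    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        "idp.authn.LDAP.useStartTLS": str(starttls).lower(),
        "idp.authn.LDAP.useSSL": str(schemes == {"ldaps"}).lower(),
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": options["baseDn"],
        "idp.authn.LDAP.subtreeSearch": options.get("subtreeSearch", "false"),  # assumed v2 default
        "idp.authn.LDAP.userFilter": to_user_filter(options),
        "idp.authn.LDAP.bindDN": options["bindDn"],
    }
    # the bind password goes to credentials.properties, never to ldap.properties
    credentials = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap_props, credentials, warnings


def render(props):
    """Properties-file text, one 'key = value' per line."""
    return "".join(f"{key} = {value}\n" for key, value in props.items())


if __name__ == "__main__":
    ldap_props, creds, warns = migrate(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties\n" + render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties (keep it mode 0600)\n" + render(creds))
    for w in warns:
        print("WARNING:", w)
```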


Advanced Topics

- JAAS authentication as used in v2 is still supported in v3
  - Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  - JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
- JAAS authentication is recommended for
  - Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  - Connecting to other user directories like RDBMSs (using a specific JAAS module)
- See the documentation on the Shibboleth wiki for details

References

Documentation:
- Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
- Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
- Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
- Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
- Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

- How to
  - Customize look and feel
  - Customize messages/languages
  - Add text to your login site

(Slides 3 to 5 contain only images.)

Layout

- Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
- Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
- Rebuild the idp.war file and restart Tomcat

Spring message properties

- In /opt/shibboleth-idp/messages you find
  - authn-messages.properties
  - error-messages.properties
  - consent-messages.properties
  These messages are used in the Velocity templates
- Internationalization:
  - consent-messages_de.properties
  - consent-messages_fr.properties, etc.

error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Note that distinct messages for an unknown username and a wrong password tell an attacker which usernames exist; Hands On II below maps both conditions to one generic message.

Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

(Slide 12 contains only an image.)

Velocity

- The Apache Velocity Engine is a free, open-source templating engine
- Clean separation between the presentation tier and business tiers
- VTL (Velocity Template Language)
  - References begin with $
  - Directives begin with #
  - A single-line comment begins with ## and finishes at the end of the line
  - Multi-line comments begin with #* and end with *#

Login and intercept

- The Velocity templates are under /opt/shibboleth-idp/views
  - login.vm
  - login-error.vm
  - intercept/attribute-release.vm
  - intercept/terms-of-use.vm
  - error.vm
  are the most used (no restart required)
- Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties

- $rpUIContext.informationURL
- $rpUIContext.logo
- $rpUIContext.organizationDisplayName
- $rpUIContext.organizationName
- $rpUIContext.organizationURL
- $rpUIContext.privacyStatementURL
- $rpUIContext.serviceDescription
- $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

These values come from the SP's metadata, i.e. from a third party: always pass them through $encoder.encodeForHTML() (or the encoder matching the output context) before writing them into the page.

Hands On I

- Make the IdP logo disappear for screens smaller than 799 px

Hands On II

- Return the following error message on the login form in case of an invalid username or incorrect password: "The credentials you entered are incorrect."

Hands On III

- Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

- Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

- Use the class in login.vm:

    <img class="idp_logo" align="right" ...

- Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II

- Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

- Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
- Some deprecated elements are ignored
- Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?

- No warning for using legacy configuration mode
- Delete ignored elements
- Grouping attribute definitions in separate files
- Less misleading, smaller files, clearer

Deprecated items

- Principal connectors
- NameID encoders
- Transient identifier attribute definitions
- Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation

New features in version 3

- Property replacement: %{my.property}
  - Move passwords in a dedicated file
  - Extract duplicated data like URLs
- Can split configuration into several files
- External Spring configuration for data connectors
- Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by the University of Zürich
- SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
- SAML2 Name: urn:oid:1361411181711213
- Friendly name: uzhSAPUserId
- Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences

- IdP API for scripts has changed
  - output attribute variable already created
  - setValues() removed
  - and more, see ScriptedAttributeDefinition for details
- Alternatives: mapped or template attribute definitions
- JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
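To see what the two hands-on configurations actually produce, here is an added example, written for this page and not code from the handout or from the IdP, that models the resolution and filtering steps of the slides in Python: an ad:Template definition expanded once per value of a multi-valued source attribute (Hands-on 2), an ad:Simple definition merging several dependencies, and filter policies that release an attribute only to a named requester (Hands-on 1). The LDAP record, the second policy with its regex permit rule (basic:AttributeValueRegex in the IdP) and the sp.example.org entity ID are constructed; the other names follow the handout.

```python
"""Model the IdP's attribute pipeline: resolution and filtering.

Added example by the editor; not the handout's or the IdP's code. LDAP data,
the policy list and the SP entity IDs are constructed test data.
"""
import re
from string import Template

# constructed: what the "myLDAP" data connector could return for student1
LDAP_RECORD = {
    "uid": ["student1"],
    "objectClass": ["top", "person", "inetOrgPerson", "swissEduPerson"],
}

COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# constructed filter policies: the first mirrors attribute-filter-local.xml,
# the second permits only the group entitlements (regex rule), not common-lib-terms
POLICIES = [
    {"requester": "https://attribute-viewer.aai.switch.ch/shibboleth",
     "rules": {"uzhSAPUserId": "ANY", "eduPersonEntitlement": "ANY"}},
    {"requester": "https://sp.example.org/shibboleth",
     "rules": {"eduPersonEntitlement": re.compile(r"^https://example\.org/groups/")}},
]


def template_definition(template, source_attribute, record):
    """ad:Template: the template is expanded once per value of the source attribute."""
    t = Template(template)
    return [t.substitute({source_attribute: v}) for v in record.get(source_attribute, [])]


def simple_definition(*dependencies):
    """ad:Simple with several dependencies: union of their values, order preserved."""
    out = []
    for values in dependencies:
        for v in values:
            if v not in out:
                out.append(v)
    return out


def resolve(record):
    """Step 1, resolution: build the attributes the hands-on solutions define."""
    groups = template_definition("https://example.org/groups/${objectClass}", "objectClass", record)
    return {
        "uid": list(record["uid"]),
        "uzhSAPUserId": template_definition("SAP-${uid}", "uid", record),
        "eduPersonEntitlement": simple_definition([COMMON_LIB_TERMS], groups),
    }


def filter_attributes(resolved, requester):
    """Step 2, filtering: nothing is released unless a policy whose
    PolicyRequirementRule matches the requester permits the value (default deny)."""
    released = {}
    for policy in POLICIES:
        if policy["requester"] != requester:
            continue
        for attribute, rule in policy["rules"].items():
            for value in resolved.get(attribute, []):
                if rule == "ANY" or rule.search(value):
                    released.setdefault(attribute, [])
                    if value not in released[attribute]:
                        released[attribute].append(value)
    return released


if __name__ == "__main__":
    attrs = resolve(LDAP_RECORD)
    for sp in ("https://attribute-viewer.aai.switch.ch/shibboleth",
               "https://sp.example.org/shibboleth",
               "https://unknown.example.org/shibboleth"):
        print(sp, "->", filter_attributes(attrs, sp))
```

The last requester in the usage block matches no policy and receives nothing, which is the property to remember when adding local filter files: the filter engine is default deny, and a new attribute definition releases nothing until some policy permits it.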


References

- Shibboleth wiki: AttributeResolverConfiguration and its child pages
- Shibboleth wiki: AttributeFilterConfiguration
- Shibboleth wiki: ScriptedAttributeDefinition
- Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

- a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
- introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
- first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
- configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

- on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

- attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

- by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
- when used in a federation, always qualified by the IdP and SP entity IDs
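The construction described on this slide can be reproduced to see why the identifier is persistent, targeted and dependent on the salt. The following Python script is an added example, not code from the handout or from the IdP: the slide states the algorithm only as SHA-1 over the SP entity ID, a user attribute value and an admin-specified salt, Base64-encoded; the exact input layout used here (entity ID, "!", value, "!", salt) is an assumption about the IdP's computed/stored ID connector, and the entity IDs, the source value and the salt are constructed test data. The two rendering functions produce the assertion form and the SP string form shown above.

```python
"""Compute a Shibboleth-style persistent ID and render it in its two forms.

Added example by the editor, not the handout's or the IdP's code. Assumption:
input layout spEntityID + "!" + sourceValue + "!" + salt; all identifiers
and the salt below are constructed.
"""
import base64
import hashlib
from xml.sax.saxutils import escape, quoteattr

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_id(sp_entity_id, source_value, salt):
    """SHA-1(spEntityID + "!" + sourceValue + "!" + salt), Base64: 20 bytes -> 28 chars."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def name_id_element(idp_entity_id, sp_entity_id, value):
    """The <NameID> as it appears in the assertion's <Subject>. Entity IDs come
    from metadata, i.e. from other parties, so they are XML-escaped."""
    return (
        f"<NameID Format={quoteattr(PERSISTENT_FORMAT)} "
        f"NameQualifier={quoteattr(idp_entity_id)} "
        f"SPNameQualifier={quoteattr(sp_entity_id)}>{escape(value)}</NameID>"
    )


def sp_attribute_rendering(idp_entity_id, sp_entity_id, value):
    """The string form the Shibboleth SP exposes: qualifiers and value joined by '!'."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def pairwise_ids(source_value, sp_entity_ids, salt):
    """One ID per SP for the same user: the 'targeted' property, because the
    SP entity ID is part of the hash input."""
    return {sp: computed_id(sp, source_value, salt) for sp in sp_entity_ids}


if __name__ == "__main__":
    idp = "https://aai-login.example.org/idp/shibboleth"
    salt = "constructed-salt-use-a-long-random-secret"   # constructed; keep the real one secret
    uid = "2490257@example.org"                           # test user from the handout
    sps = ["https://sp.example.org/shibboleth", "https://other.example.org/shibboleth"]
    for sp, pid in pairwise_ids(uid, sps, salt).items():
        print(name_id_element(idp, sp, pid))
        print(sp_attribute_rendering(idp, sp, pid))
```

Because the hash input contains the salt, an SP that learns the source attribute values (for example all e-mail-style unique IDs of an organisation) still cannot recompute its users' persistent IDs without it; and because it contains the SP entity ID, two SPs cannot correlate a user by comparing the IDs they received. Changing the salt changes every newly computed ID, which is why the v2 value has to be carried over.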

Persistent ID changes with the IdP v3

- no disruptive ones, but a couple of things have happened behind the scenes
- most importantly, the IdP v3 brings a new, dedicated NameID generation service
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

- configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

- to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
- to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
- finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration, since newly computed IDs depend on it)

Retaining persistent IDs from your v2 IdP

- the database schema for the shibpid table remains unchanged
- when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
- "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

  (the dump maps user identifiers to their pseudonyms, so move it between the hosts over a secure channel and delete it after the import)
- make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

- examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

- delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
- dump the shibpid table to a file, purge the table with truncate, and reimport the records
- log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3

- Attribute release and terms of use consent now built in
- Inspired by the uApprove and uApproveJP plugins for v2
- No consent data migration: storage implementations are not compatible
- May be enabled or disabled per relying party and per profile
- Decisions logged

Differences with uApprove

User can select attributes to release [disabled]

Consent duration choices1 Ask me again if information changes

= if set of attributes changes2 Ask me again at next login [enabled]3 Do not ask me again ever for any SP [enabled]

No regular expression for SP whiteblack lists

No translations provided

copy 2015 SWITCH

bullbull

bullbull

5

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows:
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (defaults in brackets)

• Consent duration options:
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]
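The prompt-selection and re-prompt rules from the slides above, as an added Python model (not Shibboleth code): it applies white list, black list and pattern the way conf/intercept/consent-intercept-config.xml selects the attributes to ask about, and decides whether an "Ask me again if information changes" consent still holds with and without idp.consent.compareValues. The record format and the sample attribute values are constructed for illustration.

```python
"""Simplified model of the IdP v3 attribute-release consent decision.

Added example, not Shibboleth code. Consent records are modelled as
{attribute_id: value_digest}; the IdP's real storage format is not reproduced.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Default black list from the slides: these are never shown on the consent page.
DEFAULT_BLACKLIST = ["transientId", "persistentId", "eduPersonTargetedID"]


def attributes_to_prompt(attribute_ids: List[str], whitelist: List[str],
                         blacklist: List[str], pattern: Optional[str]) -> List[str]:
    """Attributes the consent page prompts for, in the order given.

    Empty white list and no pattern: all attributes except the black list.
    Otherwise only white-listed or pattern-matching attributes are prompted;
    everything else is released without asking (the case the slide warns about).
    """
    regex = re.compile(pattern) if pattern else None
    selected = []
    for attr in attribute_ids:
        if attr in blacklist:
            continue
        if not whitelist and regex is None:
            selected.append(attr)
        elif attr in whitelist or (regex is not None and regex.search(attr)):
            selected.append(attr)
    return selected


def digest(values: List[str]) -> str:
    """Order-independent digest of one attribute's values."""
    return hashlib.sha256("\n".join(sorted(values)).encode("utf-8")).hexdigest()


def consent_record(released: Dict[str, List[str]], compare_values: bool) -> Dict[str, str]:
    """What is remembered when the user consents: a digest per attribute if
    idp.consent.compareValues=true, otherwise only the attribute ids."""
    return {a: (digest(v) if compare_values else "") for a, v in released.items()}


def needs_reprompt(stored: Optional[Dict[str, str]], to_release: Dict[str, List[str]],
                   compare_values: bool) -> bool:
    """Re-prompt rule for "Ask me again if information changes".

    First access to the SP (no record), a changed attribute set, or, with
    compareValues enabled, changed values all trigger a new consent prompt.
    """
    if stored is None:
        return True
    current = consent_record(to_release, compare_values)
    if set(current) != set(stored):
        return True
    return compare_values and any(current[a] != stored[a] for a in current)
```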

Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
  – Default mapping using the entityID:
      https\://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> [...]
  – Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs
Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs
Entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                      Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
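An added Python example, not from the handout or the Shibboleth project, showing the matching logic behind the two snippets above: it reads the EntityAttributes extension from SP metadata and evaluates an ordered list of RelyingPartyByTag-style overrides with first-match-wins semantics. The sample metadata, the second override and its bean id are constructed; the OIDs and the entity-category URI are those from the slides.

```python
"""Which relying-party override applies to an SP, decided from its metadata tags.

Added example, not Shibboleth code. A TagCandidate matches when the entity
carries the named attribute and, if values are listed, one of those values.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata, modelled on the example in the slides.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""

# An override is (bean id, tag candidates); a candidate is (attribute Name, accepted values).
Candidate = Tuple[str, List[str]]
Override = Tuple[str, List[Candidate]]

# Constructed override list in relying-party.xml order; the second bean id is hypothetical.
OVERRIDES: List[Override] = [
    ("shibboleth.NoUserConsentRelyingParty",
     [("urn:oid:2.16.756.1.2.5.1.1.4", ["example.org"])]),
    ("shibboleth.CoCoRelyingParty",
     [("http://macedir.org/entity-category",
       ["http://www.geant.net/uri/dataprotection-code-of-conduct/v1"])]),
]


def entity_attributes(metadata_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} from the EntityAttributes extension."""
    root = ET.fromstring(metadata_xml)
    tags: Dict[str, List[str]] = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        tags.setdefault(attr.get("Name", ""), []).extend(values)
    return tags


def candidate_matches(tags: Dict[str, List[str]], name: str, values: List[str]) -> bool:
    """Attribute present and, when values are given, at least one value present."""
    present = tags.get(name)
    if present is None:
        return False
    return not values or any(v in present for v in values)


def select_override(tags: Dict[str, List[str]], overrides: List[Override]) -> Optional[str]:
    """First override with any matching candidate wins; None means the default relying party."""
    for bean_id, candidates in overrides:
        if any(candidate_matches(tags, name, values) for name, values in candidates):
            return bean_id
    return None
```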

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. The existing configuration should still work without these changes.

References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description
Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
    https://aai-login.example.org:8443/idp/  or  https://aai-aa.example.org/idp/
to
    https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
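An added Python example (not from the handout) of the check behind that grep: it scans idp-process.log lines for a binding URI, reports the last use per relying party and tells whether the endpoint has been unused since a given date. The log lines are constructed; their message wording is an assumption, only the timestamp layout follows the default logback pattern.

```python
"""Last use of a SAML binding per relying party, from idp-process.log lines.

Added example, not from the slides or the Shibboleth project.
"""
import re
from datetime import datetime
from typing import Dict, Iterable

SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Constructed log lines (timestamp, level, logger, message); message wording is assumed.
SAMPLE_LOG = """\
2015-03-02 09:14:55,120 - INFO [net.shibboleth.idp.profile:120] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
2015-04-11 17:02:03,001 - INFO [net.shibboleth.idp.profile:120] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
2015-05-20 08:30:41,555 - INFO [net.shibboleth.idp.profile:120] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# Default logback pattern starts each record with "yyyy-MM-dd HH:mm:ss,SSS".
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
URL_RE = re.compile(r"https?://\S+")


def binding_usage(lines: Iterable[str], binding: str) -> Dict[str, str]:
    """Map each relying party to the latest timestamp ("YYYY-MM-DD HH:MM:SS")
    at which a log line mentions `binding`; the SP is the last URL on the line."""
    last: Dict[str, datetime] = {}
    for line in lines:
        if binding not in line:
            continue
        match = TIMESTAMP_RE.match(line)
        if not match:
            continue  # stack trace or continuation line without a timestamp
        ts = datetime.strptime(match.group(1), TIME_FORMAT)
        urls = URL_RE.findall(line)
        sp = urls[-1] if urls else "<relying party not on line>"
        if sp not in last or ts > last[sp]:
            last[sp] = ts
    return {sp: ts.strftime(TIME_FORMAT) for sp, ts in last.items()}


def safe_to_remove(lines: Iterable[str], binding: str, since: str) -> bool:
    """True if `binding` has not been used at or after `since` ("YYYY-MM-DD HH:MM:SS"),
    i.e. the endpoint can be dropped from the Resource Registry."""
    cutoff = datetime.strptime(since, TIME_FORMAT)
    usage = binding_usage(lines, binding)
    return all(datetime.strptime(ts, TIME_FORMAT) < cutoff for ts in usage.values())


if __name__ == "__main__":
    for sp, ts in binding_usage(SAMPLE_LOG.splitlines(), SAML1_SOAP_BINDING).items():
        print(f"{SAML1_SOAP_BINDING} last used {ts} by {sp}")
```

On a real deployment, feed it the lines of all rotated idp-process-2015-*.log files instead of the constructed sample.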

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment
[Diagram of the example cluster environment; not reproduced in the handout text]

Options
• Full-featured setup: load balancing hardware vs DNS round robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
• Enable the IdP for interfederation: its users will be able to access services from other federations
• Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[Map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015:
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                     Defined in   Example
displayName                       eduPerson    Peter Sample
common name (cn)                  eduPerson    Peter Sample
mail                              eduPerson    peter.sample@example.org
eduPersonAffiliation /            eduPerson    staff / staff@example.org
  eduPersonScopedAffiliation
eduPersonPrincipalName            eduPerson    234cd8z239@example.org
schacHomeOrganization             SCHAC        example.org
schacHomeOrganizationType         SCHAC        urn:schac:homeOrganizationType:ch:university
                                               urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /             eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
[Diagram; not reproduced in the handout text]

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes

Attribute Release Configuration
How attributes are released

Attribute Release Rules

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Overview of Log Files

Apache log files

Logfiles:
• error.log
  – aai-login.example.org.error.log
  – LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log
  – aai-login.example.org.access.log
Location: /var/log/apache2
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties
    FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback
  – Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  – log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually ok
  – Change it if required, i.e.
    o LDAP Auth Module or authentication events
    o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2

Find out why not all of the attributes appear.

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value:
   – change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration
New options with IdPv3

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98
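One way to approach the audit-log question from the operator's side, as an added Python example that is not part of the SWITCH handout: it lists the reload events in idp-audit.log and recovers the id= argument from the access log of the Apache httpd running in front of Tomcat. The pipe-separated audit field order (timestamp first, profile URI later), the Apache "combined" log format, all sample lines and the metadata id SWITCHaaiMetadata are constructed assumptions.

```python
"""Added example (not part of the SWITCH handout): list the admin reload events
recorded in idp-audit.log and recover the id= argument of each reload from the
access log of the Apache httpd running in front of Tomcat.

Assumptions: the audit line is pipe-separated with the timestamp in the first
field and the profile URI somewhere after it (the reload flows fill only those
two, as the slide shows); the access log is in Apache "combined" format; all
sample lines and the metadata id SWITCHaaiMetadata are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Bean IDs accepted by reload-service, from the handout's slide 4.
KNOWN_SERVICE_IDS = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}

PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"
RELOAD_PROFILES = {
    PROFILE_PREFIX + "reload-service-configuration": "reload-service",
    PROFILE_PREFIX + "reload-metadata": "reload-metadata",
}

# Constructed idp-audit.log excerpt: two reload events around an ordinary SSO.
SAMPLE_AUDIT = """\
20150611T081502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_id1|https://aai-demo.switch.ch/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|student1|||||||||
20150611T082001Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""

# Constructed Apache access log excerpt for the same period.
SAMPLE_ACCESS = """\
127.0.0.1 - - [11/Jun/2015:08:15:02 +0000] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 45 "-" "curl/7.35.0"
10.0.0.5 - - [11/Jun/2015:08:15:30 +0000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=... HTTP/1.1" 302 - "-" "Mozilla/5.0"
127.0.0.1 - - [11/Jun/2015:08:20:01 +0000] "GET /idp/profile/admin/reload-metadata?id=SWITCHaaiMetadata HTTP/1.1" 200 45 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:08:21:00 +0000] "GET /idp/profile/admin/reload-service?id=no.such.Bean HTTP/1.1" 200 45 "-" "curl/7.35.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def reload_events(audit_text):
    """Return (timestamp, flow) for each audit record whose profile is a reload flow."""
    events = []
    for line in audit_text.splitlines():
        fields = line.split("|")
        profile = next((f for f in fields if f.startswith(PROFILE_PREFIX)), None)
        if profile in RELOAD_PROFILES:
            events.append((fields[0], RELOAD_PROFILES[profile]))
    return events


def reload_requests(access_text):
    """Return (client, flow, id, known_id) for each admin reload request.

    known_id is False when reload-service was asked for a bean ID that is not
    in the list above: the audit log alone would not show that mistake."""
    requests = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/idp/profile/admin/reload-"):
            continue
        flow = url.path.rsplit("/", 1)[-1]
        ids = parse_qs(url.query).get("id", [])
        bean_id = ids[0] if ids else None
        known = flow != "reload-service" or bean_id in KNOWN_SERVICE_IDS
        requests.append((m.group("client"), flow, bean_id, known))
    return requests


if __name__ == "__main__":
    for ts, flow in reload_events(SAMPLE_AUDIT):
        print("audit:", ts, flow)
    for client, flow, bean_id, known in reload_requests(SAMPLE_ACCESS):
        print("access:", client, flow, bean_id, "" if known else "(unknown bean id)")
```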

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES:
    • Were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Operating system recommendations

• rely on an OS with long-term support (5+ years)
• use the same Linux distribution, or one from the same family, which your organization is already using for other services
• the SWITCH deployment guide has been rewritten to cover
  • Ubuntu Server 14.04 LTS: released in April 2014, supported through April 2019
  • Red Hat Enterprise Linux 7 / CentOS 7: released in June 2014, supported through June 2024
• Debian is no longer covered in the SWITCH guide
  • very similar to Ubuntu, though (in case you have strong feelings about staying with Debian)

Java and Webapp environment

• rely on the operating system's default Java version
  – for both Ubuntu 14.04 and RHEL 7 this is OpenJDK 7
  – Java 8 has potential pitfalls with scripted attributes (Rhino/Nashorn engine incompatibilities), so better stay with Java 7 for the time being
• use a Java Servlet container which is provided in the form of a package supported by the OS vendor
  – Tomcat 7 is the primary container for both supported OSes
  – you don't have to bother about manually applying security patches for the Servlet container
• run Apache httpd in front of the Servlet container
  – flexible configuration of the TLS endpoints for the IdP
  – mod_proxy_ajp has proven robust with the IdP v2 in the past

Page 2

Persistent ID and user consent storage

• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters, other RDBMSes might be better fits

Testing strategy

• /etc/hosts is your friend
• Set up the IdP v3 on a completely new system
• retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2, most IdP traffic is now front channel
  – straightforward testing possible by simple edits of your hosts file:
    192.0.2.3 aai-login.example.org
• for back-channel testing, a temporary change to an SP's hosts file can be an option

Page 3

Test of the VM Images: Boot VM image and test network connectivity

SWITCHaai Team, aai@switch.ch

General Information

• Course material is adapted for use in SWITCHaai
• Course material will be published online. Check https://www.switch.ch/aai/docs/training
• If you see this on a slide, hands-on work is required

Page 4

Boot up the image

1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.

VM Operating System Environment

• Ubuntu 14.04.2 LTS, VirtualBox/VMWare VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname: same name for all participants: aai-login.example.org

Page 5

Test AAI Login with Demo Service Provider

1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux

DOS Command                  Linux Command
dir                          ls -l
cd <directory>               cd <directory>
mkdir or md <directory>      mkdir <directory>
rmdir or rd <directory>      rmdir <directory>
chdir                        pwd
del or erase <file>          rm <file>
copy and xcopy <file>        cp and cp -R <file>
find or findstr <file>       grep <string> <file>
comp <file1> <file2>         diff <file1> <file2>
edit <file>                  nano or vim or emacs <file>
ping <host>                  ping <host>
reboot                       reboot

Page 6

File Editing Commands for Terminal Editor

Editor             nano               vim
Open file          $ nano <file>      $ vim <file>
Save file          <ctrl>-o           <esc> :w
Save and exit      <ctrl>-x           <esc> :wq
Search string      <ctrl>-w string    <esc> /string
Go to line number  <ctrl>-_ number    <esc> :number (or <esc> number <shift>-G)

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session

• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user. This happens automatically if the Terminal is opened or if the text editor is used
• The \ character is the line break symbol, which allows breaking a line when typed
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems

Page 7

More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for:
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org/

Test Users on your Identity Provider

• Username: student1, Password: password1
  UniqueID: 2490257@example.org, Givenname / surname: Test1 Student, Affiliation: student;member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org, Givenname / surname: Test2 Student, Affiliation: student;member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org, Givenname / surname: Test3 Staff, Affiliation: staff;member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Page 8

Important directories

• /opt/shibboleth-idp
  Identity Provider installation directory
• /opt/shibboleth-idp/conf
  Configuration files
• /opt/shibboleth-idp/logs
  Log files like idp-process.log
• /opt/shibboleth-idp/credentials
  X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp
  Changes for the web application that survive upgrades

Page 9

SWITCHaai Team, aai@switch.ch

Configuration Pattern: Get used to Spring Beans and Properties

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

Page 10

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern
  • With some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

Bean: Some software object that is configurable by setting its attributes
Property: A piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Page 11

Understanding Beans and Properties

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Page 12

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml
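To make the bean-and-property wiring above concrete, here is an added Python example (not SWITCH or Shibboleth code) that resolves the %{property:default} placeholders of the connectionConfig bean against a properties file and reports which values fell back to the default written in the bean. The properties excerpt is constructed in the format of the slide; note that a missing idp.authn.LDAP.useSSL silently yields the bean's default "false".

```python
"""Added example (not SWITCH or Shibboleth code): resolve the Spring-style
%{property:default} placeholders of an IdP v3 bean against a properties file,
and report which placeholders fell back to their built-in default.

The properties excerpt and the bean follow the slides; the property file
parsing follows the key = value / # comment format described there."""
import re

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
P_ATTRIBUTE = re.compile(r'\sp:([\w-]+)="([^"]*)"')

# Constructed properties file (no connectTimeout, so one default is used).
SAMPLE_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
"""

# The connectionConfig bean as shown on the slide.
SAMPLE_BEAN = """\
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
"""


def load_properties(text):
    """Parse key = value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_placeholders(text, props):
    """Replace every %{key} / %{key:default} in text.

    Returns (resolved_text, defaults_used) where defaults_used lists the
    (key, default) pairs taken from the bean because the property was absent.
    A placeholder without a default and without a property raises KeyError,
    which is what stops the IdP from starting with an unresolved value."""
    defaults_used = []

    def substitute(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is None:
            raise KeyError(key)
        defaults_used.append((key, default))
        return default

    return PLACEHOLDER.sub(substitute, text), defaults_used


def bean_attributes(bean_xml):
    """Return the p:* attributes of a bean definition as a dict."""
    return dict(P_ATTRIBUTE.findall(bean_xml))


def effective_connection_config(properties_text, bean_xml):
    """Resolve the bean and flag a connection that would end up unencrypted."""
    resolved, defaults_used = resolve_placeholders(bean_xml, load_properties(properties_text))
    attrs = bean_attributes(resolved)
    encrypted = attrs.get("useSSL") == "true" or attrs.get("useStartTLS") == "true"
    return attrs, defaults_used, encrypted


if __name__ == "__main__":
    attrs, defaults_used, encrypted = effective_connection_config(SAMPLE_PROPERTIES, SAMPLE_BEAN)
    for name, value in attrs.items():
        print("%s = %s" % (name, value))
    print("defaults used:", defaults_used)
    print("encrypted connection:", encrypted)
```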

Examples of Beans

• There are some helper constructs to define beans
  Example: Beans that are lists of values or lists of other beans
  Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

Page 13

References

For comprehensive information, refer to the documentation on the Shibboleth Wiki.
Documentation:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

Page 14

SWITCHaai Team, aai@switch.ch

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows

• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development.

Page 15

Login Flows

[Figure: a SAML Request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X.509 or Password Authentication Flow) and executes it; a SAML Response is returned]

Login Flows

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  • But the client must support ECP appropriately

Page 16

Authentication Configuration

• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication

• General options
  • idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (Multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

Page 18

Properties for LDAP authentication

• Connection options (continued)
  • idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust
• User Directory options
  • idp.authn.LDAP.baseDN: Entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input

Properties for LDAP authentication

• LDAP service user options (The IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: Bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Page 19

Hands-on 1: Explore the configuration. Get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2: File /opt/shibboleth-idp/conf/login.config

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};

PS: Common and equivalent alternative to userField: userFilter
  userField="uid"
  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3: File /opt/shibboleth-idp/conf/ldap.properties
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/ldap.properties
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
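The migration done by hand above, carried out programmatically as an added Python example (not SWITCH tooling): it parses the JAAS LdapLoginModule options of a v2 login.config, handles both the userField and the userFilter="uid={0}" spelling, and writes the bind password to a separate credentials dict rather than into ldap.properties. The name="value" option syntax is taken from the slide; the sample login.config is constructed, and the StartTLS choice for plain ldap:// URLs is this example's own.

```python
"""Added example (not SWITCH tooling): translate the JAAS LdapLoginModule
options of an IdP v2 login.config into the idp.authn.LDAP.* properties of the
IdP v3 Password flow, keeping the bind password out of ldap.properties.

Assumptions: the module options are written as name="value" pairs inside the
ShibUserPassAuth { ... }; block, as on the slide; the sample is constructed."""
import re

SAMPLE_LOGIN_CONFIG = """\
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
"""

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_login_config(text, application="ShibUserPassAuth"):
    """Return the name="value" options of the login module in the given application block."""
    block = re.search(re.escape(application) + r"\s*\{(.*?)\};", text, re.S)
    if block is None:
        raise ValueError("no %s block found" % application)
    return dict(OPTION_RE.findall(block.group(1)))


def user_filter(options):
    """v3 wants a parenthesised filter with {user}; v2 used userField or userFilter with {0}."""
    if "userFilter" in options:
        flt = options["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else "(%s)" % flt
    return "(%s={user})" % options.get("userField", "uid")


def migrate(options):
    """Return (ldap_properties, credentials_properties) dicts for the IdP v3 Password flow."""
    urls = options["ldapUrl"].split()
    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
    }
    if all(u.startswith("ldaps://") for u in urls):
        ldap["idp.authn.LDAP.useStartTLS"] = "false"
        ldap["idp.authn.LDAP.useSSL"] = "true"
    elif all(u.startswith("ldap://") for u in urls):
        # Choice made by this example: require StartTLS on plain ldap:// URLs so
        # the bind password is never sent in the clear (see the useStartTLS property).
        ldap["idp.authn.LDAP.useStartTLS"] = "true"
        ldap["idp.authn.LDAP.useSSL"] = "false"
    else:
        raise ValueError("mixed ldap:// and ldaps:// URLs cannot share one useSSL setting")
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    ldap["idp.authn.LDAP.baseDN"] = options["baseDn"]
    ldap["idp.authn.LDAP.subtreeSearch"] = options.get("subtreeSearch", "false")
    ldap["idp.authn.LDAP.userFilter"] = user_filter(options)
    ldap["idp.authn.LDAP.bindDN"] = options["bindDn"]
    # The password goes to credentials.properties, which is kept separately.
    credentials = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap, credentials


def to_properties(mapping):
    """Render a dict as key = value lines in the order given."""
    return "".join("%s = %s\n" % item for item in mapping.items())


if __name__ == "__main__":
    ldap, creds = migrate(parse_login_config(SAMPLE_LOGIN_CONFIG))
    print("# ldap.properties\n" + to_properties(ldap))
    print("# credentials.properties\n" + to_properties(creds))
```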

Page 21

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References

Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

copy SWITCH 201513

Login Form Customization13Templates and Customization13

SWITCHaai Team13aaiswitchch13

copy SWITCH 201513

Overviewbull  How to13ndash Customize look and feel13ndash Customize messageslanguages13ndash Add text to your login site 1313

213

Page 23

copy SWITCH 201513 313

copy SWITCH 201513 413

Page 24

copy SWITCH 201513 513

copy SWITCH 201513

Layoutbull  Change the look and feel in 13optshibboleth-idpedit-webapp 1313(images and css)13

bull  Place additional web resources in the edit-webapp directory not the webapp directory The webapp directory is replaced upon every IdP upgrade13

bull  Rebuild the idpwar file and restart tomcat1313

613

Page 25

copy SWITCH 201513

Spring message propertiesbull  in optshibboleth-idpmessages you find13ndash  authn-messagespropertiesndash  error-messagespropertiesndash  consent-messagespropertiesthese messages are used in the velocity template

13bull  internationalization 13ndash  consent-messages_depropertiesndash  consent-messages_frproperties etc

13

713

copy SWITCH 201513

error-messagespropertiesin optshibboleth-idpmessageserror-messagesproperties1313 General strings13idptitle = Web Login Service13idptitlesuffix = Error13idplogo = imagesexampleorgpng13idplogoalt-text = Example Home Organisation13idplogotargeturl = httpwwwexampleorg13idpmessage = An unidentified error occurred13idpfooter = Insert your footer text here1313 Error key to title and message mappings13unexpectedtitle = Unexpected Error13unexpectedmessage = An unexpected error was encountered usually reflecting a configuration or software error13

813

Page 26

copy SWITCH 201513

authn-messagespropertiesin optshibboleth-idpmessagesauthn-messagesproperties1313idploginloginTo = Login to13idploginusername = Username13idploginpassword = Password13idplogindonotcache = Dont Remember Login13idploginlogin = Login13idploginforgotPassword = Forgot your password13idploginforgotPasswordurl = httpssupportexampleorg13idploginneedHelp = Need Help13

913

copy SWITCH 201513

authn-messagespropertiesin optshibboleth-idpmessagesauthn-messagesproperties1313 Classified Login Error messages13UnknownUsername = bad-username13InvalidPassword = bad-password13ExpiredPassword = expired-password13AccountLocked = account-locked13bad-usernamemessage = The username you entered cannot be identified13bad-passwordmessage = The password you entered was incorrect13expired-passwordmessage = Your password has expired13account-lockedmessage = Your account is locked13

1013

Page 27

copy SWITCH 201513

Velocity Propertieslta class=aai href=springMessage(idploginforgotPasswordurl)gtspringMessageText(idploginforgotPassword Forgot your password)ltagt

1113

copy SWITCH 201513 1213

Page 28

copy SWITCH 201513

Velocitybull The Apache Velocity Engine is a free open-source

templating enginebull clean separation between the presentation tier and

business tiersbull VTL (Velocity Template Language)ndash References begin with $ndash Directives begin with ndash A single line comment begins with and finishes at

the end of the linendash Multi-line comments which begin with and end

with

1313

copy SWITCH 201513

Login and interceptbull The velocity templates are under

13optshibboleth-idpviewsndash loginvmndash login-errorvmndash interceptattribute-releasevmndash interceptterms-of-usevmndash errorvm

are most used (no restart required)13

bull Additional custom pages can be added eg forexpiring passwords locked accounts etc

1413

Page 29

copy SWITCH 201513

Some Velocity Propertiesbull $rpUIContextinformationURLbull $rpUIContextlogobull $rpUIContextorganizationDisplayNamebull $rpUIContextorganizationNamebull $rpUIContextorganizationURLbull $rpUIContextprivacyStatementURLbull $rpUIContextserviceDescriptionbull $rpUIContextserviceName

1513

copy SWITCH 201513

Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Hands On I

• make the IdP logo disappear for screens smaller than 799 px

Hands On II

• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3:
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example:

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}" queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
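As an added illustration (not code from the handout or from the IdP itself), a small Python model of how the two hands-on definitions evaluate: ad:Template is rendered once per value of a multi-valued source attribute, and ad:Simple merges the values of its dependencies. The attribute values below are constructed, and the rule that all source attributes of a template must carry the same number of values is this model's assumption about the resolver.

```python
from string import Template

# Constructed attribute values for one principal, as the myLDAP connector
# might return them (not data from the handout).
RESOLVED = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson", "uzhPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}


def template_attribute(template: str, source_attributes: list, resolved: dict) -> list:
    """Model of ad:Template: the template is rendered once per value index,
    ${name} taking the i-th value of source attribute 'name'.

    Assumption about the resolver: all source attributes must carry the same
    number of values; the definition is rejected otherwise."""
    columns = [resolved.get(name, []) for name in source_attributes]
    counts = {len(column) for column in columns}
    if len(counts) > 1:
        raise ValueError("source attributes differ in value count: %s"
                         % dict(zip(source_attributes, (len(c) for c in columns))))
    count = counts.pop() if counts else 0
    values = []
    for i in range(count):
        mapping = {name: column[i] for name, column in zip(source_attributes, columns)}
        values.append(Template(template).substitute(mapping))
    return values


def simple_attribute(dependencies: list, resolved: dict) -> list:
    """Model of ad:Simple with several dependencies: their values, in order."""
    values = []
    for dependency in dependencies:
        values.extend(resolved.get(dependency, []))
    return values


def resolve_hands_on(resolved: dict) -> dict:
    """Run both hands-on definitions over the resolved attributes."""
    out = dict(resolved)
    # Hands-on 1: uzhSAPUserId = SAP-${uid}
    out["uzhSAPUserId"] = template_attribute("SAP-${uid}", ["uid"], out)
    # Hands-on 2: one entitlement per objectClass value (dependencyOnly, no encoders) ...
    out["eduPersonEntitlement.groups"] = template_attribute(
        "https://example.org/groups/${objectClass}", ["objectClass"], out)
    # ... merged into eduPersonEntitlement next to the existing common-lib-terms value
    out["eduPersonEntitlement"] = simple_attribute(
        ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"], out)
    return out


if __name__ == "__main__":
    for name, values in resolve_hands_on(RESOLVED).items():
        print(name, values)
```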

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
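The derivation described above, as an added Python example (not code from the handout or from the IdP): it computes the 20-byte SHA-1 value, Base64 encodes it, and builds and parses the SP-side "IdP!SP!value" rendering, which makes the pairwise property visible. The entity IDs, user value and salt are constructed, and joining the three hash inputs with "!" separators is an assumption taken from the IdP's computed-ID strategy rather than something the handout states.

```python
import base64
import hashlib

# Constructed sample values for this example (not taken from the handout).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
SALT = b"constructed-example-salt-do-not-reuse"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Derive the persistent ID proper: SHA-1 over SP entity ID, user attribute
    value and salt, Base64 encoded (20 bytes -> 28 characters).

    Assumption: the parts are joined with '!' separators before hashing, as in
    the IdP's computed-ID strategy; the handout only names the three inputs.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def render_for_sp(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form shown by the Shibboleth SP: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_rendered(rendered: str) -> tuple:
    """Split the SP-side string back into (IdP entity ID, SP entity ID, value).
    The Base64 value never contains '!', so two splits are enough."""
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


def pairwise_ids(source_value: str, sp_entity_ids: list, salt: bytes) -> dict:
    """One ID per SP for the same user: the pairwise, non-global property."""
    return {sp: computed_persistent_id(sp, source_value, salt) for sp in sp_entity_ids}


if __name__ == "__main__":
    for sp, pid in pairwise_ids("user1@example.org", [SP_A, SP_B], SALT).items():
        print(render_for_sp(IDP_ENTITY_ID, sp, pid))
```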

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3?

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options: Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides

• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration: Configured by Java properties in conf/idp.properties

• Consent duration options:
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• White & black lists
• Which attribute to prompt for [all except black list]
  – White list [empty]: When filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
  – Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> […]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• Provided bean mapping entityIDs to values [disabled]

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution

• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
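To see what the override above does to a given SP, here is an added Python model of the relying-party selection (not the IdP's code and not part of the handout): it reads the EntityAttributes from metadata, evaluates a list of by-name and by-tag overrides in file order with first-match-wins semantics, and returns the post-authentication flows that apply. The metadata is constructed (the first entity mirrors the handout's example), the second override "shibboleth.CoCoRelyingParty" is hypothetical, and group matching by <EntitiesDescriptor> is not modelled.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed metadata for two SPs (not the federation's real metadata): the
# first mirrors the handout's example; the second carries both a home
# organisation tag and the CoCo category so that two overrides match it.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://intranet.example.org/shibboleth">
    <Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></Extensions>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Model of shibboleth.RelyingPartyOverrides in file order. The first entry is
# the handout's NoUserConsentRelyingParty (tag match on the home organisation,
# no post-authentication flows); the second is a hypothetical override that
# keeps attribute-release consent for CoCo SPs.
DEFAULT_FLOWS = ("attribute-release",)   # shibboleth.DefaultRelyingParty, SAML2.SSO
OVERRIDES = [
    {"id": "shibboleth.NoUserConsentRelyingParty",
     "by_tag": (HOME_ORG, {"example.org"}), "flows": ()},
    {"id": "shibboleth.CoCoRelyingParty",
     "by_tag": (ENTITY_CATEGORY, {COCO}), "flows": ("attribute-release",)},
]


def entity_attributes(metadata_xml: str) -> dict:
    """entityID -> {attribute Name: [values]} read from mdattr:EntityAttributes."""
    result = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        result[ed.get("entityID")] = attrs
    return result


def matches(override: dict, entity_id: str, attrs: dict) -> bool:
    """RelyingPartyByName: entityID listed. RelyingPartyByTag: the named entity
    attribute carries one of the wanted values."""
    if entity_id in override.get("by_name", ()):
        return True
    if "by_tag" in override:
        name, wanted = override["by_tag"]
        return bool(wanted.intersection(attrs.get(name, [])))
    return False


def post_authentication_flows(entity_id: str, metadata_xml: str, overrides=OVERRIDES) -> tuple:
    """First match wins, in list order; no match falls back to the defaults."""
    attrs = entity_attributes(metadata_xml).get(entity_id, {})
    for override in overrides:
        if matches(override, entity_id, attrs):
            return tuple(override["flows"])
    return DEFAULT_FLOWS
```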

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
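The "never overwrites what you modified" guarantee is easy to verify for yourself. The following Python helper, added here and not part of the SWITCH handouts or the IdP distribution, snapshots checksums of the unmanaged directories before install.sh runs and compares them afterwards; the upgrade() function wires that check into the procedure above (install.sh, build.sh, Tomcat restart), and demo() runs the check offline against a constructed throw-away IdP home. The directory list and the sample file contents are assumptions for the demonstration.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Directories the handout lists as managed by you (not touched by upgrades).
UNMANAGED_DIRS = ("conf", "views", "edit-webapp")


def snapshot_unmanaged(idp_home: str) -> dict:
    """{path relative to idp_home: sha256 hex} for every file below UNMANAGED_DIRS."""
    snapshot = {}
    for top in UNMANAGED_DIRS:
        for dirpath, _, filenames in os.walk(os.path.join(idp_home, top)):
            for name in filenames:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    snapshot[os.path.relpath(path, idp_home)] = hashlib.sha256(fh.read()).hexdigest()
    return snapshot


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files under the unmanaged directories that were changed, removed or added."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "removed": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }


def unmanaged_untouched(diff: dict) -> bool:
    """The guarantee the handout states: nothing you modified is overwritten or lost.
    Newly added files are reported but do not violate it."""
    return not diff["changed"] and not diff["removed"]


def upgrade(dist_dir: str, idp_home: str = "/opt/shibboleth-idp",
            restart_cmd=("sudo", "service", "tomcat7", "restart")) -> dict:
    """The handout's procedure with the check in the middle: install.sh from the
    unpacked distribution, verify the unmanaged directories, build.sh, restart
    Tomcat. install.sh asks questions interactively, so run this from a terminal.
    (Not exercised offline.)"""
    before = snapshot_unmanaged(idp_home)
    subprocess.run([os.path.join(dist_dir, "bin", "install.sh")], check=True)
    diff = diff_snapshots(before, snapshot_unmanaged(idp_home))
    if not unmanaged_untouched(diff):
        raise RuntimeError("upgrade touched unmanaged files, stopping before build: %r" % diff)
    subprocess.run([os.path.join(idp_home, "bin", "build.sh")], check=True)
    subprocess.run(list(restart_cmd), check=True)
    return diff


def demo() -> dict:
    """Offline simulation in a throw-away directory: an 'upgrade' that only
    rewrites the managed system tree passes, one that rewrites
    conf/idp.properties is caught."""
    home = tempfile.mkdtemp(prefix="idp-home-")
    try:
        files = {  # constructed sample files, not a real IdP installation
            "conf/idp.properties": "idp.entityID = https://aai-login.example.org/idp/shibboleth\n",
            "views/login.vm": "## constructed template\n",
            "edit-webapp/images/logo.png": "not-really-a-png\n",
            "system/conf/services-system.xml": "<beans/>\n",
        }
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(home, rel)), exist_ok=True)
            with open(os.path.join(home, rel), "w") as fh:
                fh.write(content)
        before = snapshot_unmanaged(home)
        with open(os.path.join(home, "system/conf/services-system.xml"), "w") as fh:
            fh.write("<beans><!-- new version --></beans>\n")   # managed: allowed
        after_managed = diff_snapshots(before, snapshot_unmanaged(home))
        with open(os.path.join(home, "conf/idp.properties"), "a") as fh:
            fh.write("idp.session.timeout = PT60M\n")           # unmanaged: must be caught
        after_unmanaged = diff_snapshots(before, snapshot_unmanaged(home))
    finally:
        shutil.rmtree(home)
    return {"managed_ok": unmanaged_untouched(after_managed),
            "unmanaged_ok": unmanaged_untouched(after_unmanaged),
            "caught": after_unmanaged["changed"]}
```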

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata!

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore, no metadata/Resource Registry change needed in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot): 1, 2: To review; 3: To adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: Add new IP ranges and Domain Hints
• 5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
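The grep above answers "was it used?"; the following added Python script (not from the handout) turns that into a per-endpoint decision for all three removal candidates: it finds the most recent line mentioning each binding URN, extracts the timestamp and the SP entityID, and reports whether the endpoint has been quiet for longer than a configurable threshold. The log lines are constructed in the shape of idp-process.log entries, not output captured from a real IdP, and the 90-day threshold is this example's reading of "within the last few months".

```python
import re
from datetime import datetime, timedelta

# Endpoint bindings the handout lists as removal candidates.
CANDIDATES = {
    "Artifact Resolution / Attribute Service, SAML1 SOAP":
        "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "Single Sign On Service, SAML2 HTTP-POST-SimpleSign":
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}

# Constructed log lines (timestamp, level, logger, message); the message text
# is invented for this example and not what a real IdP writes.
SAMPLE_LOG = """\
2015-02-17 09:03:11,412 - INFO [net.shibboleth.idp.profile] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, request from https://legacy-sp.example.org/shibboleth
2015-03-02 08:12:44,101 - INFO [net.shibboleth.idp.profile] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, request from https://legacy-sp.example.org/shibboleth
2015-06-10 17:45:03,977 - INFO [net.shibboleth.idp.profile] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, request from https://sp.example.org/shibboleth
2015-06-11 08:00:21,005 - INFO [net.shibboleth.idp.profile] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, request from https://attribute-viewer.aai.switch.ch/shibboleth
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTITY_ID = re.compile(r"https?://[^\s,'\"<>]+")


def last_use(lines, binding_urn: str):
    """(timestamp, SP entityID) of the most recent line mentioning the binding, or None."""
    latest = None
    for line in lines:
        if binding_urn not in line:
            continue
        stamp = TIMESTAMP.match(line)
        if not stamp:
            continue
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        entity_ids = ENTITY_ID.findall(line)
        sp = entity_ids[-1] if entity_ids else None
        if latest is None or when > latest[0]:
            latest = (when, sp)
    return latest


def removal_report(lines, today: str, quiet_days: int = 90) -> dict:
    """For each candidate endpoint: its last use and whether it has been quiet
    for more than quiet_days as of 'today' (YYYY-MM-DD), i.e. is a candidate
    for removal from the Resource Registry."""
    reference = datetime.strptime(today, "%Y-%m-%d")
    report = {}
    for label, urn in CANDIDATES.items():
        use = last_use(lines, urn)
        quiet = use is None or (reference - use[0]) > timedelta(days=quiet_days)
        report[label] = {"last_use": use, "safe_to_remove": quiet}
    return report


if __name__ == "__main__":
    for label, entry in removal_report(SAMPLE_LOG.splitlines(), "2015-06-11").items():
        print(label, "->", entry)
```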

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram)

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment, the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

  Storage Entity         Recommended Storage   Scope
  Conversation Session   Memory                Per Node
  IdP User Session       Client                Per Client
  Persistent ID          Common Database       Cluster
  User consents          Common Database       Cluster
  SAML artifacts         Common Database       Cluster
  Message replay cache   Memory                Per Node

Remarks:
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

copy 2015 SWITCH

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

[Figure: map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name               | Defined in | Example
displayName                 | eduPerson  | Peter Sample
common name (cn)            | eduPerson  | Peter Sample
mail                        | eduPerson  | peter.sample@example.org
eduPersonAffiliation /      | eduPerson  | staff /
eduPersonScopedAffiliation  |            | staff@example.org
eduPersonPrincipalName      | eduPerson  | 234cd8z239@example.org
schacHomeOrganization       | SCHAC      | example.org
schacHomeOrganizationType   | SCHAC      | urn:schac:homeOrganizationType:ch:university /
                            |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID          |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

[Screenshot: https://www.switch.ch/aai/interfederation]

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN Constitution and eduGAIN Declaration, with Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

[Figure: Metadata]

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

Increase the trust in Service Providers (SPs)

[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes
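How the two categories drive attribute release differently, as an added example (not SWITCH, REFEDS or Shibboleth code): an R&S SP gets the fixed bundle listed on the R&S slide, while a CoCo SP may request any attributes and the IdP releases those its own policy allows. The category URIs are the published REFEDS R&S and GÉANT CoCo identifiers; the SP descriptions, the user record and the local policy set COCO_RELEASABLE are constructed for this example, and the function names are assumptions.

```python
"""Entity-category-driven attribute release (added example, not IdP code)."""
from typing import Dict, Set

RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# R&S bundle as listed on the slide: personal identifiers, pseudonymous
# identifier and affiliation (person name = givenName + sn or displayName).
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonTargetedID", "eduPersonScopedAffiliation"}

# Assumed local policy: what this IdP is willing to hand out to CoCo SPs on request.
COCO_RELEASABLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
                   "eduPersonScopedAffiliation", "eduPersonTargetedID",
                   "schacHomeOrganization", "schacHomeOrganizationType"}


def release_for(sp: Dict[str, object], user: Dict[str, str]) -> Dict[str, str]:
    """Attributes to release to `sp` for `user`.

    sp["categories"] holds the entity-category values from the SP's metadata,
    sp["requested"] the RequestedAttribute names it declares. An SP without a
    recognised category gets nothing here: that is the case that needs a
    bilateral decision in the Resource Registry.
    """
    allowed: Set[str] = set()
    if RS_CATEGORY in sp["categories"]:
        allowed |= RS_BUNDLE                                  # fixed set, SP cannot extend it
    if COCO_CATEGORY in sp["categories"]:
        allowed |= set(sp["requested"]) & COCO_RELEASABLE     # any attribute, filtered by policy
    return {name: value for name, value in user.items() if name in allowed}


def rs_minimum_met(released: Dict[str, str]) -> bool:
    """R&S minimal subset: eduPersonPrincipalName, mail and a person name."""
    keys = set(released)
    has_name = "displayName" in keys or {"givenName", "sn"} <= keys
    return {"eduPersonPrincipalName", "mail"} <= keys and has_name


# Constructed user record, reusing the identifiers of test user staff3 from the handout.
USER_STAFF3 = {
    "eduPersonPrincipalName": "7622788@example.org",
    "mail": "test3.staff@example.org",            # constructed
    "givenName": "Test3",
    "sn": "Staff",
    "eduPersonScopedAffiliation": "staff@example.org",
    "eduPersonTargetedID": "2389cdhu3e-sda7323",   # value part only, constructed
    "schacHomeOrganization": "example.org",
    "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms",
}

# Constructed SPs: one R&S, one CoCo, one without any category.
RS_SP = {"entityID": "https://rs-sp.example.net/shibboleth",
         "categories": {RS_CATEGORY}, "requested": set()}
COCO_SP = {"entityID": "https://coco-sp.example.net/shibboleth",
           "categories": {COCO_CATEGORY},
           "requested": {"mail", "schacHomeOrganization", "eduPersonEntitlement"}}
PLAIN_SP = {"entityID": "https://plain-sp.example.net/shibboleth",
            "categories": set(), "requested": {"mail"}}

if __name__ == "__main__":
    for sp in (RS_SP, COCO_SP, PLAIN_SP):
        print(sp["entityID"], sorted(release_for(sp, USER_STAFF3)))
```

Note that the CoCo SP's request for eduPersonEntitlement is dropped because it is not in the local policy set: the category only tells the IdP that the SP committed to the Code of Conduct, it does not make every requested attribute releasable.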

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: /var/log/apache2/aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok. Change them if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default, the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions, such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

[Figure: Opt-in vs. Opt-out]

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
    • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
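The "were the attributes released?" check from the decision tree above, run over idp-audit.log lines, as an added example (not IdP or SWITCH code). It also serves the log-file slides and the reload hands-on: reload events show up as lines with only the timestamp and profile fields filled. The field layout assumed is the IdP v3 default audit format %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i (13 pipe-separated fields; check conf/audit.xml of your own deployment), the sample lines are constructed, and the function names are assumptions of this example.

```python
"""Checking attribute release in idp-audit.log (added example)."""
from typing import Dict, Iterable, List, Set

# Assumed default layout of an IdP v3 audit line (see conf/audit.xml).
FIELDS = ["time", "request_binding", "request_id", "sp", "profile", "idp",
          "response_binding", "response_id", "principal", "authn_context",
          "attributes", "nameid", "assertion_id"]

# Constructed sample: two SSO logins and one reload event.
SAMPLE_AUDIT = """\
20150611T093012Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1|student1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,mail|AAdzZWNyZXQx|_s1
20150611T093540Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp2.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2|staff3|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation|AAdzZWNyZXQy|_s2
20150611T094001Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_audit(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Split each audit line into named fields; short lines are padded."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        parts = line.split("|")
        parts += [""] * (len(FIELDS) - len(parts))
        records.append(dict(zip(FIELDS, parts)))
    return records


def released_to(records: List[Dict[str, str]], sp_entity_id: str,
                principal: str = None) -> Set[str]:
    """Union of attribute names released to one SP (optionally for one user)."""
    out: Set[str] = set()
    for rec in records:
        if rec["sp"] != sp_entity_id:
            continue
        if principal is not None and rec["principal"] != principal:
            continue
        out |= {name for name in rec["attributes"].split(",") if name}
    return out


def release_check(records: List[Dict[str, str]], sp_entity_id: str,
                  required: Set[str]) -> Dict[str, object]:
    """Apply the slide's decision tree to what the audit log shows."""
    released = released_to(records, sp_entity_id)
    missing = set(required) - released
    if not released:
        verdict = "nothing released: check the IdP attribute release policy"
    elif missing:
        verdict = "incomplete release: review the attribute release policy"
    else:
        verdict = "all required attributes released: SP has to check why it fails"
    return {"released": released, "missing": missing, "verdict": verdict}


def admin_events(records: List[Dict[str, str]]) -> List[str]:
    """Profiles of reload events; note that no other field is filled for them."""
    return [rec["profile"] for rec in records
            if rec["profile"].startswith("http://shibboleth.net/ns/profiles/reload-")]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT.splitlines())
    print(release_check(recs, "https://sp2.example.net/shibboleth",
                        {"mail", "eduPersonScopedAffiliation"}))
    print(admin_events(recs))
```

Against a real log, pipe the file in with `parse_audit(open("/opt/shibboleth-idp/logs/idp-audit.log"))` and use the SP's entityID from the Resource Registry as `sp_entity_id`.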

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Persistent ID and user consent storage

• the IdP requires a relational database for storing persistent identifiers and user consent data
• for a single-instance IdP, install an SQL database which is packaged by the OS vendor
• starting with the IdP v3 deployment guide, and when installed on the same system as the IdP, SWITCH is favoring PostgreSQL
  – PostgreSQL has a long track record of close SQL standards compliance
  – MariaDB 5.5 (community-developed source fork of MySQL) would also be available as a vendor-supplied package, but for Ubuntu only in the "universe" component, i.e. without official support for security updates
• your favorite RDBMS can be used as well, of course
  – a JDBC connector is almost all it takes
  – in particular for clusters, other RDBMSes might be better fits

Testing strategy

• /etc/hosts is your friend
• Set up the IdP v3 on a completely new system
  • retain the existing entity ID, SAML endpoints and the SAML certificate
• with SAML 2, most IdP traffic is now front channel
  – straightforward testing possible by simple edits of your hosts file:
    192.0.2.3 aai-login.example.org
• for back-channel testing, a temporary change to an SP's hosts file can be an option

Test of the VM Images: Boot VM image and test network connectivity

SWITCHaai Team, aai@switch.ch

General Information

• Course material is adapted for use in SWITCHaai
• Course material will be published online: check https://www.switch.ch/aai/docs/training/
• If you see this icon on a slide, hands-on work is required

Boot up the image

1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.

VM Operating System Environment

• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (same name for all participants): aai-login.example.org

Test AAI Login with Demo Service Provider

1. In Firefox, open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the Example Organisation
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux

DOS Command               | Linux Command
dir                       | ls -l
cd <directory>            | cd <directory>
mkdir or md <directory>   | mkdir <directory>
rmdir or rd <directory>   | rmdir <directory>
chdir                     | pwd
del or erase <file>       | rm <file>
copy and xcopy <file>     | cp and cp -R <file>
find or findstr <file>    | grep <string> <file>
comp <file1> <file2>      | diff <file1> <file2>
edit <file>               | nano or vim or emacs <file>
ping <host>               | ping <host>
reboot                    | reboot

File Editing Commands for Terminal Editor

Editor            | nano               | vim
Open file         | $ nano <file>      | $ vim <file>
Save file         | <ctrl>-o           | <esc> :w
Save and exit     | <ctrl>-x           | <esc> :wq
Search string     | <ctrl>-w string    | <esc> /string
Go to line number | <ctrl>-_ number    | <esc> number <shift>-G

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session

• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user: happens automatically if the Terminal is opened or if the text editor is used
• The character \ is the line break symbol, which allows to break a line when typed
• Watch out for invalid XML/configuration errors
• Consult the Debugging handout for hints to resolve problems

More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes (unless otherwise mentioned)
• Delete session cookies after changes (or restart the browser): should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for:
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org/

Test Users on your Identity Provider

• Username: student1, Password: password1
  UniqueID: 2490257@example.org, Givenname/surname: Test1 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org, Givenname/surname: Test2 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org, Givenname/surname: Test3 Staff, Affiliation: staff, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories

• /opt/shibboleth-idp/: Identity Provider installation directory
• /opt/shibboleth-idp/conf/: configuration files
• /opt/shibboleth-idp/logs/: log files like idp-process.log
• /opt/shibboleth-idp/credentials/: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp/: changes for the web application that survive upgrades

SWITCHaai Team, aai@switch.ch

Configuration Pattern: Get used to Spring Beans and Properties

What's that?

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

  <!-- Attribute Resolver Configuration -->
  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <!-- Attribute Filter Configuration -->
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
  • Configuration is located in XML files
  • There are a lot of wired beans
• The whole configuration follows the same pattern
  • With some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

Bean: Some software object that is configurable by setting its attributes
Property: A piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Understanding Beans and Properties

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

  # LDAP connection parameters
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

Examples of Beans

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>
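How a bean attribute such as p:useSSL="%{idp.authn.LDAP.useSSL:false}" ends up with its value, shown as an added example (not Shibboleth or Spring code): the properties file is read, each %{key} or %{key:default} placeholder in the bean's p: attributes is replaced by the property value, and the default after the colon is used when the key is unset. The properties and the connectionConfig bean are the ones from the slides; the helper names are assumptions of this example.

```python
"""Resolving %{key:default} placeholders in IdP bean definitions (added example)."""
import re
from typing import Dict

# %{key} or %{key:default}; the key part may not contain ':' or braces.
PLACEHOLDER = re.compile(r"%\{([^{}:]+)(?::([^{}]*))?\}")
# p:name="value" and p:name-ref="bean" attributes of a <bean> element.
P_ATTR = re.compile(r'p:([\w.]+(?:-ref)?)="([^"]*)"')

# Properties as shown on the "Examples of Properties" slide.
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""

# Bean as shown on the "Examples of Beans" slide (ldap-authn-config.xml).
CONNECTION_CONFIG_BEAN = """\
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key = value, '\\' continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def resolve(value: str, props: Dict[str, str]) -> str:
    """Replace every placeholder; an unset key without a default is an error."""
    def repl(match: "re.Match") -> str:
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"property {key} is not set and has no default")

    for _ in range(10):                  # a property value may itself hold placeholders
        new_value = PLACEHOLDER.sub(repl, value)
        if new_value == value:
            return value
        value = new_value
    raise ValueError("placeholder nesting too deep or circular")


def bean_attributes(bean_xml: str, props: Dict[str, str]) -> Dict[str, str]:
    """Collect the p:* attributes of one <bean> and resolve their placeholders."""
    return {name: resolve(raw, props) for name, raw in P_ATTR.findall(bean_xml)}


if __name__ == "__main__":
    for name, value in bean_attributes(CONNECTION_CONFIG_BEAN,
                                       parse_properties(LDAP_PROPERTIES)).items():
        print(f"{name} = {value}")
```

Two things the output makes visible: useStartTLS resolves to false because the property overrides the bean's default of true, and connectTimeout resolves to 3000 only because of its default, since the slide's properties do not set idp.authn.LDAP.connectTimeout.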

References

For comprehensive information, refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

SWITCHaai Team, aai@switch.ch

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows bull  v2 uses Login Handlers

bull  Typicaldefault setup UsernamePassword login handler bull Usernamepassword login form bull Authentication via JAAS and LDAP (loginconfig)

bull  Additional login handlers are available built-in (eg RemoteUser) or as extension (eg X509 Kerberos (SPNEGO))

bull  v3 uses Login Flows (also called Authentication Flows) bull  Typicaldefault setup Password login flow

bull Usernamepassword login form bull Authentication via LDAP (natively) JAAS or Kerberos (usernamepassword)

bull  Additional login flows are available built-in (eg RemoteUser X509) A login flow for SPNEGOKerberos is in development

2

Page 15

Login Flows
[Diagram: a SAML Request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow and executes it (RemoteUser Authentication Flow, X509 Authentication Flow or Password Authentication Flow); the IdP returns the SAML Response.]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow, depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  • But: the client must support ECP appropriately

Page 16

Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator
    User lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  • idp.authn.LDAP.ldapURL
    URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  • idp.authn.LDAP.useStartTLS
    Enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted.
  • idp.authn.LDAP.useSSL
    Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.

Page 18

Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig
    Type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  • idp.authn.LDAP.baseDN
    Entry point in the user directory
  • idp.authn.LDAP.subtreeSearch
    Enable searching the whole tree. Usually set to true.
  • idp.authn.LDAP.userFilter
    LDAP search filter. Takes the login name as input.

Properties for LDAP authentication
• LDAP service user options
  (The IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN
    Bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential
    Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
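The following checker is an added example, written for this handout; it is not code from SWITCH or the Shibboleth project. It reads an ldap.properties / credentials.properties pair and reports the settings a reviewer looks for against the property descriptions above: an ldap:// URL without StartTLS (the bind password would cross the network unencrypted), useSSL not matching an ldaps:// URL, the bind credential kept in ldap.properties instead of credentials.properties, an authenticator other than bindSearchAuthenticator, and a userFilter without the {user} placeholder. The defaults assumed for useStartTLS (true) and useSSL (false) are the ones shown in ldap-authn-config.xml; the sample property files are constructed copies of the example configuration.

```python
"""Sanity checks for an IdP v3 ldap.properties / credentials.properties pair (added example)."""
from typing import Dict, List

PREFIX = "idp.authn.LDAP."


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")   # split at the first '=' only (DNs contain '=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ldap_config(ldap_props: Dict[str, str], cred_props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the pair looks sane."""
    findings: List[str] = []

    def get(key: str, default: str = "") -> str:
        return ldap_props.get(PREFIX + key, default)

    if get("authenticator") != "bindSearchAuthenticator":
        findings.append("authenticator must be bindSearchAuthenticator")

    # Several servers may be listed, separated by spaces.
    urls = get("ldapURL").split()
    if not urls:
        findings.append("ldapURL is missing")
    # Defaults as in ldap-authn-config.xml: useStartTLS true, useSSL false (assumption).
    use_starttls = get("useStartTLS", "true").lower() == "true"
    use_ssl = get("useSSL", "false").lower() == "true"
    for url in urls:
        if url.startswith("ldaps://"):
            if not use_ssl:
                findings.append(url + ": ldaps URL but useSSL is not true")
        elif url.startswith("ldap://"):
            if not use_starttls:
                findings.append(url + ": ldap URL without StartTLS, the bind is unencrypted")
        else:
            findings.append(url + ": URL must start with ldap:// or ldaps://")

    if "{user}" not in get("userFilter"):
        findings.append("userFilter must contain the {user} placeholder")

    if PREFIX + "bindDNCredential" in ldap_props:
        findings.append("bindDNCredential belongs in credentials.properties, not ldap.properties")
    if PREFIX + "bindDNCredential" not in cred_props:
        findings.append("bindDNCredential is missing from credentials.properties")
    return findings


def check_files(ldap_text: str, cred_text: str) -> List[str]:
    return check_ldap_config(parse_properties(ldap_text), parse_properties(cred_text))


# Constructed copy of the handout's example configuration (the sane case).
GOOD_LDAP = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""
GOOD_CRED = "idp.authn.LDAP.bindDNCredential = secret\n"

# Constructed weak variant: plain ldap:// without StartTLS, password kept in ldap.properties.
WEAK_LDAP = (GOOD_LDAP.replace("ldaps://ldap-test2.aai.switch.ch:636", "ldap://ldap-test2.aai.switch.ch:389")
             .replace("useSSL = true", "useSSL = false")
             + "idp.authn.LDAP.bindDNCredential = secret\n")
WEAK_CRED = ""

if __name__ == "__main__":
    for name, findings in (("good", check_files(GOOD_LDAP, GOOD_CRED)),
                           ("weak", check_files(WEAK_LDAP, WEAK_CRED))):
        print(name, findings or "OK")
```

Run it against your own /opt/shibboleth-idp/conf files by passing their contents to check_files(); the weak variant above produces three findings (cleartext bind, credential in the wrong file, credential missing from credentials.properties).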

Page 19

Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: A common and equivalent alternative to userField is userFilter:
userField="uid"  <=>  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
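As an added example (not part of the handout and not a SWITCH or Shibboleth tool), the migration above can be mechanised: the script parses the key="value" options of the v2 LdapLoginModule entry and emits the v3 properties of the solution, writing the bind password to credentials.properties as the earlier slides recommend. Assumptions: useSSL / useStartTLS are derived from the URL scheme (all ldaps:// URLs give useSSL=true and useStartTLS=false, all ldap:// URLs the opposite; mixed schemes are rejected because one pair of settings cannot fit both), sslConfig is set to jvmTrust as in the handout's example, and both the userField and the userFilter form of the JAAS configuration are mapped to the v3 (attr={user}) filter. The login.config text is a constructed copy of the one shown above.

```python
"""Migrate v2 JAAS LdapLoginModule options (login.config) to v3 ldap.properties (added example)."""
import re
from typing import Dict, Tuple

PREFIX = "idp.authn.LDAP."
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs of the JAAS entry

# Constructed copy of the v2 login.config shown in the hands-on.
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''


def parse_jaas_options(login_config: str) -> Dict[str, str]:
    """Collect the key="value" options of the LdapLoginModule entry."""
    if "LdapLoginModule" not in login_config:
        raise ValueError("no LdapLoginModule entry in login.config")
    return dict(OPTION_RE.findall(login_config))


def v3_user_filter(opts: Dict[str, str]) -> str:
    """userField="uid" and userFilter="uid={0}" both become (uid={user})."""
    if "userFilter" in opts:
        filt = opts["userFilter"].replace("{0}", "{user}")
    else:
        filt = opts["userField"] + "={user}"
    return filt if filt.startswith("(") else "(" + filt + ")"


def migrate(login_config: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (ldap.properties, credentials.properties) as dicts in output order."""
    opts = parse_jaas_options(login_config)
    urls = opts["ldapUrl"].split()
    schemes = {u.split("://", 1)[0] for u in urls}
    if schemes not in ({"ldap"}, {"ldaps"}):
        raise ValueError("mixed or unknown URL schemes, one useSSL/useStartTLS pair cannot fit: %r" % urls)
    ldaps = schemes == {"ldaps"}
    ldap = {
        PREFIX + "authenticator": "bindSearchAuthenticator",
        PREFIX + "ldapURL": " ".join(urls),
        PREFIX + "useStartTLS": "false" if ldaps else "true",
        PREFIX + "useSSL": "true" if ldaps else "false",
        PREFIX + "sslConfig": "jvmTrust",                 # as in the handout's example (assumption)
        PREFIX + "baseDN": opts["baseDn"],
        PREFIX + "subtreeSearch": opts.get("subtreeSearch", "false"),
        PREFIX + "userFilter": v3_user_filter(opts),
        PREFIX + "bindDN": opts["bindDn"],
    }
    # The credential goes to credentials.properties, never to ldap.properties.
    cred = {PREFIX + "bindDNCredential": opts["bindCredential"]}
    return ldap, cred


def render(props: Dict[str, str]) -> str:
    """Java .properties text."""
    return "".join(f"{k} = {v}\n" for k, v in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = migrate(V2_LOGIN_CONFIG)
    print("# /opt/shibboleth-idp/conf/ldap.properties\n" + render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties\n" + render(cred_props))
```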

Page 21

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation:
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

© SWITCH 2015

Login Form Customization
Templates and Customization

SWITCHaai Team
aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23


Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Page 25

Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity template
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example-org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Page 27

Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Page 30

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm
  <img class="idp_logo" align="right" ...
• rebuild and restart tomcat
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties

UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
bad-credentials.message = The credentials you entered are incorrect.
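The two-step lookup behind Example Solution II (classified error to key, key.message to text), modelled as an added example that is not code from the handout or the IdP. It shows what the solution buys: with the original properties the form answers differently for an unknown username and for a wrong password, which lets a caller test which usernames exist; with both classified errors mapped to the single bad-credentials key the answer is the same. The property sets are constructed copies of the slides, and the generic fallback text for an unmapped key is an assumption.

```python
"""Resolve classified login errors to login-form text (added example)."""
from typing import Dict

# Constructed copy of the stock mapping (distinct messages per failure cause).
DISTINCT_MESSAGES = """\
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

# Constructed copy of the mapping after Example Solution II.
UNIFIED_MESSAGES = """\
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-credentials.message = The credentials you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""


def load_messages(text: str) -> Dict[str, str]:
    """'key = value' lines only, which is all these files use."""
    return dict(line.split(" = ", 1) for line in text.splitlines() if " = " in line)


def login_error_text(messages: Dict[str, str], classified_error: str) -> str:
    """Classified error (e.g. UnknownUsername) -> key -> <key>.message text."""
    key = messages.get(classified_error, classified_error)
    return messages.get(key + ".message", "Login failed.")   # fallback text is an assumption


def distinguishes_unknown_user(messages: Dict[str, str]) -> bool:
    """True if the form text differs between an unknown user and a wrong password."""
    return (login_error_text(messages, "UnknownUsername")
            != login_error_text(messages, "InvalidPassword"))


if __name__ == "__main__":
    for label, text in (("stock", DISTINCT_MESSAGES), ("solution II", UNIFIED_MESSAGES)):
        msgs = load_messages(text)
        print(label, "reveals username existence:", distinguishes_unknown_user(msgs))
```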

Page 33

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords in a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

source: Resource Registry

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>
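A model of what the two hands-on solutions above produce, added here as an example; it is not the resolver's code. It reproduces the behaviour the solutions rely on and that the XML alone does not make visible: an ad:Template definition yields one value per value of its source attribute (so the multi-valued objectClass of an entry becomes several entitlement URLs, which is why no script is needed), and an ad:Simple definition with several dependencies merges their values. The sample LDAP entry and the common-lib-terms value are constructed; treating the merge as an ordered union without duplicates is an assumption.

```python
"""Template and Simple attribute definitions, modelled for the two hands-on solutions (added example)."""
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")   # ${attributeName} references inside <ad:Template>


def template_attribute(template: str, attrs: Dict[str, List[str]]) -> List[str]:
    """ad:Template: evaluate the template once per index across the referenced source attributes."""
    names = PLACEHOLDER.findall(template)
    counts = {len(attrs.get(n, [])) for n in names}
    if len(counts) != 1:
        raise ValueError("source attributes must all have the same number of values: %s" % names)
    values: List[str] = []
    for i in range(counts.pop()):
        values.append(PLACEHOLDER.sub(lambda m: attrs[m.group(1)][i], template))
    return values


def simple_attribute(*dependencies: List[str]) -> List[str]:
    """ad:Simple with several dependencies: ordered union of their values (assumption)."""
    merged: List[str] = []
    for dep in dependencies:
        merged.extend(v for v in dep if v not in merged)
    return merged


# Constructed LDAP entry, i.e. what the myLDAP data connector would return for one user.
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson"],
}
# Constructed value of the eduPersonEntitlement.common-lib-terms dependency.
COMMON_LIB_TERMS = ["urn:mace:dir:entitlement:common-lib-terms"]


def resolve(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Run the hands-on 1 and hands-on 2 definitions against one entry."""
    # dependencyOnly="true": the groups attribute feeds eduPersonEntitlement but is not released itself.
    groups = template_attribute("https://example.org/groups/${objectClass}", entry)
    return {
        "uzhSAPUserId": template_attribute("SAP-${uid}", entry),
        "eduPersonEntitlement": simple_attribute(COMMON_LIB_TERMS, groups),
    }


if __name__ == "__main__":
    for attribute_id, values in resolve(LDAP_ENTRY).items():
        print(attribute_id, values)
```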

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
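The computation described above, carried out in an added example that is not code from the handout or the Shibboleth IdP. It hashes the SP entity ID, the user's source attribute value and the salt with SHA-1 and Base64-encodes the 20-byte digest; the "!" bytes separating the three inputs are those of the IdP's computed-ID strategy and are stated here as such. The entity IDs, user value and salt are constructed. Running it shows the pairwise property: the same user gets unrelated values at two SPs, and the value changes with the salt, which is why the salt lives in credentials.properties and must be carried over unchanged from the v2 configuration.

```python
"""Shibboleth-style computed persistent ID and its qualified rendering (added example)."""
import base64
import hashlib


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Base64(SHA-1(spEntityID + "!" + sourceValue + "!" + salt)), 20 bytes -> 28 characters."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form the Shibboleth SP exposes: IdP-qualifier!SP-qualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def digest_length(persistent_id: str) -> int:
    """Number of raw bytes behind a Base64 persistent ID (20 for SHA-1)."""
    return len(base64.b64decode(persistent_id))


# Constructed sample values.
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other.example.org/shibboleth"
USER = "123456@example.org"                       # e.g. a swissEduPersonUniqueID value
SALT = b"constructed-salt-the-real-one-is-in-credentials.properties"

if __name__ == "__main__":
    pid_a = computed_persistent_id(SP_A, USER, SALT)
    pid_b = computed_persistent_id(SP_B, USER, SALT)
    print(qualified_persistent_id(IDP, SP_A, pid_a))
    print(qualified_persistent_id(IDP, SP_B, pid_b))   # same user, unlinkable value at the other SP
```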

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per attribute behaviour:
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
Terms for each SP:
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

Hands-on solution
• Add text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
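The override selection described in this appendix, modelled as an added example that is not the IdP's code. It represents the list in conf/relying-party.xml: candidates match an SP by name (entityID), group (enclosing <EntitiesDescriptor>) or tag (an <EntityAttributes> value), the first override with a matching candidate wins, and an SP with no match falls back to the default relying-party configuration with both consent flows. The metadata records, the in-house SP and the override list are constructed; the tag name is the swissEduPersonHomeOrganization OID from the metadata example above, and the external SP is the attribute viewer from that example. Running it shows that the override above removes the consent flows only for SPs tagged with the organisation's own home-organisation value.

```python
"""Relying-party override matching by name, group or tag (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization


@dataclass
class Entity:
    """What the IdP learns about an SP from metadata."""
    entity_id: str
    groups: List[str] = field(default_factory=list)           # enclosing EntitiesDescriptor names
    tags: Dict[str, List[str]] = field(default_factory=dict)  # EntityAttributes: name -> values


@dataclass
class Candidate:
    kind: str                    # "name", "group" or "tag"
    value: str                   # entityID, group name or tag attribute name
    tag_values: List[str] = field(default_factory=list)

    def matches(self, entity: Entity) -> bool:
        if self.kind == "name":
            return entity.entity_id == self.value
        if self.kind == "group":
            return self.value in entity.groups
        if self.kind == "tag":
            return any(v in entity.tags.get(self.value, []) for v in self.tag_values)
        raise ValueError("unknown candidate kind " + self.kind)


@dataclass
class RelyingPartyConfig:
    bean_id: str
    candidates: List[Candidate]
    post_authentication_flows: List[str]    # flows SAML2.SSO would run after login


DEFAULT = RelyingPartyConfig("shibboleth.DefaultRelyingParty", [],
                             ["terms-of-use", "attribute-release"])

# Constructed override list, mirroring the relying-party.xml example above.
OVERRIDES = [
    RelyingPartyConfig(
        "shibboleth.NoUserConsentRelyingParty",
        [Candidate("tag", HOME_ORG_OID, ["example.org"])],
        [],                                  # consent flows disabled for the organisation's own SPs
    ),
]


def select_relying_party(entity: Entity, overrides: List[RelyingPartyConfig]) -> RelyingPartyConfig:
    """First override with a matching candidate wins; the list order is significant."""
    for rp in overrides:
        if any(c.matches(entity) for c in rp.candidates):
            return rp
    return DEFAULT


# Constructed metadata: an in-house SP tagged with the home organisation, and an external one.
INHOUSE_SP = Entity("https://sp.example.org/shibboleth",
                    groups=["example.org-sps"], tags={HOME_ORG_OID: ["example.org"]})
EXTERNAL_SP = Entity("https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth",
                     tags={HOME_ORG_OID: ["switch.ch"]})

if __name__ == "__main__":
    for sp in (INHOUSE_SP, EXTERNAL_SP):
        rp = select_relying_party(sp, OVERRIDES)
        print(sp.entity_id, "->", rp.bean_id, rp.post_authentication_flows)
```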

Page 58

SWITCHaai Team
aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References
Documentation:
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description
Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata might still cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2), therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
(Screenshot of the Resource Registry form: sections 1 and 2 are to be reviewed, section 3 is to be adapted.)

1. Review the Home Organisation Description

In particular review, and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or a separate IP address for the IdP Attribute Authority (AA).

New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed
• No X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata. The response travels over the TLS connection, so its confidentiality rests on the IdP's web server certificate, which the SP verifies against the IdP's metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it is better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying that they are not used.

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check whether it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time, SP) on when the binding was used the last time. Make sure the retained (rotated) log history actually covers the period you are checking; an empty result from a short retention window proves nothing.
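As an added example (not part of the SWITCH handout or the Shibboleth distribution), the following Python script automates the check above: it lists the endpoints the IdP publishes in its metadata, flags the three removal candidates and any Attribute Authority or artifact endpoint that does not share host and port with the SSO endpoints, and looks up the last use of each binding in idp-process log lines. The metadata fragment and the log lines are constructed here; the log message wording is an assumption, only the binding URN and the SP entityID in the line matter.

```python
"""Find published-but-unused IdP endpoints before removing them from the
Resource Registry: cross-check the IdP's own SAML metadata against
idp-process log lines.  Added example, not SWITCH or Shibboleth code."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Bindings the handout names as removal candidates (element, binding URN).
CANDIDATES = {
    ("SingleSignOnService", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"),
    ("ArtifactResolutionService", "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"),
    ("AttributeService", "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"),
}
ROLES = (MD + "IDPSSODescriptor", MD + "AttributeAuthorityDescriptor")

# Constructed IdP metadata (not real example.org metadata): the AA and the
# artifact endpoint still sit on port 8443, which the handout says to change.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://aai-login.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://aai-login.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://aai-login.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://aai-login.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://aai-login.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

# Constructed idp-process.log lines in the "%date - %level [%logger:%line] - %msg"
# layout; the message text is assumed, only binding URN and SP entityID matter.
LOG_LINES = [
    "2015-02-03 09:12:44,101 - INFO [net.shibboleth.idp.profile:1] - Inbound binding "
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth",
    "2015-04-21 16:05:02,377 - INFO [net.shibboleth.idp.profile:1] - Inbound binding "
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth",
]

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTITY = re.compile(r"(https?://\S+)\s*$")


def endpoints(metadata_xml):
    """Yield (role, element, binding, location) for every IdP/AA endpoint."""
    root = ET.fromstring(metadata_xml)
    for role in root:
        if role.tag not in ROLES:
            continue
        for ep in role:
            if "Binding" in ep.attrib and "Location" in ep.attrib:
                yield (role.tag[len(MD):], ep.tag[len(MD):],
                       ep.get("Binding"), ep.get("Location"))


def last_use(lines, binding):
    """Latest (timestamp, SP) seen with this binding URN, or (None, None).
    Like the grep above, SAML1 SOAP matches both AA and artifact traffic."""
    latest = (None, None)
    for line in lines:
        m = TS.match(line)
        if binding not in line or not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if latest[0] is None or ts > latest[0]:
            sp = ENTITY.search(line)
            latest = (ts, sp.group(1) if sp else None)
    return latest


def review(metadata_xml, lines):
    """One finding per published endpoint."""
    sso_hosts = {urlsplit(loc).netloc for _, el, _, loc in endpoints(metadata_xml)
                 if el == "SingleSignOnService"}
    findings = []
    for role, el, binding, loc in endpoints(metadata_xml):
        ts, sp = last_use(lines, binding)
        findings.append({
            "endpoint": el, "binding": binding.rsplit(":", 1)[1],
            "candidate": (el, binding) in CANDIDATES,
            "last_used": ts.date().isoformat() if ts else None,
            "last_sp": sp,
            # AA/artifact endpoints should share host and port (443) with SSO.
            "separate_aa_host": el in ("AttributeService", "ArtifactResolutionService")
            and urlsplit(loc).netloc not in sso_hosts,
        })
    return findings
```

Run it against your real metadata (the Resource Registry export) and the full retained idp-process log history; an endpoint that is a candidate, has no last_used date and whose log window is long enough can be dropped from "3 Technical Information".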

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to re-login

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
(Two diagrams of an example cluster environment.)

Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for the short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but a more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side

• A server-side database can store any data
  • But: might cause some performance penalty
  • A centralized/clustered or replicated database is required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks:
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
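The following Python checker, added here as an example and not part of the handout or the IdP, reads the storage-service settings from idp.properties and compares them with the recommendation table: it reports the settings that would break a multi-node cluster (per-node artifact store, per-client consent) and accepts the shipped defaults for a single node. The bean names are the IdP's shipped storage services plus shibboleth.JPAStorageService from the SWITCH global.xml; the two property sets are constructed for the example.

```python
"""Check the storage-service settings in idp.properties against the
clustering rec ommendations of this handout.  Added example, not
Shibboleth or SWITCH code."""

# What each storage entity needs in a multi-node cluster, per the table above.
# "per-client": encrypted cookie, floats between nodes.  "shared": database
# reachable from every node.  "per-node": memory, accepted where stated.
REQUIREMENTS = {
    "idp.session.StorageService":     {"per-client", "shared"},
    "idp.consent.StorageService":     {"shared"},
    "idp.artifact.StorageService":    {"shared"},
    "idp.replayCache.StorageService": {"shared", "per-node"},
}

# Scope of the storage-service beans the IdP ships, plus the SWITCH JPA bean.
SCOPE = {
    "shibboleth.StorageService": "per-node",                 # in-memory
    "shibboleth.ClientSessionStorageService": "per-client",  # session cookie
    "shibboleth.ClientPersistentStorageService": "per-client",
    "shibboleth.JPAStorageService": "shared",                # database via global.xml
}


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_cluster_storage(properties_text, nodes):
    """Return a list of findings; an empty list means the settings fit."""
    props = parse_properties(properties_text)
    findings = []
    for key, allowed in REQUIREMENTS.items():
        bean = props.get(key)
        if bean is None:
            findings.append(f"{key} not set; the IdP default applies, set it explicitly")
            continue
        scope = SCOPE.get(bean, "unknown")
        if scope == "unknown":
            findings.append(f"{key}={bean}: unknown bean, verify its scope in global.xml")
        elif nodes > 1 and scope not in allowed:
            findings.append(f"{key}={bean} is {scope}; a cluster needs {sorted(allowed)}")
        elif nodes > 1 and key == "idp.replayCache.StorageService" and scope == "per-node":
            findings.append(f"{key}={bean}: replay protection is per node only "
                            "(accepted default; use a shared store for stricter requirements)")
    return findings


# Constructed single-node settings, i.e. the IdP defaults before clustering.
SINGLE_NODE = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# Constructed settings following the recommendation table of this handout.
CLUSTER = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for name, text in (("single-node defaults", SINGLE_NODE), ("cluster", CLUSTER)):
        print(name, "on 2 nodes:", check_cluster_storage(text, 2) or "OK")
```

The replay-cache finding is deliberately only advisory: the handout keeps the in-memory default, but with per-node caches a replayed SAML message can be accepted by a second node, which is why stricter deployments move it to the common database.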

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • Copy the key store over an authenticated, encrypted channel only (e.g. scp or rsync over SSH): whoever obtains the key can forge IdP user session cookies
  • The documentation on the Shibboleth wiki contains some details including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
(World map of production and pilot federations. Source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation           eduPerson    staff
eduPersonScopedAffiliation     eduPerson    staff@example.org
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
(Screenshot of the Resource Registry; see https://www.switch.ch/aai/interfederation/)

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Figure: the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile.)

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria: purpose, policies, or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
(Figure: how the entity category appears in an entity's metadata.)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Figure: SPs commit to the GÉANT Data Protection Code of Conduct, Home Organisations learn the SP's commitment; this increases the trust in Service Providers.)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes
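As an added example (not SWITCH's Resource Registry logic and not IdP code), the Python snippet below derives the attribute set an IdP may release from the entity categories in an SP's metadata, following the comparison above: the fixed R&S bundle for an R&S SP, the SP's own RequestedAttributes for a CoCo SP, and nothing for a CoCo SP that publishes no PrivacyStatementURL (the Code requires one). The two SP metadata documents are constructed for the example.

```python
"""Entity-category driven attribute release decision.  Added example,
not SWITCH or Shibboleth code.  Category URIs and the R&S bundle are
taken from the handout; the SP metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# R&S bundle: identifiers, person name, affiliation, pseudonymous identifier.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}


def entity_categories(ed):
    """Values of the entity-category entity attribute of an EntityDescriptor."""
    cats = set()
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def requested(ed):
    """FriendlyName of each RequestedAttribute -> isRequired flag."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("FriendlyName"): ra.get("isRequired", "false") == "true"
            for ra in ed.findall(path, NS) if ra.get("FriendlyName")}


def has_privacy_statement(ed):
    return bool(ed.findall("md:SPSSODescriptor/md:Extensions/mdui:UIInfo/"
                           "mdui:PrivacyStatementURL", NS))


def release_plan(sp_metadata_xml):
    """{'basis': 'R&S'|'CoCo'|'none', 'attributes': set, ['reason': str]}."""
    ed = ET.fromstring(sp_metadata_xml)
    cats = entity_categories(ed)
    if RS in cats:                       # fixed bundle, whatever the SP requests
        return {"basis": "R&S", "attributes": set(RS_BUNDLE)}
    if COCO in cats:                     # only what the SP declares it needs
        if not has_privacy_statement(ed):
            return {"basis": "none", "attributes": set(),
                    "reason": "CoCo SP without PrivacyStatementURL"}
        return {"basis": "CoCo", "attributes": set(requested(ed))}
    return {"basis": "none", "attributes": set(), "reason": "no supported entity category"}


# Constructed SP metadata (not real entities).
RS_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://wiki.example.net/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

COCO_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://journal.example.net/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
      <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">https://journal.example.net/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Journal</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

The decision only trusts categories that arrive in signed federation metadata; an SP cannot grant itself R&S by editing its own metadata, because the registrar (here the Resource Registry or the remote federation) is the one that adds the tag.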

Attribute Release Configuration: How attributes are released

Attribute Release Rules
(Screenshot.)

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings.)

Attribute Release Settings (2)
(Screenshot.)

Overview of Log Files

Apache log files

Log files:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, i.e. for the LDAP auth module or authentication events, a new Logger or Appender, ...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date - %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

(The root level DEBUG is for testing only; with its default evaluator the SMTPAppender sends a mail on each ERROR event.)
http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2

Find out why not all of the attributes appear.

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat

Reloading the Configuration
New options with IdPv3

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=<bean-id>
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=<md-id>
• Available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • Edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• And a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely
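Added example (not part of the handout or the IdP): a small Python helper that, given a changed file below /opt/shibboleth-idp, tells whether one of the reload flows listed above covers it or whether build.sh plus a container restart is needed, and that triggers the reload through the admin URL. The file-to-service mapping is taken from the two lists above; the IdP host name and the assumption that the script runs on the IdP node itself (where the flows are reachable) are assumptions of the example.

```python
"""Reload-or-restart decision for IdPv3 configuration changes, plus the
reload call itself.  Added example based on this handout's lists; not
Shibboleth or SWITCH code."""
import fnmatch
import ssl
import urllib.parse
import urllib.request

IDP_HOME = "/opt/shibboleth-idp"
BASE_URL = "https://aai-login.example.org/idp/profile/admin"   # assumed IdP host

# conf/ file pattern -> reloadable service bean ID (from the handout's list).
RELOADABLE = [
    ("conf/logback.xml", "shibboleth.LoggingService"),
    ("conf/attribute-filter.xml", "shibboleth.AttributeFilterService"),
    ("conf/attribute-resolver*.xml", "shibboleth.AttributeResolverService"),
    ("conf/saml-nameid.xml", "shibboleth.NameIdentifierGenerationService"),
    ("conf/relying-party.xml", "shibboleth.RelyingPartyResolverService"),
    ("conf/credentials.xml", "shibboleth.RelyingPartyResolverService"),
    ("conf/metadata-providers.xml", "shibboleth.MetadataResolverService"),
    ("conf/access-control.xml", "shibboleth.ReloadableAccessControlService"),
]
# Patterns that need build.sh and/or a container restart instead.
RESTART = ["conf/services.xml", "conf/global.xml", "conf/ldap.properties",
           "conf/authn/*", "edit-webapp/*"]
SERVICE_IDS = {bean for _, bean in RELOADABLE}


def action_for(path):
    """('reload', bean_id), ('restart', None), ('auto', None) or ('unknown', None)."""
    rel = path[len(IDP_HOME) + 1:] if path.startswith(IDP_HOME + "/") else path
    for pattern, bean in RELOADABLE:
        if fnmatch.fnmatch(rel, pattern):
            return ("reload", bean)
    if rel.startswith("messages/") or rel.startswith("views/"):
        return ("auto", None)          # message cache / Velocity pick changes up
    if any(fnmatch.fnmatch(rel, p) for p in RESTART):
        return ("restart", None)
    return ("unknown", None)


def reload_url(kind, target):
    """Build the admin flow URL; refuses unknown service IDs so that a typo
    cannot silently reload a different component."""
    if kind not in ("service", "metadata"):
        raise ValueError(f"unknown reload kind: {kind}")
    if kind == "service" and target not in SERVICE_IDS:
        raise ValueError(f"not a reloadable service: {target}")
    return f"{BASE_URL}/reload-{kind}?" + urllib.parse.urlencode({"id": target})


def trigger_reload(kind, target, timeout=10):
    """Call the flow.  Access is restricted to localhost by default, so run
    this on the IdP node.  Returns the HTTP status code."""
    req = urllib.request.Request(reload_url(kind, target))
    ctx = ssl.create_default_context()          # verify the IdP's certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    for changed in (f"{IDP_HOME}/conf/attribute-resolver-switch.xml",
                    f"{IDP_HOME}/conf/global.xml"):
        print(changed, "->", action_for(changed))
```

If you wire this into a deployment script, keep the access-control.xml restriction in place: the reload flows are an administrative interface, and a reload of a file containing a syntax error leaves the previously loaded configuration active, which the script should report rather than retry blindly.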

(Ideas for) hands-on exercises

• Try reloading a couple of the services listed on the slide "Available bean IDs for service reloads":
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=...'
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
    ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: discovery service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities are unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load the interfederation metadata, so the SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem had not been discovered earlier.
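Added example, not part of the handout: a Python parser for idp-audit.log that follows the decision tree above. Instead of hard-coding column positions it takes the audit format string (the %T|%SP|... style used in conf/audit.xml), so it must be given the format string your deployment actually uses; the format string and the log lines below are constructed for the example.

```python
"""Verify from idp-audit.log which attributes were released to an SP and
compare them with the SP's requirements.  Added example; not Shibboleth
or SWITCH code.  The record layout is read from the audit format string
of the deployment, so no column positions are hard-coded."""
import re

# Assumed format string, to be replaced by the one in your audit.xml.
# Field codes: %T timestamp, %u username, %SP relying party, %P profile URI,
# %b inbound binding, %attr attribute IDs (comma separated).
AUDIT_FORMAT = "%T|%u|%SP|%P|%b|%attr"

# Constructed audit lines in that layout (not real log data).
AUDIT_LINES = [
    "20150602T081512Z|student1|https://sp.example.org/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "eduPersonPrincipalName,mail,displayName",
    "20150602T081930Z|student1|https://filesender.example.net/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "eduPersonTargetedID",
    "20150602T082001Z|||http://shibboleth.net/ns/profiles/reload-metadata||",
]

FIELD = re.compile(r"%[A-Za-z]+")


def parse_audit(fmt, line):
    """Split one record by the separator used in fmt; returns {code: value}."""
    codes = FIELD.findall(fmt)
    sep = FIELD.sub("", fmt)[0]          # first literal character of fmt
    values = line.split(sep)
    if len(values) != len(codes):
        raise ValueError(f"expected {len(codes)} fields, got {len(values)}")
    return dict(zip(codes, values))


def releases(fmt, lines, sp):
    """Every audited browser SSO to sp with the attribute IDs released."""
    out = []
    for line in lines:
        rec = parse_audit(fmt, line)
        if rec["%SP"] != sp or not rec["%P"].endswith("/sso/browser"):
            continue
        attrs = [a for a in rec["%attr"].split(",") if a]
        out.append((rec["%T"], rec["%u"], attrs))
    return out


def check_release(fmt, lines, sp, required):
    """Follow the handout's decision tree for a failing interfederated SP."""
    seen = releases(fmt, lines, sp)
    if not seen:
        return "no release to this SP in the audit log: check your attribute release policy"
    released = seen[-1][2]
    missing = sorted(set(required) - set(released))
    if missing:
        return f"released {released} but the SP also requires {missing}: review your attribute release policy"
    return "all required attributes were released: the SP side has to check why it fails"


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print(check_release(AUDIT_FORMAT, AUDIT_LINES, sp, ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"]))
```

The required list comes from the SP's entry in the Resource Registry; note that the audit log shows what the IdP released, not what the SP decrypted, so the encryption failure described above is invisible here and must be diagnosed on the SP side.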

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • Or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck, provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch


Test of the VM Images
Boot VM image and test network connectivity

SWITCHaai Team, aai@switch.ch

General Information
• Course material is adapted for use in SWITCHaai
• Course material will be published online. Check https://www.switch.ch/aai/docs/training/
• If you see this on a slide, hands-on work is required

Boot up the image
1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.

VM Operating System Environment
• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname: the same name for all participants: aai-login.example.org

Test AAI Login with Demo Service Provider
1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux

DOS Command                    Linux Command
dir                            ls -l
cd <directory>                 cd <directory>
mkdir or md <directory>        mkdir <directory>
rmdir or rd <directory>        rmdir <directory>
chdir                          pwd
del or erase <file>            rm <file>
copy and xcopy <file>          cp and cp -R <file>
find or findstr <file>         grep <string> <file>
comp <file1> <file2>           diff <file1> <file2>
edit <file>                    nano or vim or emacs <file>
ping <host>                    ping <host>
reboot                         reboot

File Editing Commands for Terminal Editor

Editor               nano                    vim
Open file            $ nano <file>           $ vim <file>
Save file            <ctrl>-o                <esc> :w
Save and exit        <ctrl>-x                <esc> :wq
Search string        <ctrl>-w string         <esc> /string
Go to line number    <ctrl>-_ number         <esc> number <shift>-G

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user
  – Happens automatically if Terminal is opened or if the text editor is used
• The character \ is the line break symbol, which allows breaking a line when typed
• Watch out for invalid XML/configuration errors
  – Consult the Debugging handout for hints to resolve problems

More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes
  – Unless otherwise mentioned
• Delete session cookies after changes (or restart the browser)
  – Should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for:
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org

Test Users on your Identity Provider
• Username: student1, Password: password1
  UniqueID: 2490257@example.org, Givenname / surname: Test1 / Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org, Givenname / surname: Test2 / Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org, Givenname / surname: Test3 / Staff, Affiliation: staff, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories
• /opt/shibboleth-idp
  – Identity Provider installation directory
• /opt/shibboleth-idp/conf
  – Configuration files
• /opt/shibboleth-idp/logs
  – Log files like idp-process.log
• /opt/shibboleth-idp/credentials
  – X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp
  – Changes for the web application that survive upgrades

Configuration Pattern
Get used to Spring Beans and Properties

SWITCHaai Team, aai@switch.ch

What's that?

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

  <!-- Attribute Resolver Configuration -->
  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <!-- Attribute Filter Configuration -->
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  </util:list>

Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
  – Configuration is located in XML files
  – There are a lot of wired beans
• The whole configuration follows the same pattern
  – With some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

  # LDAP connection parameters
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  </util:list>

References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication
How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    – Username/password login form
    – Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    – Username/password login form
    – Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.

Login Flows

[Figure: a SAML Request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser Authentication Flow, X509 Authentication Flow or Password Authentication Flow) and executes it; a SAML Response is returned]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  – But: the client must support ECP appropriately

Authentication Configuration
• Login flow activation
  – /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
• Per login flow configuration
  – /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted.
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.

Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true.
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.

Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)
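The following is an added example, not part of the SWITCH handouts: a small checker for the idp.authn.LDAP.* settings just described. It parses Java-style properties text and reports the transport mistakes that the slides warn about (an ldap:// URL without StartTLS, an ldaps:// URL with useSSL left at false, a bind password placed in ldap.properties instead of credentials.properties). The sample property texts are constructed; the default values and the three sslConfig trust types are those of the IdP 3 LDAP configuration.

```python
import re

# IdP 3 defaults for these keys, i.e. the %{key:default} values seen in
# ldap-authn-config.xml: StartTLS defaults to on, plain SSL to off.
DEFAULTS = {
    "idp.authn.LDAP.useStartTLS": "true",
    "idp.authn.LDAP.useSSL": "false",
}
# Trust configuration types accepted by the IdP 3 LDAP settings.
TRUST_TYPES = ("jvmTrust", "certificateTrust", "keyStoreTrust")


def parse_properties(text):
    """Parse 'key = value' lines of a .properties file; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_true(value):
    return value.strip().lower() == "true"


def check_ldap_properties(ldap_text, credentials_text=""):
    """Return a list of findings; an empty list means nothing to report."""
    ldap = parse_properties(ldap_text)
    creds = parse_properties(credentials_text)
    findings = []

    if ldap.get("idp.authn.LDAP.authenticator") != "bindSearchAuthenticator":
        findings.append("authenticator must be set to bindSearchAuthenticator")

    use_starttls = is_true(ldap.get("idp.authn.LDAP.useStartTLS", DEFAULTS["idp.authn.LDAP.useStartTLS"]))
    use_ssl = is_true(ldap.get("idp.authn.LDAP.useSSL", DEFAULTS["idp.authn.LDAP.useSSL"]))

    urls = ldap.get("idp.authn.LDAP.ldapURL", "").split()  # several servers, space separated
    if not urls:
        findings.append("idp.authn.LDAP.ldapURL is not set")
    for url in urls:
        if url.startswith("ldaps://") and not use_ssl:
            findings.append(f"{url}: ldaps URL but useSSL is not true")
        elif url.startswith("ldap://") and not use_starttls:
            findings.append(f"{url}: ldap URL with useStartTLS=false, bind password travels unencrypted")
        elif not url.startswith(("ldap://", "ldaps://")):
            findings.append(f"{url}: URL must start with ldap:// or ldaps://")

    ssl_config = ldap.get("idp.authn.LDAP.sslConfig", "jvmTrust")
    if ssl_config not in TRUST_TYPES:
        findings.append(f"sslConfig {ssl_config!r} is not one of {', '.join(TRUST_TYPES)}")

    # The service user's password belongs in credentials.properties only.
    if "idp.authn.LDAP.bindDNCredential" in ldap:
        findings.append("bindDNCredential found in ldap.properties; move it to credentials.properties")
    elif "idp.authn.LDAP.bindDNCredential" not in creds:
        findings.append("bindDNCredential missing from credentials.properties")
    return findings


# Constructed sample: mirrors the handout's example configuration.
GOOD_LDAP = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""
GOOD_CREDS = "idp.authn.LDAP.bindDNCredential = secret\n"

# Constructed sample with three problems: a plaintext ldap:// server,
# useSSL=false for the ldaps:// server, and the password in the wrong file.
WEAK_LDAP = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap-test1.aai.switch.ch:389 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
idp.authn.LDAP.bindDNCredential = secret
"""

if __name__ == "__main__":
    print("good:", check_ldap_properties(GOOD_LDAP, GOOD_CREDS))
    print("weak:", check_ldap_properties(WEAK_LDAP))
```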


Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
  – Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

  ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:

  userField="uid"   is equivalent to   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    – Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Velocity Properties

  <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      ## the service name comes from SP metadata, so HTML-encode it before rendering
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:

  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }

• use the class in login.vm:

  <img class="idp_logo" align="right" …

• rebuild and restart tomcat:

  $ sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  $ sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:

  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  – Less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.

New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>
          shibboleth.PostgreSQLDataSource
      </dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
          <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
  </resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):

  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):

  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
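The derivation described above, as an added example that is not part of the handouts: SHA-1 over the SP entity ID, the user's source attribute value and the secret salt, Base64 encoded, then qualified by both entity IDs the way the Shibboleth SP renders it. The "!" separators between the three hash inputs follow the convention of Shibboleth's computed-ID generator; the slide itself only says "plus", so treat that as an assumption. The salt and entity IDs below are constructed sample values.

```python
import base64
import hashlib

# Constructed sample IdP entity ID (matches the training VM's hostname).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"


def persistent_id(sp_entity_id, source_value, salt):
    """Base64 SHA-1 over spEntityID ! sourceValue ! salt (28 chars = 20 bytes).

    The '!' separators are assumed from Shibboleth's computed-ID generator.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def sp_attribute_string(sp_entity_id, value, idp_entity_id=IDP_ENTITY_ID):
    """String form exported by the Shibboleth SP: idpEntityID!spEntityID!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def demo():
    # The real salt lives in credentials.properties (idp.persistentId.salt);
    # without it nobody who knows the uid and SP can recompute the ID.
    salt = "CONSTRUCTED-SALT-replace-in-credentials.properties"
    uid = "2490257@example.org"  # test user student1 from the handout
    sp_a = "https://sp.example.org/shibboleth"
    sp_b = "https://other-sp.example.org/shibboleth"  # constructed second SP

    pid_a = persistent_id(sp_a, uid, salt)
    pid_b = persistent_id(sp_b, uid, salt)
    return {
        "pid_a": pid_a,
        "pid_b": pid_b,
        # pair-wise: the same user gets a different ID at every SP
        "pairwise": pid_a != pid_b,
        # persistent: the same inputs always yield the same ID
        "stable": pid_a == persistent_id(sp_a, uid, salt),
        # changing the salt (e.g. after a v2 migration without carrying it over) changes every ID
        "salt_bound": pid_a != persistent_id(sp_a, uid, "another-salt-value-16+"),
        "digest_bytes": len(base64.b64decode(pid_a)),
        "sp_view": sp_attribute_string(sp_a, pid_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```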

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c "truncate shibpid" before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:

  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows:
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

• Consent duration options:
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

Hands-on solution

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="ShibbolethSSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
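The metadata example and the relying party override above fit together: the override only applies when the SP's EntityAttributes carry the tag it names. As an added example (not code from the handouts or from the Shibboleth IdP), the script below reads the entity attributes out of a metadata snippet and applies the "first match wins" rule; the sample metadata is the slide's snippet with namespace declarations added so that it parses, the override list mirrors the RelyingPartyByTag bean, and all function names are this example's own.

```python
"""Read SAML metadata entity attributes and evaluate relying-party
overrides the way the slides describe (first match wins).

Added example, not SWITCH or Shibboleth project code.  The metadata
below is constructed from the slide's snippet (namespaces added); the OIDs
and the entity-category URI are the ones shown on the slides."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"       # swissEduPersonHomeOrganization
SWISS_HOME_ORG_TYPE = "urn:oid:2.16.756.1.2.5.1.1.5"  # swissEduPersonHomeOrganizationType

# Constructed sample metadata (namespace declarations added so it parses).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                      Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""


def entity_attributes(metadata_xml):
    """Return (entityID, {attribute Name: [values]}) for one EntityDescriptor.
    Values are stripped: slides (and real metadata) often wrap them in whitespace."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return root.get("entityID"), attrs


# Overrides in the order they would appear in relying-party.xml.  Each entry
# mirrors one RelyingPartyByTag bean: (relying party id, tag name, accepted values).
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", SWISS_HOME_ORG, {"example.org"}),
]


def select_relying_party(attrs, overrides=OVERRIDES):
    """First override whose tag candidate matches wins; otherwise the default."""
    for rp_id, tag_name, accepted in overrides:
        if accepted & set(attrs.get(tag_name, [])):
            return rp_id
    return "shibboleth.DefaultRelyingParty"


def consent_required(attrs, overrides=OVERRIDES):
    """The override on the slide lists the SSO profiles without
    post-authentication flows, so consent is only prompted for the default."""
    return select_relying_party(attrs, overrides) == "shibboleth.DefaultRelyingParty"


if __name__ == "__main__":
    entity_id, attrs = entity_attributes(SAMPLE_METADATA)
    print(entity_id)
    print("CoCo:", COCO_V1 in attrs.get(ENTITY_CATEGORY, []))
    print("relying party:", select_relying_party(attrs))
```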

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?

Fortunately not, but revising metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore, no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch/

Home Organisation Description

1, 2: To review
3: To adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  • Add new IP ranges and Domain Hints
• 5. Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then?
In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically, the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove?
Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed?
Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
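The grep above returns raw lines; before removing an endpoint one usually wants the last use per SP and a yes/no against a cut-off date. The script below does that as an added example (not code from the handouts or the Shibboleth IdP): the log lines are constructed for this example, the line layout follows the IdP v3 default logback pattern, and the message texts, entityIDs and function names are illustrative assumptions.

```python
"""Find the last use of a SAML binding in idp-process logs before removing
its endpoint from the Resource Registry.

Added example; not code from the SWITCH handouts or the Shibboleth IdP.
The log lines below are constructed: the layout (timestamp, level,
[logger:line], message) follows the IdP v3 default logback pattern, but the
message texts and SP entityIDs are only illustrative."""
import re
from datetime import datetime, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample of what grep over idp-process-2015-*.log might return
# (plus one junk line, which the parser must skip).
SAMPLE_LOG = """\
2015-01-14 09:12:03,118 - INFO [net.shibboleth.idp.profile:42] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp1.example.org/shibboleth
2015-03-02 17:45:51,004 - INFO [net.shibboleth.idp.profile:42] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp2.example.org/shibboleth
2015-03-02 17:46:10,771 - INFO [net.shibboleth.idp.profile:42] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp3.example.org/shibboleth
2015-05-30 08:00:22,310 - INFO [net.shibboleth.idp.profile:42] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp1.example.org/shibboleth
not a log line at all
"""

# "%date - %level [%logger:%line] - %msg" as written by the default pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} - \w+ \[[^\]]+\] - (?P<msg>.*)$")
SP_RE = re.compile(r"\bfrom (?P<sp>https?://\S+)")


def binding_usage(log_text, binding):
    """Map each SP entityID to the latest timestamp at which it used `binding`."""
    last_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or binding not in m.group("msg"):
            continue
        sp = SP_RE.search(m.group("msg"))
        if not sp:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        entity_id = sp.group("sp")
        if entity_id not in last_seen or ts > last_seen[entity_id]:
            last_seen[entity_id] = ts
    return last_seen


def safe_to_remove(log_text, binding, today, months=3):
    """True when no SP used the binding within the last `months` months
    before `today` (an ISO date string; 30-day months are close enough
    for a 'last few months' check)."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=30 * months)
    return all(ts < cutoff for ts in binding_usage(log_text, binding).values())


if __name__ == "__main__":
    for entity_id, ts in sorted(binding_usage(SAMPLE_LOG, SAML1_SOAP).items()):
        print(ts, entity_id)
    print("safe to remove:", safe_to_remove(SAMPLE_LOG, SAML1_SOAP, "2015-06-11"))
```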

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagrams on slides 5 and 6, not reproduced in the text)

Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs server-side

• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
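A quick way to check a node's idp.properties against the "Storage Recommendations" table and the property names listed under "IdP Configuration: Storage" is to parse the file and compare each storage entity's service bean with the recommended scope. This is an added example (not SWITCH or Shibboleth code): the property names and shibboleth.JPAStorageService come from the slides, while shibboleth.StorageService (in-memory), shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService (cookie-based) are assumed to be the IdP v3 default bean names, and both properties excerpts are constructed.

```python
"""Check storage-service settings in idp.properties against the cluster
recommendations from the slides: consents and artifacts on a common
database, user session on the client, replay cache in memory (or database).

Added example, not part of the SWITCH handouts or the Shibboleth software.
Property names and shibboleth.JPAStorageService are from the slides; the
other bean names are assumed to be the IdP v3 defaults."""

# Bean names that satisfy each recommended storage type (assumed defaults,
# except shibboleth.JPAStorageService which is named on the slides).
COMMON_DB = {"shibboleth.JPAStorageService"}
CLIENT = {"shibboleth.ClientSessionStorageService"}
MEMORY = {"shibboleth.StorageService"}

# Recommended storage per entity, as on the "Storage Recommendations" slide;
# the replay cache may alternatively live in the common database.
RECOMMENDED = {
    "idp.session.StorageService": ("Client", CLIENT),
    "idp.consent.StorageService": ("Common Database", COMMON_DB),
    "idp.artifact.StorageService": ("Common Database", COMMON_DB),
    "idp.replayCache.StorageService": ("Memory or Common Database", MEMORY | COMMON_DB),
}

# Constructed single-node style settings: fine alone, but in a cluster the
# consents stay in one browser and artifacts are invisible to other nodes.
SINGLE_NODE_PROPERTIES = """\
# idp.properties (excerpt, constructed for this example)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# Constructed cluster settings following the recommendations table.
CLUSTER_PROPERTIES = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' or 'key: value' lines,
    '#' and '!' comment lines; enough for idp.properties style files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def cluster_findings(text):
    """Return [(property, configured bean or None, recommended storage)] for
    every storage entity whose bean does not match the recommendation.
    A property that is not set at all is reported too, since the IdP default
    then applies and should be checked explicitly."""
    props = parse_properties(text)
    findings = []
    for key, (label, ok_beans) in RECOMMENDED.items():
        value = props.get(key)
        if value not in ok_beans:
            findings.append((key, value, label))
    return findings


if __name__ == "__main__":
    for key, value, label in cluster_findings(SINGLE_NODE_PROPERTIES):
        print(f"{key} = {value}: recommended for a cluster is '{label}'")
    print("cluster config findings:", cluster_findings(CLUSTER_PROPERTIES))
```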

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

[map of production and pilot federations, not reproduced in the text; source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.

SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation /         eduPerson    staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

[screenshot of the Resource Registry, not reproduced in the text]
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

[diagram of the eduGAIN documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (diagram on slide 14, not reproduced in the text)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; this increases the trust in Service Providers (SPs)]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules (diagram on slide 2, not reproduced in the text)

Attribute Release Settings (1)
[screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[screenshot, not reproduced in the text]

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log / aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log / aai-login.example.org.access.log

Location: /var/log/apache2
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback
  • Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  • 3 main classes: Logger, Appender (output destination) and Layout
  • Default settings usually ok
  • Change it if required, i.e.:
    • LDAP Auth Module or authentication events
    • new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   • find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2

• Find out why not all of the attributes appear (screenshot on slide 9, not reproduced in the text)

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward "constantly watch for file changes" check

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); a reload endpoint reachable from anywhere would let outsiders force reloads at will, so re-check this after every change to access-control.xml
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified … requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course … but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed above:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
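For the audit-log exercise, an added Python example (not part of the handout and not Shibboleth code) that parses '|'-separated idp-audit.log lines according to a format string and picks out the reload events. The column layout in AUDIT_FORMAT is an assumption made for this example; take the real one from the audit format map in your conf/audit.xml. The three log lines are constructed. As the exercise hints, the audit record carries only the profile URI and not the id= parameter, so the parser can tell you that a reload happened, but not which service was reloaded.

```python
"""Added example: parse idp-audit.log lines by a format string and list reload events.
Not from the SWITCH handout or the Shibboleth project."""
from collections import Counter
from typing import Dict, List

# Assumed column layout for this example; check conf/audit.xml for the real format.
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%u|%ac|%t|%attr|%n|%i|%d|%s"

PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"

# Constructed sample lines: two admin reload events and one SAML2 browser SSO login.
SAMPLE_LINES = [
    "20150611T091500Z||https://aai-login.example.org/idp/shibboleth||"
    "http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T091502Z||https://aai-login.example.org/idp/shibboleth||"
    "http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T091730Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "https://aai-login.example.org/idp/shibboleth|https://aai-demo.switch.ch/shibboleth|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|student1|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "20150611T091729Z|uid,givenName,sn|_9f3c|_5a1e|false|false",
]


def parse_audit_line(line: str, fmt: str = AUDIT_FORMAT) -> Dict[str, str]:
    """Map every %token of the format string to the corresponding '|'-separated field.
    A line with the wrong number of fields is rejected instead of silently misread."""
    tokens = fmt.split("|")
    fields = line.split("|")
    if len(fields) != len(tokens):
        raise ValueError(f"expected {len(tokens)} fields, got {len(fields)}: {line!r}")
    return dict(zip(tokens, fields))


def reload_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return time and flow name of every record whose profile is an admin reload flow."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec["%P"].startswith(PROFILE_PREFIX + "reload-"):
            events.append({"time": rec["%T"], "profile": rec["%P"].rsplit("/", 1)[1]})
    return events


def profile_counts(lines: List[str]) -> Counter:
    """How often each profile (last path segment of %P) occurs in the given lines."""
    return Counter(parse_audit_line(line)["%P"].rsplit("/", 1)[1] for line in lines)


if __name__ == "__main__":
    for event in reload_events(SAMPLE_LINES):
        print(event["time"], event["profile"])
    print(profile_counts(SAMPLE_LINES))
```

Run it against the real file with `reload_events(open("/opt/shibboleth-idp/logs/idp-audit.log").read().splitlines())` once AUDIT_FORMAT matches your audit.xml; a format mismatch shows up immediately as the ValueError rather than as wrong columns.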

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date, the interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities are unlikely to cause interoperability problems

• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP, so a user cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even though the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – The SP does not load the interfederation metadata, so it does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out. That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that the attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
        If YES: the SP has to check why it fails
        If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
  – The fix belongs on the SP side (a working decryption key published in its metadata), not in switching off assertion encryption at the IdP: the assertion carries personal data and passes through the user's browser.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered and, under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Test of the VM Images

Boot up the image

1. Open SWITCH-Shibboleth-Training.vbox in VirtualBox
2. Start the virtual machine (VM)
3. After login, Firefox will open automatically. Ensure that it displays this page. If you don't see this message, contact an assistant.

VM Operating System Environment

• Ubuntu 14.04.2 LTS, VirtualBox/VMware VDK image
• User: idp-admin, Password: password (in sudoers list)
• Apache 2 on ports 80 (http) and 443 (https)
• Self-signed SSL web server certificate
• Shibboleth Identity Provider 3 is installed and configured according to the SWITCHaai Deployment Guide
• Network connectivity needed to ldap-test[1|2].aai.switch.ch
• Relevant hostname (the same name for all participants): aai-login.example.org

Test AAI Login with Demo Service Provider

1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the "Example Organisation"
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux DOS Command Linux Command dir ls -l

cd ltdirectorygt cd ltdirectorygt

mkdir or md ltdirectorygt mkdir ltdirectorygt

rmdir or rd ltdirectorygt rmdir ltdirectorygt

chdir pwd

del or erase ltfilegt rm ltfilegt

copy and xcopy ltfilegt cp and cp ndashR ltfilegt find or findstr ltfilegt grep ltstringgt ltfilegt

comp ltfile1gt ltfile2gt diff ltfile1gt ltfile2gt

edit ltfilegt nano or vim or emacs ltfilegt ping lthostgt ping lthostgt

reboot reboot

Page 6

File Editing Commands for Terminal Editor

  Editor               nano                 vim
  Open file            $ nano <file>        $ vim <file>
  Save file            <ctrl>-o             <esc> :w
  Save and exit        <ctrl>-x             <esc> :wq
  Search string        <ctrl>-w string      <esc> /string
  Go to line number    <ctrl>-_ number      <esc> :number  (or number <shift>-G)

gedit is the recommended text editor. It is started as root user; its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session

• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user (this happens automatically if a Terminal is opened or if the text editor is used)
• The \ character is the line-break symbol, which allows breaking a long command over several lines when typed
• Watch out for invalid XML / configuration errors; consult the Debugging handout for hints to resolve problems

More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser): should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
    $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for
    $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks: in your web browser open https://aai-login.example.org

Test Users on your Identity Provider

• Username: student1, Password: password1
  UniqueID: 2490257@example.org, Givenname/surname: Test1 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org, Givenname/surname: Test2 Student, Affiliation: student, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org, Givenname/surname: Test3 Staff, Affiliation: staff, member, Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories

• /opt/shibboleth-idp: Identity Provider installation directory
• /opt/shibboleth-idp/conf: configuration files
• /opt/shibboleth-idp/logs: log files like idp-process.log
• /opt/shibboleth-idp/credentials: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades

Configuration Pattern: Get used to Spring Beans and Properties

SWITCHaai Team, aai@switch.ch

What's that?

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

  <!-- Attribute Resolver Configuration -->
  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <!-- Attribute Filter Configuration -->
  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• A wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

Bean: some software object that is configurable by setting its attributes.
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true).

Understanding Beans and Properties

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/ldap.properties

  # LDAP connection parameters
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)
• Attribute values of the form %{key} are replaced by the value of the property key; %{key:default} falls back to default when the property is not set

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>
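An added Python example (not code from the SWITCH handout or the Shibboleth project) of how the %{key} and %{key:default} placeholders in a bean definition are filled from a properties file. It uses the connectionConfig bean and the ldap.properties keys shown above; the properties excerpt is constructed, and the resolver is a simplified stand-in for Spring's placeholder handling, not the IdP's own code.

```python
"""Added example: fill %{key} / %{key:default} placeholders of a bean definition
from a *.properties file. Simplified stand-in for Spring's behaviour, not IdP code."""
import re
from typing import Dict, Optional

# Constructed sample: excerpt of /opt/shibboleth-idp/conf/ldap.properties
LDAP_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
"""

# Constructed sample: the connectionConfig bean from the handout.
# connectTimeout has no property in the file above, so its :3000 default applies.
BEAN_XML = (
    '<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"\n'
    '      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"\n'
    '      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"\n'
    '      p:useSSL="%{idp.authn.LDAP.useSSL:false}"\n'
    '      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"\n'
    '      p:sslConfig-ref="sslConfig" />'
)

# %{key} or %{key:default}; the default may be empty.
PLACEHOLDER = re.compile(r"%\{([^{}:]+)(?::([^{}]*))?\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comment lines and blank lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def resolve_placeholders(xml: str, props: Dict[str, str]) -> str:
    """Replace every placeholder; a key that is neither set nor defaulted is an error,
    just as Spring refuses to build the bean in that case."""
    def substitute(match: "re.Match[str]") -> str:
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"no value for property {key!r} and no default given")
    return PLACEHOLDER.sub(substitute, xml)


def attribute_value(xml: str, name: str) -> Optional[str]:
    """Read one attribute value back out of the resolved bean XML."""
    match = re.search(rf'\b{re.escape(name)}="([^"]*)"', xml)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(resolve_placeholders(BEAN_XML, parse_properties(LDAP_PROPERTIES)))
```

The value of the exercise is the failure case: a placeholder without a default and without a property line is what makes the IdP refuse to start after a typo in a properties file, which is why the handout warns about watching for configuration errors.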

References

For comprehensive information refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication: How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    · Username/password login form
    · Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extensions (e.g. X509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    · Username/password login form
    · Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.

Login Flows

[Figure: a SAML request enters the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X509 or Password Authentication Flow) and executes it; the IdP returns the SAML response.]

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow; no special configuration is required, but the client must support ECP appropriately

Authentication Configuration

• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular exp​ression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files:
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication

• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method; must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s); must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389); if not enabled, the connection is not encrypted and both the IdP's bind password and every user's password cross the network in clear text
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636); must usually be set to true

Properties for LDAP authentication (continued)

• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method; usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree; usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter; takes the login name as input ({user})
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here; see the documentation for details.)

Hands-on 1: Explore the configuration, get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties:
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

  ShibUserPassAuth {
     edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"  ⇔  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password does not belong in ldap.properties):

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
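The same migration done by a script, as an added Python example that is not part of the handout and not Shibboleth code: it reads the LdapLoginModule options of a v2 login.config (the sample is constructed from the one above), maps them to the idp.authn.LDAP.* keys of the previous slides and emits the bind password only into the credentials.properties output. Refusing URL schemes other than ldap:// and ldaps://, and defaulting plain ldap:// to StartTLS, are this example's own choices.

```python
"""Added example: turn IdPv2 login.config LdapLoginModule options into the IdPv3
ldap.properties / credentials.properties pair. Not from the handout, not IdP code."""
import re
from typing import Dict, Tuple

# Constructed sample: /opt/shibboleth-idp/conf/login.config (IdPv2)
LOGIN_CONFIG_V2 = """\
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
"""

OPTION = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text: str) -> Dict[str, str]:
    """Collect the key="value" options of the LdapLoginModule entry."""
    return dict(OPTION.findall(text))


def user_filter(opts: Dict[str, str]) -> str:
    """userField="uid" and userFilter="uid={0}" are equivalent in v2; v3 uses {user}
    and expects a complete, parenthesised filter."""
    if "userFilter" in opts:
        flt = opts["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else f"({flt})"
    return f"({opts['userField']}={{user}})"


def migrate(opts: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (ldap.properties, credentials.properties) as key -> value dicts."""
    url = opts["ldapUrl"]
    schemes = {u.split("://", 1)[0] for u in url.split()}
    if not schemes <= {"ldap", "ldaps"}:
        raise ValueError(f"unsupported URL scheme(s) in {url!r}")
    use_ssl = schemes == {"ldaps"}
    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": url,
        # ldaps:// -> useSSL; a plain ldap:// URL gets StartTLS, otherwise every
        # user's password would cross the network unencrypted.
        "idp.authn.LDAP.useStartTLS": "false" if use_ssl else "true",
        "idp.authn.LDAP.useSSL": "true" if use_ssl else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter(opts),
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    # The bind password goes into the separate credentials file only.
    creds = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap, creds


def render(props: Dict[str, str]) -> str:
    """Serialise as 'key = value' lines, the format of the IdP's properties files."""
    return "".join(f"{key} = {value}\n" for key, value in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = migrate(parse_jaas_options(LOGIN_CONFIG_V2))
    print("# ldap.properties\n" + render(ldap_props))
    print("# credentials.properties\n" + render(cred_props))
```

Keeping the two outputs apart matters in practice: ldap.properties is the file people paste into tickets and commit to configuration management, credentials.properties is the one that should stay mode 600 and out of version control.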

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMS (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References

• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory: the webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat

Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties (continued)

In /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

With this default mapping the login form tells an attacker whether a username exists (bad-username vs. bad-password); Hands On II below maps both classes to one message for that reason.

Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

These values come from the SP's metadata, i.e. from outside your IdP, so never write $name into the page directly; the $encoder.encodeForHTML() call is what keeps a crafted service name from injecting markup or script into your login page.

Hands On I

• Make the IdP logo disappear for screens smaller than 799 px

Hands On II

• Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III

• Start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I

• Define a CSS class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• Use the class in login.vm:
    <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
  Mapping both error classes to the same key also stops the login form from revealing which usernames exist.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible; any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions; deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?

• No warning is given for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation

New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example:

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed:
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
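The two hands-on attributes carried through the three processing stages this deck opened with (resolution, filtering, encoding), as an added Python model that is neither part of the handout nor IdP code. Constructed for the example: the LDAP record standing in for the myLDAP connector, a second requester with a regex permit rule, and the common-lib-terms value; from the slides: the template strings, the attribute IDs, the attribute-viewer entity ID and the urn:mace name used here to encode uzhSAPUserId. It shows why a template definition expands a multi-valued objectClass without a script, and that a requester without a matching policy gets nothing.

```python
"""Resolution, filtering and encoding of the two hands-on attributes, modelled in Python.

Added example, not IdP or SWITCH code. Constructed: the LDAP record, the
second requester with its regex permit rule, and the common-lib-terms value.
From the slides: template strings, attribute IDs, attribute-viewer entity ID
and the urn:mace name used for uzhSAPUserId.
"""
import re
from typing import Dict, List

# Constructed stand-in for the result of the "myLDAP" data connector.
LDAP_RECORD: Dict[str, List[str]] = {
    "uid": ["psample"],
    "objectClass": ["inetOrgPerson", "eduPerson", "swissEduPerson"],
}
# Constructed stand-in for the eduPersonEntitlement.common-lib-terms dependency.
COMMON_LIB_TERMS = ["urn:mace:dir:entitlement:common-lib-terms"]


def template_attribute(template: str, source: str, values: List[str]) -> List[str]:
    """ad:Template semantics: one output value per value of the source attribute,
    which is what makes the multi-valued objectClass expand without a script."""
    return [template.replace("${%s}" % source, v) for v in values]


def resolve(record: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Stage 1, resolution: the attributes the hands-on definitions yield."""
    # Hands-on 1: ad:Template "SAP-${uid}" depending on uid.
    uzh_sap_user_id = template_attribute("SAP-${uid}", "uid", record["uid"])
    # Hands-on 2: dependencyOnly="true" template; never released on its own.
    groups = template_attribute("https://example.org/groups/${objectClass}",
                                "objectClass", record["objectClass"])
    # ad:Simple eduPersonEntitlement collects the values of both dependencies.
    return {"uzhSAPUserId": uzh_sap_user_id,
            "eduPersonEntitlement": COMMON_LIB_TERMS + groups}


# attribute-filter-local.xml as data: one policy per requester (AttributeRequesterString);
# "ANY" stands for basic:ANY, a compiled regex for a value-regex permit rule (constructed).
FILTER_POLICIES: List[Dict] = [
    {"requester": "https://attribute-viewer.aai.switch.ch/shibboleth",
     "rules": {"uzhSAPUserId": "ANY", "eduPersonEntitlement": "ANY"}},
    {"requester": "https://other-sp.example.org/shibboleth",   # constructed requester
     "rules": {"eduPersonEntitlement": re.compile(r"^https://example\.org/groups/")}},
]


def filter_attributes(resolved: Dict[str, List[str]], requester: str) -> Dict[str, List[str]]:
    """Stage 2, filtering: release only what a matching policy permits (default deny)."""
    released: Dict[str, List[str]] = {}
    for policy in FILTER_POLICIES:
        if policy["requester"] != requester:
            continue
        for attr_id, rule in policy["rules"].items():
            values = resolved.get(attr_id, [])
            if rule != "ANY":
                values = [v for v in values if rule.match(v)]
            for v in values:
                if v not in released.setdefault(attr_id, []):
                    released[attr_id].append(v)
    return released


# SAML 2 encoders: the urn:mace name from the slide for uzhSAPUserId and the
# standard eduPersonEntitlement OID.
ENCODERS = {
    "uzhSAPUserId": ("urn:mace:unizh.ch:uzhSapUserId", "uzhSAPUserId"),
    "eduPersonEntitlement": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "eduPersonEntitlement"),
}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def encode(released: Dict[str, List[str]]) -> List[Dict]:
    """Stage 3, encoding: released attributes as SAML 2 Attribute statements."""
    return [{"Name": ENCODERS[a][0], "FriendlyName": ENCODERS[a][1],
             "NameFormat": URI_FORMAT, "AttributeValue": values}
            for a, values in released.items() if a in ENCODERS]


def process(record: Dict[str, List[str]], requester: str) -> List[Dict]:
    """Run all three stages for one requester."""
    return encode(filter_attributes(resolve(record), requester))


if __name__ == "__main__":
    for stmt in process(LDAP_RECORD, "https://attribute-viewer.aai.switch.ch/shibboleth"):
        print(stmt["FriendlyName"], stmt["AttributeValue"])
```

The order of the stages matters for review: a value that a template produces but no policy permits never reaches the encoder, which is the behaviour to expect from the hands-on filter file once it is loaded via services.xml.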

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: “Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities.”
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of “special-purpose” attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table
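The computed-ID derivation from the “Persistent IDs in practice” slide and the shibpid record lifecycle behind the hands-on exercises, as one added Python example that is neither SWITCH nor Shibboleth code. Its assumptions: the computed-ID byte layout (SP entity ID, “!”, source value, “!”, salt, hashed with SHA-1 and Base64 encoded) as the example author understands the IdP's algorithm; shibpid columns reproduced from memory of the Shibboleth wiki; SQLite standing in for PostgreSQL; a fresh random ID after a revocation; constructed entity IDs, principal and salt. It demonstrates the properties the recap lists (pair-wise, opaque, revocable, non-reassignable) and the reverse mapping that the c14n configuration enables.

```python
"""Computed and stored persistent IDs, with the shibpid table modelled in SQLite.

Added example, not Shibboleth or SWITCH code. Assumptions: the computed-ID
byte layout (SP entity ID, '!', source value, '!', salt, SHA-1, Base64) as the
example author understands the IdP's algorithm; shibpid columns reproduced
from memory of the Shibboleth wiki; SQLite standing in for PostgreSQL; a fresh
random ID after revocation; constructed entity IDs, principal and salt.
"""
import base64
import hashlib
import sqlite3
import uuid
from typing import Optional

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SALT = b"constructed-salt-change-me"   # idp.persistentId.salt (constructed value)

SHIBPID_DDL = """CREATE TABLE shibpid (
  localEntity VARCHAR(255) NOT NULL, peerEntity VARCHAR(255) NOT NULL,
  persistentId VARCHAR(50) NOT NULL, principalName VARCHAR(50) NOT NULL,
  localId VARCHAR(50) NOT NULL, peerProvidedId VARCHAR(50) NULL,
  creationDate TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  deactivationDate TIMESTAMP NULL,
  PRIMARY KEY (localEntity, peerEntity, persistentId))"""


def computed_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt: 20 bytes, Base64 (28 chars)."""
    digest = hashlib.sha1(sp_entity_id.encode() + b"!" + source_value.encode() + b"!" + salt).digest()
    return base64.b64encode(digest).decode()


def sp_string(sp_entity_id: str, persistent_id: str, idp_entity_id: str = IDP_ENTITY_ID) -> str:
    """The string form the Shibboleth SP exposes: IdP!SP!persistent ID."""
    return "%s!%s!%s" % (idp_entity_id, sp_entity_id, persistent_id)


class PersistentIdStore:
    """Minimal stored-ID generator plus the reverse mapping used by subject c14n."""

    def __init__(self, idp_entity_id: str = IDP_ENTITY_ID, salt: bytes = SALT):
        self.idp, self.salt = idp_entity_id, salt
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SHIBPID_DDL)

    def _one(self, sql: str, params: tuple):
        return self.db.execute(sql, params).fetchone()

    def active_id(self, sp: str, principal: str) -> Optional[str]:
        row = self._one("SELECT persistentId FROM shibpid WHERE localEntity=? AND peerEntity=? "
                        "AND principalName=? AND deactivationDate IS NULL", (self.idp, sp, principal))
        return row[0] if row else None

    def get_or_create(self, sp: str, principal: str, source_value: str) -> str:
        """Active ID for (SP, user); first use derives the computed ID, after a
        revocation a random one is minted so a deactivated value is never reused."""
        current = self.active_id(sp, principal)
        if current:
            return current
        computed = computed_id(sp, source_value, self.salt)
        taken = self._one("SELECT 1 FROM shibpid WHERE localEntity=? AND peerEntity=? AND persistentId=?",
                          (self.idp, sp, computed))
        new_id = str(uuid.uuid4()) if taken else computed
        self.db.execute("INSERT INTO shibpid (localEntity, peerEntity, persistentId, principalName, localId) "
                        "VALUES (?, ?, ?, ?, ?)", (self.idp, sp, new_id, principal, source_value))
        self.db.commit()
        return new_id

    def reverse_lookup(self, sp: str, persistent_id: str) -> Optional[str]:
        """Map an active persistent ID back to the principal (what c14n/SAML2Persistent does)."""
        row = self._one("SELECT principalName FROM shibpid WHERE localEntity=? AND peerEntity=? "
                        "AND persistentId=? AND deactivationDate IS NULL", (self.idp, sp, persistent_id))
        return row[0] if row else None

    def revoke(self, sp: str, persistent_id: str) -> int:
        """Deactivate rather than delete: the row stays, so the ID cannot be reassigned."""
        cur = self.db.execute("UPDATE shibpid SET deactivationDate=CURRENT_TIMESTAMP WHERE localEntity=? "
                              "AND peerEntity=? AND persistentId=? AND deactivationDate IS NULL",
                              (self.idp, sp, persistent_id))
        self.db.commit()
        return cur.rowcount

    def count(self, active_only: bool = False) -> int:
        sql = "SELECT COUNT(*) FROM shibpid" + (" WHERE deactivationDate IS NULL" if active_only else "")
        return self.db.execute(sql).fetchone()[0]


if __name__ == "__main__":
    store = PersistentIdStore()
    sp = "https://sp.example.org/shibboleth"
    pid = store.get_or_create(sp, "psample", "psample@example.org")
    print(sp_string(sp, pid), "->", store.reverse_lookup(sp, pid))
```

The revoke path is the one to keep in mind when “deleting a record” in the hands-on: deleting the row would let the computed value be recreated on the next login, whereas a deactivated row keeps the old value from ever being handed out again.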

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose “I don't care about my privacy”
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options: Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows:
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration: Configured by Java properties in conf/idp.properties (values in brackets are the defaults)

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
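A small model of how the idp.consent.* properties on these two slides decide whether the attribute-release intercept prompts the user again, added here as an example and not taken from the IdP. The SHA-256 value fingerprint, the in-memory store, the duration names and the sample attribute sets are this example's own constructions; the property names and their bracketed defaults are the ones from the slides. The walk-through shows the difference compareValues makes when an affiliation value changes but the set of attributes does not.

```python
"""Consent decision logic driven by the idp.consent.* properties on these slides.

Added example, not IdP code: it models when stored consent lets the
attribute-release intercept skip the prompt. Value hashing, the in-memory
store, the duration names and the sample attribute sets are constructed.
"""
import hashlib
from typing import Dict, List, Optional

# Default values, shown in brackets on the slides.
DEFAULT_PROPERTIES = {
    "idp.consent.allowDoNotRemember": True,
    "idp.consent.allowGlobal": True,
    "idp.consent.allowPerAttribute": False,
    "idp.consent.compareValues": False,
}


def value_hash(values: List[str]) -> str:
    """Order-independent fingerprint of one attribute's values."""
    return hashlib.sha256("\n".join(sorted(values)).encode()).hexdigest()


class ConsentService:
    def __init__(self, properties: Optional[Dict[str, bool]] = None):
        self.props = {**DEFAULT_PROPERTIES, **(properties or {})}
        # (principal, sp) -> {attributeId: value hash, or None when values are not compared}
        self.records: Dict[tuple, Dict[str, Optional[str]]] = {}
        self.global_consent: set = set()

    def needs_prompt(self, principal: str, sp: str, attributes: Dict[str, List[str]]) -> bool:
        """True when the attribute-release intercept would show the consent page."""
        if principal in self.global_consent:            # "Do not ask me again", any SP
            return False
        stored = self.records.get((principal, sp))
        if stored is None:                               # first access to this SP
            return True
        for attr_id, values in attributes.items():
            if attr_id not in stored:                    # set of attributes changed
                return True
            if self.props["idp.consent.compareValues"] and stored[attr_id] != value_hash(values):
                return True                              # a value changed and we compare values
        return False

    def record(self, principal: str, sp: str, attributes: Dict[str, List[str]], duration: str) -> None:
        """Store the user's choice; duration is 'changes', 'next-login' or 'global'."""
        if duration == "next-login":
            if not self.props["idp.consent.allowDoNotRemember"]:
                raise ValueError("idp.consent.allowDoNotRemember is false")
            return                                       # nothing stored: ask again next login
        if duration == "global":
            if not self.props["idp.consent.allowGlobal"]:
                raise ValueError("idp.consent.allowGlobal is false")
            self.global_consent.add(principal)
            return
        if duration != "changes":
            raise ValueError("unknown duration %r" % duration)
        compare = self.props["idp.consent.compareValues"]
        self.records[(principal, sp)] = {a: (value_hash(v) if compare else None)
                                         for a, v in attributes.items()}


# Constructed sample data for the walk-through.
SP = "https://sp.example.org/shibboleth"
FIRST_LOGIN = {"mail": ["psample@example.org"], "eduPersonAffiliation": ["staff"]}
NEW_AFFILIATION = {"mail": ["psample@example.org"], "eduPersonAffiliation": ["staff", "member"]}
NEW_ATTRIBUTE = {**FIRST_LOGIN, "displayName": ["Peter Sample"]}


def walkthrough(compare_values: bool) -> List[bool]:
    """Prompt decisions for: first login, repeat login, changed value, added attribute."""
    svc = ConsentService({"idp.consent.compareValues": compare_values})
    out = [svc.needs_prompt("psample", SP, FIRST_LOGIN)]
    svc.record("psample", SP, FIRST_LOGIN, "changes")
    out.append(svc.needs_prompt("psample", SP, FIRST_LOGIN))
    out.append(svc.needs_prompt("psample", SP, NEW_AFFILIATION))
    out.append(svc.needs_prompt("psample", SP, NEW_ATTRIBUTE))
    return out


if __name__ == "__main__":
    print("compareValues=false:", walkthrough(False))
    print("compareValues=true: ", walkthrough(True))
```

Setting allowGlobal to false, as the slide suggests, makes the "global" duration unavailable, which the model reflects by refusing to record it rather than silently storing a per-SP decision.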

Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes:

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
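Relying-party override selection by metadata tag, modelled on the RelyingPartyByTag override above, as an added Python example that is not IdP code. The metadata document, the second override and the profile flows are constructed; the attribute names and the entity category URI are the ones on the slides. The matching semantics are this example's assumptions: a candidate matches when the entity carries an attribute of that Name with at least one of the candidate's values, all candidates of an override must match, the first matching override wins, and otherwise the default relying party applies.

```python
"""Relying-party override selection by metadata tag, modelled on RelyingPartyByTag.

Added example, not IdP code. The metadata, the second override and the flows are
constructed; attribute names and the entity category URI are from the slides.
Matching semantics (any listed value, all candidates, first override wins,
default otherwise) are assumptions made for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"          # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed metadata: two SPs with entity attributes, one without.
METADATA = """<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" xmlns:saml="%(saml)s">
  <md:EntityDescriptor entityID="https://internal-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="%(home)s"><saml:AttributeValue>example.org</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="%(cat)s"><saml:AttributeValue>%(coco)s</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="%(home)s"><saml:AttributeValue>switch.ch</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.com/shibboleth"/>
</md:EntitiesDescriptor>""" % {"md": NS["md"], "mdattr": NS["mdattr"], "saml": NS["saml"],
                                "home": HOME_ORG, "cat": ENTITY_CATEGORY, "coco": COCO}


def entity_attributes(metadata_xml: str) -> Dict[str, Dict[str, List[str]]]:
    """entityID -> {attribute Name -> [values]} read from the EntityAttributes extension."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        attrs: Dict[str, List[str]] = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        result[ed.get("entityID")] = attrs
    return result


# Overrides in relying-party.xml order; postAuthenticationFlows are the consent flows.
OVERRIDES = [
    {"id": "shibboleth.NoUserConsentRelyingParty",
     "candidates": [{"name": HOME_ORG, "values": ["example.org"]}],   # TagCandidate from the slide
     "postAuthenticationFlows": []},
    {"id": "shibboleth.CoCoRelyingParty",                            # constructed second override
     "candidates": [{"name": ENTITY_CATEGORY, "values": [COCO]}],
     "postAuthenticationFlows": ["terms-of-use", "attribute-release"]},
]
DEFAULT_RELYING_PARTY = {"id": "shibboleth.DefaultRelyingParty",
                         "postAuthenticationFlows": ["attribute-release"]}


def candidate_matches(candidate: Dict, attrs: Dict[str, List[str]]) -> bool:
    present = attrs.get(candidate["name"], [])
    return any(v in present for v in candidate["values"])


def select_relying_party(entity_id: str, metadata_xml: str = METADATA) -> Dict:
    """First override whose candidates all match wins; otherwise the default."""
    attrs = entity_attributes(metadata_xml).get(entity_id, {})
    for override in OVERRIDES:
        if all(candidate_matches(c, attrs) for c in override["candidates"]):
            return override
    return DEFAULT_RELYING_PARTY


def consent_flows(entity_id: str) -> List[str]:
    return select_relying_party(entity_id)["postAuthenticationFlows"]


if __name__ == "__main__":
    for eid in entity_attributes(METADATA):
        print(eid, "->", select_relying_party(eid)["id"], consent_flows(eid))
```

An SP that is not in the metadata at all, or that carries no EntityAttributes, falls through to the default relying party, which is the safe outcome: consent stays enabled unless a tag explicitly switches it off.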

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date.

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same, unlike the upgrade from IdPv1 to IdPv2. Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (Resource Registry screenshot): 1, 2: to review; 3: to adapt

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: Add new IP ranges and Domain Hints
• 5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority
Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority
New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3. Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
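The check the grep above performs, done per SP and with a date cut-off, as an added Python example that is not part of the handout. The log lines are constructed and their layout is simplified to a timestamp, a level and a message naming the binding and the requester; a real idp-process.log follows your logback pattern, so the two regular expressions are assumptions to adapt. It also shows a pitfall of a plain substring grep: the SAML2 HTTP-POST binding URN is a prefix of the HTTP-POST-SimpleSign one, so the match must stop at the end of the URN.

```python
"""Last use of a SAML binding per requester, from idp-process log lines.

Added example, not part of the handout. The log lines are constructed and
simplified; adapt LINE_RE and REQUESTER_RE to your logback pattern.
"""
import re
from datetime import date
from typing import Dict, Iterable

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed log excerpt (timestamp, level, message).
LOG_LINES = """\
2015-01-14 08:02:11,050 - INFO - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, requester https://old-portal.example.org/shibboleth
2015-02-03 12:40:59,301 - INFO - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, requester https://sp.example.org/shibboleth
2015-03-21 17:15:02,877 - INFO - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, requester https://old-portal.example.org/shibboleth
2015-03-21 17:15:03,120 - WARN - Message replay detected, requester https://sp.example.org/shibboleth
2015-04-10 11:30:00,000 - INFO - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, requester https://legacy.example.org/shibboleth
2015-05-30 09:00:45,004 - INFO - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, requester https://sp.example.org/shibboleth
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2},\d{3} - \w+ - (.*)$")
REQUESTER_RE = re.compile(r"requester (\S+)")


def last_use_by_requester(lines: Iterable[str], binding: str) -> Dict[str, str]:
    """Map each requester that used `binding` to the ISO date of its most recent use."""
    # The URN must end where the binding name ends, so HTTP-POST does not match HTTP-POST-SimpleSign.
    binding_re = re.compile(re.escape(binding) + r"(?![\w-])")
    last: Dict[str, date] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not binding_re.search(m.group(2)):
            continue
        req = REQUESTER_RE.search(m.group(2))
        requester = req.group(1) if req else "<unknown requester>"
        when = date.fromisoformat(m.group(1))
        if requester not in last or when > last[requester]:
            last[requester] = when
    return {r: d.isoformat() for r, d in last.items()}


def safe_to_remove(lines: Iterable[str], binding: str, unused_since_iso: str) -> bool:
    """True when no requester used the binding on or after the given ISO date."""
    cutoff = date.fromisoformat(unused_since_iso)
    return all(date.fromisoformat(d) < cutoff
               for d in last_use_by_requester(lines, binding).values())


if __name__ == "__main__":
    print(last_use_by_requester(LOG_LINES, SAML1_SOAP))
    print("SAML1 SOAP removable (nothing since 2015-04-01):",
          safe_to_remove(LOG_LINES, SAML1_SOAP, "2015-04-01"))
```

Running it over the real files means reading them in date order and feeding every line; the per-requester result also tells you which SP operator to contact before an endpoint disappears from the Resource Registry.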

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagram slides)

Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

    Storage Entity         Recommended Storage   Scope
    Conversation Session   Memory                Per Node
    IdP User Session       Client                Per Client
    Persistent ID          Common Database       Cluster
    User consents          Common Database       Cluster
    SAML artifacts         Common Database       Cluster
    Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
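A model of the versioned, shared secret keys described above, added as an example; it is neither the IdP's cookie sealing code nor the wiki's cronjob script. It assumes an alias scheme secret<N>, a retention count of old versions, and HMAC-SHA256 signing in place of the IdP's encryption, so the token format is illustrative only. What it does show is the operational consequence of the slide: a cookie sealed on one node must be readable on every node, which only holds while the rotating node copies the full key ring, and a cookie sealed under a version that has aged out is rejected rather than silently accepted.

```python
"""Versioned secret keys for the session cookie, shared across cluster nodes.

Added example, not IdP code. The IdP keeps its keys under versioned aliases in
a keystore and encrypts the cookie; this stdlib-only model keeps the versioning
and sharing logic but signs with HMAC-SHA256. Alias scheme, retention count and
token format are this example's assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class KeyRing:
    """Holds the last `keep` keys; the newest one seals, all of them can unseal."""

    def __init__(self, keep: int = 3):
        self.keep = keep
        self.keys: Dict[str, bytes] = {}
        self.current: Optional[str] = None

    # --- done on the one node responsible for generating keys ---------------
    def rotate(self) -> str:
        """Mint a new key version and drop versions older than `keep`."""
        n = 1 + max((int(a[len("secret"):]) for a in self.keys), default=0)
        alias = "secret%d" % n
        self.keys[alias] = os.urandom(32)
        self.current = alias
        for old in sorted(self.keys, key=lambda a: int(a[len("secret"):]))[:-self.keep]:
            del self.keys[old]
        return alias

    def export(self) -> Tuple[Optional[str], Dict[str, bytes]]:
        """What the cronjob copies to the other nodes: current alias plus all keys."""
        return self.current, dict(self.keys)

    # --- done on every node -------------------------------------------------
    def import_keys(self, exported: Tuple[Optional[str], Dict[str, bytes]]) -> None:
        self.current, self.keys = exported[0], dict(exported[1])

    def seal(self, data: bytes) -> str:
        if self.current is None:
            raise RuntimeError("no key: rotate() or import_keys() first")
        mac = hmac.new(self.keys[self.current], data, hashlib.sha256).digest()
        return ".".join([self.current, base64.urlsafe_b64encode(data).decode(),
                         base64.urlsafe_b64encode(mac).decode()])

    def unseal(self, token: str) -> Optional[bytes]:
        """None when the key version is gone (aged out) or the MAC does not verify."""
        try:
            alias, data_b64, mac_b64 = token.split(".")
            data, mac = base64.urlsafe_b64decode(data_b64), base64.urlsafe_b64decode(mac_b64)
        except ValueError:
            return None
        key = self.keys.get(alias)
        if key is None:
            return None
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return data if hmac.compare_digest(expected, mac) else None


def cluster_walkthrough() -> Dict[str, bool]:
    """Two nodes: A generates keys, B imports them; cookies survive `keep` rotations."""
    node_a, node_b = KeyRing(keep=2), KeyRing(keep=2)
    node_a.rotate()
    node_b.import_keys(node_a.export())
    cookie = node_a.seal(b"session-for-psample")           # constructed session payload
    results = {"b_reads_a_cookie": node_b.unseal(cookie) == b"session-for-psample"}
    node_a.rotate(); node_b.import_keys(node_a.export())   # one rotation: still readable
    results["readable_after_one_rotation"] = node_b.unseal(cookie) == b"session-for-psample"
    node_a.rotate(); node_b.import_keys(node_a.export())   # the sealing key aged out
    results["rejected_after_two_rotations"] = node_b.unseal(cookie) is None
    fresh = node_b.seal(b"new-session")
    results["tamper_rejected"] = node_a.unseal(fresh[:-4] + "AAAA") is None
    return results


if __name__ == "__main__":
    print(cluster_walkthrough())
```

The retention count is the knob that ties key rotation to the configured session lifetime: keep fewer versions than sessions can outlive, and users on a node that still has a valid session get logged out at the next rotation.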

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
• Enable the IdP for interfederation: its users will be able to access services from other federations
• Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map: Production / Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
[Figure: interfederation settings in the Resource Registry, see https://www.switch.ch/aai/interfederation]

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: the eduGAIN policy framework: eduGAIN Declaration and eduGAIN Constitution, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria:
  – Purpose
  – Policies
  – Or other
• In interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
[Figure: entity category tags as they appear in SAML metadata]

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
[Figure: "Increase the trust in Service Providers (SPs)": each SP commits to the GÉANT Data Protection Code of Conduct, and each Home Organisation (HO) learns the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
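The comparison above is the whole point of entity categories for an IdP operator: once an SP is tagged, the release decision can be made from its metadata instead of per-SP negotiation. The following added example (not SWITCH or Shibboleth code, and not how the Resource Registry implements it) reads an SP's EntityDescriptor, extracts the entity-category tags and derives a release set: the fixed R&S bundle for R&S SPs, and for CoCo SPs the attributes the SP requests in its metadata, filtered against what the home organisation is willing to release. The category URIs are the published ones; the COCO_RELEASABLE set, the three sample SPs and the release rule itself are assumptions made for this example.

```python
"""Entity-category driven attribute release (added example, not SWITCH/Shibboleth code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# R&S bundle as listed on the slide: personal identifiers, pseudonymous identifier, affiliation.
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
                       "eduPersonScopedAffiliation", "eduPersonTargetedID"})
# Assumption for this example: what this home organisation is willing to release to CoCo SPs.
COCO_RELEASABLE = RS_BUNDLE | {"cn", "eduPersonAffiliation",
                               "schacHomeOrganization", "schacHomeOrganizationType"}


def entity_categories(entity):
    """Values of the http://macedir.org/entity-category attribute, if any."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def requested_attributes(entity):
    """FriendlyNames of <md:RequestedAttribute>, split into required and optional."""
    required, optional = set(), set()
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in entity.findall(path, NS):
        name = ra.get("FriendlyName")
        if name:
            (required if ra.get("isRequired") == "true" else optional).add(name)
    return required, optional


def decide_release(entity_xml):
    """Return the categories found, the attributes to release and required ones we cannot meet."""
    entity = ET.fromstring(entity_xml)
    cats = entity_categories(entity)
    required, optional = requested_attributes(entity)
    if RS_CATEGORY in cats:
        release = set(RS_BUNDLE)                          # fixed bundle, independent of requests
    elif COCO_CATEGORY in cats:
        release = (required | optional) & COCO_RELEASABLE  # SP may ask for anything; we filter
    else:
        release = set()                                   # no category: needs a per-SP rule
    return {"categories": cats, "release": release, "unmet_required": required - release}


# Constructed sample metadata (not real entities).
_HEAD = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
         'xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="%s">')
_CAT = ('<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="%s">'
        '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        '</mdattr:EntityAttributes></md:Extensions>')
_REQ = '<md:RequestedAttribute FriendlyName="%s" Name="%s" isRequired="%s"/>'

RS_SP = (_HEAD % "https://rs.example.org/shibboleth" + _CAT % (ENTITY_CATEGORY, RS_CATEGORY)
         + '<md:SPSSODescriptor><md:AttributeConsumingService index="1">'
         + _REQ % ("eduPersonPrincipalName", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "true")
         + _REQ % ("mail", "urn:oid:0.9.2342.19200300.100.1.3", "true")
         + '</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>')

COCO_SP = (_HEAD % "https://coco.example.org/shibboleth" + _CAT % (ENTITY_CATEGORY, COCO_CATEGORY)
           + '<md:SPSSODescriptor><md:AttributeConsumingService index="1">'
           + _REQ % ("eduPersonPrincipalName", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "true")
           + _REQ % ("schacHomeOrganization", "urn:oid:1.3.6.1.4.1.25178.1.2.9", "true")
           + _REQ % ("employeeNumber", "urn:oid:2.16.840.1.113730.3.1.3", "true")
           + '</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>')

PLAIN_SP = (_HEAD % "https://plain.example.org/shibboleth"
            + '<md:SPSSODescriptor/></md:EntityDescriptor>')

if __name__ == "__main__":
    for sp in (RS_SP, COCO_SP, PLAIN_SP):
        print(decide_release(sp))
```

The CoCo sample deliberately requires employeeNumber, which the home organisation does not release; the result's unmet_required set is what you would compare against the SP's requirements in the Resource Registry before blaming the SP for a failed login.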

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)
[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Overview of Log Files

Apache log files
• Log files
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available
  – file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties
    FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, i.e.
  – LDAP auth module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

Note that by default the SMTPAppender only sends a mail when an event of level ERROR is logged; the events logged before it are buffered and included in that mail, so a DEBUG root level does not by itself produce mail traffic.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 (Available bean IDs for service reloads):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  – Interfederation metadata gets loaded
  – IdP: additional attributes, user consent
  – SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before
  – if they do not want to participate
  – if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    – If YES: the SP has to check out why it fails
    – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
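Both the attribute check above ("were all required attributes released?") and the reload exercise in the previous slide set ("entries in idp-audit.log just record reload events") come down to reading idp-audit.log. The following added example (not SWITCH or Shibboleth code) parses constructed audit lines, lists reload events by their profile URI and reports, per login to a given SP, which of the SP's required attributes were not released. The pipe-separated column layout in COLUMNS is an assumption for this example; it only follows the pattern visible on the reload slide (four empty columns before the profile URI, eight after it), so check it against your own audit configuration before trusting the column indices.

```python
"""Reading idp-audit.log for reload events and attribute release (added example)."""

RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

# Assumed column layout (13 columns); verify against your audit configuration.
COLUMNS = ["timestamp", "req_binding", "req_id", "sp", "profile", "idp",
           "resp_binding", "resp_id", "principal", "authn_flow", "attributes",
           "nameid", "assertion_id"]

# Constructed sample: two browser SSO logins to the same SP and two reload events.
SAMPLE_LOG = """\
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|student1|Password|eduPersonPrincipalName,mail,eduPersonScopedAffiliation|_nid1|_asn1
20150611T081733Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081745Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T082001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|staff3|Password|eduPersonPrincipalName,eduPersonScopedAffiliation|_nid2|_asn2
"""


def parse_line(line):
    """Split one audit line into a dict; return None for lines not in the expected format."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != len(COLUMNS):
        return None  # do not guess at a layout we do not recognise
    rec = dict(zip(COLUMNS, fields))
    rec["attributes"] = set(a for a in rec["attributes"].split(",") if a)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def reload_events(records):
    """(timestamp, short reload name) for every reload-* profile entry."""
    return [(r["timestamp"], r["profile"].rsplit("/", 1)[-1])
            for r in records if r["profile"] in RELOAD_PROFILES]


def check_release(records, sp, required):
    """Per principal who logged in to `sp`: the required attributes that were NOT released."""
    missing = {}
    for r in records:
        if r["sp"] == sp and r["principal"]:
            missing[r["principal"]] = set(required) - r["attributes"]
    return missing


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("reloads:", reload_events(recs))
    print("missing:", check_release(recs, "https://sp.example.org/shibboleth",
                                    ["eduPersonPrincipalName", "mail"]))
```

With the sample data the staff3 login lacks mail, which is exactly the case where the slide tells you to review your own release policy rather than escalate to the SP. The reload entries carry no id= value in these columns, which is why the hands-on asks how else you would determine it.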

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Test AAI Login with Demo Service Provider
1. In Firefox open aai-demo.switch.ch (or click on the bookmark)
2. Click on "Any authenticated user"
3. Select the Example Organisation
4. Log in using a test user (e.g. student1 / password1)

Essential Commands for Linux

DOS Command                 Linux Command
dir                         ls -l
cd <directory>              cd <directory>
mkdir or md <directory>     mkdir <directory>
rmdir or rd <directory>     rmdir <directory>
chdir                       pwd
del or erase <file>         rm <file>
copy and xcopy <file>       cp and cp -R <file>
find or findstr <file>      grep <string> <file>
comp <file1> <file2>        diff <file1> <file2>
edit <file>                 nano or vim or emacs <file>
ping <host>                 ping <host>
reboot                      reboot

File Editing Commands for Terminal Editor

Editor               nano                vim
Open file            $ nano <file>       $ vim <file>
Save file            <ctrl>-o            <esc> :w
Save and exit        <ctrl>-x            <esc> :wq
Search string        <ctrl>-w string     <esc> /string
Go to line number    <ctrl>-- number     <esc> number <shift>-G

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.

Tips and Tricks for Hands-On Session
• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user; this happens automatically if Terminal is opened or if the text editor is used
• The character \ is the line break symbol, which allows breaking a line when typed
• Watch out for invalid XML/configuration errors; consult the Debugging handout for hints to resolve problems

More Tips and Tricks for Hands-On Session
• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser); should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for:
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org

Test Users on your Identity Provider
• Username: student1, Password: password1
  UniqueID: 2490257@example.org
  Givenname, surname: Test1 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org
  Givenname, surname: Test2 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org
  Givenname, surname: Test3 Staff
  Affiliation: staff, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories
• /opt/shibboleth-idp: Identity Provider installation directory
• /opt/shibboleth-idp/conf: configuration files
• /opt/shibboleth-idp/logs: log files like idp-process.log
• /opt/shibboleth-idp/credentials: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp: changes for the web application that survive upgrades

Configuration Pattern: Get used to Spring Beans and Properties

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties
Configuration file: /opt/shibboleth-idp/conf/credentials.properties

## LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>
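The bean attributes above are not literal values but %{property} and %{property:default} references into the properties files, and that is where most deployer mistakes end up: a typo in a key, or a property that has neither a value nor a default, only shows up when the IdP starts. The following added example (not Shibboleth or Spring code; the real placeholder resolver differs in details) parses a properties file the way the slide describes it (key = value, # comments) and substitutes the placeholders of the connectionConfig bean shown above, listing every placeholder it could not resolve. The properties text and bean XML are copies of the slide's examples; the parsing rules are a simplification of the Java properties format.

```python
"""Resolving %{key} / %{key:default} placeholders in IdPv3 bean XML (added example)."""
import re

# %{key} or %{key:default}; the default may itself contain ':' (e.g. ldap://host:389).
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

# Copied from the slide (constructed values, not a real LDAP server).
LDAP_PROPERTIES = """\
## LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
"""

BEAN_XML = """\
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />
"""


def parse_properties(text):
    """Minimal Java-properties reader: 'key = value' / 'key: value', '#' and '!' comments.
    Escapes and line continuations are not handled (simplification)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve(text, props):
    """Substitute placeholders; return (resolved text, keys with neither value nor default)."""
    unresolved = []

    def substitute(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        unresolved.append(key)
        return m.group(0)  # leave it visible so the failure is easy to spot

    return PLACEHOLDER.sub(substitute, text), unresolved


if __name__ == "__main__":
    props = parse_properties(LDAP_PROPERTIES)
    resolved, missing = resolve(BEAN_XML, props)
    print(resolved)
    print("unresolved:", missing)
    # idp.home is set by the IdP at startup, not in ldap.properties, so here it stays unresolved:
    print(resolve("<value>%{idp.home}/conf/attribute-resolver-other.xml</value>", props))
```

Running it shows the bean with connectTimeout falling back to its 3000 default (the property is absent from ldap.properties) and useStartTLS taking the file's false over the bean's default of true; the idp.home line illustrates what an unresolvable placeholder looks like.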

References
For comprehensive information refer to the documentation on the Shibboleth Wiki.

Documentation:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows
• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    – Username/password login form
    – Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    – Username/password login form
    – Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development

Login Flows
[Figure: the Shibboleth IdP receives a SAML request; the Authentication Engine selects a suitable flow (RemoteUser, X.509 or Password Authentication Flow), executes it and returns the SAML response]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  – But: the client must support ECP appropriately

Authentication Configuration
• Login flow activation
  – /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  – /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]

Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available, but not described here. See the documentation for details.)

copy 2015 SWITCH

Hands-on 1 Explore the configuration Get familiar with properties files

bull  Which flows are enabled in optshibboleth-idpconfidpproperties (Hint idpauthnflows)

bull  optshibboleth-idpconfldapproperties bull  Which LDAP attribute holds the users login name bull  Which is the Distinguished Name (DN) of the service user the IdP

uses for connecting to the LDAP server

bull  Where is the password of the service user defined

11

Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};

PS: A common and equivalent alternative to userField is userFilter:
  userField="uid"   corresponds to   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/credentials.properties:

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
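The mapping from the v2 JAAS entry to the v3 properties, as an added example for this hands-on (not SWITCH or Shibboleth code). It only handles the options used on the slide, derives useSSL/useStartTLS from the URL scheme so that no unencrypted connection is produced by accident, and keeps the bind password out of ldap.properties; any other option is reported for manual migration.

```python
"""Convert the LDAP options of an IdPv2 JAAS LdapLoginModule entry into the
IdPv3 idp.authn.LDAP.* properties shown in the hands-on solution.

Added example for this handout, not SWITCH or Shibboleth code. Only the options
used on the slide are handled; anything else is reported so it is not silently
dropped during the migration."""
import re
from urllib.parse import urlsplit

# Constructed sample: the v2 entry from the hands-on.
V2_JAAS_ENTRY = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(entry: str) -> dict:
    """Return the key="value" options of a JAAS login module entry as a dict."""
    return dict(OPTION_RE.findall(entry))


def jaas_to_v3_properties(options: dict):
    """Map v2 LdapLoginModule options to (ldap.properties, credentials.properties,
    unhandled option names). The password goes to credentials.properties, as in
    the SWITCH layout used on the hands-on slides."""
    ldap, creds, unhandled = {}, {}, []
    ldap["idp.authn.LDAP.authenticator"] = "bindSearchAuthenticator"

    urls = options.get("ldapUrl", "").split()
    if not urls:
        raise ValueError("ldapUrl is required")
    schemes = {urlsplit(u).scheme for u in urls}
    if len(schemes) != 1 or not schemes <= {"ldap", "ldaps"}:
        # Mixed or unknown schemes would need per-server handling; refuse rather
        # than emit a configuration that leaves one connection unencrypted.
        raise ValueError(f"unsupported LDAP URL scheme(s): {sorted(schemes)}")
    scheme = schemes.pop()
    ldap["idp.authn.LDAP.ldapURL"] = " ".join(urls)
    # ldaps:// is TLS from the start (useSSL); plain ldap:// only gets encryption
    # via StartTLS, so enable it in that case.
    ldap["idp.authn.LDAP.useStartTLS"] = "true" if scheme == "ldap" else "false"
    ldap["idp.authn.LDAP.useSSL"] = "true" if scheme == "ldaps" else "false"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"

    for key, value in options.items():
        if key == "ldapUrl":
            continue
        if key == "baseDn":
            ldap["idp.authn.LDAP.baseDN"] = value
        elif key == "subtreeSearch":
            ldap["idp.authn.LDAP.subtreeSearch"] = value
        elif key == "userField":
            # v2 userField="uid" equals userFilter="uid={0}"; v3 uses the {user} placeholder
            ldap["idp.authn.LDAP.userFilter"] = f"({value}={{user}})"
        elif key == "userFilter":
            ldap["idp.authn.LDAP.userFilter"] = "(" + value.replace("{0}", "{user}") + ")"
        elif key == "bindDn":
            ldap["idp.authn.LDAP.bindDN"] = value
        elif key == "bindCredential":
            creds["idp.authn.LDAP.bindDNCredential"] = value
        else:
            unhandled.append(key)
    return ldap, creds, unhandled


def render_properties(props: dict) -> str:
    """Render a dict as Java properties lines."""
    return "".join(f"{key} = {value}\n" for key, value in props.items())


if __name__ == "__main__":
    ldap, creds, unhandled = jaas_to_v3_properties(parse_jaas_options(V2_JAAS_ENTRY))
    print("# ldap.properties\n" + render_properties(ldap))
    print("# credentials.properties\n" + render_properties(creds))
    if unhandled:
        print("# options needing manual migration:", ", ".join(unhandled))
```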

Advanced topics

• JAAS authentication as used in v2 is still supported in v3.
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml.
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration).
  – Connecting to other user directories like RDBMSs (using a specific JAAS module).
• See the documentation on the Shibboleth wiki for details.

References: Documentation

• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team
aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS).
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat.

Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties (continued)

In /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Velocity properties

<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity

• The Apache Velocity Engine is a free, open-source templating engine.
• Clean separation between the presentation tier and business tiers.
• VTL (Velocity Template Language):
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used ones (no restart required).
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity properties

#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Hands On I

• Make the IdP logo disappear for screens smaller than 799 px.

Hands On II

• Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP.

Example Solution I

• Define a CSS class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• Use the class in login.vm:
  <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode.
• Delete ignored elements.
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer.

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see the next presentation.

New features in version 3

• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer:

UZH SAP user ID
SAP User ID, used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213 (dots between the OID arcs were lost in extraction)
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences

• The IdP API for scripts has changed:
  – the output attribute variable is already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
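The derivation just described, carried through as an added illustration for this handout (not IdP code): SHA-1 over the SP entity ID, the user attribute value and the salt, Base64 encoded, then the SP-side string form. The '!' separators between the three hash inputs and between the qualifiers are assumed here, following the IdP's computed-ID strategy; the sample values are constructed.

```python
"""How a computed persistent ID is derived and rendered. Added illustration for
this handout, not IdP code. Assumptions: '!' separators between the three hash
inputs (as in the IdP's computed-ID strategy) and the '!'-joined string form the
Shibboleth SP shows for a persistent NameID."""
import base64
import hashlib


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1(spEntityID ! sourceValue ! salt), Base64 encoded: 20 bytes, 28 characters."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The string an SP sees: NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def is_pairwise(source_value: str, salt: str, sp_a: str, sp_b: str) -> bool:
    """True when two SPs receive different identifiers for the same user, so they
    cannot correlate that user by comparing the values each of them holds."""
    return computed_persistent_id(sp_a, source_value, salt) != computed_persistent_id(sp_b, source_value, salt)


if __name__ == "__main__":
    # Constructed sample values. The salt must stay secret (credentials.properties):
    # anyone holding it and the source attribute value can recompute every ID.
    idp = "https://aai-login.example.org/idp/shibboleth"
    sp = "https://sp.example.org/shibboleth"
    pid = computed_persistent_id(sp, "123456@example.org", "constructed-salt")
    print(sp_attribute_rendering(idp, sp, pid))
    print("pairwise:", is_pairwise("123456@example.org", "constructed-salt", sp,
                                   "https://other-sp.example.org/shibboleth"))
```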

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows:
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use','attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties (default values in brackets).

• Consent duration options:
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except that attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP: default mapping using the entityID
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

• Add text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override

Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>

Upgrades within Version 3
It's easy now

SWITCHaai Team
aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References: Documentation

• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team
aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

Its SAML2 metadata.

Does the metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

(Screenshot of the Resource Registry form.) Steps 1 and 2: to review. Step 3: to adapt.

1. Review the Home Organisation Description

In particular, review and adapt if necessary:

• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from, e.g., https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove unnecessary endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove unnecessary endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
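The same check done systematically over a log excerpt, as an added example for this handout (not SWITCH or Shibboleth code): it records the last use of a binding per SP and only reports an endpoint as removable when no SP has used it within the chosen number of months. The log lines are constructed and simplified; real idp-process log lines are laid out differently, so LINE_RE is an assumption to adapt to your files.

```python
"""Decide whether a SAML binding (and thus its metadata endpoint) is still in
use before removing it from the Resource Registry. Added example for this
handout, not SWITCH or Shibboleth code. The log lines below are constructed and
simplified; real idp-process log lines differ, so adjust LINE_RE for them."""
import re
from datetime import date, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample log excerpt (not real IdP output).
SAMPLE_LOG = """\
2015-01-14 09:12:03,117 - INFO - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
2015-03-02 17:44:51,902 - INFO - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-05-28 08:01:12,440 - INFO - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-06-01 11:20:07,003 - INFO - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
"""

# Assumed line layout: ISO date first, then the binding URN, then the SP entity ID.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) .*?(urn:oasis:names:tc:SAML:[12]\.0:bindings:[\w-]+) from (\S+)")


def last_use_per_sp(log_text: str, binding: str) -> dict:
    """Map each SP entity ID to the most recent date on which it used `binding`."""
    last = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group(2) != binding:
            continue
        used, sp = date.fromisoformat(match.group(1)), match.group(3)
        if sp not in last or used > last[sp]:
            last[sp] = used
    return last


def endpoint_removable(log_text: str, binding: str, today_iso: str, months: int = 3):
    """Return (removable, last_use_iso): removable is True only if no SP used the
    binding within the last `months` months (30-day months) before today_iso."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=30 * months)
    last = last_use_per_sp(log_text, binding)
    recent = {sp: used for sp, used in last.items() if used >= cutoff}
    return not recent, {sp: used.isoformat() for sp, used in last.items()}


if __name__ == "__main__":
    for binding in (SAML1_SOAP, SAML2_POST_SIMPLESIGN):
        removable, last = endpoint_removable(SAMPLE_LOG, binding, "2015-06-11")
        print(binding, "removable" if removable else "still in use", last)
```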

Clustering IdPs
High Availability and Load Balancing

SWITCHaai Team
aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)

• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users

• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

3

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

4

Page 70

5

Example Environment (diagram)

6

Example Environment (diagram)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

7

Options
• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

8

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

9

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

10

Page 73

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

11

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

12

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

13
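As an added example (not from the handout or the Shibboleth project), a shell check that reads the four storage-service keys from idp.properties and compares them with the Storage Recommendations table, flagging entries that would keep cluster-wide data on a single node. It assumes the IdP v3 default bean names (shibboleth.StorageService is the per-node in-memory service, the Client*StorageService beans the cookie-based ones) and SWITCH's shibboleth.JPAStorageService for the common database; the idp.properties fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: audit the storage services set in
# /opt/shibboleth-idp/conf/idp.properties against the clustering recommendations
# (user session -> client, consents and artifacts -> common database, replay
# cache -> memory per node is acceptable, common database also allowed).
# Bean names are the IdP v3 defaults; shibboleth.JPAStorageService is the
# SWITCH-specific database-backed service from global.xml.

IDP_PROPERTIES="${IDP_PROPERTIES:-/opt/shibboleth-idp/conf/idp.properties}"

# Constructed idp.properties fragment: a single-server setup that is unsafe to
# run unchanged on a cluster (user consents live in memory on one node).
sample_properties() {
    cat <<'EOF'
# Constructed sample, not a real deployment
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

# prop FILE KEY -> value (last definition wins, as in Java properties files)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# storage_scope BEAN -> where that storage service keeps its data
storage_scope() {
    case "$1" in
        shibboleth.StorageService) echo "per-node memory" ;;
        shibboleth.ClientSessionStorageService|shibboleth.ClientPersistentStorageService) echo "client cookie" ;;
        shibboleth.JPAStorageService) echo "common database" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# audit_cluster_storage FILE -> one line per storage entity; the return value is
# the number of entities whose storage cannot be shared across cluster nodes.
audit_cluster_storage() {
    problems=0
    for spec in \
        'idp.session.StorageService:IdP User Session:client cookie' \
        'idp.consent.StorageService:User consents:common database' \
        'idp.artifact.StorageService:SAML artifacts:common database' \
        'idp.replayCache.StorageService:Message replay cache:per-node memory'; do
        key="${spec%%:*}"; rest="${spec#*:}"
        name="${rest%%:*}"; want="${rest#*:}"
        bean="$(prop "$1" "$key")"
        have="$(storage_scope "$bean")"
        # A common database is also fine where per-node memory is the recommendation.
        if [ "$have" = "$want" ] || { [ "$want" = "per-node memory" ] && [ "$have" = "common database" ]; }; then
            echo "OK      $name: $bean ($have)"
        else
            echo "WARNING $name: $bean ($have), recommended: $want"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone run against the constructed sample; point IDP_PROPERTIES at the
# real file and call audit_cluster_storage "$IDP_PROPERTIES" on a node to audit it.
main() {
    f="$(mktemp)"; sample_properties > "$f"
    audit_cluster_storage "$f" || echo "$? storage entities need attention"
    rm -f "$f"
}
main
```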

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

14

Page 75
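The rotate-on-one-node-and-copy procedure as an added shell example (this is neither the handout's nor the Shibboleth wiki's cronjob script). It assumes the IdP v3 layout under /opt/shibboleth-idp, the bin/seckeygen.sh tool shipped with the IdP, sealer.kver holding a CurrentVersion=N line, and password-less ssh/scp as root to the hypothetical nodes in OTHER_NODES.

```shell
#!/bin/sh
# Added example, not the handout's or the Shibboleth wiki's cronjob: rotate the
# DataSealer key that encrypts the IdP User Session cookie on the designated
# key-generating node, verify that a new key version was really added, and copy
# the keystore to the other cluster nodes. Assumptions: IdP v3 layout under
# /opt/shibboleth-idp, bin/seckeygen.sh as shipped with the IdP, sealer.kver
# containing "CurrentVersion=N", password-less ssh/scp as root to OTHER_NODES.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
CRED="$IDP_HOME/credentials"
OTHER_NODES="${OTHER_NODES:-idp2.example.org idp3.example.org}"   # hypothetical hosts

# prop FILE KEY -> value of a "key = value" line (Java properties style)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# read_key_version FILE -> the CurrentVersion recorded in sealer.kver (fails if missing)
read_key_version() {
    v="$(prop "$1" CurrentVersion)"
    case "$v" in
        ''|*[!0-9]*) echo "no numeric CurrentVersion in $1" >&2; return 1 ;;
    esac
    echo "$v"
}

# version_advanced BEFORE AFTER -> 0 only if the version number really increased
version_advanced() { [ "$2" -gt "$1" ] 2>/dev/null; }

# rotate_key: add one key to sealer.jks and bump sealer.kver; run this only on
# the node chosen to generate keys, never on several nodes independently.
rotate_key() {
    storepass="$(prop "$IDP_HOME/conf/idp.properties" idp.sealer.storePassword)"
    before="$(read_key_version "$CRED/sealer.kver")" || return 1
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$CRED/sealer.jks" --storepass "$storepass" \
        --versionfile "$CRED/sealer.kver" --alias secret || return 1
    after="$(read_key_version "$CRED/sealer.kver")" || return 1
    version_advanced "$before" "$after" || { echo "key version did not advance" >&2; return 1; }
    echo "sealer key version $before -> $after"
}

# distribute_key: push keystore and version file to every other node, keeping
# the restrictive file mode (scp -p). A node that misses the copy keeps the old
# key and will reject session cookies sealed by the others, so stop on error.
distribute_key() {
    for node in $OTHER_NODES; do
        scp -q -p "$CRED/sealer.jks" "$CRED/sealer.kver" "root@$node:$CRED/" ||
            { echo "copy to $node failed: cluster keys are out of sync" >&2; return 1; }
    done
}

# Cron entry point on the key-generating node: sh rotate-sealer-key.sh run
main() { rotate_key && distribute_key; }
case "${1:-}" in run) main ;; esac
```

Copy the version file together with the keystore: the IdP reads sealer.kver to find the current key, so a node with the new keystore but the old version file keeps sealing with the old key.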

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

15

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

16

Page 76

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

17

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

2

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

4

Page 79

All Academic Identity Federations Globally

5

(Map of production and pilot federations.) Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

7

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.

SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

8

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation /        eduPerson    staff /
eduPersonScopedAffiliation                 staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

9

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
• Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

12

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

13

Metadata (diagram)

14

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. Goal: increase the trust in Service Providers (SPs).)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

15

GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

16

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

17

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

19

Comparison

20

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88

Attribute Release Settings (1)

3

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

2

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

3

Shibboleth log files (1)

• logging implementation called Logback
  – Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  – log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

4

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually ok
  – Change it if required, e.g.
    – LDAP Auth Module or authentication events
    – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

6

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

Hands On 2

9

• Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value:
   – Change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   – [org.ldaptive.auth.Authenticator:284]
   – [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way
  – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  $ curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

3

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

4

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

5

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES:
    • Were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

7

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103


File Editing Commands for Terminal Editor

Editor              nano                  vim
Open file           $ nano <file>         $ vim <file>
Save file           <ctrl>-o              <esc> :w
Save and exit       <ctrl>-x              <esc> :wq
Search string       <ctrl>-w string       <esc> /string
Go to line number   <ctrl>-_ number       <esc> :number  (or number <shift>-G)

gedit is the recommended text editor. It is started as root user. Its icon is in the launch bar on the left side of the desktop.

8

Tips and Tricks for Hands-On Session

• The user and root password for the VM is "password"
• Lines starting with $ are commands to be executed
• Commands should be executed as root user. This happens automatically if the Terminal is opened or if the text editor is used
• The character \ is the line break symbol which allows breaking a line when typed
• Watch out for invalid XML/configuration errors. Consult the Debugging handout for hints to resolve problems

Page 7

9

More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for:
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser open https://aai-login.example.org

10

Test Users on your Identity Provider

• Username: student1, Password: password1
  UniqueID: 2490257@example.org; Givenname, surname: Test1, Student; Affiliation: student, member; Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org; Givenname, surname: Test2, Student; Affiliation: student, member; Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org; Givenname, surname: Test3, Staff; Affiliation: staff, member; Entitlements: urn:mace:dir:entitlement:common-lib-terms

Page 8

Important directories

• /opt/shibboleth-idp/: Identity Provider installation directory
• /opt/shibboleth-idp/conf/: Configuration files
• /opt/shibboleth-idp/logs/: Log files like idp-process.log
• /opt/shibboleth-idp/credentials/: X.509 certificates and private keys
• /opt/shibboleth-idp/edit-webapp/: Changes for the web application that survive upgrades

11

Page 9

SWITCHaai Team, aai@switch.ch

Configuration Pattern: Get used to Spring Beans and Properties

What's that?

2

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

Page 10

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
  – Configuration is located in XML files
  – There are a lot of wired beans
• The whole configuration follows the same pattern
  – With some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

3

Understanding Beans and Properties Bean Some software object that is configurable by setting its attributes Property A piece of information keyed by some name (eg idpauthnLDAPuseSSL = true)

4

Page 11

Understanding Beans and Properties

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Page 12

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

Examples of Beans

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
</util:list>

Page 13

References

For comprehensive information refer to the documentation on the Shibboleth Wiki.

Documentation
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

Page 14

SWITCHaai Team, aai@switch.ch

User Authentication
How to do it the v3 way

From Login Handlers to Login Flows

• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development.

Page 15

Login Flows

[Figure: Shibboleth IdP. A SAML Request arrives, the Authentication Engine selects a suitable flow and executes it (RemoteUser Authentication Flow, X.509 Authentication Flow, Password Authentication Flow), and a SAML Response is returned.]

Login Flows

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  • But: the client must support ECP appropriately

Page 16

Authentication Configuration

• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-config.xml
• Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties

  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication

• General options
  • idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  • idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

Page 18

Properties for LDAP authentication

• Connection options (continued)
  • idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: Entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input

Properties for LDAP authentication

• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: Bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Page 19

Hands-on 1: Explore the configuration
Get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2: File /opt/shibboleth-idp/conf/login.properties

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: Common and equivalent alternative to userField: userFilter
userField="uid"  ⇔  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3: File /opt/shibboleth-idp/conf/ldap.properties

[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/ldap.properties

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
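The migration of Hands-on 2, carried out by a small script rather than by hand. This is an added example, not SWITCH's or Shibboleth's own tooling: it parses the key="value" options of the v2 LdapLoginModule stanza, renames them to the v3 idp.authn.LDAP.* properties, derives useSSL/useStartTLS from the URL scheme (an assumption: all listed URLs use the same scheme), translates userField or a {0}-style userFilter into the v3 {user} form, and routes the only secret (bindCredential) into the credentials file so that it never lands in ldap.properties. The sample stanza is the one from the slide, embedded inline.

```python
"""Migrate an IdP v2 JAAS LdapLoginModule stanza to IdP v3 property files.

Added example; not SWITCH or Shibboleth code. The input below is the constructed
sample from the hands-on slide.
"""
import re

LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

# key="value" pairs; values may contain spaces (several LDAP URLs) but no quotes.
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')

# v2 JAAS option -> suffix of the v3 idp.authn.LDAP.* property.
RENAMES = {
    "ldapUrl": "ldapURL",
    "baseDn": "baseDN",
    "bindDn": "bindDN",
    "subtreeSearch": "subtreeSearch",
}


def parse_jaas_options(text):
    """Return the key="value" options of the LdapLoginModule stanza as a dict."""
    return dict(OPTION_RE.findall(text))


def to_user_filter(opts):
    """userField="uid" and userFilter="uid={0}" both become (uid={user})."""
    if "userFilter" in opts:
        flt = opts["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else "(" + flt + ")"
    return "(%s={user})" % opts.get("userField", "uid")


def migrate(text):
    """Return (ldap_properties, credentials_properties) as two dicts."""
    opts = parse_jaas_options(text)
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    for old, new in RENAMES.items():
        if old in opts:
            ldap["idp.authn.LDAP." + new] = opts[old]
    urls = opts.get("ldapUrl", "").split()
    # ldaps:// is TLS from the first byte (useSSL); plain ldap:// needs StartTLS
    # to be encrypted at all. Assumption: every URL uses the same scheme.
    ldaps = bool(urls) and all(u.startswith("ldaps://") for u in urls)
    ldap["idp.authn.LDAP.useSSL"] = "true" if ldaps else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if ldaps else "true"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    ldap["idp.authn.LDAP.userFilter"] = to_user_filter(opts)
    creds = {}
    if "bindCredential" in opts:
        # the bind password is the only secret: it goes to credentials.properties
        creds["idp.authn.LDAP.bindDNCredential"] = opts["bindCredential"]
    return ldap, creds


def render(props):
    """Properties-file text, one 'key = value' per line, keys sorted."""
    return "\n".join("%s = %s" % kv for kv in sorted(props.items())) + "\n"


if __name__ == "__main__":
    ldap_props, cred_props = migrate(LOGIN_CONFIG)
    print("# ldap.properties\n" + render(ldap_props))
    print("# credentials.properties\n" + render(cred_props))
```

Run it and diff the two rendered blocks against the solution slide; the one thing to verify by eye is that bindDNCredential appears only in the credentials output.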

Page 21

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References

Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23

Page 24

Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart tomcat

Page 25

Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Page 27

Velocity Properties

<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Page 30

Hands On I

• Make the IdP logo disappear for screens smaller than 799 px

Hands On II

• Return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• Define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• Use the class in login.vm:
  <img class="idp_logo" align="right" …
• Rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3

• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  • Output attribute variable already created
  • setValues() removed
  • And more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>

Page 40

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice

• On the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• Attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation, always qualified by the IdP and SP entity IDs
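The computation just described, worked through in code so that the two properties the recap relies on can be checked: the same user gets a different ID at every SP (pair-wise, unlinkable), and a different salt yields entirely different IDs, which is why the v2 salt has to be carried over exactly. This is an added example, not Shibboleth code. It assumes the "!" separator between the three hashed inputs, which is what the Shibboleth computed-ID connector uses; the entity IDs are the ones from the slide, and the user value and salt are constructed.

```python
"""Computed persistent ID: Base64(SHA-1(spEntityID ! sourceValue ! salt)).

Added example, not Shibboleth code. Assumption: '!' separators between the
three inputs (as in the Shibboleth computed-ID connector).
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"  # from the slide


def computed_persistent_id(sp_entity_id, source_value, salt):
    """20-byte SHA-1 digest over SP entity ID, user attribute value and salt, Base64 encoded."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def digest_length(persistent_id):
    """Number of raw bytes behind the Base64 string (20 for SHA-1)."""
    return len(base64.b64decode(persistent_id))


def sp_rendering(sp_entity_id, persistent_id, idp_entity_id=IDP_ENTITY_ID):
    """The string form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def pairwise_check(source_value, salt, sp_a, sp_b):
    """True if the ID is stable across logins at one SP but differs between two SPs."""
    id_a1 = computed_persistent_id(sp_a, source_value, salt)
    id_a2 = computed_persistent_id(sp_a, source_value, salt)
    id_b = computed_persistent_id(sp_b, source_value, salt)
    return id_a1 == id_a2 and id_a1 != id_b


def salt_migration_check(source_value, sp_entity_id, v2_salt, v3_salt):
    """True only if a v3 IdP configured with v3_salt reproduces what v2 issued.

    A salt that was not carried over exactly silently breaks every existing
    persistent ID, so this is worth checking before go-live.
    """
    return computed_persistent_id(sp_entity_id, source_value, v2_salt) == \
        computed_persistent_id(sp_entity_id, source_value, v3_salt)


if __name__ == "__main__":
    # constructed sample values
    user, salt = "1234567@example.org", "constructed-salt-value"
    sp = "https://sp.example.org/shibboleth"
    pid = computed_persistent_id(sp, user, salt)
    print(sp_rendering(sp, pid))
    print("pair-wise:", pairwise_check(user, salt, sp, "https://other.example.org/shibboleth"))
```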

Persistent ID changes with the IdP v3

• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service

• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• Make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises

• Examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes = if the set of attributes changes
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides

Post-authentication flows
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per attribute behaviour

• Allow selection of attributes to release; may break applications if required attributes are withheld:
  idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change:
  idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists
• Which attributes to prompt for [all except black list]
• White list [empty]: When filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
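The white list / black list / pattern rules above, modelled as a function so that the consequence of filling the white list can be seen on a concrete attribute set: everything not listed leaves the IdP without ever appearing in the consent dialog. This is an added example, not Shibboleth code; the rules follow the slide (default: prompt for all attributes except the black list; a non-empty white list or a pattern restricts the prompt to matching attributes), the default black list is the one given on the slide, and the attribute set is constructed.

```python
"""Which attributes the consent intercept prompts for.

Added example, not Shibboleth code. Rules as on the slide: by default every
resolved attribute except the black list is shown; once a white list (or a
pattern) is configured, only matching attributes are shown and all others are
released without asking.
"""
import re

# Default black list from the slide: never part of the consent dialog.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})

# Constructed sample: attributes resolved for one user at one SP.
SAMPLE = frozenset({"uid", "mail", "givenName", "sn", "eduPersonTargetedID",
                    "persistentId", "swissEduPersonUniqueID"})


def attributes_to_prompt(resolved, whitelist=frozenset(), blacklist=DEFAULT_BLACKLIST,
                         pattern=None):
    """Return (prompted, released_without_asking), each sorted alphabetically."""
    regex = re.compile(pattern) if pattern else None
    prompted, silent = [], []
    for attr in sorted(resolved):
        if attr in blacklist:
            silent.append(attr)            # black-listed: released, never shown
        elif not whitelist and regex is None:
            prompted.append(attr)          # default: ask for everything else
        elif attr in whitelist or (regex is not None and regex.search(attr)):
            prompted.append(attr)          # explicitly selected for the prompt
        else:
            silent.append(attr)            # the caveat: unlisted, released silently
    return prompted, silent


def silently_released_by_whitelist(resolved, whitelist, blacklist=DEFAULT_BLACKLIST):
    """Attributes that a white list would push out without consent (excluding the
    black list, which is silent anyway). Useful as a review check before enabling one."""
    _, silent = attributes_to_prompt(resolved, whitelist=whitelist, blacklist=blacklist)
    return [a for a in silent if a not in blacklist]


if __name__ == "__main__":
    print("default:", attributes_to_prompt(SAMPLE))
    print("white list {mail}:", attributes_to_prompt(SAMPLE, whitelist={"mail"}))
    print("pushed out by that white list:", silently_released_by_whitelist(SAMPLE, {"mail"}))
```

With the pattern set to ^.*$ alongside a white list, every non-black-listed attribute is prompted for again, which is the combination the next slide describes for controlling display order without changing what is shown.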

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

Terms for each SP
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use regardless of the SP

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>

Hands-on solution

• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs
Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

Upgrades within Version 3
It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description
Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
(screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns information (i.e. time, SP) about when the binding was used the last time.
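The grep above checks one binding at a time. The following script is an added example (not part of the SWITCH handout) that generalizes the check to every SAML 1.0/2.0 binding URI at once and reports, per binding, the last use and the relying parties involved, so that an endpoint is only removed once it is confirmed unused. The log lines in SAMPLE_LOG are constructed for this example and only mimic the shape of idp-process.log (leading timestamp, a binding URI and an entityID somewhere on the line); real lines are worded differently.

```python
"""Endpoint usage check before removing bindings from the Resource Registry.

Added example, not from the SWITCH handout. Scans idp-process.log-style lines
for SAML binding URIs, records last use and relying parties per binding, and
lists bindings not used within the last N days as removal candidates.
"""
import re
from datetime import datetime, timedelta

# Binding identifiers as defined by the SAML 1.0 and 2.0 Bindings specifications
BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding": "SAML1 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SAML2 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "SAML2 HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "SAML2 HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign": "SAML2 HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "SAML2 HTTP-Artifact",
}

# The parser only relies on these three shapes, not on the exact log wording
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
ENTITYID_RE = re.compile(r"https?://[^\s,;'\"]+")  # first URL on the line = relying party

# CONSTRUCTED sample log lines (shape only; not real IdP output)
SAMPLE_LOG = """\
2015-01-12 09:03:11,004 - INFO [net.shibboleth.idp.saml.profile.impl.X:1] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding used by https://legacy-sp.example.org/shibboleth
2015-03-02 14:20:45,118 - INFO [net.shibboleth.idp.saml.profile.impl.X:1] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST used by https://sp.example.org/shibboleth
2015-06-10 08:15:09,771 - INFO [net.shibboleth.idp.saml.profile.impl.X:1] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect used by https://sp.example.org/shibboleth
2015-06-11 11:42:30,002 - INFO [net.shibboleth.idp.saml.profile.impl.X:1] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST used by https://wiki.example.org/shibboleth
2015-06-11 11:42:31,990 - DEBUG [net.shibboleth.idp.authn.impl.Y:2] - a line without any binding
"""

# Constructed reference date: "today" when the check is run
NOW = datetime(2015, 6, 11, 12, 0, 0)


def scan(lines):
    """Aggregate usage: {binding_uri: {"last_used": datetime, "count": int, "relying_parties": set}}."""
    usage = {}
    for line in lines:
        ts_match = TIMESTAMP_RE.match(line)
        binding_match = BINDING_RE.search(line)
        if not (ts_match and binding_match):
            continue  # not a dated line mentioning a binding
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        uri = binding_match.group(0)
        rec = usage.setdefault(uri, {"last_used": ts, "count": 0, "relying_parties": set()})
        rec["count"] += 1
        rec["last_used"] = max(rec["last_used"], ts)  # logs need not be in order
        sp = ENTITYID_RE.search(line)
        if sp:
            rec["relying_parties"].add(sp.group(0))
    return usage


def removal_candidates(usage, now=NOW, max_age_days=90):
    """Bindings never seen, or last seen more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    candidates = {}
    for uri in BINDINGS:
        rec = usage.get(uri)
        if rec is None:
            candidates[uri] = "never used in scanned logs"
        elif rec["last_used"] < cutoff:
            candidates[uri] = f"last used {rec['last_used']:%Y-%m-%d}"
    return candidates


def report(log_text=SAMPLE_LOG, now=NOW, max_age_days=90):
    """One summary line per binding seen, then one per removal candidate."""
    usage = scan(log_text.splitlines())
    lines = []
    for uri, rec in sorted(usage.items()):
        sps = ", ".join(sorted(rec["relying_parties"]))
        lines.append(f"{BINDINGS.get(uri, uri)}: {rec['count']}x, last {rec['last_used']:%Y-%m-%d} ({sps})")
    for uri, why in removal_candidates(usage, now, max_age_days).items():
        lines.append(f"candidate for removal: {BINDINGS[uri]} ({why})")
    return lines


if __name__ == "__main__":
    # On a real IdP: report(open("/opt/shibboleth-idp/logs/idp-process.log").read(), datetime.now())
    print("\n".join(report()))
```

The relying parties listed for a still-used binding tell you which SP operators to contact before the endpoint disappears from the metadata.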

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
(two architecture diagrams of a clustered IdP environment)

Options

• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    - Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    - Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    - Behavior of clients is not determinable
    - Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    - Fast switching possible, but more complicated setup
  – Switching via DNS
    - Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs server-side
  – Server-side database can store any data
    - But: might cause some performance penalty
    - Centralized/clustered or replicated database required
  – Client-side storage using cookies
    - Doesn't work for large data like user consents
    - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
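The four properties above, set according to the Storage Recommendations table, as an added configuration example that is not part of the handout. The property names are the ones listed on the slide; the bean names are assumed to be the IdP v3 defaults for client-side (shibboleth.ClientSessionStorageService) and in-memory (shibboleth.StorageService) storage, plus the shibboleth.JPAStorageService bean that must be defined in conf/global.xml.

```properties
# /opt/shibboleth-idp/conf/idp.properties (excerpt; added example, not from the handout)
# Conversation sessions have no property here: they live in memory per node,
# which is why the load balancer must provide (short-lived) session stickiness.

# IdP user session: encrypted client-side cookie, so it floats between nodes
idp.session.StorageService = shibboleth.ClientSessionStorageService

# User consents: common database, so users may switch browsers/clients
# (assumes the shibboleth.JPAStorageService bean is configured in conf/global.xml)
idp.consent.StorageService = shibboleth.JPAStorageService

# SAML artifacts: common database, so every active node can resolve an artifact
idp.artifact.StorageService = shibboleth.JPAStorageService

# Message replay cache: per node in memory (the default); for higher security
# requirements point this at shibboleth.JPAStorageService as well
idp.replayCache.StorageService = shibboleth.StorageService

# Persistent ID is the exception: not set here but via the PersistentIdStore bean in conf/global.xml
```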

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
(world map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
--------------------------------------------------|------------|------------------------------------------------------------
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
(screenshot of the Resource Registry; https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

(diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories

A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
(diagram slide)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
---------------------------|---------------------------------
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes

Attribute Release Configuration
How attributes are released

Attribute Release Rules
(screenshot)

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(screenshot)

Overview of Log Files

Apache log files

• Logfiles:
  – error.log / aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log / aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition:
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    - FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback: the Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2

Find out why not all of the attributes appear.

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   – change entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   – set the log level to DEBUG for logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
         <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   – [org.ldaptive.auth.Authenticator:284]
   – [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration
New options with IdPv3

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the *.vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP, so one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth
  – The message means the IdP found no metadata for that entity ID, so the request was handled with the configuration for unverified relying parties, which has no SSO profiles enabled. Check the loaded metadata sources and idp-process.log for the SP's entity ID before looking anywhere else.
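As an added example for the Metadata and Discovery Service slides above (not part of the SWITCH material or of the IdP), the following script performs the first check a practitioner makes when an IdP reports that an SSO profile is not configured for a relying party: is the SP's entity ID present in the metadata at all, which federation registered it, and which SSO protocols does it advertise? The metadata aggregate embedded below is constructed for the example; the entity IDs, registration authorities and the diagnosis strings are assumptions, not data from the page.

```python
"""Check whether an SP entity ID is known in a SAML metadata aggregate.

Added example, not part of the SWITCH training material. The metadata
document below is constructed for this example; a real check would load
e.g. /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed sample aggregate: one SP registered by the UK federation,
# one SAML 1 only SP registered in SWITCHaai.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.ch/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://rr.aai.switch.ch/"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://legacy.example.ch/Shibboleth.sso/SAML/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def lookup_sp(metadata_xml, entity_id):
    """Return a dict describing the SP, or None if the entity ID is unknown.

    The dict records which federation registered the entity and which SSO
    protocols its SPSSODescriptor advertises: the two things to check first
    when the IdP reports "... profile is not configured for relying party".
    """
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        spsso = ed.find("md:SPSSODescriptor", NS)
        protocols = ()
        if spsso is not None:
            protocols = tuple(spsso.get("protocolSupportEnumeration", "").split())
        return {
            "entityID": entity_id,
            "registrationAuthority": reg.get("registrationAuthority") if reg is not None else None,
            "is_sp": spsso is not None,
            "saml2": SAML2_PROTOCOL in protocols,
            "saml1": SAML1_PROTOCOL in protocols,
        }
    return None


def diagnose(metadata_xml, entity_id):
    """Map a lookup result to the likely cause of an SSO failure at the IdP."""
    info = lookup_sp(metadata_xml, entity_id)
    if info is None:
        return "unknown relying party: entity ID not in any loaded metadata source"
    if not info["is_sp"]:
        return "entity is not an SP (no SPSSODescriptor)"
    if not info["saml2"]:
        return "SP only advertises SAML 1 SSO; check the relying-party configuration"
    return "SP known (registered by %s), look at attribute release next" % info["registrationAuthority"]


if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth",
                "https://legacy.example.ch/shibboleth",
                "https://unknown.example.net/shibboleth"):
        print(eid, "->", diagnose(SAMPLE_METADATA, eid))
```

Run against the IdP's real metadata files (one call per configured metadata source) to find out whether the SP is missing from all of them, which is the "SP not known" case the slides describe, or merely missing from the interfederation file.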

Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that the attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    • If YES: the SP has to check why it fails
    • If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
  – The IdP encrypts the assertion to the encryption certificate published in the SP's metadata; if the private key configured at the SP does not match that certificate, decryption fails.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search for it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
• or search for it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


More Tips and Tricks for Hands-On Session

• Restart the Tomcat daemon after changes, unless otherwise mentioned
• Delete session cookies after changes (or restart the browser). Should not be necessary, but is safer for testing
• SSH access to connect to your VM (only with VirtualBox):
  $ ssh -p 2222 idp-admin@127.0.0.1
  The password is "password". Useful for:
  $ tail -f /var/log/shibboleth/shibd.log
• On the VM you will find a web page with useful bookmarks. In your web browser, open https://aai-login.example.org

Test Users on your Identity Provider

• Username: student1, Password: password1
  UniqueID: 2490257@example.org
  Givenname, surname: Test1 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: student2, Password: password2
  UniqueID: 8548997@example.org
  Givenname, surname: Test2 Student
  Affiliation: student, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms
• Username: staff3, Password: password3
  UniqueID: 7622788@example.org
  Givenname, surname: Test3 Staff
  Affiliation: staff, member
  Entitlements: urn:mace:dir:entitlement:common-lib-terms

Important directories

• /opt/shibboleth-idp
  Identity Provider installation directory
• /opt/shibboleth-idp/conf
  Configuration files
• /opt/shibboleth-idp/logs
  Log files like idp-process.log
• /opt/shibboleth-idp/credentials
  X.509 certificates and private keys (keep this directory readable by the IdP's service account only)
• /opt/shibboleth-idp/edit-webapp
  Changes for the web application that survive upgrades

Configuration Pattern
Get used to Spring Beans and Properties

SWITCHaai Team, aai@switch.ch

What's that?

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

  <!-- Attribute Resolver Configuration -->
  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>

  <!-- Attribute Filter Configuration -->
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file /opt/shibboleth-idp/conf/ldap.properties:

  # LDAP connection parameters
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans ("wiring")

Configuration file /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml:

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file /opt/shibboleth-idp/conf/services.xml:

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>

References

For comprehensive information refer to the documentation on the Shibboleth Wiki:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication
How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development

Login Flows

[Figure: a SAML request reaches the Shibboleth IdP; the authentication engine selects a suitable flow (RemoteUser, X509 or Password authentication flow), executes it and returns the SAML response]

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required, but the client must support ECP appropriately. Note that with ECP the client presents the user's password to the IdP via HTTP Basic authentication, so that endpoint must only be reachable over TLS.

Authentication Configuration

• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular expression (i.e. the order doesn't matter):
  idp.authn.flows = Password
  idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml (e.g. password-authn-config.xml)
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files:
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties

  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication

• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted and user passwords cross the network in clear text
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust, which requires the LDAP server certificate to chain to a CA in the JVM trust store; alternatively set certificateTrust and point idp.authn.LDAP.trustCertificates at the server's certificate
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input via the {user} placeholder
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

  ShibUserPassAuth {
     edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
  };

PS: A common and equivalent alternative to userField is userFilter:
  userField="uid"  corresponds to  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/credentials.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
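The migration in Hands-on 2 is mechanical enough to script. The following is an added example (not part of the SWITCH material or of the Shibboleth distribution) that parses the v2 JAAS stanza shown above and emits the two v3 properties files, keeping the bind password out of ldap.properties, translating userField/userFilter to the v3 {user} placeholder, and deriving the TLS settings from the URL scheme. The option-to-property mapping covers only the options on the slide; anything else is reported as unmapped rather than dropped. The stanza embedded below is constructed from the hands-on slide.

```python
"""Translate a v2 login.config LDAP stanza into v3 ldap.properties / credentials.properties.

Added example for the migration exercise; it is not part of the SWITCH
training material or of the Shibboleth distribution. The JAAS stanza below
is constructed from the hands-on slide. Only the options shown on the slide
are mapped; other LdapLoginModule options are reported, not silently dropped.
"""
import re

V2_LOGIN_CONFIG = """
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
"""

# v2 JAAS option -> v3 property name, for options that map 1:1
DIRECT_MAP = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_options(login_config):
    """Return the key="value" options of the first LdapLoginModule stanza."""
    match = re.search(r'LdapLoginModule\s+\w+\s*(.*?);', login_config, re.S)
    if match is None:
        raise ValueError("no LdapLoginModule stanza found")
    return dict(OPTION_RE.findall(match.group(1)))


def migrate(login_config):
    """Return (ldap_properties, credentials_properties, unmapped) for the stanza."""
    opts = parse_jaas_options(login_config)
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    creds = {}
    unmapped = {}
    for key, value in opts.items():
        if key in DIRECT_MAP:
            ldap[DIRECT_MAP[key]] = value
        elif key == "userField":
            # v2 userField=uid and userFilter=uid={0} are equivalent; v3 uses {user}
            ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % value
        elif key == "userFilter":
            flt = value.replace("{0}", "{user}")
            ldap["idp.authn.LDAP.userFilter"] = flt if flt.startswith("(") else "(%s)" % flt
        elif key == "bindCredential":
            # the secret goes to credentials.properties, never to ldap.properties
            creds["idp.authn.LDAP.bindDNCredential"] = value
        else:
            unmapped[key] = value
    # TLS settings derived from the URL scheme: ldaps:// needs useSSL=true,
    # plain ldap:// gets StartTLS so that passwords never travel in clear
    urls = ldap.get("idp.authn.LDAP.ldapURL", "").split()
    if urls and all(u.startswith("ldaps://") for u in urls):
        ldap["idp.authn.LDAP.useSSL"] = "true"
        ldap["idp.authn.LDAP.useStartTLS"] = "false"
    elif urls:
        ldap["idp.authn.LDAP.useSSL"] = "false"
        ldap["idp.authn.LDAP.useStartTLS"] = "true"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    return ldap, creds, unmapped


def render(props):
    """Render a properties dict in the key = value form used by the IdP."""
    return "\n".join("%s = %s" % kv for kv in sorted(props.items())) + "\n"


if __name__ == "__main__":
    ldap_props, cred_props, unmapped = migrate(V2_LOGIN_CONFIG)
    print("# conf/ldap.properties\n" + render(ldap_props))
    print("# conf/credentials.properties\n" + render(cred_props))
    if unmapped:
        print("# not migrated automatically:", unmapped)
```

The output for the slide's stanza is the solution shown above; review the unmapped options by hand, since the v2 module accepted settings (timeouts, pooling, TLS details) that have differently named v3 counterparts.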

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References

Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

[Slides 3 to 5: screenshots of the login page]

Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat

Spring message properties

• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

in /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties

in /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Note that distinct messages for an unknown username and a wrong password let anyone enumerate valid login names from the login form; Hands On II below maps both conditions to a single message.

Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

[Slide 12: screenshot of the resulting login page]

Velocity

• The Apache Velocity Engine is a free open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used ones (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

These values come from the SP's metadata (the MDUI extension), i.e. from a third party, so always pass them through $encoder.encodeForHTML (or the matching encoder for the context) before writing them into the page.

Hands On I

• Make the IdP logo disappear for screens smaller than 799 px

Hands On II

• Return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III

• Start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I

• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example:

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

Keep in mind that every value of objectClass (including generic ones such as top, person or inetOrgPerson) turns into an entitlement value this way; if only specific classes are meant to be released, restrict them with a mapped attribute definition or in the attribute filter policy.

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
  – the salt is the only secret in that construction: anyone who knows it and the source attribute values can recompute, and thereby link, the pseudonyms of every user at every SP, so keep it in credentials.properties and out of backups and logs that others can read
• when used in a federation, always qualified by the IdP and SP entity IDs
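The following added example (not part of the SWITCH material or of the IdP) makes the construction on this slide concrete: it computes a persistent ID from SP entity ID, source attribute value and salt, renders it the way the Shibboleth SP exposes it, splits that rendering back into its three parts, and checks the pair-wise property (the same user gets different IDs at different SPs). The exact hash input layout, SHA-1 over "SP entity ID!source value!salt", is the author's reading of the IdP's computed-ID convention and is an assumption here; the entity IDs, user value and salt are constructed sample data.

```python
"""Compute and decompose Shibboleth-style persistent IDs.

Added example for the "Persistent IDs in practice" slide; it is not part of
the SWITCH material or of the IdP. The hash input layout follows the IdP's
computed-ID convention as the author understands it: SHA-1 over
"<SP entity ID>!<source attribute value>!<salt>", Base64 encoded. That layout
is assumed here; verify it against your own shibpid table before relying on
it. Entity IDs, the user value and the salt are constructed sample data.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_VALUE = "2490257@example.org"           # e.g. a swissEduPersonUniqueID value
SALT = "constructed-sample-salt-do-not-reuse"   # the real salt lives in credentials.properties


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 of rp!source!salt, Base64: 20 bytes become 28 characters ending in '='."""
    material = "%s!%s!%s" % (sp_entity_id, source_value, salt)
    digest = hashlib.sha1(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def sp_attribute_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """The string the Shibboleth SP exposes: IdP!SP!value (the qualified form)."""
    return "%s!%s!%s" % (idp_entity_id, sp_entity_id, persistent_id)


def split_rendering(rendered):
    """Split the SP's qualified rendering back into (IdP, SP, value).

    The Base64 value never contains '!', so splitting from the right
    isolates it correctly; a malformed string raises ValueError.
    """
    idp, sp, value = rendered.rsplit("!", 2)
    return idp, sp, value


def is_pairwise(source_value, salt, sp_a, sp_b):
    """The targeted property: the same user gets different IDs at two SPs."""
    return computed_persistent_id(sp_a, source_value, salt) != computed_persistent_id(sp_b, source_value, salt)


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    rendered = sp_attribute_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid)
    print("persistent ID:", pid)
    print("SP rendering: ", rendered)
    print("split back:   ", split_rendering(rendered))
    print("pair-wise:    ", is_pairwise(SOURCE_VALUE, SALT, SP_ENTITY_ID, "https://other.example.net/shibboleth"))
```

Changing the salt changes every computed ID, which is why the v3 configuration must carry over the v2 salt value; the last assertion in the test below shows that effect.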

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration: with a different salt, every ID computed from now on differs from what the v2 IdP would have produced, and users appear as new accounts at their SPs)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
• the dump maps every pseudonym back to a local principal, so treat the file as sensitive: transfer it over an authenticated channel and delete it after the import

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows:
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use','attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (default value in brackets).

• Consent duration options:
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
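The white/black list semantics above have a consequence worth checking before enabling a white list: once the white list is non-empty, every attribute not listed is released without the user ever seeing it. The following added example (my own code, not the IdP's implementation) models the selection rule from the slide and the 3.2.0 display order (white-listed attributes first, the rest alphabetically); attribute names are constructed sample values.

```python
from typing import Iterable, List, Sequence

# Defaults as listed on the slide: empty white list, black list with the
# targeted identifiers that are never shown on the consent page.
DEFAULT_WHITELIST: Sequence[str] = ()
DEFAULT_BLACKLIST: Sequence[str] = ("transientId", "persistentId", "eduPersonTargetedID")


def attributes_to_prompt(released: Iterable[str],
                         whitelist: Sequence[str] = DEFAULT_WHITELIST,
                         blacklist: Sequence[str] = DEFAULT_BLACKLIST) -> List[str]:
    """Which of the attributes about to be released are shown on the consent page.

    - black-listed attributes are never shown (checked first, so the black list wins)
    - with an empty white list, everything not black-listed is shown
    - with a filled white list, only white-listed attributes are shown
    """
    shown = []
    for attr in released:
        if attr in blacklist:
            continue
        if whitelist and attr not in whitelist:
            continue
        shown.append(attr)
    return shown


def released_without_prompt(released: Iterable[str],
                            whitelist: Sequence[str] = DEFAULT_WHITELIST,
                            blacklist: Sequence[str] = DEFAULT_BLACKLIST) -> List[str]:
    """The attributes the SP receives that the user is not asked about.

    This is the list to review before filling the white list: it grows with every
    attribute you forget to list.
    """
    shown = set(attributes_to_prompt(released, whitelist, blacklist))
    return [attr for attr in released if attr not in shown]


def display_order(attrs: Iterable[str], whitelist: Sequence[str] = DEFAULT_WHITELIST) -> List[str]:
    """Display order of version 3.2.0: white-listed attributes first (in white-list
    order), then the remaining attributes alphabetically."""
    attrs = list(attrs)
    first = [a for a in whitelist if a in attrs]
    rest = sorted(a for a in attrs if a not in first)
    return first + rest


if __name__ == "__main__":
    # Constructed set of attributes an SP would receive.
    to_release = ["surname", "mail", "eduPersonTargetedID", "displayName", "eduPersonAffiliation"]
    print("prompted (defaults):", display_order(attributes_to_prompt(to_release)))
    print("prompted (white list mail):", attributes_to_prompt(to_release, whitelist=("mail",)))
    print("released silently (white list mail):", released_without_prompt(to_release, whitelist=("mail",)))
```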

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
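How the three pieces fit together (the key function built with Functions.compose, the constant key of the hands-on, and the two-level indirection in consent-messages.properties), as an added example in Python that is my own illustration rather than IdP code: the key function maps the relying party ID to a message key, the properties file maps that key to a message id, and the id selects the title and text. The properties snippet below is constructed from the two snippets on the slides; note the escaped colon, which java.util.Properties requires in a key that contains ":".

```python
from typing import Dict, Optional, Tuple

# Constructed consent-messages.properties content, mirroring the handout's snippets.
SAMPLE_PROPERTIES = """
# entityID -> message id (default mapping); ':' must be escaped in a properties key
https\\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em> [...]
# hands-on: one ToU for every SP
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: 'key = value' lines, '#'/'!' comments,
    and backslash escapes in the key (needed for entityIDs containing ':')."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key_chars, i, escaped = [], 0, False
        while i < len(line):
            ch = line[i]
            if escaped:
                key_chars.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch in "=: \t":
                break
            else:
                key_chars.append(ch)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:]
        props["".join(key_chars)] = rest.strip()
    return props


def tou_key_for(entity_id: str, mapping: Dict[str, str], default: str = "terms-of-use") -> str:
    """Functions.compose(Functions.forMap(map, defaultValue), RelyingPartyIdLookup):
    the message key for an SP, falling back to the default for unmapped SPs."""
    return mapping.get(entity_id, default)


def constant_tou_key(entity_id: str, key: str = "my-terms") -> str:
    """Functions.constant(key): the same message key regardless of the SP."""
    return key


def render_tou(key: str, props: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Resolve a message key to (title, text) through the properties indirection.
    Returns None when no text is configured for the key, the case to watch for
    when the default mapping is used with an SP that has no entry."""
    message_id = props.get(key, key)
    title = props.get(f"{message_id}.title")
    text = props.get(f"{message_id}.text")
    if title is None or text is None:
        return None
    return title, text


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(render_tou("https://sp.example.org", props))          # default mapping hits the entry
    print(render_tou(constant_tou_key("https://any.example.net"), props))  # hands-on: always bogus-tou
    print(render_tou("terms-of-use", props))                    # unmapped SP with no default text: None
```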

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs
Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs
Entity attributes in metadata

• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now: The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot: steps 1 and 2 to review, step 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  • Add new IP ranges and Domain Hints
• 5 Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  • Default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time, SP) when the binding was used the last time.
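The grep above answers "was it used at all"; before removing an endpoint from the Resource Registry you usually also want to know which SPs used it and when they did so last. The following added Python example (my own, not part of the handout) scans idp-process.log lines for a binding URI and reports the last use per SP, then decides whether the binding has been idle longer than a chosen number of days. The log lines are constructed in the IdP's default idp-process.log layout (date - level [logger:line] - message), but the message wording is sample text rather than the IdP's real log messages, so adapt the relying-party regex to your logs.

```python
import re
from datetime import datetime
from typing import Dict, Iterable

SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample log lines (layout as in idp-process.log, message text invented).
SAMPLE_LOG = """\
2015-01-12 08:03:11,204 - INFO [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContext:121] - Profile Action: relying party 'https://sp-old.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-02-20 17:45:59,002 - INFO [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContext:121] - Profile Action: relying party 'https://sp-new.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-03-02 09:14:02,511 - INFO [...] - Profile Action: relying party 'https://sp-old.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-03-02 09:14:02,530 - WARN [...] - Profile Action: relying party 'https://sp-legacy.example.org/shibboleth' inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
"""

# "2015-03-02 09:14:02,511 - INFO [logger:line] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} - (?P<level>\w+) "
    r"\[(?P<logger>[^\]]*)\] - (?P<msg>.*)$"
)
# How the constructed messages name the SP; adjust to your own log format.
RP_RE = re.compile(r"relying party '([^']+)'")


def last_use_per_sp(lines: Iterable[str], binding: str) -> Dict[str, datetime]:
    """SP entityID -> timestamp of the last line mentioning `binding`."""
    result: Dict[str, datetime] = {}
    for line in lines:
        if binding not in line:
            continue
        m = LINE_RE.match(line)
        rp = RP_RE.search(line)
        if not m or not rp:
            continue                      # unparsable line: skip rather than guess
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        sp = rp.group(1)
        if sp not in result or ts > result[sp]:
            result[sp] = ts
    return result


def binding_safe_to_remove(lines: Iterable[str], binding: str, now: datetime,
                           max_age_days: int = 90) -> bool:
    """True if no SP used `binding` within the last `max_age_days` days."""
    usage = last_use_per_sp(list(lines), binding)
    return all((now - ts).days > max_age_days for ts in usage.values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    now = datetime(2015, 6, 11)           # date of the training
    for binding in (SAML1_SOAP_BINDING, SAML2_SIMPLESIGN_BINDING):
        for sp, ts in sorted(last_use_per_sp(lines, binding).items()):
            print(f"{binding}\n  last used by {sp} on {ts:%Y-%m-%d}")
        print("  safe to remove (90 days idle):", binding_safe_to_remove(lines, binding, now))
```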

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagram)

Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map: Production / Pilot; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry (screenshot; https://www.switch.ch/aai/interfederation)

Prerequisite: Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2) (screenshot; https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(diagram: eduGAIN Constitution and eduGAIN Declaration on top of the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

(slide: Metadata)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; goal: increase the trust in Service Providers (SPs))

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles:
  • error.log
    • aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log
    • aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition:
  • dir: /etc/apache2/sites-available
  • file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
    • ….FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7; config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback
  • Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  • log level change without restarting the IdP: services.properties
    • entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. restart Tomcat
3. look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2

Find out why not all of the attributes appear.

Hands On II

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. restart Tomcat and log in to the IdP (AAI Demo Service)
5. look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. undo the wrong value (set $requestContext.principalName) and restart Tomcat
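A small triage helper for the step above, as an added example that is not part of the SWITCH handout: it parses idp-process.log lines into timestamp, level, logger and source line, then filters by level and logger prefix so the Authenticator and attribute resolver entries can be pulled out of a busy log. The line layout is assumed to be the default logback.xml pattern (date - LEVEL [logger:line] - message), and the sample lines are constructed, not real IdP output.

```python
import re
from collections import Counter

# Assumed idp-process.log line layout (default conf/logback.xml pattern):
#   <date> - <LEVEL> [<logger>:<line>] - <message>
# Adjust LINE_RE if your logback.xml uses a different pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) - (?P<level>TRACE|DEBUG|INFO|WARN|ERROR) "
    r"\[(?P<logger>[^:\]]+):(?P<line>\d+)\] - (?P<msg>.*)$"
)
LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR")

# Constructed sample lines modelled on the hands-on (not real IdP output).
SAMPLE_LOG = """\
2015-06-11 10:02:13,001 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:172] - Login by 'demouser' succeeded
2015-06-11 10:02:13,010 - DEBUG [org.ldaptive.auth.Authenticator:284] - resolved dn=uid=demouser,ou=People,dc=example,dc=org
2015-06-11 10:02:13,240 - WARN [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:137] - Data connector 'myLDAP': no results returned from search
2015-06-11 10:02:13,300 - ERROR [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:410] - Unable to resolve attribute 'uzhSAPUserId'
this line does not follow the pattern
"""


def parse_line(line):
    """Split one idp-process.log line into its parts, or return None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    return rec


def triage(text, min_level="WARN", logger_prefix=""):
    """Records at or above min_level whose logger name starts with logger_prefix."""
    floor = LEVELS.index(min_level)
    hits = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or LEVELS.index(rec["level"]) < floor:
            continue
        if rec["logger"].startswith(logger_prefix):
            hits.append(rec)
    return hits


def count_by_logger(records):
    """Counter of logger name -> number of matching records."""
    return Counter(r["logger"] for r in records)


def unparsed(text):
    """Non-empty lines that do not match the pattern (stack-trace continuation lines, etc.)."""
    return [l for l in text.splitlines() if l.strip() and parse_line(l) is None]


if __name__ == "__main__":
    # Everything at WARN or above, then the resolver's DEBUG chatter from the hands-on.
    for rec in triage(SAMPLE_LOG):
        print("%(ts)s %(level)-5s %(logger)s:%(line)d %(msg)s" % rec)
    print(count_by_logger(triage(SAMPLE_LOG, "DEBUG", "net.shibboleth.idp.attribute.resolver")))
    print("unparsed:", unparsed(SAMPLE_LOG))
```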

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
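The two admin flows above driven from a script, as an added example (not the reload scripts shipped under /opt/shibboleth-idp/bin, nor SWITCH code): it builds the reload-service and reload-metadata URLs for the documented bean IDs, reports HTTP status per ID, and flags IDs that are not in the list. It assumes that the IdP answers a successful reload with HTTP 200 and that it is run from a host that access-control.xml permits (localhost by default); dry_run_fetch is an offline stand-in for the real HTTP call.

```python
import urllib.error
import urllib.parse
import urllib.request

# Bean IDs listed above for the reload-service admin flow.
SERVICE_IDS = (
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
)
ADMIN_FLOWS = ("reload-service", "reload-metadata")


def reload_url(base_url, flow, target_id):
    """Build https://<idp>/idp/profile/admin/<flow>?id=<target_id>."""
    if flow not in ADMIN_FLOWS:
        raise ValueError("unknown admin flow: %s" % flow)
    query = urllib.parse.urlencode({"id": target_id})
    return "%s/idp/profile/admin/%s?%s" % (base_url.rstrip("/"), flow, query)


def http_fetch(url, timeout=15):
    """Real fetcher: returns (HTTP status, response body). Assumes 200 means success."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def dry_run_fetch(url):
    """Offline stand-in for http_fetch (assumption: a rejected ID yields a non-200
    status). Accepts the documented service IDs and any non-empty metadata ID."""
    target = urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("id", [""])[0]
    if "/admin/reload-service?" in url and target in SERVICE_IDS:
        return 200, "Configuration reloaded for '%s'" % target
    if "/admin/reload-metadata?" in url and target:
        return 200, "Metadata reloaded for '%s'" % target
    return 404, "unknown id '%s'" % target


def _run(base_url, flow, ids, fetch):
    """Call one admin flow per ID; returns {id: (ok, status, first line of body)}."""
    results = {}
    for target in ids:
        status, body = fetch(reload_url(base_url, flow, target))
        detail = body.strip().splitlines()[0] if body.strip() else ""
        if flow == "reload-service" and target not in SERVICE_IDS:
            detail = "[not in the documented bean ID list] " + detail
        results[target] = (status == 200, status, detail)
    return results


def reload_services(base_url, service_ids=SERVICE_IDS, fetch=http_fetch):
    """Reload the given services (all documented ones by default)."""
    return _run(base_url, "reload-service", service_ids, fetch)


def reload_metadata(base_url, metadata_ids, fetch=http_fetch):
    """Reload the given metadata providers (IDs from metadata-providers.xml)."""
    return _run(base_url, "reload-metadata", metadata_ids, fetch)


if __name__ == "__main__":
    # Offline demonstration; swap dry_run_fetch for http_fetch on the IdP host.
    for sid, (ok, status, detail) in reload_services(
            "https://aai-login.example.org", fetch=dry_run_fetch).items():
        print("%-45s %s %s %s" % (sid, "OK " if ok else "ERR", status, detail))
```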

Page 96

And restartless login page editing too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs

Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES:
    • Were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
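Reading idp-audit.log to answer the "were the attributes released?" question above, and to list the reload events mentioned in the reloading hands-on, as an added example that is not SWITCH or Shibboleth code. It assumes the pipe-separated audit line whose first twelve fields follow the stock IdP v3 format (check your conf/audit.xml and adjust AUDIT_FORMAT), with %SP the relying party entityID, %u the principal, %P the profile URI and %attr the comma-separated released attribute IDs; the sample lines are constructed.

```python
# Field order of an idp-audit.log line. The first twelve fields of the stock
# IdP v3 format are assumed here (check conf/audit.xml and adjust); any extra
# trailing fields are ignored by the parser.
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%s|%SSO"
FIELDS = [f[1:] for f in AUDIT_FORMAT.split("|")]

RELOAD_PROFILES = (
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
)

# Constructed sample: the pipe counts follow the reload lines quoted in the
# handout, all values are invented.
SAMPLE_AUDIT = """\
20150611T080213Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|demouser|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|_n1|_p1|_a1|false|
20150611T080340Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://attribute-viewer.aai.switch.ch/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|demouser|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,uzhSAPUserId|_n2|_p2|_a2|false|
20150611T080500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_audit_line(line):
    """Map one audit line to {field: value}; None if it has too few fields."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def records(text):
    return [r for r in map(parse_audit_line, text.splitlines()) if r]


def released_attributes(text, sp_entity_id):
    """principal -> set of attribute IDs that were ever released to sp_entity_id."""
    out = {}
    for rec in records(text):
        if rec["SP"] == sp_entity_id and rec["attr"]:
            out.setdefault(rec["u"], set()).update(rec["attr"].split(","))
    return out


def missing_attributes(text, sp_entity_id, required):
    """principal -> required attribute IDs that never reached sp_entity_id.
    Principals with no audit record for that SP at all are not listed."""
    required = set(required)
    released = released_attributes(text, sp_entity_id)
    return {user: required - attrs for user, attrs in released.items()
            if required - attrs}


def reload_events(text):
    """(timestamp, profile URI) of every reload recorded in the audit log.
    The id= argument of the reload is not among these fields."""
    return [(rec["T"], rec["P"]) for rec in records(text) if rec["P"] in RELOAD_PROFILES]


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth-sp"
    print("released to", sp, released_attributes(SAMPLE_AUDIT, sp))
    print("missing:", missing_attributes(SAMPLE_AUDIT, sp, ["eduPersonPrincipalName", "mail", "uzhSAPUserId"]))
    print("reloads:", reload_events(SAMPLE_AUDIT))
```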

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Important directories

/opt/shibboleth-idp               Identity Provider installation directory
/opt/shibboleth-idp/conf          Configuration files
/opt/shibboleth-idp/logs          Log files like idp-process.log
/opt/shibboleth-idp/credentials   X.509 certificates and private keys
/opt/shibboleth-idp/edit-webapp   Changes for the web application that survive upgrades

Page 9

SWITCHaai Team, aai@switch.ch

Configuration Pattern

Get used to Spring Beans and Properties

What's that?

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

<!-- Attribute Resolver Configuration -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<!-- Attribute Filter Configuration -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

Page 10

Configuration Pattern of IdPv3

• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties

Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Page 11

Understanding Beans and Properties

• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Page 12

Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />

Examples of Beans

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

References

For comprehensive information refer to the documentation on the Shibboleth Wiki.

Documentation
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

Page 14

SWITCHaai Team, aai@switch.ch

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows

• v2 uses Login Handlers
  – Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  – Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  – Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  – Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development

Page 15

Login Flows

[Figure: a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser Authentication Flow, X.509 Authentication Flow or Password Authentication Flow) and executes it; a SAML Response is returned]

Login Flows

• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required
  – But: the client must support ECP appropriately

Page 16

Authentication Configuration

• Login flow activation
  – /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  – /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP

• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication

• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

Page 18

Properties for LDAP authentication

• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input

Properties for LDAP authentication

• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Page 19

Hands-on 1: Explore the configuration

Get familiar with properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"  corresponds to  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/ldap.properties:

[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
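The migration above done mechanically, as an added example (not a SWITCH or Shibboleth tool): it parses the v2 JAAS block, maps the vt-ldap LdapLoginModule options (ldapUrl, baseDn, bindDn, bindCredential, userField/userFilter, subtreeSearch) to the v3 idp.authn.LDAP.* keys, rewrites the {0} placeholder to {user}, and keeps the bind password out of ldap.properties by emitting it for credentials.properties. The fixed values authenticator=bindSearchAuthenticator and sslConfig=jvmTrust are taken from the handout's solution; useSSL/useStartTLS are derived from the URL schemes (an assumption, so check them before deploying).

```python
import re

# key="value" pairs inside the LdapLoginModule entry.
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed v2 login.config excerpt mirroring the hands-on slide.
SAMPLE_LOGIN_CONFIG = '''\
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
'''


def parse_jaas_block(text, name="ShibUserPassAuth"):
    """Return the option dict of the LdapLoginModule inside the named JAAS block."""
    m = re.search(r"%s\s*\{(.*?)\};" % re.escape(name), text, re.S)
    if not m:
        raise ValueError("JAAS block %s not found" % name)
    body = m.group(1)
    if "LdapLoginModule" not in body:
        raise ValueError("no LdapLoginModule in block %s" % name)
    return dict(OPTION_RE.findall(body))


def v3_user_filter(opts):
    """userField="uid" -> (uid={user}); userFilter="uid={0}" -> (uid={user})."""
    if "userFilter" in opts:
        f = opts["userFilter"].replace("{0}", "{user}")
        return f if f.startswith("(") else "(%s)" % f
    if "userField" in opts:
        return "(%s={user})" % opts["userField"]
    raise ValueError("neither userField nor userFilter is set")


def migrate(text):
    """Return (ldap_properties, credentials_properties) as ordered dicts."""
    opts = parse_jaas_block(text)
    urls = opts["ldapUrl"].split()
    all_ldaps = all(u.startswith("ldaps://") for u in urls)
    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # Assumption: plain ldap:// URLs get StartTLS so the bind is never cleartext.
        "idp.authn.LDAP.useStartTLS": "false" if all_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if all_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": v3_user_filter(opts),
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    # The password goes to credentials.properties only.
    creds = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap, creds


def render(props):
    """Serialize a dict in the key = value form used by the IdP's properties files."""
    return "".join("%s = %s\n" % kv for kv in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = migrate(SAMPLE_LOGIN_CONFIG)
    print("# ldap.properties\n" + render(ldap_props))
    print("# credentials.properties\n" + render(cred_props))
```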

Page 21

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References

Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23


Page 24

Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat

Page 25

Spring message properties

• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

in /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties

in /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties

in /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Page 27

Velocity Properties

<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity

• The Apache Velocity Engine is a free open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

#set ($name = $rpUIContext.ServiceName())
#if ($name)
    <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
    </div>
#end

Page 30

Hands On I

• make the IdP logo disappear for screens smaller than 799 px

Hands On II

• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation

New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer:

UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Page 38

Hands-shyon 1 solutionservicesxml

Loads both new files

ltutillist id=shibbolethAttributeResolverResourcesgt ltvaluegtidphomeconfattribute-resolver-switchaai-corexmlltvaluegt ltvaluegtidphomeconfattribute-resolver-connectorsxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-otherxmlltvaluegt ltvaluegtidphomeconfattribute-resolver-localxmlltvaluegtltutillistgt

ltutillist id=shibbolethAttributeFilterResourcesgt ltref bean=FileBackedSWITCHaaiAttributeFiltergt ltvaluegtidphomeconfattribute-filter-localxmlltvaluegtltutillistgt

copy 2015 SWITCH 11

ScriptedAttribute differences

• IdP API for scripts has changed:
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt


Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes


Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>


References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide


Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch


Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend


Persistent IDs in practice

• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
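As an added example (not from the SWITCH slides and not the IdP's own code), the following Python reproduces how the computed persistent ID described above is derived and then qualified for the SP. The "!" separators between SP entity ID, source value and salt follow the IdP's ComputedId strategy; the entity IDs, the source value and the salt are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values for this example (no real deployment data).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SALT = b"constructed-salt-of-16+-bytes"  # in the IdP: idp.persistentId.salt
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Persistent ID proper: Base64(SHA-1(spEntityID "!" sourceValue "!" salt)).
    The '!' separators mirror the IdP's ComputedId strategy; the output is
    20 bytes, i.e. 28 Base64 characters with one '=' of padding."""
    if len(salt) < 16:
        # Assumed guard mirroring the IdP, which refuses salts shorter than 16 bytes.
        raise ValueError("salt must be at least 16 bytes")
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def persistent_id_byte_length(persistent_id: str) -> int:
    """Length of the raw hash behind a persistent ID (20 for SHA-1)."""
    return len(base64.b64decode(persistent_id))


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form in which the Shibboleth SP exposes a persistent NameID to
    applications: NameQualifier!SPNameQualifier!value (none of the three parts
    contains '!', so the string splits back unambiguously)."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The <NameID> as it appears in the assertion <Subject> (string rendering only)."""
    return (
        f'<NameID Format="{PERSISTENT_FORMAT}" NameQualifier="{idp_entity_id}" '
        f'SPNameQualifier="{sp_entity_id}">{persistent_id}</NameID>'
    )


def is_pairwise(source_value: str, salt: bytes, sp_a: str, sp_b: str) -> bool:
    """Targeted: the same user gets unlinkable IDs at two different SPs."""
    return computed_persistent_id(sp_a, source_value, salt) != computed_persistent_id(
        sp_b, source_value, salt
    )


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

Because the salt is the only secret input, losing or changing it changes every user's ID at every SP, which is why the slides carry it over from the v2 configuration.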


Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes


Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)


Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump


(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table


User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch


Part 1: Overview of user consent in IdP version 3

Part 2: Technical bits


User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.


What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged


Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided


Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws


Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide


When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland


Part 2: Technical bits


Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]


Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release otherwise]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>


Attribute consent configuration: consent duration options

Configured by Java properties in conf/idp.properties (default value in brackets):

• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]


Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]


Intercept flow configuration: white & black lists

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Which attributes to prompt for [all except black list]:
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]


Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>


Terms of use consent configuration: terms for each SP

Configured by Java properties in messages/consent-messages.properties.

• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)


Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.


Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>


Hands-on solution

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want


References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc


Appendix: Disabling the attribute consent prompt for particular SPs


Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant


Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType


Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>


Example relying party override: disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>


SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now


The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!


Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service


Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes


References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes


Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch


What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata.


Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.


IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch


Home Organisation Description (Resource Registry screenshot): steps 1 and 2 are to review, step 3 is to adapt


1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2. Descriptive Information
  • Add new IP ranges and Domain Hints
• 5. Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes


2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)


2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)


But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.


2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/


3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!


3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns the information (i.e. time, SP) when the binding was used the last time.
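Added example (not from the slides): the same check as the grep above, done in Python over sample log lines, reporting per candidate binding the last time it was used and by which SP. The log lines are constructed in a simplified idp-process.log layout (the real layout depends on the deployment's logback configuration), so the line regex is an assumption.

```python
import re
from datetime import datetime

# Binding URNs from the slide's list of removal candidates.
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample lines (assumed, simplified idp-process.log layout:
# "<timestamp> - <level> [<logger>] - <message>"; not real log output).
SAMPLE_LOG = """\
2015-01-07 09:12:44,118 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-library.example.org/shibboleth
2015-03-21 14:03:10,502 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-04-02 08:55:01,007 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-library.example.org/shibboleth
"""

# Leading timestamp, plus the relying party if the message names one ("from https://...").
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:.*\bfrom (https?://\S+))?")


def last_binding_use(lines, binding):
    """Return (timestamp, relying_party) for the most recent line that mentions
    `binding`, or None if the binding never appears in the scanned lines."""
    latest = None
    for line in lines:
        if binding not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # line without a parseable timestamp; skip it
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        who = m.group(2) or "unknown"
        if latest is None or when > latest[0]:
            latest = (when, who)
    return latest


def endpoint_removal_report(lines, bindings):
    """Map each candidate binding to its last use; None means it was never seen,
    i.e. the corresponding endpoint is a candidate for removal from the
    Resource Registry (after checking the whole retention window, not one file)."""
    return {b: last_binding_use(lines, b) for b in bindings}


if __name__ == "__main__":
    report = endpoint_removal_report(SAMPLE_LOG.splitlines(), [SAML1_SOAP, SAML2_POST_SIMPLESIGN])
    for binding, use in report.items():
        print(binding, "->", "never seen" if use is None else f"{use[0]} by {use[1]}")
```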


SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing


Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster


Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering


Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism


Example Environment


Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but the setup is easy


Options: Data storage client-side vs server-side

• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.


Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries


Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used


Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)


IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)


IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used


IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement


Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3


Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?


References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage


SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories


Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales


SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation


Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations


All Academic Identity Federations Globally (map of production and pilot federations). Source: https://refeds.org/federations/federations-map


eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php


Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.


Recommended Interfederation Attributes

    Friendly name                             Defined in   Example
    displayName                               eduPerson    Peter Sample
    common name (cn)                          eduPerson    Peter Sample
    mail                                      eduPerson    peter.sample@example.org
    eduPersonAffiliation                      eduPerson    staff
    eduPersonScopedAffiliation                eduPerson    staff@example.org
    eduPersonPrincipalName                    eduPerson    234cd8z239@example.org
    schacHomeOrganization                     SCHAC        example.org
    schacHomeOrganizationType                 SCHAC        urn:schac:homeOrganizationType:ch:university
                                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID / Persistent Name ID  eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases


Enabling Interfederation (2): https://www.switch.ch/aai/interfederation


eduGAIN: What is it and how does it work?

• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

(Diagram: the eduGAIN Declaration and the eduGAIN Constitution, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)


SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)


Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry


Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust


Metadata (diagram)


GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: each SP commits to the GÉANT Data Protection Code of Conduct; each Home Organisation (HO) learns the SP's commitment)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct bull Principles

bull  Legal compliancebull  Purpose limitationbull  Data minimisationbull  Deviating purposesbull  Data retentionbull  Third partiesbull  Security measuresbull  Information duty towards end userbull  Information duty towards home organizationbull  Security breachesbull  Liabilitybull  Transfer to third countriesbull  Governing law and jurisdictionbull  Eligibility to executebull  Termination of the Code of Conductbull  Survival of the clausesbull  Precedence

16

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

Comparison

REFEDS R&S | GÉANT DP CoCo
Global | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes | SP can require any attributes
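As an added illustration (not part of the SWITCH handouts), the following Python reads SP metadata, finds the entity-category tags in mdattr:EntityAttributes and derives what an IdP release policy keyed on the two categories would hand out: the fixed R&S bundle from the slide, or, for CoCo, the attributes the SP marks isRequired in its AttributeConsumingService (CoCo also obliges the SP to publish a privacy statement, so a CoCo tag without mdui:PrivacyStatementURL is flagged). The metadata and the entity IDs are constructed; the category URIs are the published ones (the CoCo URI is the one cited on the slides).

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Fixed R&S bundle as listed on the slide: identifiers, pseudonymous ID, affiliation.
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName", "givenName",
                       "sn", "eduPersonTargetedID", "eduPersonScopedAffiliation"})

# Constructed sample metadata with two fictional SPs (not real entities).
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo test SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="schacHomeOrganization"
            Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Entity-category URIs an EntityDescriptor carries in mdattr:EntityAttributes."""
    categories = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attribute in entity.findall(path, NS):
        if attribute.get("Name") != ENTITY_CATEGORY_ATTR:
            continue
        for value in attribute.findall("saml:AttributeValue", NS):
            if value.text:
                categories.add(value.text.strip())
    return categories


def release_plan(entity):
    """Attributes a policy keyed on the two categories would release to this SP,
    plus warnings. R&S: the fixed bundle. CoCo: what the SP marks isRequired,
    and the SP must publish a privacy statement in its mdui:UIInfo."""
    categories = entity_categories(entity)
    attributes, warnings = set(), []
    if RS_CATEGORY in categories:
        attributes |= RS_BUNDLE
    if COCO_CATEGORY in categories:
        requested = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
        for ra in entity.findall(requested, NS):
            if ra.get("isRequired", "false").lower() == "true":
                attributes.add(ra.get("FriendlyName") or ra.get("Name"))
        privacy = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL"
        if entity.find(privacy, NS) is None:
            warnings.append("CoCo-tagged SP without mdui:PrivacyStatementURL")
    return attributes, warnings


def plan_for_all(metadata_xml):
    """Map entityID -> (attributes, warnings) for every SP in an aggregate."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): release_plan(e)
            for e in root.findall("md:EntityDescriptor", NS)}


if __name__ == "__main__":
    for entity_id, (attrs, warns) in plan_for_all(SAMPLE_METADATA).items():
        print(entity_id, sorted(attrs), warns)
```

The R&S branch hands out a fixed bundle regardless of what the SP requests, which is exactly the "fixed set of attributes" cell in the comparison; the CoCo branch reads the SP's own requirements, matching "SP can require any attributes".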

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)

[Figure: screenshot of the Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: /var/log/apache2/aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
Location: /var/log/apache2. Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties
  • FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
• Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; entry in services.properties:
    idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
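Added example, not from the handouts: a small Python helper that does what the slides do by hand. It lists the bean IDs of services-system.xml (the same match as the grep shown above), builds the reload-service and reload-metadata URLs, and calls them, turning a non-2xx answer or a connection error into an explicit failure result instead of a silently ignored one. The XML excerpt is constructed in the shape of that file; aai-login.example.org is the placeholder host from the slides.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed excerpt in the shape of services-system.xml (the real file is longer).
SAMPLE_SERVICES_SYSTEM_XML = """
<bean id="shibboleth.LoggingService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.AttributeResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.AttributeFilterService"
      class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.MetadataResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
"""

# Same match as the slide's grep 'bean id=.*class': an id followed by a class attribute.
BEAN_RE = re.compile(r'<bean\s+id="([^"]+)"[^>]*?\bclass="')


def service_bean_ids(xml_text):
    """Bean IDs declared with both id and class in services-system.xml."""
    return BEAN_RE.findall(xml_text)


def reload_url(base_url, bean_id, flow="service"):
    """Admin flow URL: flow 'service' takes a bean ID, 'metadata' a provider ID."""
    if flow not in ("service", "metadata"):
        raise ValueError("flow must be 'service' or 'metadata', not %r" % flow)
    query = urllib.parse.urlencode({"id": bean_id})
    return "%s/idp/profile/admin/reload-%s?%s" % (base_url.rstrip("/"), flow, query)


def trigger_reload(base_url, bean_id, flow="service", opener=urllib.request.urlopen):
    """Call the reload flow and return (ok, detail).

    Run this on the IdP host or from an address allowed in access-control.xml:
    the reload-* flows are restricted to localhost by default. urllib raises
    HTTPError for non-2xx answers, which is reported rather than swallowed."""
    url = reload_url(base_url, bean_id, flow)
    try:
        with opener(url, timeout=30) as response:
            body = response.read().decode("utf-8", "replace").strip()
            return True, body
    except urllib.error.HTTPError as err:
        return False, "HTTP %d for id=%s" % (err.code, bean_id)
    except OSError as err:  # URLError (DNS, refused connection, TLS) is an OSError
        return False, "connection error: %s" % err


def reload_all(base_url, bean_ids, opener=urllib.request.urlopen):
    """Reload every listed service; returns {bean_id: (ok, detail)}."""
    return {bid: trigger_reload(base_url, bid, "service", opener) for bid in bean_ids}


if __name__ == "__main__":
    ids = service_bean_ids(SAMPLE_SERVICES_SYSTEM_XML)
    for bid, (ok, detail) in reload_all("https://aai-login.example.org", ids).items():
        print(("OK  " if ok else "FAIL"), bid, detail)
```

The opener parameter exists so that the HTTP call can be swapped for a stub; in production the default urllib opener is used and the request goes to the IdP's own host.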

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit.log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
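Added example, not from the handouts: Python that parses idp-audit.log lines and walks the decision tree above (nothing released, some required attribute missing, or everything released and the SP side has to investigate), and that also picks out the reload events mentioned in the reloading slides. The column order in AUDIT_FIELDS is an assumption modelled on the IdP v3 default audit pattern (%T|%b|%I|%SP|%P|%IDP|...); check it against the pattern in your logback.xml before relying on the field names. The log lines are constructed.

```python
# Assumed column layout of idp-audit.log, modelled on the IdP v3 default pattern.
# Adjust to the audit pattern configured in your own logback.xml.
AUDIT_FIELDS = ("time", "request_binding", "request_id", "sp", "profile", "idp",
                "response_binding", "response_id", "principal", "authn_context",
                "attributes", "nameid_format", "nameid", "assertion_id")
RELOAD_PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed sample lines: two logins by the same user and one metadata reload.
SAMPLE_AUDIT_LOG = """\
20150611T081501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid1|_assert1
20150611T081733Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://interfed-sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonTargetedID|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid2|_assert2
20150611T082000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""


def parse_audit_line(line):
    """Split one pipe-delimited audit record; the attribute column becomes a list."""
    values = line.rstrip("\n").split("|")
    values += [""] * (len(AUDIT_FIELDS) - len(values))  # reload events are shorter
    record = dict(zip(AUDIT_FIELDS, values))
    record["attributes"] = [a for a in record["attributes"].split(",") if a]
    return record


def parse_audit_log(text):
    return [parse_audit_line(line) for line in text.splitlines() if line.strip()]


def reload_events(records):
    """(time, flow name) for every reload-service/reload-metadata event."""
    return [(r["time"], r["profile"].rsplit("/", 1)[-1])
            for r in records if r["profile"].startswith(RELOAD_PROFILE_PREFIX)]


def attributes_released_to(records, sp_entity_id):
    """Union of attribute IDs released to one SP over all logged logins."""
    released = set()
    for r in records:
        if r["sp"] == sp_entity_id:
            released.update(r["attributes"])
    return released


def check_release(records, sp_entity_id, required):
    """The slide's decision tree, given the SP's required attributes."""
    released = attributes_released_to(records, sp_entity_id)
    if not released:
        return "no attributes released: check the IdP's attribute release policy"
    missing = set(required) - released
    if missing:
        return "missing required attributes %s: review the attribute release policy" % sorted(missing)
    return "all required attributes released: the SP has to investigate why access fails"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(reload_events(recs))
    print(check_release(recs, "https://interfed-sp.example.net/shibboleth",
                        ["eduPersonPrincipalName", "mail"]))
```

Point the parser at /opt/shibboleth-idp/logs/idp-audit.log and the SP's entityID from the Resource Registry; the required attribute list is the one the SP declares there. The reload events carry only the profile URI, which is why the hands-on question about the id= argument cannot be answered from idp-audit.log alone.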

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


SWITCHaai Team, aai@switch.ch

Configuration Pattern: Get used to Spring Beans and Properties

What's that?

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

    <!-- Attribute Resolver Configuration -->
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <!-- Attribute Filter Configuration -->
    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>

Page 10

Configuration Pattern of IdPv3
• The IdPv3 configuration builds upon the Spring Framework
• Configuration is located in XML files
• There are a lot of wired beans
• The whole configuration follows the same pattern, with some few exceptions
• Wonderfully flexible way to configure components, but quite complicated for deployers

Understanding Beans and Properties
Bean: some software object that is configurable by setting its attributes
Property: a piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

Page 11

Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

Page 12

Examples of Beans
• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans
• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.

Configuration file: /opt/shibboleth-idp/conf/services.xml

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>
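Added example, not from the handouts: Python that resolves the %{key} and %{key:default} placeholders of the connectionConfig bean against a properties file, the way the IdP's Spring configuration does at start-up (a property value wins, then the default after the colon, and a placeholder with neither is an error). It also shows that the {user} token in the userFilter value is not a Spring placeholder and survives untouched for ldaptive to fill in. Namespace declarations were added to the bean so it parses stand-alone; the property values are the slide's sample values.

```python
import re
import xml.etree.ElementTree as ET

# %{key} or %{key:default}; the key part cannot contain '}' or ':'.
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
P_NS = "{http://www.springframework.org/schema/p}"

# Properties as shown on the slides (sample values, not a live directory).
SAMPLE_PROPERTIES = """\
# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.userFilter = (uid={user})
"""

# The connectionConfig bean from the slides, with namespace declarations added.
SAMPLE_BEAN = """<bean xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p"
    id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
    p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
    p:useSSL="%{idp.authn.LDAP.useSSL:false}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
    p:sslConfig-ref="sslConfig" />"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def resolve(value, props):
    """Expand placeholders: property value first, then the default, else fail
    loudly, as Spring does for an unresolvable placeholder."""
    def expand(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError("unresolvable placeholder %%{%s}" % key)
    return PLACEHOLDER.sub(expand, value)


def bean_properties(bean_xml, props):
    """The bean's p:-namespace attributes with every placeholder resolved."""
    element = ET.fromstring(bean_xml)
    return {name[len(P_NS):]: resolve(raw, props)
            for name, raw in element.attrib.items() if name.startswith(P_NS)}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for name, value in sorted(bean_properties(SAMPLE_BEAN, props).items()):
        print(name, "=", value)
```

With the sample properties, useStartTLS comes out as false (the property overrides the bean's default of true), useSSL as true, and connectTimeout as the default 3000 because no property sets it; leaving idp.authn.LDAP.ldapURL out of the properties makes the resolution fail, which is the same symptom as an IdP that refuses to start after a property was mistyped.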

Page 13

References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation:
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

Page 14

SWITCHaai Team, aai@switch.ch

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.

Page 15

Login Flows

[Figure: the Shibboleth IdP receives a SAML Request; the Authentication Engine selects a suitable flow and executes it (RemoteUser, X509 or Password Authentication Flow); the IdP returns the SAML Response]

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  • But: the client must support ECP appropriately

Page 16

Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

Page 18

Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Page 19

Hands-on 1: Explore the configuration. Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2. File: /opt/shibboleth-idp/conf/login.config

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
    };

PS: Common and equivalent alternative to userField: userFilter
    userField="uid"  ≙  userFilter="(uid={0})"

Hands-on 2: Solution

To IdPv3. File: /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File: /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
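Added example (not from the handouts; the hands-on solution above is the reference): a Python converter that generalises the migration step. It parses the JAAS LdapLoginModule stanza, accepts both the userField and the userFilter form (rewriting the vt-ldap {0} token to ldaptive's {user}), keeps the bind password out of the ldap.properties output, and derives useSSL/useStartTLS from the URL scheme. That last rule is an assumption of this example (ldaps:// means useSSL, ldap:// means StartTLS, so the connection is never left unencrypted); mixed schemes are rejected rather than guessed. The login.config text is the slide's sample.

```python
import re

# The v2 login.config stanza from the slide (sample values).
SAMPLE_LOGIN_CONFIG = """\
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
"""


def parse_jaas_ldap_module(text):
    """Extract the option="value" pairs of the LdapLoginModule entry."""
    match = re.search(r"LdapLoginModule\s+\w+\s+(.*?);", text, re.S)
    if not match:
        raise ValueError("no LdapLoginModule entry found")
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', match.group(1)))


def migrate(options):
    """Map v2 JAAS options to v3 keys. Returns (ldap_props, credential_props);
    the bind password appears only in the second dictionary."""
    urls = options["ldapUrl"].split()
    schemes = {url.split("://", 1)[0] for url in urls}
    if len(schemes) != 1:
        raise ValueError("mixed ldap:// and ldaps:// URLs; use one scheme for all servers")
    all_ldaps = schemes == {"ldaps"}
    if "userFilter" in options:
        user_filter = options["userFilter"].replace("{0}", "{user}")
    else:
        user_filter = "(%s={user})" % options["userField"]
    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # Assumption of this example: ldaps:// -> useSSL, ldap:// -> StartTLS.
        "idp.authn.LDAP.useStartTLS": "false" if all_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if all_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": options["baseDn"],
        "idp.authn.LDAP.subtreeSearch": options.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": options["bindDn"],
    }
    credentials = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap, credentials


def render_properties(props):
    """Serialise a dictionary as 'key = value' lines."""
    return "".join("%s = %s\n" % item for item in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = migrate(parse_jaas_ldap_module(SAMPLE_LOGIN_CONFIG))
    print("# ldap.properties\n" + render_properties(ldap_props))
    print("# credentials.properties\n" + render_properties(cred_props))
```

Writing the two dictionaries to separate files reproduces the split the slides recommend: connection parameters in ldap.properties, the password only in credentials.properties.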

Page 21

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23


Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Page 25

Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Page 27

Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Page 29

copy SWITCH 201513

Some Velocity Propertiesbull $rpUIContextinformationURLbull $rpUIContextlogobull $rpUIContextorganizationDisplayNamebull $rpUIContextorganizationNamebull $rpUIContextorganizationURLbull $rpUIContextprivacyStatementURLbull $rpUIContextserviceDescriptionbull $rpUIContextserviceName

1513

copy SWITCH 201513

Velocity Propertiesset ($name= $rpUIContextServiceName()) if ($QDPH) ltdiv class=spacegt ltemgt$encoderencodeForHTML($name)ltemgt ltdivgt

end

1613

Page 30

copy SWITCH 201513

Hands On I bull  make the IdP logo disappear for screens smaller than

799 px13 13

1713

copy SWITCH 201513

Hands On II bull  return the following error message on the login form in

case of invalid username or incorrect password13

13ldquo The credentials you entered are incorrectrdquo1313

1813

Page 31

copy SWITCH 201513

Hands On III bull  Start to adapt the loginvm in such way that it looks like

your production IdP13

1913

copy SWITCH 201513

Example Solution I bull  define a css class idp_logo13media only screen and (max-width 799px) idp_logo displaynone bull  use the class in loginvmltimg class=idp_logo align=righthellipbull  rebuild and restart tomcat13sudo JAVACMD=usrbinjava optshibboleth-idpbin

buildsh -Didptargetdir=optshibboleth-idpsudo etcinitdtomcat7 restart 13 2013

Page 32

copy SWITCH 201513

Example Solution IIbull  Edit authn-messagesproperties1313UnknownUsername = bad-credentialsInvalidPassword = bad-credentialsbad-credentialsmessage = The credentials you entered are incorrect 13
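The point of Example Solution II is that the default messages ("username cannot be identified" versus "password was incorrect") let a client find out which usernames exist. The following check reads an authn-messages.properties file and reports whether the two error classes still resolve to different texts. It is an added example by the editor, not code from the SWITCH handout or from the Shibboleth project; it relies only on the key names the slides show (UnknownUsername, InvalidPassword, <key>.message), and both property texts below are constructed samples.

```python
"""Check a Shibboleth IdP authn-messages.properties file for the
username-enumeration issue that Example Solution II fixes.

Added example by the editor, not code from the SWITCH handout or the
Shibboleth project. Only the key names shown on the slides are used;
the sample property texts are constructed here."""
import re

# Constructed sample: authn-messages.properties after Example Solution II.
SAMPLE_PROPERTIES = """\
# Classified Login Error messages
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-credentials.message = The credentials you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

# Constructed sample: the shipped defaults as shown on the slides.
DEFAULT_PROPERTIES = """\
UnknownUsername = bad-username
InvalidPassword = bad-password
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
"""

# key (with \: and \= escapes allowed), optional '=' or ':' separator, value
_KV_RE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key = value',
    '\\:' and '\\=' escapes in keys, and trailing-backslash continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = _KV_RE.match(line)
        if m:
            key = m.group(1).replace("\\:", ":").replace("\\=", "=")
            props[key] = m.group(2).strip()
    return props


def login_error_message(props, error_class):
    """Resolve the two-level mapping: error class -> message key -> text."""
    key = props.get(error_class)
    return None if key is None else props.get(key + ".message")


def reveals_username_validity(props):
    """True when an unknown username and a wrong password produce different
    texts, i.e. the login form lets a client tell valid usernames apart."""
    return (login_error_message(props, "UnknownUsername")
            != login_error_message(props, "InvalidPassword"))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_PROPERTIES), ("fixed", SAMPLE_PROPERTIES)):
        props = parse_properties(text)
        print(name, "reveals username validity:", reveals_username_validity(props))
```

Run it against the real file with `parse_properties(open("/opt/shibboleth-idp/messages/authn-messages.properties").read())`; the parser also copes with the escaped-colon keys (`https\://sp.example.org`) used in consent-messages.properties later in these handouts.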


Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning is given for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.

New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1.3.6.1.4.1.1181711213 (the dots within the enterprise-specific part of the OID are not recoverable from the handout; take the exact value from the Resource Registry)
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <!-- exact OID: see the Resource Registry entry for this attribute -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.1181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter" />
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• The IdP API for scripts has changed
  – the output attribute variable is already created
  – setValues() has been removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
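To make the recap concrete, the following code recomputes a persistent ID the way the slide describes (SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded) and takes apart the qualified string form the Shibboleth SP hands to applications. This is an added example by the editor, not code from the handout or the Shibboleth project. The exact layout of the hash input, entityID "!" value "!" salt, is the editor's understanding of the IdP's computed-ID strategy and is not stated on the slide; compare the output with one row of your own shibpid table before relying on it. The entity IDs follow the slide's examples, the salt is a placeholder.

```python
"""Recompute a Shibboleth-style persistent ID and take apart the string
form the Shibboleth SP hands to applications.

Added example by the editor, not code from the handout or the Shibboleth
project. The hash input layout <SP entityID>!<source value>!<salt> is an
assumption about the IdP's computed-ID strategy; verify it against a
record in your own shibpid table."""
import base64
import binascii
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"   # from the slide
SP_ENTITY_ID = "https://sp.example.org/shibboleth"               # from the slide
SALT = "placeholder-salt-use-idp.persistentId.salt"              # constructed


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over entityID!sourceValue!salt, Base64-encoded (20 bytes -> 28 chars).
    The SP entity ID in the input is what makes the ID targeted (pair-wise)."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def is_well_formed_persistent_id(value):
    """True for a Base64 string that decodes to exactly 20 bytes (one SHA-1)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 20


def sp_attribute_string(idp_entity_id, sp_entity_id, value):
    """The Shibboleth SP's string rendering: IdP qualifier ! SP qualifier ! value.
    Joining on '!' is safe because the Base64 alphabet never contains it."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def split_sp_attribute_string(rendered):
    """Inverse of sp_attribute_string; rejects anything but three non-empty parts."""
    parts = rendered.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a qualified persistent ID: %r" % rendered)
    return {"idp": parts[0], "sp": parts[1], "value": parts[2]}


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", SALT)
    print(sp_attribute_string(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

The two inequality checks in the usage below are the properties the SAML quote asks for: the same user gets a different value at every SP, and without the salt nobody can recompute the value from a known attribute.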

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration; a different salt would yield different persistent IDs for all users)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or the terms change.

What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (the value in brackets is the software default).
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except that attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP: default mapping using the entityID
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mappings configurable, but the key is still the entityID (a default value is available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>
• Add the text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides
Template beans in conf/relying-party.xml match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>


Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description
Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 metadata.

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form)
1, 2: To review
3: To adapt

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then?
In "3. Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check whether a profile and binding can be removed?
Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
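The grep above lists every hit; what you actually want before deleting an endpoint is the most recent use per SP and whether that lies outside your quiet period. The following code does that over process-log lines. It is an added example by the editor, not from the handout: the log lines are constructed (real idp-process.log entries follow the pattern configured in conf/logback.xml, so adapt LINE_RE to your own format), only the binding URIs are real, and the 90-day quiet period and the reference date are the editor's choices.

```python
"""Decide from IdP process-log lines whether a SAML binding is still in
use, the check the slide recommends before removing an endpoint.

Added example by the editor, not code from the handout. The log lines and
their layout (timestamp - level [logger] - message) are constructed; only
the binding URIs are real. Adapt LINE_RE to your logback pattern."""
import re
from datetime import datetime

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample lines, not real IdP output.
SAMPLE_LOG = """\
2015-01-12 08:14:03,211 - INFO [net.shibboleth.idp.profile:175] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-02-28 11:05:09,044 - INFO [net.shibboleth.idp.profile:175] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-legacy.example.org/shibboleth
2015-02-28 11:05:10,301 - WARN [net.shibboleth.idp.profile:201] - unrelated line that must not match
2015-06-10 16:40:01,778 - INFO [net.shibboleth.idp.profile:175] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp-new.example.org/shibboleth
"""
NOW = datetime(2015, 6, 11)  # constructed reference point: the training day

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?"
    r" binding (?P<binding>\S+) from (?P<sp>\S+)$"
)


def last_use_by_sp(lines, binding):
    """Map SP entity ID -> datetime of its most recent use of `binding`."""
    last = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("binding") != binding:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        sp = m.group("sp")
        if sp not in last or ts > last[sp]:
            last[sp] = ts
    return last


def removable(lines, binding, now=NOW, quiet_days=90):
    """(True, newest_use) when the binding was never seen or has been idle
    for more than quiet_days; (False, newest_use) otherwise."""
    last = last_use_by_sp(lines, binding)
    if not last:
        return True, None
    newest = max(last.values())
    return (now - newest).days > quiet_days, newest


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for binding in (SAML1_SOAP, SAML2_POST):
        ok, newest = removable(lines, binding)
        print(binding, "removable:", ok, "last use:", newest)
```

Feed it the real files with `lines = open("/opt/shibboleth-idp/logs/idp-process-2015-01-12.log")` (or a concatenation of all 2015 files); the per-SP map also tells you whom to contact before the endpoint disappears.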

13

Page 68

SWITCHaai Team aaiswitchch

Clustering IdPs High Availability and Load Balancing

copy 2015 SWITCH

Goals bull  Operate the IdP on multiple servers to get high availability

andor load balancing bull  Load balancing is especially desirable for IdPs with a lot of user logins

and a high load ie for large organizations bull  A further usage is to avoid outages during maintenances A server

can be taken away without breaking the operation

bull  Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails bull  Users should not need to re-login if a server fails or is manually

removed from the cluster

2

Page 69

copy 2015 SWITCH

Support for clustering in IdPv3

bull  IdPv3 provides better support for clustering than IdPv2 bull  Especially user login sessions are stored on the client instead of on

the server in memory bull  Allows flexible configuration of various storage services (memory

server-side client-side)

bull  In theory clustering would be easy by storing data in memory or in cookies in the browser only ie avoiding a database But bull  Full support for Attribute Query requires persistent storage of the

Persistent ID bull  Storing user consents per browser is not convenient for users

bull  Documentation on the Shibboleth Wiki httpswikishibbolethnetconfluencedisplayIDP30Clustering

3

copy 2015 SWITCH

Challenges

bull  The setup of the IdP and the whole environment is more complex than with a single-server IdP

bull  Special configuration of the IdP is required

bull  Load balancing requires special hardware or software

bull  IdPs in SWITCHaai store some data in a database Therefore clustered IdPs need some kind of clustered database or some replication mechanism

4

Page 70

copy 2015 SWITCH 5 5

Example Environment

copy 2015 SWITCH 6

Example Environment

Page 71

copy 2015 SWITCH

Options bull  Full-featured setup

Load Balancing Hardware vs DNS Round Robin  Special load balancing hardware or software is highly recommended

bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored

bull Supports sticky sessions (required for short-lived conversation sessions)

  DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions

bull  Basic setup (ActiveStandby system)  Anycast IP address

bull Fast switching possible but more complicated setup

 Switching via DNS bull Switching takes some time (TTL) but setup is easy

7

copy 2015 SWITCH

Options bull  Data storage client-side vs server-side  Server-side database can store any data

bull But Might cause some performance penalty bull Centralizedclustered or replicated database required

  Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers

There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution

8

Page 72

copy 2015 SWITCH

Storage Entities bull  Conversation Session (Profile Request Session)

bull  Transient web flow at IdP eg SAML2 SSO Login sequence bull  Bound to a single node (session state stored in memory) bull  Requires session stickiness on load balancer (short-time only)

bull  IdP User Session bull  After a successful login at the IdP the IdP creates an associated user

session This session is valid for the configured session lifetime (eg 30 minutes or 8 hours)

bull  Floatable between nodes (stored on client)

bull  Persistent ID bull  Unique opaque identifier for a user per service provider bull  In a typical SWITCHaai deployment the Persistent ID is stored in a

database bull  Requires that all IdPs access a common storage to fully support

Attribute Queries 9

copy 2015 SWITCH

Storage Entities bull  User consent to attribute release and terms of use

bull  Requires persistent storage (client-side or server-side) bull  Requires server-side storage to allow the users to use multiple

browsersclients

bull  SAML artifacts bull  Requires a common storage The data must be available to all active

nodes to reliably support SAML 20 artifact bull  Seldom used in SWITCHaai

bull  Message replay cache bull  Can be stored per node in memory but then it is limited to a single

node (Still this is the default configuration) bull  For higher security requirements the message replay cache can be

managed in the central database or memcached might be used

10

Page 73

copy 2015 SWITCH

Storage Recommendations

Storage Entity Recommended Storage

Scope

Conversation Session Memory Per Node IdP User Session Client Per Client Persistent ID Common Database Cluster User consents Common Database Cluster SAML artifacts Common Database Cluster Message replay cache Memory Per Node

11

Remarks bull  Common Database means some centralclustered database or a database replicated

between nodes bull  SAML artifacts

Irrelevant if SAML 20 artifacts not usedrequired at all bull  Alternatives for Message replay cache

Common Database or memcached (depending on security requirements)

copy 2015 SWITCH

IdP Configuration Storage bull  The storage service to use per storage entity is specified

in optshibboleth-idpconfidpproperties bull  IdP User Session idpsessionStorageService bull  User Consents idpconsentStorageService bull  SAML artifacts idpartifactStorageService bull  Message replay cache idpreplayCacheStorageService

bull  Exception Persistent ID bull  Configured in optshibboleth-idpconfglobalxml

(bean PersistentIdStore)

12

Page 74

copy 2015 SWITCH

IdP Configuration Database Storage bull  The storage service shibbolethJPAStorageService stores

data in a database This service and a corresponding database backend are configured in optshibboleth-idpconfglobalxml

bull  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibbolethPostgreSQLDataSource) The configuration in globalxml must be adapted suitably for the database backend that is to be used

13

IdP Configuration: Secret Key Management
•  The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
•  Setup:
   •  Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
   •  Install an appropriate cronjob
   •  The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

14
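As an added example of the cronjob the slide asks for (this is not the wiki's script and not SWITCH's), the following rotates the sealer key on the node chosen as key master, copies the keystore and version file to the other nodes and then verifies that every node reports the same key version. It assumes the standard v3 layout under /opt/shibboleth-idp (credentials/sealer.jks and credentials/sealer.kver, the latter a properties file with a CurrentVersion=N line) and the seckeygen.sh tool shipped in bin/ with the options the wiki's example uses; the number of retained versions, the PEER_NODES list and the use of scp/ssh between nodes are this script's choices.

```shell
#!/bin/sh
# Added example, not the wiki's or the handout's script: rotate the IdP sealer
# key on the key master and distribute it to the other cluster nodes.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
SEALER_JKS="$IDP_HOME/credentials/sealer.jks"
SEALER_KVER="$IDP_HOME/credentials/sealer.kver"
PEER_NODES="${PEER_NODES:-}"            # placeholder, e.g. "idp2.example.org idp3.example.org"
SEALER_PASSWORD="${SEALER_PASSWORD:-}"  # value of idp.sealer.storePassword, passed via environment

# The .kver file is a Java properties file with a CurrentVersion=N line.
sealer_version() {   # $1 = path to sealer.kver
  sed -n 's/^CurrentVersion=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Exit 0 if all given version numbers are identical and non-empty.
versions_in_sync() {
  first="$1"
  [ -n "$first" ] || return 1
  for v in "$@"; do
    [ "$v" = "$first" ] || return 1
  done
  return 0
}

# Generate a new key version; keeping the previous versions lets cookies
# sealed with the old key remain readable until they expire.
generate_key() {
  "$IDP_HOME/bin/seckeygen.sh" --storefile "$SEALER_JKS" --storepass "$SEALER_PASSWORD" \
      --versionfile "$SEALER_KVER" --alias secret --count 30
}

# Copy keystore first, then the version file, so a node never references a
# version it does not have yet. The IdP picks up the new version itself.
distribute_key() {
  for node in $PEER_NODES; do
    scp -q "$SEALER_JKS" "$node:$SEALER_JKS"
    scp -q "$SEALER_KVER" "$node:$SEALER_KVER"
  done
}

# Every node must report the same CurrentVersion as the key master.
verify_cluster() {
  want=$(sealer_version "$SEALER_KVER")
  [ -n "$want" ] || return 1
  for node in $PEER_NODES; do
    got=$(ssh "$node" "sed -n 's/^CurrentVersion=//p' '$SEALER_KVER'")
    versions_in_sync "$want" "$got" || {
      echo "$node has version '${got:-none}', expected $want" >&2
      return 1
    }
  done
}

# Usage (from cron on the key master): rotate-sealer.sh rotate
if [ "${1:-}" = "rotate" ]; then
  generate_key && distribute_key && verify_cluster
fi
```

The verification step is the part worth keeping even if the copy mechanism differs: a node that missed a key update cannot read sessions created by the others, which surfaces as users being asked to log in again only on some nodes.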

Page 75

Further Notes
•  Memcached
   •  Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
   •  Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
•  Terracotta
   •  No longer an option for IdPv3

15

Considerations for planning an IdP cluster
•  Which type of setup do you need? Basic setup or full-featured setup?
•  What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
•  Which additional hardware or software is required?
•  Which further considerations are relevant for your institution?

16

Page 76

References: Documentation
•  Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
•  Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
•  Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

17

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
•  Get an idea of the benefits when participating in interfederation
•  Know what it takes to enable an IdP for interfederation
•  Understand the concept of Entity Categories
•  Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

2

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
•  Most federations are of national scope
•  Services may need to register in many federations to serve all their users. That's time-consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
•  Research projects are mostly multi-national
•  Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
   •  Enable the IdP for interfederation: its users will be able to access services from other federations
   •  Enable the SP for interfederation: the service can serve users from other federations

4

Page 79

All Academic Identity Federations Globally

5

[Map: federations in production and in pilot. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
•  eduGAIN is the GÉANT Interfederation Service
•  eduGAIN design principles:
   •  Low barrier to entry
   •  No mandate to change local standards/procedures
   •  Minimal central infrastructure
•  Status June 2015:
   •  IdPs: 1257
   •  SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

7

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

8

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation,         eduPerson    staff, staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

9

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
•  eduGAIN provides a policy framework and standards to build trust
•  SPs and IdPs of participating federations should opt-in for eduGAIN
   •  Some federations decided for opt-out instead
•  MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework. eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

12

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

13

Metadata

14

Page 84

GÉANT Data Protection Code of Conduct
•  The method is based on the EU Data Protection directives
•  The SP has to provide a Privacy Policy (in English, according to the guideline)
•  That will encourage the Home Organisation IdP to release attributes; attribute release will scale

[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

15

GÉANT Data Protection Code of Conduct
• Principles
  •  Legal compliance
  •  Purpose limitation
  •  Data minimisation
  •  Deviating purposes
  •  Data retention
  •  Third parties
  •  Security measures
  •  Information duty towards end user
  •  Information duty towards home organization
  •  Security breaches
  •  Liability
  •  Transfer to third countries
  •  Governing law and jurisdiction
  •  Eligibility to execute
  •  Termination of the Code of Conduct
  •  Survival of the clauses
  •  Precedence

16

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request?
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

17

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  •  Research & scholarship interaction
  •  Collaboration
  •  Management
• No SPs from publishers
• Attributes
  •  Personal identifiers: email, person name, eduPersonPrincipalName
  •  Pseudonymous identifier: eduPersonTargetedID
  •  Affiliation: eduPersonScopedAffiliation
  •  Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

19

Comparison

20

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88

Attribute Release Settings (1)

3

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
 error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
 access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration defined in the virtual host definition:
 dir: /etc/apache2/sites-available/, file: aai-login.example.org.conf

2

Page 90

Tomcat log files

 catalina.out: console output (System.err/out) from Tomcat
   default logging location: /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
   FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
 localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
   default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

3

Shibboleth log files (1)

 logging implementation called Logback (Log4j successor); manual:
   o http://logback.qos.ch/manual/index.html
 Reloadability: log level change without restarting the IdP; in services.properties:
   entry idp.service.logging.checkInterval = PT5M
 Automatic Email Alerts on Error

4

Page 91

Shibboleth log files (2)

 Location: /opt/shibboleth-idp/logs/
 three classes of log files produced by default: diagnostic, general audit and consent audit logs
   idp-process.log: detailed description of the IdP processing requests
   idp-warn.log: filtered view of idp-process.log
   idp-audit.log: general request/response auditing records
   idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

Shibboleth log files (3)

 cfg: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
 Default settings usually ok. Change it if required, i.e.
   o LDAP Auth Module or authentication events
   o new Logger or Appender…
 Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
 Logback handles rollover by default

6

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1

Why is Tomcat not starting up?

1  edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2  Restart Tomcat
3  Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4  Remove the listener from server.xml and restart Tomcat

8

Page 93

Hands On 2

9

 Find out why not all of the attributes appear

Hands On II

1  cd /opt/shibboleth-idp/conf
2  edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3  edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4  Restart Tomcat and log in to the IdP (AAI Demo Service)
5  Look at the idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6  Undo the wrong value: set $requestContext.principalName and restart Tomcat

10
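Both hands-on exercises end with the same two questions: which class did Tomcat fail to load, and does the LDAP search filter still carry the placeholder the IdP substitutes at runtime? The following helpers are an added example (not part of the handout) that answer them from catalina.out and ldap.properties respectively; the catalina.out excerpt and the properties lines are constructed for the demo, and the property key and the $requestContext.principalName placeholder are the ones the exercise uses.

```shell
#!/bin/sh
# Added example, not the handout's code: small checks for the two hands-on
# failure modes (Tomcat ClassNotFoundException, broken LDAP search filter).

# Hands On 1: print the class Tomcat could not load, taken from the first
# java.lang.ClassNotFoundException line in catalina.out (empty if none).
missing_class() {   # $1 = path to catalina.out
  sed -n 's/.*java\.lang\.ClassNotFoundException: \([A-Za-z0-9_.$]*\).*/\1/p' "$1" | head -n 1
}

# Hands On II: the search filter must reference $requestContext.principalName,
# otherwise the data connector queries LDAP with a literal that matches no
# entry and the resolved attributes silently disappear.
# Prints "OK <filter>" or "BROKEN <filter>"; exit status 1 when broken.
check_search_filter() {   # $1 = path to ldap.properties
  filter=$(sed -n 's/^[[:space:]]*idp\.attribute\.resolver\.LDAP\.searchFilter[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  case "$filter" in
    *'$requestContext.principalName'*) echo "OK $filter"; return 0 ;;
    *)                                  echo "BROKEN ${filter:-<unset>}"; return 1 ;;
  esac
}

# Constructed catalina.out excerpt (shape of a Tomcat 7 startup failure)
write_sample_catalina() {   # $1 = output file
  cat > "$1" <<'EOF'
INFO: Initializing ProtocolHandler ["http-bio-8080"]
SEVERE: Error configuring application listener of class org.apache.catalina.filter
java.lang.ClassNotFoundException: org.apache.catalina.filter
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
EOF
}

# Constructed ldap.properties line with the correct placeholder
write_sample_ldap_properties() {   # $1 = output file
  cat > "$1" <<'EOF'
idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
EOF
}

# Usage: check-idp.sh /var/log/tomcat7/catalina.out /opt/shibboleth-idp/conf/ldap.properties
if [ $# -eq 2 ]; then
  echo "Tomcat could not load: $(missing_class "$1")"
  check_search_filter "$2"
fi
```

The filter check reads only the last definition of the key, which is how Java properties files resolve duplicates, so an accidental second definition further down the file is reported the same way the IdP would see it.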

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3
•  reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
   https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
   https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
   $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
   $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
•  by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService                   logging configuration reload (logback.xml)
shibboleth.AttributeFilterService           attribute filter reload
shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4
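Slide 3 recommends curl over the installed reload scripts; the following is an added example (not the handout's or the IdP's own reload script) of a small wrapper that builds the admin flow URLs, warns about ids that are not in the list on this slide, and treats anything other than HTTP 200 as a failed reload so that a cron job or deploy script notices. The hostname is the handout's example; BASE_URL must point at the real IdP and the caller must be permitted by access-control.xml (localhost by default). The IdP's exact response text for an invalid id is deliberately not hard-coded, since checking it is one of the hands-on questions.

```shell
#!/bin/sh
# Added example, not the handout's or the IdP's reload script: trigger the
# reload-service / reload-metadata admin flows with curl and check the result.

BASE_URL="${BASE_URL:-https://aai-login.example.org}"

# Service bean IDs that reload-service accepts (the list on this slide).
KNOWN_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService \
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService \
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService \
shibboleth.ReloadableAccessControlService"

# Build the admin flow URL: $1 = reload-service|reload-metadata, $2 = id
reload_url() {
  printf '%s/idp/profile/admin/%s?id=%s\n' "$BASE_URL" "$1" "$2"
}

# Exit 0 if $1 is one of the documented reloadable service ids.
is_known_service() {
  for s in $KNOWN_SERVICES; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# Only an HTTP 200 counts as a successful reload.
reload_ok() {   # $1 = HTTP status code
  [ "$1" = "200" ]
}

# Request the flow, print the IdP's answer, return non-zero unless 200.
call_flow() {   # $1 = flow, $2 = id
  body=$(mktemp)
  status=$(curl -s -w '%{http_code}' -o "$body" "$(reload_url "$1" "$2")")
  cat "$body"; rm -f "$body"
  reload_ok "$status" || { echo "reload of '$2' failed (HTTP $status)" >&2; return 1; }
}

reload_service() {   # $1 = service bean id
  is_known_service "$1" || echo "warning: '$1' is not a documented service id" >&2
  call_flow reload-service "$1"
}

reload_metadata() {   # $1 = metadata provider id
  call_flow reload-metadata "$1"
}

# Usage: idp-reload.sh reload-service shibboleth.AttributeFilterService
#        idp-reload.sh reload-metadata <provider-id>
case "${1:-}" in
  reload-service)  reload_service "$2" ;;
  reload-metadata) reload_metadata "$2" ;;
esac
```

Because the message source (shibboleth.MessageSourceResources) has no reload flow, the wrapper reports it as undocumented rather than pretending a reload happened; as the slide notes, those files are re-read on the cache timeout anyway.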

Page 96

And restartless login page editing, too
•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
   – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3
•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises
•  try reloading a couple of the services listed on slide 4:
   curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
   …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
   …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding
   •  Opt-in vs. opt-out
   •  Metadata
   •  Discovery Service
   •  Attributes
•  Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
•  Opt-in
   •  IdPs and SPs decide when they are ready to interfederate
   • Once the configuration is up-to-date:
      •  Interfederation Metadata gets loaded
      •  IdP: Additional attributes, user consent
      •  SP: Discovery Service, attribute mapping, access rules
   ⊖  Slow process
   ⊕  Entities unlikely to cause interoperability problems
•  Opt-out
   •  Federation announces a flag day for enabling interfederation
   •  IdPs and SPs need to opt-out before
      •  if they do not want to participate
      •  if they are not ready yet
   ⊕  Quick adoption
   ⊖  More likely that entities cause problems, unless they opted out before the flag day

3

Three Examples
1)  UK Data Archive: http://www.data-archive.ac.uk
2)  FUNET FileSender: https://filesender.funet.fi
3)  Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1)  Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2)  eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3)  eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

4

Page 100

Metadata
•  Interfederated IdPs and SPs need additional metadata
   •  SWITCHaai entities configure an additional metadata source signed with the same trust anchor
   •  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes
   •  In SWITCHaai: two hours
   •  For interfederation: one to a few days
•  Possible issue
   •  SP does not load interfederation metadata
   • SP does not know the IdP and fails

5

Discovery Service (DS)
•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
•  An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
•  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
   • That can result in this error message at your IdP:
     Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes
•  Missing attributes cause interoperation problems
   •  Check the SP's attribute requirements in the Resource Registry
   •  Verify that attributes were released (in the IdP's audit log)
      •  If NO: check your IdP's attribute release policy
      •  If YES: were all required attributes released?
         •  If YES: the SP has to check out why it fails
         •  If NO: review your attribute release policy
•  Another issue
   •  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

7

Exploring interfederated entities
•  Is a university's IdP or an SP already interfederated?
   •  go to https://technical.edugain.org/status.php
   •  pick the country where the entity might be registered
   •  under "Metadata URL" click on "validate this metadata set", then on "show entities list"
•  or search it in the eduGAIN List of Entities
   •  go to https://technical.edugain.org/entities.php
•  or try the "Is Federated" Checker
   •  go to https://wiki.edugain.org/isFederatedCheck
   •  provide email addresses or domain names
•  Additional web pages of interest
   •  Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
      •  go to http://monitor.edugain.org/coco
   •  REFEDS Metadata Explorer Tool (MET)
      •  go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities
•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"
•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch

9

Page 103


Configuration Pattern of IdPv3
•  The IdPv3 configuration builds upon the Spring Framework
   •  Configuration is located in XML files
   •  There are a lot of wired beans
•  The whole configuration follows the same pattern
   •  With some few exceptions
•  Wonderfully flexible way to configure components, but quite complicated for deployers

3

Understanding Beans and Properties
Bean: Some software object that is configurable by setting its attributes
Property: A piece of information keyed by some name (e.g. idp.authn.LDAP.useSSL = true)

4

Page 11

Understanding Beans and Properties
• The whole configuration of the IdP is specified by a lot of beans
• For convenience, the essential configuration can be specified by properties stored in properties files
• Still, from time to time you will need to directly modify beans or create new ones
• The beans are specified in XML notation and the corresponding software objects are created at runtime when the IdP starts

5

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

# LDAP connection parameters
idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• Each line consists of a pair of a key and a value
• Comment lines start with a # character

6

Page 12

Examples of Beans
•  Each bean has some name (id)
•  Each bean has some type (class)
•  Attributes (parameters) specify the bean's configuration
•  Beans can refer to other beans (wiring)

7

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

Examples of Beans
•  There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans.
Configuration file: /opt/shibboleth-idp/conf/services.xml

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
</util:list>
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
</util:list>

8

Page 13

References
For comprehensive information refer to the documentation on the Shibboleth Wiki.
Documentation
•  Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
•  Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

9

Page 14

SWITCHaai Team, aai@switch.ch

User Authentication: How to do it the v3 way

From Login Handlers to Login Flows
•  v2 uses Login Handlers
   •  Typical/default setup: UsernamePassword login handler
      • Username/password login form
      • Authentication via JAAS and LDAP (login.config)
   •  Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
•  v3 uses Login Flows (also called Authentication Flows)
   •  Typical/default setup: Password login flow
      • Username/password login form
      • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
   •  Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development

2

Page 15

Login Flows

3

[Figure: Shibboleth IdP. A SAML Request arrives, the Authentication Engine selects a suitable flow (RemoteUser, X.509 or Password Authentication Flow) and executes it, and a SAML Response is returned.]

Login Flows
•  One or several flows can be activated
•  The authentication engine of the IdP selects a suitable flow depending on several criteria:
   •  Does the SP request a specific authentication context type?
   •  Does the SP request forced authentication?
   •  Does the SP request passive authentication?
•  In practice, most deployments will use the Password login flow as the only one
•  ECP is supported out-of-the-box by the Password login flow. No special configuration is required
   •  But: the client must support ECP appropriately

4

Page 16

Authentication Configuration
•  Login flow activation
   •  /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
•  Per login flow configuration
   •  /opt/shibboleth-idp/conf/authn/*-authn-config.xml
•  Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

5

Configuration: Username/password with LDAP
•  Most deployments use this authentication mechanism
•  Login flow for username/password authentication: Password (activated by default)
•  Configuration is done in two properties files
   •  All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
   •  Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
•  The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

6

Page 17

Example Configuration
•  /opt/shibboleth-idp/conf/ldap.properties
   idp.authn.LDAP.authenticator = bindSearchAuthenticator
   idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
   idp.authn.LDAP.useStartTLS = false
   idp.authn.LDAP.useSSL = true
   idp.authn.LDAP.sslConfig = jvmTrust
   idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
   idp.authn.LDAP.subtreeSearch = true
   idp.authn.LDAP.userFilter = (uid={user})
   idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
•  /opt/shibboleth-idp/conf/credentials.properties
   [...]
   idp.authn.LDAP.bindDNCredential = secret
   [...]

7

Properties for LDAP authentication
•  General options
   •  idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator
•  Connection options
   •  idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (Multiple servers can be specified by listing multiple URLs separated by spaces)
   •  idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
   •  idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

8

Page 18

Properties for LDAP authentication
•  Connection options (continued)
   •  idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust
•  User Directory options
   •  idp.authn.LDAP.baseDN: Entry point in user directory
   •  idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true
   •  idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input

9

Properties for LDAP authentication
•  LDAP service user options (The IdP connects to the LDAP server as this user to search for users)
   •  idp.authn.LDAP.bindDN: Bind DN of the IdP service user
   •  idp.authn.LDAP.bindDNCredential: Password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)

10
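The properties on slides 8 to 10 describe exactly the bind-then-search the IdP performs. As an added example (not from the handout or the Shibboleth project), the script below reproduces that lookup with the OpenLDAP ldapsearch client, reading the same idp.authn.LDAP.* keys from ldap.properties and credentials.properties, so a changed configuration can be validated before the IdP is restarted. The {user} placeholder is the one shown in idp.authn.LDAP.userFilter on the slides; the sample properties file is constructed from the slide values; ldapsearch and its -H, -D, -w, -b and -s options are standard OpenLDAP.

```shell
#!/bin/sh
# Added example, not the handout's code: run the IdP's LDAP bind-search by
# hand, with the values from ldap.properties / credentials.properties.

IDP_CONF="${IDP_CONF:-/opt/shibboleth-idp/conf}"

# Print the (last) value of a key in a Java properties file; empty if absent.
read_prop() {   # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Substitute the login name into the user filter: (uid={user}) -> (uid=alice)
user_filter_for() {   # $1 = filter template, $2 = login name
  printf '%s\n' "$1" | sed "s/{user}/$2/g"
}

# idp.authn.LDAP.ldapURL may list several servers separated by spaces; the
# IdP tries them in turn, this helper picks the first for the manual test.
first_ldap_url() {   # $1 = value of idp.authn.LDAP.ldapURL
  set -- $1
  printf '%s\n' "$1"
}

# Map idp.authn.LDAP.subtreeSearch to an ldapsearch scope (sub or one).
search_scope() {   # $1 = true|false
  if [ "$1" = "true" ]; then echo sub; else echo one; fi
}

# Run the same search the bindSearchAuthenticator would run for login name $1
# and print the matching DN. -w puts the bind password into the process list;
# on a shared host prefer -y <file> with the password stored in a file.
ldap_lookup() {   # $1 = login name
  ldapprops="$IDP_CONF/ldap.properties"
  credprops="$IDP_CONF/credentials.properties"
  url=$(first_ldap_url "$(read_prop "$ldapprops" idp.authn.LDAP.ldapURL)")
  ldapsearch -LLL -H "$url" \
    -D "$(read_prop "$ldapprops" idp.authn.LDAP.bindDN)" \
    -w "$(read_prop "$credprops" idp.authn.LDAP.bindDNCredential)" \
    -b "$(read_prop "$ldapprops" idp.authn.LDAP.baseDN)" \
    -s "$(search_scope "$(read_prop "$ldapprops" idp.authn.LDAP.subtreeSearch)")" \
    "$(user_filter_for "$(read_prop "$ldapprops" idp.authn.LDAP.userFilter)" "$1")" dn
}

# Constructed sample with the slide values (not a real deployment's file).
write_sample_ldap_properties() {   # $1 = output file
  cat > "$1" <<'EOF'
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
EOF
}

# Usage: ldap-check.sh --lookup <login name>
if [ "${1:-}" = "--lookup" ]; then
  ldap_lookup "$2"
fi
```

If the manual search returns no DN while the bind succeeds, the problem is in baseDN, subtreeSearch or userFilter rather than in the credentials, which is the same distinction the IdP's Authenticator DEBUG output makes but without a container restart in between.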

Page 19

Hands-on 1: Explore the configuration. Get familiar with properties files
•  Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
•  /opt/shibboleth-idp/conf/ldap.properties
   •  Which LDAP attribute holds the user's login name?
   •  Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
•  Where is the password of the service user defined?

11

Hands-on 1: Solutions
•  Enabled flows: Password (idp.authn.flows = Password)
•  LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
•  DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
•  In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

12

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

13

From IdPv2: File /opt/shibboleth-idp/conf/login.config

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: Common and equivalent alternative to userField: userFilter
   userField="uid"  is equivalent to  userFilter="(uid={0})"

Hands-on 2: Solution

14

To IdPv3: File /opt/shibboleth-idp/conf/ldap.properties
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/ldap.properties
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]

Advanced Topics

• JAAS authentication as used in v2 is still supported in v3
• Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
• JAAS configuration file (corresponds to login.config): /opt/sh 
ibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  – Connecting to multiple LDAP trees with different user bases (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References / Documentation

• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties
  – etc.

error-messages.properties (in /opt/shibboleth-idp/messages/error-messages.properties)

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties (in /opt/shibboleth-idp/messages/authn-messages.properties)

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties (in /opt/shibboleth-idp/messages/authn-messages.properties)

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Velocity Properties

    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

Hands On I

• Make the IdP logo disappear for screens smaller than 799 px

Hands On II

• Return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• Define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" …

• Rebuild and restart tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
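
The reason for Hands On II is that distinct messages for "unknown username" and "wrong password" let anyone probing the login form learn which usernames exist. As an added example (not code from the handout or from the Shibboleth IdP), the Python check below parses the classified-error section of authn-messages.properties, follows the two-level mapping (error class to key to key.message) and reports whether the username and password failures are still distinguishable. Both properties texts are constructed from the slides.

```python
"""Check that login failures are reported with one indistinguishable message.

Added example for the Hands On II solution above; not code from the handout
or from the Shibboleth IdP. The properties text is constructed from the slides.
"""

BEFORE = """
# Classified Login Error messages (defaults shown on the slides)
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

AFTER = """
# Example Solution II
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-credentials.message = The credentials you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_message(props, error_class):
    """Follow the two-level mapping: error class -> key -> <key>.message."""
    key = props.get(error_class)
    if key is None:
        return None
    return props.get(key + ".message")


def distinguishable_texts(props, classes=("UnknownUsername", "InvalidPassword")):
    """Return the set of distinct texts shown for the given error classes.

    More than one text means the form reveals which part of the credential
    was wrong, which is what allows username enumeration.
    """
    return {resolve_message(props, c) for c in classes}


def enumeration_safe(props):
    """True when username and password failures show the same text."""
    return len(distinguishable_texts(props)) == 1


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(distinguishable_texts(parse_properties(text))))
```

The same check can be pointed at the deployed /opt/shibboleth-idp/messages/authn-messages.properties after every upgrade, since the managed copy of the file may reintroduce the split messages.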

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
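
What the two template definitions from Hands-on 1 and Hands-on 2 actually produce for a multi-valued source attribute is easy to get wrong, so here is an added Python model of them (not code from the handout or from the Shibboleth IdP). It expands a template once per value index and merges the result into eduPersonEntitlement the way the ad:Simple definition with two dependencies does. The rule that all source attributes must carry the same number of values, with value i of each source filling the i-th output, is my reading of the IdP's Template definition; check it against the ScriptedAttributeDefinition and AttributeResolverConfiguration wiki pages. The LDAP entry is constructed.

```python
"""Expand an ad:Template attribute definition over multi-valued source attributes.

Added example illustrating SAP-${uid} and https://example.org/groups/${objectClass}
from the hands-on solutions above; not code from the handout or the Shibboleth IdP.
"""
from string import Template


def expand_template(template, sources):
    """Return one rendered value per value index across the source attributes.

    Assumption (my reading of the IdP): every source attribute must have the
    same number of values, otherwise resolution fails.
    """
    counts = {name: len(values) for name, values in sources.items()}
    if len(set(counts.values())) > 1:
        raise ValueError("source attributes differ in value count: %r" % counts)
    n = next(iter(counts.values())) if counts else 0
    return [Template(template).substitute({name: values[i] for name, values in sources.items()})
            for i in range(n)]


def simple_union(*dependencies):
    """ad:Simple with several dependencies: all their values, in order, without duplicates."""
    seen, out = set(), []
    for values in dependencies:
        for v in values:
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


# Constructed LDAP entry standing in for the result of the myLDAP connector.
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson"],
}


def uzh_sap_user_id(entry):
    """Hands-on 1: one SAP-<uid> value per uid value."""
    return expand_template("SAP-${uid}", {"uid": entry["uid"]})


def entitlement_groups(entry):
    """Hands-on 2: one group URL per objectClass value."""
    return expand_template("https://example.org/groups/${objectClass}",
                           {"objectClass": entry["objectClass"]})


def edu_person_entitlement(entry, common_lib_terms):
    """Mirror the eduPersonEntitlement definition: common-lib-terms plus the group values."""
    return simple_union(common_lib_terms, entitlement_groups(entry))


if __name__ == "__main__":
    print(uzh_sap_user_id(LDAP_ENTRY))
    print(edu_person_entitlement(LDAP_ENTRY, ["urn:mace:dir:entitlement:common-lib-terms"]))
```

Because objectClass is multi-valued, the groups definition yields three entitlement values for this entry, not one; the filter policy decides separately whether each of them is released.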

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• By default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation, always qualified by the IdP and SP entity IDs
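
As an added example (not code from the handout or from the Shibboleth IdP), the Python below implements the recipe just described: SHA-1 over the SP's entityID, the user's attribute value and the salt, Base64 encoded, then qualified with both entityIDs the way the Shibboleth SP renders it. The "!" separators between the three hashed parts are my assumption about the IdP's computed-ID algorithm and must be checked against the Shibboleth source before the output is compared with real values. The entityIDs and the salt are constructed placeholders.

```python
"""Compute a Shibboleth-style computed persistent ID from SP entityID, attribute value and salt.

Added example, not code from the handout or the Shibboleth IdP. Separator
bytes between the hashed parts are an assumption (see the lead-in above).
"""
import base64
import hashlib

# Constructed sample inputs, modelled on the entityIDs used on the slides.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SALT = "replace-with-your-long-random-salt"  # placeholder value, not a real salt


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1(spEntityID '!' sourceValue '!' salt), Base64: 20 bytes -> 28 characters."""
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")  # assumed separator
    md.update(source_value.encode("utf-8"))
    md.update(b"!")  # assumed separator
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id, sp_entity_id, persistent_id):
    """String form the Shibboleth SP exposes: IdP entityID ! SP entityID ! value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def is_targeted(source_value, salt, sp_a, sp_b):
    """True when two SPs receive different pseudonyms for the same user.

    This is the pair-wise property from the SAML quote above: two SPs cannot
    correlate a user by comparing the identifiers they received.
    """
    return computed_persistent_id(sp_a, source_value, salt) != \
        computed_persistent_id(sp_b, source_value, salt)


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", SALT)
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```

The salt is what keeps the value opaque: without it, anyone who knows an SP's entityID and a user's source attribute value could recompute the identifier, which is why the slides later have you carry idp.persistentId.salt over into credentials.properties rather than leave it in a shared file.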

Persistent ID changes with the IdP v3

• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options (defaults in brackets):
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP:
• Default mapping using the entityID:

    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

Hands-on solution (continued)

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override

Disables flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
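
To see which override an SP would be routed to before deploying the bean above, here is an added Python model of the tag matching (not code from the handout or from the Shibboleth IdP). It parses the EntityAttributes extension of the example metadata and walks an ordered override list, first match wins, as the appendix describes. The metadata is the slide's example with namespace declarations added so it parses stand-alone; the matching rule (a candidate matches when the entity carries every value the candidate lists, the override applies when any candidate matches) is my reading of TagCandidate and should be confirmed on the RelyingPartyConfiguration wiki page.

```python
"""Evaluate RelyingPartyByTag overrides against an SP's EntityAttributes.

Added example for the two configuration snippets above; not code from the
handout or from the Shibboleth IdP.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed from the "Example metadata with attributes" slide, namespaces added.
ENTITY_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""


def entity_attributes(entity_xml):
    """Return {attribute Name: [values]} from the EntityAttributes extension."""
    root = ET.fromstring(entity_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def candidate_matches(attrs, name, values):
    """TagCandidate (assumed semantics): every listed value is present on attribute `name`."""
    return set(values) <= set(attrs.get(name, ()))


def first_matching_override(attrs, overrides):
    """Walk the override list in order; the first match wins, as in shibboleth.RelyingPartyOverrides."""
    for override_id, candidates in overrides:
        if any(candidate_matches(attrs, n, v) for n, v in candidates):
            return override_id
    return "shibboleth.DefaultRelyingParty"


# Constructed override list mirroring the slide: consent is disabled only for
# SPs whose swissEduPersonHomeOrganization is example.org.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG_OID, ["example.org"])]),
]


def consent_prompt_shown(entity_xml, overrides=OVERRIDES):
    """True unless the entity is routed to the no-consent override."""
    chosen = first_matching_override(entity_attributes(entity_xml), overrides)
    return chosen != "shibboleth.NoUserConsentRelyingParty"


if __name__ == "__main__":
    print(entity_attributes(ENTITY_XML))
    print("consent prompt shown:", consent_prompt_shown(ENTITY_XML))
```

For the slide's SP the prompt stays on, because its home organisation is switch.ch rather than example.org; changing the candidate's value, or adding an entity-category candidate for CoCo, is enough to flip the result, which is exactly why the order of the override list matters.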

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata!

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

1, 2: To review
3: To adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: Add new IP ranges and Domain Hints
• 5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3. Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
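
The grep above answers the question for one binding at a time. As an added example (not code from the handout or from the Shibboleth IdP), the Python below generalises it: it scans log lines for several binding URNs at once, keeps the newest timestamp and a hit count per URN, and lists the bindings not seen since a cut-off date, which is the list of endpoints that are safe to remove from the Resource Registry. The log lines are constructed; they only loosely imitate the idp-process.log layout (timestamp, level, logger, message), and the real IdP does not necessarily log the binding URN in this wording, so point the function at your own idp-process-*.log files to get real numbers.

```python
"""Find the last use of each SAML binding in IdP process logs.

Added example for the endpoint-removal check above; not code from the handout
or from the Shibboleth IdP. Sample lines are constructed, not real IdP output.
"""
from datetime import datetime

# Binding URNs behind the three endpoint candidates named on the slide,
# plus the commonly used SAML2 HTTP-Redirect binding for comparison.
CANDIDATE_BINDINGS = {
    "SSO / SAML2 HTTP-POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "ArtifactResolution, AttributeQuery / SAML1 SOAP": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SSO / SAML2 HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed sample lines (not real IdP output).
SAMPLE_LOG = """\
2015-01-12 09:14:03,118 - INFO [Shibboleth-Audit:1] - binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding sp=https://old-sp.example.org/shibboleth
2015-03-02 11:40:51,004 - INFO [Shibboleth-Audit:1] - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect sp=https://sp.example.org/shibboleth
2015-05-30 16:02:17,771 - INFO [Shibboleth-Audit:1] - binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect sp=https://sp.example.org/shibboleth
2015-06-01 08:00:00,000 - WARN [net.shibboleth.idp.profile] - unrelated message without a binding
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"


def parse_timestamp(line):
    """The first 23 characters of an IdP log line carry the timestamp."""
    return datetime.strptime(line[:23], TS_FORMAT)


def last_use_by_binding(lines, bindings):
    """Map each binding URN to (last timestamp, hit count); unseen URNs map to (None, 0)."""
    usage = {urn: (None, 0) for urn in bindings}
    for line in lines:
        if not line.strip():
            continue
        for urn in usage:
            if urn in line:
                last, count = usage[urn]
                ts = parse_timestamp(line)
                usage[urn] = (ts if last is None or ts > last else last, count + 1)
    return usage


def removal_candidates(usage, cutoff):
    """URNs not seen since `cutoff` (datetime or 'YYYY-MM-DD'): safe to drop from metadata."""
    if isinstance(cutoff, str):
        cutoff = datetime.strptime(cutoff, "%Y-%m-%d")
    return sorted(urn for urn, (last, _) in usage.items() if last is None or last < cutoff)


if __name__ == "__main__":
    usage = last_use_by_binding(SAMPLE_LOG.splitlines(), CANDIDATE_BINDINGS.values())
    for label, urn in CANDIDATE_BINDINGS.items():
        print(label, usage[urn])
    print("unused since 2015-03-01:", removal_candidates(usage, "2015-03-01"))
```

A binding with a count of zero over the whole retention period is the clear case; a binding with a single hit months ago (the SAML1 SOAP line in the sample) is the one worth asking the SP operator about before the endpoint disappears from metadata.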

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (two diagram slides, no text content)

Options: Full-featured setup

• Load Balancing Hardware vs DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)

• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but setup is easy

copy 2015 SWITCH

Options

•  Data storage: client-side vs. server-side
   –  Server-side database can store any data
      •  But: might cause some performance penalty
      •  Centralized/clustered or replicated database required
   –  Client-side storage using cookies
      •  Doesn't work for large data like user consents
      •  Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

•  Conversation Session (Profile Request Session)
   •  Transient web flow at the IdP, e.g. SAML2 SSO login sequence
   •  Bound to a single node (session state stored in memory)
   •  Requires session stickiness on the load balancer (short-time only)
•  IdP User Session
   •  After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
   •  Floatable between nodes (stored on the client)
•  Persistent ID
   •  Unique opaque identifier for a user per service provider
   •  In a typical SWITCHaai deployment the Persistent ID is stored in a database
   •  Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

•  User consent to attribute release and terms of use
   •  Requires persistent storage (client-side or server-side)
   •  Requires server-side storage to allow the users to use multiple browsers/clients
•  SAML artifacts
   •  Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
   •  Seldom used in SWITCHaai
•  Message replay cache
   •  Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
   •  For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
•  "Common Database" means some central/clustered database or a database replicated between nodes
•  SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
•  Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

•  The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
   •  IdP User Session: idp.session.StorageService
   •  User Consents: idp.consent.StorageService
   •  SAML artifacts: idp.artifact.StorageService
   •  Message replay cache: idp.replayCache.StorageService
•  Exception: Persistent ID
   •  Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

•  The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
•  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

•  The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
•  Setup
   •  Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
   •  Install an appropriate cronjob
   •  The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes

•  Memcached
   •  Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
   •  Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
•  Terracotta
   •  No longer an option for IdPv3

Considerations for planning an IdP cluster

•  Which type of setup do you need? Basic setup or full-featured setup?
•  What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
•  Which additional hardware or software is required?
•  Which further considerations are relevant for your institution?

Page 76

References

Documentation
•  Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
•  Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
•  Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

•  Get an idea of the benefits when participating in interfederation
•  Know what it takes to enable an IdP for Interfederation
•  Understand the concept of Entity Categories
•  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

•  Most Federations are of national scope
•  Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
•  Research projects are mostly multi-national
•  Interconnecting national federations: Interfederation
   Register the IdP or SP in only one federation and enable it for interfederation
   •  Enable the IdP for interfederation: its users will be able to access services from other federations
   •  Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status

•  eduGAIN is the GÉANT Interfederation Service
•  eduGAIN design principles
   •  Low barrier to entry
   •  No mandate to change local standards/procedures
   •  Minimal central infrastructure
•  Status June 2015
   •  IdPs: 1257
   •  SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                       Defined in   Example
displayName                                         eduPerson    Peter Sample
common name (cn)                                    eduPerson    Peter Sample
mail                                                eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
schacHomeOrganization                               SCHAC        example.org
schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                 urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

•  eduGAIN provides a policy framework and standards to build trust
•  SPs and IdPs of participating federations should opt in for eduGAIN
   •  Some federations decided for opt-out instead
•  The MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline
•  Entity category
•  GÉANT Data Protection Code of Conduct (CoCo)
•  REFEDS Research & Scholarship (R&S)
•  Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata

•  Tag an entity (SP or IdP) as being part of a category
•  Requires a specification for internationally coherent use
   •  Criteria
   •  Purpose
   •  Policies
   •  Or other

In the interfederation context:
•  Filling the gap of missing common policies
•  Support or increase scalable trust

Metadata (diagram; not reproduced in the text)

Page 84

GÉANT Data Protection Code of Conduct

•  The method is based on the EU Data Protection directives
•  The SP has to provide a Privacy Policy (in English, according to the guideline)
•  That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct

•  Principles
   •  Legal compliance
   •  Purpose limitation
   •  Data minimisation
   •  Deviating purposes
   •  Data retention
   •  Third parties
   •  Security measures
   •  Information duty towards end user
   •  Information duty towards home organization
   •  Security breaches
   •  Liability
   •  Transfer to third countries
   •  Governing law and jurisdiction
   •  Eligibility to execute
   •  Termination of the Code of Conduct
   •  Survival of the clauses
   •  Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request?
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

•  Name of the service
•  Description of the service
•  Data controller and a contact person
•  Jurisdiction
•  Personal data processed
•  Purpose of the processing of personal data
•  Third parties to whom personal data is disclosed
•  How to access, rectify and delete the personal data
•  Data retention
•  Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

•  R&S SPs support
   •  Research & scholarship interaction
   •  Collaboration
   •  Management
•  No SPs from publishers
•  Attributes
   •  Personal identifiers: email, person name, eduPersonPrincipalName
   •  Pseudonymous identifier: eduPersonTargetedID
   •  Affiliation: eduPersonScopedAffiliation
•  Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot; not reproduced in the text)

Page 88

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot; not reproduced in the text)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles
•  error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
•  access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration: defined in the virtual host definition
•  dir: /etc/apache2/sites-available/
•  file: aai-login.example.org.conf

Page 90

Tomcat log files

•  catalina.out: console output (System.err/out) from Tomcat
   •  default logging location: /var/log/tomcat7/
   •  config in /etc/tomcat7/logging.properties
      •  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
•  localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
   •  default logging location: /var/log/tomcat7/
   •  config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

•  Logging implementation called Logback (Log4j successor)
   •  Manual: http://logback.qos.ch/manual/index.html
•  Reloadability: log level changes without restarting the IdP
   •  services.properties, entry idp.service.logging.checkInterval = PT5M
•  Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

•  Location: /opt/shibboleth-idp/logs/
•  Three classes of log files produced by default: diagnostic, general audit and consent audit logs
   •  idp-process.log: detailed description of the IdP processing requests
   •  idp-warn.log: filtered view of idp-process.log
   •  idp-audit.log: general request/response auditing records
   •  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

•  cfg: /opt/shibboleth-idp/conf/logback.xml
•  3 main classes: Logger, Appender (output destination) and Layout
•  Default settings are usually ok. Change them if required, e.g.
   •  LDAP Auth Module or authentication events
   •  new Logger or Appender…
•  Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
•  Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1.  Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
      <Listener className="org.apache.catalina.filter" />
2.  Restart Tomcat
3.  Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4.  Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2

•  Find out why not all of the attributes appear

Hands On II

1.  cd /opt/shibboleth-idp/conf
2.  Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3.  Edit logback.xml:
    •  set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
    •  insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4.  Restart Tomcat and log in to the IdP (AAI Demo Service)
5.  Look at idp-process.log and find the log entries
    [org.ldaptive.auth.Authenticator:284]
    [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6.  Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94
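The hands-on above breaks the attribute resolver's LDAP search filter by referencing a template variable that does not exist. The following is an added example, not code from the handouts or from the Shibboleth project: it renders a filter template of the form used in ldap.properties, (uid=$requestContext.principalName), escapes the substituted value per RFC 4515 so that a login name containing filter metacharacters cannot change the filter's structure, and fails with a clear message when the template names an undefined variable, which is the condition the exercise makes you dig out of idp-process.log. Only the $name.attr substitution is implemented here; the IdP's own Velocity engine is not involved, so treat the behaviour as an illustration of the check, not as the IdP's code path.

```python
import re

# Matches $requestContext.principalName style references (assumed syntax).
VARIABLE = re.compile(
    r"\$(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)")

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class UnresolvedVariable(ValueError):
    """The template references a name the context does not define."""


def render_search_filter(template, context):
    """Substitute every $var.path in template with the escaped value from context.

    context is a nested dict, e.g. {"requestContext": {"principalName": "alice"}}.
    """
    def lookup(path):
        node = context
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                raise UnresolvedVariable("template variable $%s is not defined" % path)
            node = node[part]
        return str(node)

    # re.sub does not rescan the replacement, so a '$' inside a login name is inert.
    return VARIABLE.sub(lambda m: escape_filter_value(lookup(m.group("name"))), template)


def resolver_filter_for(template, principal_name):
    """Build the resolver search filter for one principal, or return the error text
    that the exercise otherwise has you find in idp-process.log."""
    ctx = {"requestContext": {"principalName": principal_name}}
    try:
        return render_search_filter(template, ctx)
    except UnresolvedVariable as exc:
        return "ERROR: %s" % exc


if __name__ == "__main__":
    good = "(uid=$requestContext.principalName)"      # value from step 6
    bad = "(uid=$requestContext.Name)"                # wrong value from step 2
    print(resolver_filter_for(good, "alice"))
    print(resolver_filter_for(good, "al*ice)(cn=*"))  # metacharacters are escaped
    print(resolver_filter_for(bad, "alice"))
```

Running the block prints the filter for a normal login name, the same filter for a name stuffed with `*`, `(` and `)` (all escaped, so the filter still matches a single uid), and the unresolved-variable error for the deliberately wrong template.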

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

•  only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
   –  attribute resolver (attribute-resolver.xml)
   –  attribute filtering engine (attribute-filter.xml)
   –  profile handler manager (handler.xml)
   –  relying party configuration manager (relying-party.xml)
•  potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
•  no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

•  reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
   https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
   https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
   $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
   $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
•  by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService                   logging configuration reload (logback.xml)
shibboleth.AttributeFilterService           attribute filter reload
shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too

•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   –  edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
   –  say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
•  and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

•  try reloading a couple of the services listed on slide 4:
   curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
   •  check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
   •  entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
      How can you determine what id= argument was supplied?
•  what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding
   •  Opt-in vs. opt-out
   •  Metadata
   •  Discovery Service
   •  Attributes
•  Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

•  Opt-in
   •  IdPs and SPs decide when they are ready to interfederate
   •  Once the configuration is up-to-date:
      •  Interfederation Metadata gets loaded
      •  IdP: additional attributes, user consent
      •  SP: Discovery Service, attribute mapping, access rules
   ⊖  Slow process
   ⊕  Entities unlikely to cause interoperability problems
•  Opt-out
   •  Federation announces a flag day for enabling interfederation
   •  IdPs and SPs need to opt out before
      •  if they do not want to participate
      •  if they are not ready yet
   ⊕  Quick adoption
   ⊖  More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1)  UK Data Archive: http://www.data-archive.ac.uk
2)  FUNET FileSender: https://filesender.funet.fi
3)  Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1)  Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2)  eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3)  eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata

•  Interfederated IdPs and SPs need additional metadata
   •  SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
   •  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes
   •  In SWITCHaai: two hours
   •  For interfederation: one to a few days
•  Possible issue
   •  SP does not load interfederation metadata
      •  SP does not know the IdP and fails

Discovery Service (DS)

•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
   •  An interfederation enabled SP registered in SWITCHaai: it needs to deploy a DS that includes interfederation
   •  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
      •  That can result in this error message at your IdP:
         Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

•  Missing attributes cause interoperation problems
   •  Check the SP's attribute requirements in the Resource Registry
   •  Verify that attributes were released (in the IdP's audit log)
      •  If NO: check your IdP's attribute release policy
      •  If YES: were all required attributes released?
         •  If YES: the SP has to check out why it fails
         •  If NO: review your attribute release policy
•  Another issue
   •  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

Exploring interfederated entities

•  Is a university's IdP or an SP already interfederated?
   •  go to https://technical.edugain.org/status.php
      •  pick the country where the entity might be registered
      •  under "Metadata URL" click on "validate this metadata set", then on "show entities list"
   •  or search it in the eduGAIN List of Entities
      •  go to https://technical.edugain.org/entities.php
   •  or try the "Is Federated Checker"
      •  go to https://wiki.edugain.org/isFederatedCheck
      •  provide email addresses or domain names
•  Additional web pages of interest
   •  Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
      •  go to http://monitor.edugain.org/coco
   •  REFEDS Metadata Explorer Tool (MET)
      •  go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"
•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch

Page 103


Understanding Beans and Properties

•  The whole configuration of the IdP is specified by a lot of beans
•  For convenience, the essential configuration can be specified by properties stored in properties files
•  Still, from time to time you will need to directly modify beans or create new ones
•  The beans are specified in XML notation, and the corresponding software objects are created at runtime when the IdP starts

Examples of Properties

Configuration file: /opt/shibboleth-idp/conf/credentials.properties

    # LDAP connection parameters
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

•  Each line consists of a pair of a key and a value
•  Comment lines start with a # character

Page 12

Examples of Beans

•  Each bean has some name (id)
•  Each bean has some type (class)
•  Attributes (parameters) specify the bean's configuration
•  Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
        p:sslConfig-ref="sslConfig" />

Examples of Beans

•  There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    </util:list>

Page 13

References

For comprehensive information refer to the documentation on the Shibboleth Wiki.

Documentation
•  Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
•  Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

Page 14

User Authentication: How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

•  v2 uses Login Handlers
   •  Typical/default setup: UsernamePassword login handler
      •  Username/password login form
      •  Authentication via JAAS and LDAP (login.config)
   •  Additional login handlers are available built-in (e.g. RemoteUser) or as extensions (e.g. X509, Kerberos (SPNEGO))
•  v3 uses Login Flows (also called Authentication Flows)
   •  Typical/default setup: Password login flow
      •  Username/password login form
      •  Authentication via LDAP (natively), JAAS or Kerberos (username/password)
   •  Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development

Page 15

Login Flows

(Diagram: the Shibboleth IdP receives the SAML Request; the Authentication Engine selects a suitable flow (RemoteUser Authentication Flow, X509 Authentication Flow or Password Authentication Flow), executes it and returns the SAML Response)

Login Flows

•  One or several flows can be activated
•  The authentication engine of the IdP selects a suitable flow depending on several criteria
   •  Does the SP request a specific authentication context type?
   •  Does the SP request forced authentication?
   •  Does the SP request passive authentication?
•  In practice, most deployments will use the Password login flow as the only one
•  ECP is supported out-of-the-box by the Password login flow. No special configuration is required
   •  But: the client must support ECP appropriately

Page 16

Authentication Configuration

•  Login flow activation
   •  /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):
      idp.authn.flows = Password
      idp.authn.flows = X509|Password
•  Per login flow configuration
   •  /opt/shibboleth-idp/conf/authn/*-authn-config.xml
•  Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration Usernamepassword with LDAP bull  Most deployments use this authentication mechanism bull  Login flow for usernamepassword authentication

Password (activated by default) bull  Configuration is done in two properties files

bull  All LDAP parameters except credentials optshibboleth-idpconfldapproperties

bull  Credentials are stored separately (for security reasons) optshibboleth-idpconfcredentialsproperties

bull  The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldapproperties)


Example Configuration

• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]


Properties for LDAP authentication

• General options
  – idp.authn.LDAP.authenticator: User lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  – idp.authn.LDAP.useStartTLS: Enable TLS encryption for ldap:// URLs (port 389). If not enabled, the connection is not encrypted.
  – idp.authn.LDAP.useSSL: Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.


Properties for LDAP authentication (continued)

• Connection options (continued)
  – idp.authn.LDAP.sslConfig: Type of X.509 certificate verification method. Usually set to jvmTrust.
• User directory options
  – idp.authn.LDAP.baseDN: Entry point in the user directory.
  – idp.authn.LDAP.subtreeSearch: Enable searching the whole tree. Usually set to true.
  – idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input.


Properties for LDAP authentication (continued)

• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: Bind DN of the IdP service user.
  – idp.authn.LDAP.bindDNCredential: Password of the IdP service user.

(Further properties for LDAP are available but not described here. See the documentation for details.)


Hands-on 1: Explore the configuration

Get familiar with the properties files:
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?


Hands-on 1: Solutions

• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)


Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
    };

PS: A common and equivalent alternative to userField is userFilter:

    userField="uid"        userFilter="uid={0}"


Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password is kept out of ldap.properties):

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
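As an added example (not part of the handouts), a small Python script that performs the mapping above mechanically: it reads the LdapLoginModule options out of an IdPv2 login.config entry and emits the IdPv3 ldap.properties and credentials.properties keys, translating userField or userFilter="uid={0}" into the (attr={user}) syntax and keeping the bind credential out of ldap.properties. The login.config text is constructed for the demonstration; the TLS flags it derives follow the rules on the properties slides (ldaps:// → useSSL, plain ldap:// → StartTLS).

```python
import re

# Constructed sample input: an IdPv2 login.config entry like the one on the slide.
SAMPLE_LOGIN_CONFIG = """
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
"""

# JAAS option -> IdPv3 property that takes the value unchanged.
DIRECT_MAPPING = {
    "ldapUrl": "idp.authn.LDAP.ldapURL",
    "baseDn": "idp.authn.LDAP.baseDN",
    "bindDn": "idp.authn.LDAP.bindDN",
    "subtreeSearch": "idp.authn.LDAP.subtreeSearch",
}

OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_options(login_config, app_name="ShibUserPassAuth"):
    """Return the key="value" options found inside the JAAS entry called app_name."""
    match = re.search(re.escape(app_name) + r"\s*\{(.*?)\};", login_config, re.S)
    if not match:
        raise ValueError("no JAAS entry named %s" % app_name)
    return dict(OPTION_RE.findall(match.group(1)))


def user_filter(options):
    """Build the v3 userFilter, (attr={user}), from either userField or userFilter."""
    if "userFilter" in options:
        flt = options["userFilter"].replace("{0}", "{user}")  # v2 placeholder -> v3 placeholder
        return flt if flt.startswith("(") else "(%s)" % flt
    if "userField" in options:
        return "(%s={user})" % options["userField"]
    raise ValueError("neither userField nor userFilter found")


def convert(options):
    """Split the JAAS options into (ldap.properties, credentials.properties) dictionaries."""
    ldap = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"}
    for jaas_key, v3_key in DIRECT_MAPPING.items():
        if jaas_key in options:
            ldap[v3_key] = options[jaas_key]
    urls = options.get("ldapUrl", "").split()
    if not urls:
        raise ValueError("ldapUrl is required")
    if not all(u.startswith(("ldap://", "ldaps://")) for u in urls):
        raise ValueError("ldapUrl entries must start with ldap:// or ldaps://")
    all_ldaps = all(u.startswith("ldaps://") for u in urls)
    # ldaps:// URLs use SSL; plain ldap:// URLs get StartTLS so the bind is never sent in clear.
    ldap["idp.authn.LDAP.useSSL"] = "true" if all_ldaps else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "false" if all_ldaps else "true"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    ldap["idp.authn.LDAP.userFilter"] = user_filter(options)
    credentials = {}
    if "bindCredential" in options:
        # The service user's password belongs in credentials.properties only.
        credentials["idp.authn.LDAP.bindDNCredential"] = options["bindCredential"]
    return ldap, credentials


def render(properties):
    """Render a properties dictionary as 'key = value' lines, sorted for stable output."""
    return "\n".join("%s = %s" % (k, v) for k, v in sorted(properties.items()))


if __name__ == "__main__":
    ldap_props, cred_props = convert(parse_jaas_options(SAMPLE_LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap_props))
    print("\n# credentials.properties\n" + render(cred_props))
```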


Advanced Topics

• JAAS authentication as used in v2 is still supported in v3.
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml.
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  – Connecting to multiple LDAP trees with different user bases
    (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details.


References / Documentation

• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration


Login Form Customization
Templates and Customization

SWITCHaai Team
aai@switch.ch


Overview

• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site


Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS).
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat.


Spring message properties

• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.


error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example-org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.


authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?


authn-messages.properties (continued)

In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.


Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>


Velocity

• The Apache Velocity Engine is a free, open-source templating engine.
• Clean separation between the presentation tier and business tiers.
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line.
  – Multi-line comments begin with #* and end with *#.


Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required).
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.


Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName


Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end


Hands On I

• Make the IdP logo disappear for screens smaller than 799 px.


Hands On II

• Return the following error message on the login form in case of an invalid username or incorrect password:

  "The credentials you entered are incorrect."


Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP.


Example Solution I

• Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" …

• Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart


Example Solution II

• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.


Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch


Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding


Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.


Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer


Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.


New features in version 3

• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors


New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
      </dc:BeanManagedConnection>
    </resolver:DataConnector>


Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by the University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

Source: Resource Registry


Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>


Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.


Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>


ScriptedAttribute differences

• IdP API for scripts has changed:
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt


Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.


Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>


References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide


Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch


Persistent IDs in SAML: short recap

• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database.
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend.


Persistent IDs in practice

• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded).
• When used in a federation, always qualified by the IdP and SP entity IDs.
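An added example, not from the handouts, that reproduces the default computation just described in Python: SHA-1 over the SP entity ID, the user attribute value and the salt, joined by "!" (the separator the Shibboleth computed-ID strategy uses), Base64 encoded, plus the IdP!SP!value string rendering the SP produces. The entity IDs, the user value and the salt are constructed for the demonstration.

```python
import base64
import hashlib

# Constructed values for the demonstration (not real deployment data).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
SALT = "a-long-random-salt-that-lives-in-credentials.properties"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Default Shibboleth computed ID: SHA-1(spEntityId + '!' + sourceValue + '!' + salt), Base64.

    The digest is 20 bytes, so the Base64 string is always 28 characters ending in one '='.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """How the Shibboleth SP renders the NameID as an attribute string: IdP!SP!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def is_pairwise(source_value, salt, sp_x, sp_y):
    """True when two SPs receive different identifiers for the same user (the 'targeted' property)."""
    return computed_persistent_id(sp_x, source_value, salt) != computed_persistent_id(sp_y, source_value, salt)


if __name__ == "__main__":
    user = "12345678@example.org"  # constructed stand-in for a swissEduPersonUniqueID value
    pid = computed_persistent_id(SP_A, user, SALT)
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_A, pid))
    print("pairwise:", is_pairwise(user, SALT, SP_A, SP_B))
```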


Pers

istent ID changes with the IdP v3

• No disruptive ones, but a couple of things have happened behind the scenes.
• Most importantly, the IdP v3 brings a new dedicated NameID generation service:
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes


Configuring the NameID generation service

• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml.
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml.
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration).


Retaining persistent IDs from your v2 IdP

• The database schema for the shibpid table remains unchanged.
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS).
• "Transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump.


(Some ideas for) hands-on exercises

• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP).
• Dump the shibpid table to a file, purge the table with truncate, and reimport the records.
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table.


User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits


User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.


What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged


Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided


Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws


Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide


When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland


Part 2: Technical bits


Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]


Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>


Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]


Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]


Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]


Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>


Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP: default mapping using the entityID (the colon in the key must be escaped in a properties file)

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)


Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.


Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml.
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>


Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.


References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc


Appendix: Disabling the attribute consent prompt for particular SPs


Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant


Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType


Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>


Example relying party override

Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>


Upgrades within Version 3
It's easy now

SWITCHaai Team
aai@switch.ch


The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date.


Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards).
• Change into the newly created distribution directory.
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp.
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes).
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file.
• Restart Tomcat to activate the new version:
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service


Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp.
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.


References / Documentation

• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes


Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team
aai@switch.ch


What technically defines your Identity Provider in SWITCHaai or eduGAIN?

Its SAML2 Metadata.


Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.


IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch


Home Organisation Description (screenshot of the Resource Registry form)

1, 2: To review
3: To adapt


1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes


2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)


2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

9

copy 2015 SWITCH

But how is the attribute query still secured without X509 client authentication by the Service

Provider SP signs attribute query request with

his private key the IdP checks signature with SPs public key in

metadata

Page 66

copy 2015 SWITCH

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So, in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying that they are not used.

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
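The log check above as a small script, added here as an example and not part of the SWITCH handout: it counts, per SP, how often a binding was used and when it was last seen, so an endpoint is only removed once its remaining users are known. The log lines below are constructed and simplified; real idp-process.log lines look different, and the script only relies on a leading timestamp and on the SP entityID being the first URL on the line.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout or the Shibboleth distribution.
# Before removing an endpoint from the Resource Registry, count how often a given
# binding was actually used, per SP, in the IdP process logs.
# Assumptions: each matching log line starts with a timestamp, and the SP entityID
# is the first URL on the line. The sample log written below is constructed.

BINDING_SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'

# write_sample_log FILE: constructed log lines in a simplified idp-process.log style
write_sample_log() {
    cat > "$1" <<'EOF'
2015-05-02T10:00:00Z INFO [AttributeQueryProfileHandler] - query from https://sp-old.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-05-03T11:00:00Z INFO [SAML2SSOProfileHandler] - request from https://sp-new.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-05-04T12:00:00Z INFO [AttributeQueryProfileHandler] - query from https://sp-old.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-05-05T13:00:00Z INFO [AttributeQueryProfileHandler] - query from https://sp-legacy.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
EOF
}

# binding_usage BINDING LOGFILE...: prints "<count> <SP entityID> <last seen>" per SP,
# most frequent first; prints nothing if the binding never appears in the files.
binding_usage() {
    binding=$1
    shift
    grep -h -F -- "$binding" "$@" | awk '
        {
            # first URL on the line is taken as the SP entityID, $1 as the timestamp
            if (match($0, /https?:\/\/[^ |]+/)) {
                sp = substr($0, RSTART, RLENGTH)
                count[sp]++
                last[sp] = $1
            }
        }
        END { for (sp in count) print count[sp], sp, last[sp] }
    ' | sort -rn
}

# Stand-alone run: report SAML1 SOAP binding use in the constructed sample log.
sample=$(mktemp)
write_sample_log "$sample"
binding_usage "$BINDING_SAML1_SOAP" "$sample"
rm -f "$sample"
```

Against a real deployment the call would be `binding_usage "$BINDING_SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log`.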

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• In particular, user login sessions are stored on the client instead of in memory on the server
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment

(Figure: example cluster environment, shown on two slides)

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions

• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but the setup is easy

Options

• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)

• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)

• Persistent ID
  • Unique, opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients

• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai

• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

(Map of production and pilot federations. Source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org/
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Figure: eduGAIN Constitution and eduGAIN Declaration, with Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata

(Figure)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Figure: SPs commit to the GÉANT Data Protection Code of Conduct to increase the trust in Service Providers; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct

• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

(Figure)

Attribute Release Settings (1)

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

(Screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

  <!-- Mail appender: each event routed to it is sent to the listed recipient -->
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <!-- Attach the mail appender to the root logger next to the default ones -->
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2

Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default, the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
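The curl-based reload described above, wrapped in a small script that is added here as an example and is neither the handout's text nor the IdP's own bin/reload-*.sh scripts: it rejects bean IDs that are not in the list above before any request is sent, builds the reload-service and reload-metadata URLs, and treats anything but HTTP 200 as a failed reload. The base URL is a placeholder, and the admin flows must be reachable from the host the script runs on (by default only localhost).

```shell
#!/bin/sh
# Added example; not the SWITCH handout's text and not the IdP's own bin/reload-*.sh.
# Trigger an IdP v3 service or metadata reload through the admin flows and fail on
# anything but HTTP 200. Assumptions: IDP_BASE_URL is a placeholder (override it),
# and the admin flows are reachable from here (by default from localhost only).

IDP_BASE_URL=${IDP_BASE_URL:-https://aai-login.example.org/idp}

# Bean IDs that the reload-service flow accepts, as listed in the handout.
RELOADABLE_SERVICES='shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService'

# is_reloadable BEAN_ID: succeeds only for a bean ID in the list above (whole-line match)
is_reloadable() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -q -x -F -- "$1"
}

# admin_url FLOW ID: URL of the reload-service or reload-metadata admin flow for ID
admin_url() {
    printf '%s/profile/admin/%s?id=%s\n' "$IDP_BASE_URL" "$1" "$2"
}

# http_status URL: GET the URL and print only the HTTP status code
http_status() {
    curl -s -S -o /dev/null -w '%{http_code}' "$1"
}

# reload_service BEAN_ID: refuse unknown IDs locally (the IdP would reject them too),
# otherwise call the flow and report the status; returns non-zero unless HTTP 200.
reload_service() {
    if ! is_reloadable "$1"; then
        echo "reload_service: unknown bean ID '$1'" >&2
        return 2
    fi
    status=$(http_status "$(admin_url reload-service "$1")")
    echo "$1: HTTP $status"
    [ "$status" = 200 ]
}

# reload_metadata MD_ID: metadata provider IDs are deployer-defined (see the grep on
# metadata-provider-*.xml), so only the HTTP status is checked.
reload_metadata() {
    status=$(http_status "$(admin_url reload-metadata "$1")")
    echo "$1: HTTP $status"
    [ "$status" = 200 ]
}
```

After editing an attribute-resolver file, for instance, `reload_service shibboleth.AttributeResolverService` replaces the longer curl command from the slide.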

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: Additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org/

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Examples of Beans

• Each bean has some name (id)
• Each bean has some type (class)
• Attributes (parameters) specify the bean's configuration
• Beans can refer to other beans (wiring)

Configuration file: /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml

  <!-- Connection Configuration -->
  <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:useSSL="%{idp.authn.LDAP.useSSL:false}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:3000}"
      p:sslConfig-ref="sslConfig" />

Examples of Beans

• There are some helper constructs to define beans. Example: beans that are lists of values or lists of other beans

Configuration file: /opt/shibboleth-idp/conf/services.xml

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  </util:list>
  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  </util:list>

References

For comprehensive information, refer to the documentation on the Shibboleth Wiki.

Documentation
• Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
• Spring Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication: How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
• v2 uses Login Handlers
  • Typical/default setup: UsernamePassword login handler
    • Username/password login form
    • Authentication via JAAS and LDAP (login.config)
  • Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
• v3 uses Login Flows (also called Authentication Flows)
  • Typical/default setup: Password login flow
    • Username/password login form
    • Authentication via LDAP (natively), JAAS or Kerberos (username/password)
  • Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development.

Login Flows (diagram): a SAML Request reaches the Shibboleth IdP, whose Authentication Engine selects a suitable flow and executes it (RemoteUser Authentication Flow, X.509 Authentication Flow or Password Authentication Flow); the result is returned in the SAML Response.

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  • Does the SP request a specific authentication context type?
  • Does the SP request forced authentication?
  • Does the SP request passive authentication?
• In practice, most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
  • But: the client must support ECP appropriately

Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties. The active flows are specified via a regular expression (i.e. the order doesn't matter):

    idp.authn.flows = Password
    idp.authn.flows = X509|Password

• Per login flow configuration
  • the *-authn-config.xml files in /opt/shibboleth-idp/conf/authn/
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input

Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2: file /opt/shibboleth-idp/conf/login.config

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:

    userField="uid"   ⇔   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3: file /opt/shibboleth-idp/conf/ldap.properties

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
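The migration in this hands-on is mechanical, so it can be scripted. The following is an added example for this handout, not SWITCH or Shibboleth project code: it parses the option list of a v2 LdapLoginModule stanza and emits the v3 key set, routing only the bind password to credentials.properties exactly as the slides prescribe. The v2 option names and the v3 property names are the ones shown above; the stanza embedded in the script is a constructed copy of the slide's example, and the ldap://-versus-ldaps:// rule for useSSL/useStartTLS is this script's own assumption.

```python
"""Convert an IdPv2 JAAS LdapLoginModule stanza into the IdPv3
ldap.properties / credentials.properties key set.

Added example for the training handout; not SWITCH or Shibboleth code.
"""
import re

# Constructed sample: the v2 stanza from the hands-on, as a string.
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
};
'''

# key="value" pairs inside the stanza
_OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(text):
    """Return the LdapLoginModule key/value options as a dict."""
    return dict(_OPTION_RE.findall(text))


def to_v3_properties(opts):
    """Map v2 JAAS options onto the two v3 properties files.

    Returns (ldap_properties, credentials_properties) as dicts. The bind
    password is the only key routed to credentials.properties, mirroring
    the slides' separation of secrets from the rest of the LDAP settings.
    """
    urls = opts["ldapUrl"].split()
    # Assumption of this script: ldaps:// URLs -> useSSL, plain ldap:// -> StartTLS.
    all_ldaps = all(u.startswith("ldaps://") for u in urls)
    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        "idp.authn.LDAP.useStartTLS": "false" if all_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if all_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    # userField="uid" and userFilter="uid={0}" are equivalent in v2; v3 uses {user}.
    if "userFilter" in opts:
        inner = opts["userFilter"].strip("()").replace("{0}", "{user}")
        ldap["idp.authn.LDAP.userFilter"] = "(" + inner + ")"
    else:
        ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % opts["userField"]
    creds = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap, creds


def render(props):
    """Render a dict as Java properties lines."""
    return "\n".join("%s = %s" % kv for kv in props.items()) + "\n"


def migrate(text=V2_LOGIN_CONFIG):
    """v2 stanza text -> (ldap.properties text, credentials.properties text)."""
    ldap, creds = to_v3_properties(parse_jaas_options(text))
    return render(ldap), render(creds)


if __name__ == "__main__":
    ldap_txt, creds_txt = migrate()
    print("# ldap.properties\n" + ldap_txt)
    print("# credentials.properties\n" + creds_txt)
```

Run it against the stanza of your own login.config and diff the output against the ldap.properties shipped with the v3 distribution; the point of the split output is that credentials.properties can be given tighter file permissions than the rest of conf/.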

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References
Documentation:
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the velocity templates.
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• use the class in login.vm

    <img class="idp_logo" align="right" …

• rebuild and restart tomcat

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  • Less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.

New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter" />
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlementgroups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
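To make the "SHA-1 over SP entity ID, user attribute value and salt" description concrete, here is an added example (not SWITCH or Shibboleth project code) that computes such an identifier and its SP-side qualified string form. The "!" separator between the three hash inputs is taken from the Shibboleth computed-ID implementation; the IdP entity ID, the user value and the salt are constructed sample values, and the script assumes UTF-8 encoding of all inputs.

```python
"""Compute a SAML persistent ID as the slide describes it: SHA-1 over the
SP entity ID, the user's source attribute value and a secret salt,
Base64-encoded (20 bytes -> 28 characters).

Added example for the training handout; not SWITCH or Shibboleth code.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"  # constructed
SALT = "change-me-this-is-only-a-sample-salt"                    # constructed


def persistent_id(sp_entity_id, source_value, salt=SALT):
    """Opaque, targeted identifier: same user + same SP -> same value.

    The '!' separators follow the Shibboleth computed-ID strategy; without
    a separator, different (SP, user) pairs could collide on concatenation.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def qualified_id(sp_entity_id, source_value, idp_entity_id=IDP_ENTITY_ID, salt=SALT):
    """The string form the Shibboleth SP exposes: IdP!SP!persistentID."""
    return "!".join([idp_entity_id, sp_entity_id,
                     persistent_id(sp_entity_id, source_value, salt)])


def is_well_formed(pid):
    """20 SHA-1 bytes always Base64-encode to 28 characters ending in '='."""
    return len(pid) == 28 and pid.endswith("=") and len(base64.b64decode(pid)) == 20


if __name__ == "__main__":
    user = "12345@example.org"  # constructed swissEduPersonUniqueID-style value
    for sp in ("https://sp.example.org/shibboleth",
               "https://other.example.net/shibboleth"):
        print(sp, "->", qualified_id(sp, user))
```

Two properties worth checking in your own deployment follow directly from the construction: the same user gets a different value at every SP (pair-wise pseudonym), and an SP that knows its own value cannot derive the user's source attribute without the salt, which is why idp.persistentId.salt belongs in credentials.properties and must be carried over unchanged from v2 if existing identifiers are to remain stable.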

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute cons_ent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID (the colon in the key is escaped with a backslash in Java properties):

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                        c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

bull  Download the latest Identity Provider software package httpsshibbolethnetdownloadsidentity-providerlatest (targz package recommended for Linux)

bull  Unpack it at any convenient location (it wont be needed afterwards) bull  Change into the newly created distribution directory bull  Run bininstallsh to to upgrade the current deployment in optshibboleth-idp

bull  Review any necessary changes (eg based on the information from SWITCH or from the release notes)

bull  Run optshibboleth-idpbinbuildsh to re-build the warfile bull  Restart Tomcat to activate the new version

Ubuntu sudo service tomcat7 restart Red HatCentOS sudo systemctl restart tomcatservice

3

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References
Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata!

Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form)
1, 2: to review
3: to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally, also add helpdesk phone numbers.
• 7. Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
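As an added example (not SWITCH's or the Shibboleth project's code), this Python does what the grep above does, but per SP: it scans idp-process log lines for the SAML1 SOAP binding URN and reports the last day each SP used it, so the endpoint can be dropped once the list for the review period is empty. The log lines are constructed (the real message text differs; only the leading timestamp, the binding URN and a quoted entityID are relied on), and the idp-process-2015-*.log file name pattern is assumed from the slide.

```python
"""Last use of the SAML1 SOAP binding per SP, from idp-process log lines.

Added example, not SWITCH's or Shibboleth's code.  SAMPLE_LOG is constructed:
the format follows a "%date - %level [%logger] - %message" pattern but the
message wording is made up; only timestamp, binding URN and entityID matter.
"""
import glob
import os
import re

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

SAMPLE_LOG = """\
2015-01-12 08:03:11,501 - INFO [net.shibboleth.idp.profile:123] - SSO request from 'https://sp.example.org/shibboleth' via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-02-03 14:21:49,002 - INFO [net.shibboleth.idp.profile:123] - attribute query from 'https://legacy.example.org/shibboleth' via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-04-27 09:55:30,777 - INFO [net.shibboleth.idp.profile:123] - attribute query from 'https://legacy.example.org/shibboleth' via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-05-01 16:12:05,310 - INFO [net.shibboleth.idp.profile:123] - attribute query from 'https://old-portal.example.com/shibboleth' via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-06-02 11:40:00,000 - WARN [net.shibboleth.idp.profile:123] - SSO request from 'https://sp.example.org/shibboleth' via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}")
ENTITY_RE = re.compile(r"'(https?://[^']+)'")


def last_use_by_sp(lines, binding=SAML1_SOAP):
    """Map SP entityID -> ISO date of the most recent line mentioning `binding`.
    Lines without a recognisable entityID are kept under 'unknown' rather than
    silently dropped, so a removal decision never misses them."""
    last = {}
    for line in lines:
        if binding not in line:
            continue
        ts = TIMESTAMP_RE.match(line)
        ent = ENTITY_RE.search(line)
        day = ts.group(1) if ts else "0000-00-00"
        sp = ent.group(1) if ent else "unknown"
        if day > last.get(sp, ""):          # ISO dates compare correctly as strings
            last[sp] = day
    return last


def scan_log_dir(log_dir, pattern="idp-process-2015-*.log", binding=SAML1_SOAP):
    """Same check over all rolled-over files in the IdP log directory."""
    def all_lines():
        for path in sorted(glob.glob(os.path.join(log_dir, pattern))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield from fh
    return last_use_by_sp(all_lines(), binding)


def used_since(last, cutoff):
    """SPs whose last use is on or after the ISO date `cutoff`.  An empty
    result for the review period means the endpoint can be removed from the
    Resource Registry."""
    return sorted(sp for sp, day in last.items() if day >= cutoff)


if __name__ == "__main__":
    last = last_use_by_sp(SAMPLE_LOG.splitlines())
    for sp, day in sorted(last.items()):
        print(f"{day}  {sp}")
    print("still in use since 2015-03-01:", used_since(last, "2015-03-01"))
```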

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram, two slides)

Options
• Full-featured setup: load balancing hardware vs DNS round robin
  – Special load balancing hardware or software is highly recommended:
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably:
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References
Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
• Enable the IdP for interfederation: its users will be able to access services from other federations
• Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry (screenshot)
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                      | Defined in | Example
---------------------------------------------------|------------|----------------------------------------------------
displayName                                        | eduPerson  | Peter Sample
common name (cn)                                   | eduPerson  | Peter Sample
mail                                               | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                             | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                              | SCHAC      | example.org
schacHomeOrganizationType                          | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2) (screenshot)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
• Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution, eduGAIN Declaration, Metadata Profile, Attribute Profile, Web SSO Profile, Code of Conduct)

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories
A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  | GÉANT DP CoCo
----------------------------|----------------------------------
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (diagram)

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback: the Log4j successor
• Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok
• Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

Note that the SMTPAppender only sends a mail when an ERROR-level event arrives (its default evaluator); the root level only determines which events the appenders receive at all.

http://logback.qos.ch/manual/appenders.html

Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2
Find out why not all of the attributes appear!

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator, and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted-out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai: it needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities
•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"
•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch


References
For comprehensive information, refer to the documentation on the Shibboleth Wiki.
•  Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/Configuration
•  Spring Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/SpringConfiguration

User Authentication
How to do it the v3 way
SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows
•  v2 uses Login Handlers
   •  Typical/default setup: UsernamePassword login handler
      •  Username/password login form
      •  Authentication via JAAS and LDAP (login.config)
   •  Additional login handlers are available built-in (e.g. RemoteUser) or as an extension (e.g. X509, Kerberos (SPNEGO))
•  v3 uses Login Flows (also called Authentication Flows)
   •  Typical/default setup: Password login flow
      •  Username/password login form
      •  Authentication via LDAP (natively), JAAS or Kerberos (username/password)
   •  Additional login flows are available built-in (e.g. RemoteUser, X509). A login flow for SPNEGO/Kerberos is in development.

Login Flows (figure): a SAML Request reaches the Shibboleth IdP; the Authentication Engine selects a suitable flow (RemoteUser, X509 or Password Authentication Flow) and executes it; the IdP returns the SAML Response.

Login Flows
•  One or several flows can be activated
•  The authentication engine of the IdP selects a suitable flow depending on several criteria:
   •  Does the SP request a specific authentication context type?
   •  Does the SP request forced authentication?
   •  Does the SP request passive authentication?
•  In practice, most deployments will use the Password login flow as the only one
•  ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
   •  But: the client must support ECP appropriately

Authentication Configuration
•  Login flow activation
   •  /opt/shibboleth-idp/conf/idp.properties
      The active flows are specified via a regular expression (i.e. the order doesn't matter):
        idp.authn.flows = Password
        idp.authn.flows = X509|Password
•  Per login flow configuration
   •  /opt/shibboleth-idp/conf/authn/*-config.xml
•  Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
•  Most deployments use this authentication mechanism
•  Login flow for username/password authentication: Password (activated by default)
•  Configuration is done in two properties files
   •  All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
   •  Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
•  The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration
•  /opt/shibboleth-idp/conf/ldap.properties

    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

•  /opt/shibboleth-idp/conf/credentials.properties

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication
•  General options
   •  idp.authn.LDAP.authenticator
      User lookup and authentication method. Must be set to bindSearchAuthenticator.
•  Connection options
   •  idp.authn.LDAP.ldapURL
      URL of the LDAP server(s). Must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces).
   •  idp.authn.LDAP.useStartTLS
      Enable TLS encryption for ldap:// URLs (port 389) (if not enabled, the connection is not encrypted).
   •  idp.authn.LDAP.useSSL
      Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.

Properties for LDAP authentication
•  Connection options (continued)
   •  idp.authn.LDAP.sslConfig
      Type of X.509 certificate verification method. Usually set to jvmTrust.
•  User directory options
   •  idp.authn.LDAP.baseDN
      Entry point in the user directory
   •  idp.authn.LDAP.subtreeSearch
      Enable searching the whole tree. Usually set to true.
   •  idp.authn.LDAP.userFilter
      LDAP search filter. Takes the login name as input.

Properties for LDAP authentication
•  LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
   •  idp.authn.LDAP.bindDN
      Bind DN of the IdP service user
   •  idp.authn.LDAP.bindDNCredential
      Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with the properties files.
•  Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
•  /opt/shibboleth-idp/conf/ldap.properties
   •  Which LDAP attribute holds the user's login name?
   •  Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
•  Where is the password of the service user defined?

Hands-on 1: Solutions
•  Enabled flows: Password
     idp.authn.flows = Password
•  LDAP attribute holding the login name: uid
     idp.authn.LDAP.userFilter = (uid={user})
•  DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
•  In the file /opt/shibboleth-idp/conf/credentials.properties
     (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

    ShibUserPassAuth {
       edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"   is the same as   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password is kept out of ldap.properties):

    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
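The migration in Hands-on 2 can be scripted. The following is an added example (not SWITCH's or Shibboleth's tooling): it parses a v2 JAAS LdapLoginModule stanza and emits the v3 keys exactly as mapped above, routing the bind password to credentials.properties; the parser, the helper names and the StartTLS inference for plain ldap:// URLs are my own assumptions.

```python
"""Convert the IdP v2 JAAS LdapLoginModule stanza (login.config) into the
IdP v3 ldap.properties / credentials.properties keys of the Password flow.

Added example (not SWITCH or Shibboleth tooling): the key mapping follows
the hands-on; parser, helper names and the TLS inference are assumptions."""
import re
import shlex

# v2 JAAS option -> (v3 file, v3 key). The bind password is deliberately
# routed to credentials.properties, which the IdP keeps separate from
# ldap.properties so that it can be protected more tightly.
OPTION_MAP = {
    "ldapUrl":        ("ldap.properties", "idp.authn.LDAP.ldapURL"),
    "baseDn":         ("ldap.properties", "idp.authn.LDAP.baseDN"),
    "bindDn":         ("ldap.properties", "idp.authn.LDAP.bindDN"),
    "subtreeSearch":  ("ldap.properties", "idp.authn.LDAP.subtreeSearch"),
    "bindCredential": ("credentials.properties", "idp.authn.LDAP.bindDNCredential"),
}


def parse_jaas_options(stanza: str) -> dict:
    """Return the option=value pairs of a single JAAS login-module entry."""
    body = re.search(r"\{(.*)\}", stanza, re.S)
    if body is None:
        raise ValueError("no JAAS stanza body ({ ... }) found")
    tokens = shlex.split(body.group(1).strip().rstrip(";"))  # keeps quoted values whole
    if len(tokens) < 2:
        raise ValueError("expected module class and control flag")
    opts = {}
    for tok in tokens[2:]:          # tokens[0] = module class, tokens[1] = flag
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed option: {tok}")
        opts[key] = value
    return opts


def to_v3(opts: dict) -> dict:
    """Map v2 options onto the two v3 files: {file: {key: value}}."""
    out = {
        "ldap.properties": {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator"},
        "credentials.properties": {},
    }
    for key, value in opts.items():
        if key in OPTION_MAP:
            target_file, v3_key = OPTION_MAP[key]
            out[target_file][v3_key] = value
    # v2 accepts userField=uid or the equivalent userFilter=uid={0};
    # v3 only has userFilter and substitutes {user} for the login name.
    if "userFilter" in opts:
        user_filter = opts["userFilter"].replace("{0}", "{user}")
    elif "userField" in opts:
        user_filter = f"{opts['userField']}={{user}}"
    else:
        raise ValueError("stanza has neither userField nor userFilter")
    if not user_filter.startswith("("):
        user_filter = f"({user_filter})"
    out["ldap.properties"]["idp.authn.LDAP.userFilter"] = user_filter
    # TLS flags follow from the URL scheme: ldaps:// means useSSL; for plain
    # ldap:// we switch on StartTLS rather than leave the bind unencrypted
    # (assumption: every deployment wants an encrypted connection).
    urls = opts.get("ldapUrl", "").split()
    if not urls:
        raise ValueError("stanza has no ldapUrl")
    all_ldaps = all(u.startswith("ldaps://") for u in urls)
    out["ldap.properties"]["idp.authn.LDAP.useStartTLS"] = str(not all_ldaps).lower()
    out["ldap.properties"]["idp.authn.LDAP.useSSL"] = str(all_ldaps).lower()
    out["ldap.properties"]["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    return out


def migrate(stanza: str) -> dict:
    return to_v3(parse_jaas_options(stanza))


def render(props: dict) -> str:
    """Serialise one properties file in the 'key = value' form used above."""
    return "".join(f"{k} = {v}\n" for k, v in props.items())


# Constructed input: the hands-on's v2 stanza with the values from the slide.
V2_LOGIN_CONFIG = """\
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
"""

if __name__ == "__main__":
    for name, props in migrate(V2_LOGIN_CONFIG).items():
        print(f"# {name}\n{render(props)}")
```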

Advanced Topics
•  JAAS authentication as used in v2 is still supported in v3
   •  Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
   •  JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
•  JAAS authentication is recommended for
   •  Connecting to multiple LDAP trees with different user bases
      •  Might be done with native LDAP authentication, but requires complex configuration
   •  Connecting to other user directories like RDBMs (using a specific JAAS module)
•  See the documentation on the Shibboleth wiki for details

References
Documentation
•  Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
•  Password Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
•  Password LDAP Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
•  Advanced LDAP Configuration
   http://www.ldaptive.org/docs/guide/authentication
•  Password JAAS Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
•  How to
   –  customize look and feel
   –  customize messages/languages
   –  add text to your login site

Layout
•  Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
•  Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
•  Rebuild the idp.war file and restart tomcat

Spring message properties
•  In /opt/shibboleth-idp/messages you find
   –  authn-messages.properties
   –  error-messages.properties
   –  consent-messages.properties
   These messages are used in the velocity templates.
•  Internationalization
   –  consent-messages_de.properties
   –  consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity
•  The Apache Velocity Engine is a free, open-source templating engine
•  Clean separation between the presentation tier and the business tiers
•  VTL (Velocity Template Language)
   –  References begin with $
   –  Directives begin with #
   –  A single-line comment begins with ## and finishes at the end of the line
   –  Multi-line comments begin with #* and end with *#

Login and intercept
•  The velocity templates are under /opt/shibboleth-idp/views:
   –  login.vm
   –  login-error.vm
   –  intercept/attribute-release.vm
   –  intercept/terms-of-use.vm
   –  error.vm
   are the most used (no restart required)
•  Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties
•  $rpUIContext.informationURL
•  $rpUIContext.logo
•  $rpUIContext.organizationDisplayName
•  $rpUIContext.organizationName
•  $rpUIContext.organizationURL
•  $rpUIContext.privacyStatementURL
•  $rpUIContext.serviceDescription
•  $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

Hands On I
•  Make the IdP logo disappear for screens smaller than 799 px

Hands On II
•  Return the following error message on the login form in case of an invalid username or an incorrect password:
   "The credentials you entered are incorrect."

Hands On III
•  Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
•  Define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

•  Use the class in login.vm:

    <img class="idp_logo" align="right" …

•  Rebuild and restart tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
•  Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
•  Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
•  Some deprecated elements are ignored
•  Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
•  No warning for using legacy configuration mode
•  Delete ignored elements
•  Grouping attribute definitions in separate files
   •  Less misleading, smaller files, clearer

Deprecated items
•  Principal connectors
•  NameID encoders
•  Transient identifier attribute definitions
•  Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.

New features in version 3
•  Property replacement: %{my.property}
•  Move passwords to a dedicated file
•  Extract duplicated data like URLs
•  Can split configuration into several files
•  External Spring configuration for data connectors
•  Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1.3.6.1.4.1.1181711213 (the dots inside the enterprise arc were lost in extraction)
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1.3.6.1.4.1.1181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
•  IdP API for scripts has changed
   •  output attribute variable already created
   •  setValues() removed
   •  and more, see ScriptedAttributeDefinition for details
•  Alternatives: mapped or template attribute definitions
•  JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References
•  Shibboleth wiki: AttributeResolverConfiguration and its child pages
•  Shibboleth wiki: AttributeFilterConfiguration
•  Shibboleth wiki: ScriptedAttributeDefinition
•  Rhino Migration Guide

Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
•  a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
•  introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
•  first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
•  configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
•  on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

•  attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

•  by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
•  when used in a federation: always qualified by the IdP and SP entity IDs

Persistent ID changes with the IdP v3
•  no disruptive ones, but a couple of things have happened behind the scenes
•  most importantly, the IdP v3 brings a new, dedicated NameID generation service
   –  preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
   –  deprecates the StoredId data connector and the SAML2NameID attribute definition type
   –  in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
   –  the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
•  configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

•  to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
•  to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
•  finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
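The two properties the recap relies on, pair-wise pseudonyms and the need to carry the salt over from v2, can be checked with a few lines. This is an added example, not Shibboleth code: the page states the ID is the Base64 SHA-1 of SP entity ID + user attribute value + salt; the "!" separators between the three parts are an assumption modelled on the Shibboleth computed-ID convention, and all entity IDs, the user value and the salt are constructed.

```python
"""Persistent ID computation and the properties the slides rely on.

Added example, not Shibboleth code. The page states the ID is the Base64
SHA-1 of (SP entity ID + user attribute value + salt); the "!" separators
are an assumption, and the IdP!SP!value string follows the qualified
rendering described under "Persistent IDs in practice"."""
import base64
import hashlib


def persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Return the 28-character Base64 form of the 20-byte SHA-1 digest."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")                         # assumed separator
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")                         # assumed separator
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_string(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """Qualified form in which the SP hands the ID to applications."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def is_pairwise(source_value: str, salt: str, sp_entity_ids) -> bool:
    """True when every SP receives a different pseudonym for the same user,
    so two SPs cannot correlate the user by comparing their IDs."""
    ids = {persistent_id(sp, source_value, salt) for sp in sp_entity_ids}
    return len(ids) == len(set(sp_entity_ids))


def survives_migration(sp_entity_id: str, source_value: str,
                       v2_salt: str, v3_salt: str) -> bool:
    """True only if the v3 salt reproduces the v2 ID: a freshly generated
    salt would silently hand every user a new identity at every SP."""
    return (persistent_id(sp_entity_id, source_value, v2_salt)
            == persistent_id(sp_entity_id, source_value, v3_salt))


# Constructed values (not from any real deployment)
IDP = "https://aai-login.example.org/idp/shibboleth"
SPS = ["https://sp.example.org/shibboleth", "https://other.example.org/shibboleth"]
USER = "123456789@example.org"     # e.g. a swissEduPersonUniqueID value
SALT = "constructed-salt-do-not-reuse"

if __name__ == "__main__":
    for sp in SPS:
        print(sp_attribute_string(IDP, sp, persistent_id(sp, USER, SALT)))
```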

Retaining persistent IDs from your v2 IdP
•  the database schema for the shibpid table remains unchanged
•  when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
•  "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

•  make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
   before importing a newer version of a full dump

(Some ideas for) hands-on exercises
•  examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

•  delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
•  dump the shibpid table to a file, purge the table with truncate and reimport the records
•  log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
•  Attribute release and terms of use consent now built in
•  Inspired by the uApprove and uApproveJP plugins for v2
•  No consent data migration: storage implementations are not compatible
•  May be enabled or disabled per relying party and per profile
•  Decisions logged

Differences with uApprove
•  User can select attributes to release [disabled]
•  Consent duration choices
   1. Ask me again if information changes
      = if the set of attributes changes
   2. Ask me again at next login [enabled]
   3. Do not ask me again, ever, for any SP [enabled]
•  No regular expression for SP white/black lists
•  No translations provided

Why enable user consent?
•  Easier to have now with v3 than with v2
•  Required by the SWITCHaai Interfederation Access Declaration
•  Inform users about what personal data is transmitted, in a more real-time fashion
•  Recommended to comply with data protection laws

Why (not) enable user consent?
•  One more page to read and click through upon login, but only the first time for each SP
•  Global consent disabled: users cannot choose "I don't care about my privacy"
•  Decide for all your users, or let them decide

When should consent be sought?
•  All SPs: the best option ← recommended
•  Outside your organisation: good, fewer clicks
•  Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.
•  Post-authentication flows
   •  Attribute consent [enabled]
   •  Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release otherwise]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.
•  Consent duration options
   •  Ask me again if information changes: always available to users
   •  Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
   •  Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per attribute behaviour
•  Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
•  Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
•  White & black lists: which attributes to prompt for [all except black list]
   •  White list [empty]. When filled, any attribute not mentioned in a list is released without asking.
   •  Black list [transientId, persistentId, eduPersonTargetedID]
   •  Pattern match [not defined]

Intercept flow configuration
Attribute display order (coming in version 3.2.0)
•  Alphabetical order by default
•  Except attributes in the white list, which show up first
•  Set the pattern to ^$ to catch all other attributes
•  Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
•  Terms for each SP
   •  Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

•  Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
•  Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
•  Enable the terms-of-use flow in conf/relying-party.xml
•  Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
•  Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
•  Shibboleth wiki: ConsentConfiguration
•  Shibboleth wiki: RelyingPartyConfiguration
•  Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs
Relying party overrides
•  Template beans in conf/relying-party.xml to match SPs by
   •  name: entityID
   •  group: <EntitiesDescriptor> in metadata
   •  tag: <EntityAttributes> metadata extension
•  First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs
Entity attributes in metadata
•  Entity categories
   •  GÉANT Data Protection Code of Conduct (CoCo)
   •  REFEDS Research & Scholarship
•  New attributes available
   •  swissEduPersonHomeOrganization
   •  swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="ShibbolethSSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Upgrades within Version 3
It's easy now!

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service
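The procedure above as a script, added here as an example and not part of the SWITCH handouts or the Shibboleth distribution. It adds two steps a practitioner wants before install.sh runs: verifying the downloaded package against a SHA-256 digest obtained out of band (the download page, not the same channel as the tarball), and archiving the unmanaged directories (conf, views, edit-webapp, credentials, messages) so a failed upgrade can be rolled back. The paths /opt/shibboleth-idp, bin/install.sh, bin/build.sh and the Tomcat restart commands are the ones on the slides; the tarball layout (a single top-level directory) and the OS detection via /etc/os-release are assumptions.

```shell
#!/bin/sh
# Added example: IdP v3 in-place upgrade with integrity check and config backup.
# Assumes the deployment lives in $IDP_HOME (default /opt/shibboleth-idp) and
# that the distribution tarball unpacks into one top-level directory.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"

# Print the SHA-256 digest of a file (coreutils sha256sum, or shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches (case-insensitive), 1 otherwise
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# backup_unmanaged IDP_HOME DEST_DIR -> archives the directories the upgrade
# never touches but which hold all local customisation; prints the archive path.
backup_unmanaged() {
    home="$1"; dest="$2"
    mkdir -p "$dest"
    dest=$(cd "$dest" && pwd)                      # absolute, because we cd below
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/idp-unmanaged-$stamp.tar.gz"
    dirs=""
    for d in conf views edit-webapp credentials messages; do
        [ -d "$home/$d" ] && dirs="$dirs $d"       # only what exists in this deployment
    done
    [ -n "$dirs" ] || return 1
    # shellcheck disable=SC2086  (intentional word splitting of the directory list)
    (cd "$home" && tar czf "$archive" $dirs) || return 1
    printf '%s\n' "$archive"
}

# tomcat_restart_cmd OS_ID -> the restart command from the slides for that distribution
tomcat_restart_cmd() {
    case "$1" in
        ubuntu|debian) printf '%s\n' "sudo service tomcat7 restart" ;;
        rhel|centos)   printf '%s\n' "sudo systemctl restart tomcat.service" ;;
        *)             return 1 ;;
    esac
}

# upgrade_idp TARBALL EXPECTED_SHA256 -> runs the whole procedure, stopping at the first failure
upgrade_idp() {
    tarball="$1"; digest="$2"
    verify_sha256 "$tarball" "$digest" || { echo "checksum mismatch, aborting" >&2; return 1; }
    backup_unmanaged "$IDP_HOME" "${IDP_HOME}-backups" || return 1
    work=$(mktemp -d)
    tar xzf "$tarball" -C "$work" || return 1
    dist=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    (cd "$dist" && ./bin/install.sh) || return 1   # upgrades the existing deployment in place
    "$IDP_HOME/bin/build.sh" || return 1           # re-builds idp.war from edit-webapp + webapp
    rm -rf "$work"                                 # the unpacked distribution is not needed any more
    osid=$(. /etc/os-release && printf '%s' "$ID")
    if cmd=$(tomcat_restart_cmd "$osid"); then
        echo "now activate the new version with: $cmd"
    else
        echo "unknown distribution '$osid', restart Tomcat manually" >&2
    fi
}

# Only act when explicitly asked: IDP_UPGRADE_RUN=1 sh upgrade.sh <tarball> <sha256>
if [ -n "${IDP_UPGRADE_RUN:-}" ]; then
    upgrade_idp "$@"
fi
```

The backup deliberately excludes system and webapp: those are the managed directories the installer is meant to replace, and restoring an old copy over a new release would mix versions.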

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp.
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – unlike the upgrade from IdPv1 to IdPv2
  – therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot: steps 1 and 2 are to review, step 3 is to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why? Easier configuration, because
• only one Apache VirtualHost
• one domain name and one certificate
• no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
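The grep above, turned into a small check that also tells you when and by which SP the binding was last used. This is an added example, not from the SWITCH handouts; the two sample log files are constructed, and only their "YYYY-MM-DD HH:MM:SS,ms - LEVEL" prefix follows the IdP's default logback pattern, the message text and the logger name are assumptions for the demo. The function also works for any other binding URI, not just the SAML1 SOAP binding of the slide.

```shell
#!/bin/sh
# Added example: decide from idp-process logs whether an endpoint/binding is idle
# before removing it from the Resource Registry. Sample log content is constructed.

SAML1_SOAP="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
LOG_DIR="${LOG_DIR:-/opt/shibboleth-idp/logs}"

# count_binding_uses BINDING FILE... -> number of log lines mentioning BINDING
count_binding_uses() {
    binding="$1"; shift
    grep -hF -- "$binding" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# last_binding_use BINDING FILE... -> "YYYY-MM-DD HH:MM:SS <sp-entityID>" of the
# most recent matching line; pass the files in date order (the idp-process-YYYY-MM-DD
# names sort chronologically). Returns 1 when the binding never appears.
last_binding_use() {
    binding="$1"; shift
    line=$(grep -hF -- "$binding" "$@" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    stamp=$(printf '%s' "$line" | cut -c1-19)                       # drop the ",ms" part
    sp=$(printf '%s' "$line" | grep -o 'http[s]*://[^ ]*' | head -n 1)  # first URL = the SP
    printf '%s %s\n' "$stamp" "${sp:-unknown-sp}"
}

# report_binding BINDING FILE... -> one-line verdict for the operator
report_binding() {
    binding="$1"; shift
    n=$(count_binding_uses "$binding" "$@")
    if [ "$n" -eq 0 ]; then
        echo "$binding: never used in the given logs, endpoint can be removed"
    else
        echo "$binding: used $n time(s), last on $(last_binding_use "$binding" "$@")"
    fi
}

# Constructed sample logs (two files, as the daily rollover produces them).
make_sample_logs() {
    dir="$1"
    cat > "$dir/idp-process-2015-03-02.log" <<'EOF'
2015-03-02 09:14:51,208 - INFO [net.shibboleth.idp.profile.impl.ExampleAction:1] - Inbound message from https://sp1.example.org/shibboleth using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-03-02 09:15:10,001 - INFO [net.shibboleth.idp.profile.impl.ExampleAction:1] - Inbound message from https://sp2.example.org/shibboleth using binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
EOF
    cat > "$dir/idp-process-2015-04-20.log" <<'EOF'
2015-04-20 11:05:07,944 - INFO [net.shibboleth.idp.profile.impl.ExampleAction:1] - Inbound message from https://sp3.example.org/shibboleth using binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-04-20 11:06:00,120 - INFO [net.shibboleth.idp.profile.impl.ExampleAction:1] - Inbound message from https://sp1.example.org/shibboleth using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
EOF
}

# On a real IdP: report_binding "$SAML1_SOAP" "$LOG_DIR"/idp-process-2015-*.log
```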

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• In particular, user login sessions are stored on the client instead of in server memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagram, two slides)

Options

• Full-featured setup: load balancing hardware vs DNS round robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs server-side
  – A server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
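A check of those four idp.properties entries against the storage recommendations table, added here as an example (not part of the SWITCH handouts). It maps the bean names the IdP ships for in-memory storage (shibboleth.StorageService) and client-side storage (shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService), plus the shibboleth.JPAStorageService bean of the SWITCHaai deployment, to the kinds "memory", "client" and "database", and warns where a node-local store is configured for an entity the table says must be shared across the cluster. The idp.properties fragment it audits is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit idp.properties storage settings for a clustered IdP.
# Bean-to-kind mapping is an assumption about which beans are in use locally;
# extend storage_kind() for beans defined in your own global.xml.

# get_prop FILE KEY -> value of KEY (whitespace trimmed); empty when unset
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# storage_kind BEAN -> memory | client | database | unknown
storage_kind() {
    case "$1" in
        shibboleth.StorageService)                 echo memory ;;    # in-memory, per node
        shibboleth.ClientSessionStorageService)    echo client ;;    # encrypted session cookie
        shibboleth.ClientPersistentStorageService) echo client ;;    # cookie-based persistent store
        shibboleth.JPAStorageService)              echo database ;;  # SWITCH global.xml bean
        *)                                         echo unknown ;;
    esac
}

# audit_storage FILE -> prints one OK/WARN line per entity; exit status = number of warnings
audit_storage() {
    f="$1"; warnings=0
    # entity property : acceptable kinds in a cluster (from the recommendations table)
    for spec in "idp.session.StorageService:client" \
                "idp.consent.StorageService:database" \
                "idp.artifact.StorageService:database" \
                "idp.replayCache.StorageService:memory database"; do
        key=${spec%%:*}; wanted=${spec#*:}
        bean=$(get_prop "$f" "$key")
        kind=$(storage_kind "$bean")
        ok=no
        for w in $wanted; do [ "$kind" = "$w" ] && ok=yes; done
        if [ "$ok" = yes ]; then
            echo "OK   $key = ${bean:-<unset>} ($kind)"
        else
            echo "WARN $key = ${bean:-<unset>} ($kind), recommended: $wanted"
            warnings=$((warnings + 1))
        fi
    done
    return "$warnings"
}

# Constructed idp.properties fragment: a single-node default that keeps consents
# and artifacts in memory, which loses them on failover in a cluster.
write_sample_properties() {
    cat > "$1" <<'EOF'
# storage service settings (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

# On a real node: audit_storage /opt/shibboleth-idp/conf/idp.properties
```

The replay cache is accepted as per-node memory because that is the default the slides describe; a deployment with higher security requirements would tighten that line to "database" only.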

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
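A rotation job for the generator node, added here as an example; it is neither the SWITCH handouts' nor the Shibboleth wiki's script. It calls the IdP's own bin/seckeygen.sh with the keystore, password, version-file and alias arguments as documented for IdPv3 (check them against your installed version), then copies sealer.jks and sealer.kver to the peer nodes with scp. The peer host names, the monthly schedule and reading the password from idp.sealer.password in idp.properties are assumptions; the "CurrentVersion=N" line in sealer.kver is what seckeygen writes, and the sync check relies only on that line.

```shell
#!/bin/sh
# Added example: rotate the session-cookie sealer key on one node and push it to
# the peers. Assumptions: peers reachable via scp as the same user, seckeygen.sh
# option names as in the IdPv3 documentation, password in idp.properties.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PEERS="${PEERS:-idp2.example.org idp3.example.org}"      # assumed peer host names
KEYSTORE="$IDP_HOME/credentials/sealer.jks"
VERSION_FILE="$IDP_HOME/credentials/sealer.kver"

# key_version KVER_FILE -> CurrentVersion from the file, or 0 when the file is missing
key_version() {
    [ -f "$1" ] || { echo 0; return; }
    sed -n 's/^CurrentVersion=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# sealer_password -> idp.sealer.password from $IDP_HOME/conf/idp.properties
sealer_password() {
    sed -n 's/^[[:space:]]*idp\.sealer\.password[[:space:]]*=[[:space:]]*//p' \
        "$IDP_HOME/conf/idp.properties" | head -n 1
}

# generate_key -> runs seckeygen.sh (adds key N+1 and bumps the version file), prints the new version
generate_key() {
    pass=$(sealer_password)
    [ -n "$pass" ] || { echo "no idp.sealer.password in idp.properties" >&2; return 1; }
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$KEYSTORE" --storepass "$pass" \
        --versionfile "$VERSION_FILE" --alias secret || return 1
    key_version "$VERSION_FILE"
}

# distribute_key -> copies keystore first and version file last, so a peer never
# advertises a version whose key it does not yet have
distribute_key() {
    for host in $PEERS; do
        scp -q "$KEYSTORE" "$host:$KEYSTORE" || return 1
        scp -q "$VERSION_FILE" "$host:$VERSION_FILE" || return 1
    done
}

# peers_in_sync LOCAL_KVER PEER_KVER... -> 0 when every copy reports the local version
peers_in_sync() {
    want=$(key_version "$1"); shift
    for f in "$@"; do
        [ "$(key_version "$f")" = "$want" ] || return 1
    done
}

rotate() {
    before=$(key_version "$VERSION_FILE")
    after=$(generate_key) || return 1
    [ "$after" -gt "$before" ] || { echo "key version did not advance" >&2; return 1; }
    distribute_key
}

# Crontab entry on the generator node only (assumed monthly schedule):
#   0 3 1 * * IDP_HOME=/opt/shibboleth-idp ROTATE_RUN=1 sh /usr/local/sbin/rotate-sealer.sh
if [ -n "${ROTATE_RUN:-}" ]; then rotate; fi
```

Running peers_in_sync against copies of the peers' sealer.kver files (fetched with scp in the other direction) is a cheap monitoring check: a node whose version lags cannot decrypt sessions issued by the others.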

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map: Production / Pilot). Source: https://refeds.org/federations/federations-map

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

(Diagram: Metadata)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. Goal: increase the trust in Service Providers (SPs).)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log of the aai-login.example.org virtual host; LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log of the aai-login.example.org virtual host
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties: FileHandler.level (INFO by default; SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings are usually OK
  – Change it if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
      $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
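The curl-based reload the slides suggest, wrapped so that a non-200 response is treated as a failure, together with a count of reload events in idp-audit.log. This is an added example, not from the SWITCH handouts: the URLs and the reload-service-configuration / reload-metadata profile URIs are those on the slides; the host name aai-login.example.org is the slides' placeholder; the sample audit lines are constructed and only reproduce the pipe-separated layout with the profile URI in one field, not the IdP's full audit format.

```shell
#!/bin/sh
# Added example: trigger the IdPv3 admin reload flows and check idp-audit.log
# for the reload records. Run from the IdP host itself, since the flows are
# restricted to localhost by default. Sample audit content is constructed.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"
AUDIT_LOG="${AUDIT_LOG:-/opt/shibboleth-idp/logs/idp-audit.log}"

# reload_url KIND ID -> admin flow URL; KIND is "service" (bean ID) or "metadata" (provider ID)
reload_url() {
    case "$1" in
        service|metadata) printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2" ;;
        *) return 1 ;;
    esac
}

# reload KIND ID -> calls the flow and fails unless the IdP answered HTTP 200
# (an unknown bean ID or a configuration file with a syntax error does not give 200)
reload() {
    url=$(reload_url "$1" "$2") || return 1
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    [ "$code" = "200" ] || { echo "reload of $2 failed: HTTP $code" >&2; return 1; }
}

# reload_events AUDIT_FILE -> "<profile-uri> <count>" per reload profile found in the log
reload_events() {
    grep -o 'http://shibboleth.net/ns/profiles/reload-[a-z-]*' "$1" | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# count_reload_events AUDIT_FILE PROFILE -> number of audit records for that reload profile
count_reload_events() {
    n=$(reload_events "$1" | awk -v p="http://shibboleth.net/ns/profiles/$2" '$1 == p { print $2 }')
    echo "${n:-0}"
}

# Constructed sample audit log: reload records leave most fields empty, a normal
# SSO record is included to show it is not counted.
write_sample_audit() {
    cat > "$1" <<'EOF'
20150611T081501Z|||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081530Z|||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T082002Z|||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T082545Z|||||http://shibboleth.net/ns/profiles/saml2/sso/browser|||||||||
EOF
}

# Typical use on the IdP host, after editing attribute-filter.xml:
#   reload service shibboleth.AttributeFilterService && reload_events "$AUDIT_LOG"
```

Because the audit record does not carry the id= argument, the wrapper prints the failing ID itself; the Apache access log of the virtual host is the other place where the requested URL, including the query string, is recorded.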

And restartless login page editing too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed under "Available bean IDs for service reloads":
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
  – check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
  – entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
    How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so users cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – The SP does not load the interfederation metadata
    • The SP does not know the IdP and fails

Discovery Service (DS)

•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
•  An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
   •  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
   •  That can result in this error message at your IdP:

      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

•  Missing attributes cause interoperation problems
   •  Check the SP's attribute requirements in the Resource Registry
   •  Verify that attributes were released (in the IdP's audit log)
      •  If NO: check your IdP's attribute release policy
      •  If YES: were all required attributes released?
         •  If YES: the SP has to check out why it fails
         •  If NO: review your attribute release policy
•  Another issue
   •  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

•  Is a university's IdP or an SP already interfederated?
   •  go to https://technical.edugain.org/status.php
      •  pick the country where the entity might be registered
      •  under "Metadata URL" click on "validate this metadata set", then on "show entities list"
   •  or search it in the eduGAIN List of Entities
      •  go to https://technical.edugain.org/entities.php
   •  or try the "Is Federated Checker"
      •  go to https://wiki.edugain.org/isFederatedCheck
      •  provide email addresses or domain names
•  Additional web pages of interest
   •  Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
      •  go to http://monitor.edugain.org/coco
   •  REFEDS Metadata Explorer Tool (MET)
      •  go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"
•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch

Page 103


User Authentication: How to do it the v3 way

SWITCHaai Team, aai@switch.ch

From Login Handlers to Login Flows

•  v2 uses Login Handlers
   •  Typical/default setup: UsernamePassword login handler
      •  Username/password login form
      •  Authentication via JAAS and LDAP (login.config)
   •  Additional login handlers are available built-in (e.g. RemoteUser) or as extension (e.g. X.509, Kerberos (SPNEGO))
•  v3 uses Login Flows (also called Authentication Flows)
   •  Typical/default setup: Password login flow
      •  Username/password login form
      •  Authentication via LDAP (natively), JAAS or Kerberos (username/password)
   •  Additional login flows are available built-in (e.g. RemoteUser, X.509). A login flow for SPNEGO/Kerberos is in development.

Page 15

Login Flows

[Figure: a SAML request reaches the Shibboleth IdP; the authentication engine selects a suitable flow (RemoteUser, X.509 or Password authentication flow) and executes it; a SAML response is returned]

Login Flows

•  One or several flows can be activated
•  The authentication engine of the IdP selects a suitable flow depending on several criteria:
   •  Does the SP request a specific authentication context type?
   •  Does the SP request forced authentication?
   •  Does the SP request passive authentication?
•  In practice, most deployments will use the Password login flow as the only one
•  ECP is supported out-of-the-box by the Password login flow. No special configuration is required.
   •  But the client must support ECP appropriately

Page 16

Authentication Configuration

•  Login flow activation
   •  /opt/shibboleth-idp/conf/idp.properties
      The active flows are specified via a regular expression (i.e. the order doesn't matter):

         idp.authn.flows = Password
         idp.authn.flows = X509|Password

•  Per login flow configuration
   •  /opt/shibboleth-idp/conf/authn/*-config.xml
•  Side note: If multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process.

Configuration: Username/password with LDAP

•  Most deployments use this authentication mechanism
•  Login flow for username/password authentication: Password (activated by default)
•  Configuration is done in two properties files
   •  All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
   •  Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
•  The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration

•  /opt/shibboleth-idp/conf/ldap.properties

      idp.authn.LDAP.authenticator = bindSearchAuthenticator
      idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
      idp.authn.LDAP.useStartTLS = false
      idp.authn.LDAP.useSSL = true
      idp.authn.LDAP.sslConfig = jvmTrust
      idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
      idp.authn.LDAP.subtreeSearch = true
      idp.authn.LDAP.userFilter = (uid={user})
      idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

•  /opt/shibboleth-idp/conf/credentials.properties

      […]
      idp.authn.LDAP.bindDNCredential = secret
      […]

Properties for LDAP authentication

•  General options
   •  idp.authn.LDAP.authenticator
      User lookup and authentication method. Must be set to bindSearchAuthenticator.
•  Connection options
   •  idp.authn.LDAP.ldapURL
      URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
   •  idp.authn.LDAP.useStartTLS
      Enable TLS encryption for ldap:// URLs (port 389). (If not enabled, the connection is not encrypted.)
   •  idp.authn.LDAP.useSSL
      Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.

Page 18

Properties for LDAP authentication

•  Connection options (continued)
   •  idp.authn.LDAP.sslConfig
      Type of X.509 certificate verification method. Usually set to jvmTrust.
•  User directory options
   •  idp.authn.LDAP.baseDN
      Entry point in the user directory
   •  idp.authn.LDAP.subtreeSearch
      Enable searching the whole tree. Usually set to true.
   •  idp.authn.LDAP.userFilter
      LDAP search filter. Takes the login name as input.

Properties for LDAP authentication

•  LDAP service user options
   (The IdP connects to the LDAP server as this user to search for users)
   •  idp.authn.LDAP.bindDN
      Bind DN of the IdP service user
   •  idp.authn.LDAP.bindDNCredential
      Password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Page 19

Hands-on 1: Explore the configuration

Get familiar with the properties files:

•  Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
•  /opt/shibboleth-idp/conf/ldap.properties
   •  Which LDAP attribute holds the user's login name?
   •  Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
•  Where is the password of the service user defined?

Hands-on 1: Solutions

•  Enabled flows: Password
      idp.authn.flows = Password
•  LDAP attribute holding the login name: uid
      idp.authn.LDAP.userFilter = (uid={user})
•  DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
•  In the file /opt/shibboleth-idp/conf/credentials.properties
      (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

      ShibUserPassAuth {
         edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
            baseDn="ou=People,dc=example,dc=org"
            bindDn="cn=idp,dc=example,dc=org"
            bindCredential="secret"
            userField="uid"
            subtreeSearch="true";
      };

PS: A common and equivalent alternative to userField is userFilter:

      userField="uid"      userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

      […]
      idp.authn.LDAP.authenticator = bindSearchAuthenticator
      idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
      idp.authn.LDAP.useStartTLS = false
      idp.authn.LDAP.useSSL = true
      idp.authn.LDAP.sslConfig = jvmTrust
      idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
      idp.authn.LDAP.subtreeSearch = true
      idp.authn.LDAP.userFilter = (uid={user})
      idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
      […]

File /opt/shibboleth-idp/conf/credentials.properties (the bind credential is the one value that does not belong in ldap.properties):

      […]
      idp.authn.LDAP.bindDNCredential = secret
      […]
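As an added example, not part of the handouts or of the IdP distribution, this script performs the hands-on mapping automatically: it parses an IdPv2 LdapLoginModule entry and emits the two IdPv3 files, keeping the bind credential out of ldap.properties. The sample login.config is constructed, and enabling StartTLS for plain ldap:// URLs is a choice of this script, not of the handouts.

```python
"""Added example (not SWITCH's or Shibboleth's code): map the LDAP options of an
IdPv2 JAAS login.config entry onto the IdPv3 ldap.properties and
credentials.properties split used in the hands-on solution."""
import re

# Constructed sample input, mirroring the hands-on login.config (dummy secret).
LOGIN_CONFIG = """
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
"""


def parse_jaas_options(text):
    """Return the key="value" options of the LdapLoginModule entry as a dict."""
    entry = re.search(r"LdapLoginModule\s+\w+\s+(.*?);", text, re.S)
    if entry is None:
        raise ValueError("no LdapLoginModule entry found")
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', entry.group(1)))


def user_filter(opts):
    """v2 accepted userField="uid" or the equivalent userFilter="uid={0}";
    v3 wants one search filter with the {user} placeholder."""
    if "userFilter" in opts:
        flt = opts["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else "(" + flt + ")"
    return "(" + opts["userField"] + "={user})"


def migrate(text):
    """Return (ldap_props, credential_props) for the two v3 files."""
    opts = parse_jaas_options(text)
    urls = opts["ldapUrl"].split()
    schemes = {url.split("://", 1)[0] for url in urls}
    if len(schemes) != 1 or not schemes <= {"ldap", "ldaps"}:
        raise ValueError("all LDAP URLs must share one scheme, ldap:// or ldaps://")
    ldaps = schemes == {"ldaps"}
    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": " ".join(urls),
        # This script's choice: plain ldap:// URLs get StartTLS so that neither
        # the bind password nor user passwords cross the network unencrypted.
        "idp.authn.LDAP.useStartTLS": str(not ldaps).lower(),
        "idp.authn.LDAP.useSSL": str(ldaps).lower(),
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter(opts),
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    # The credential is the only option that goes to credentials.properties.
    credential_props = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap_props, credential_props


def render(props):
    """Java properties text, one 'key = value' per line."""
    return "".join(f"{key} = {value}\n" for key, value in props.items())


if __name__ == "__main__":
    ldap_props, credential_props = migrate(LOGIN_CONFIG)
    print("# /opt/shibboleth-idp/conf/ldap.properties\n" + render(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties\n" + render(credential_props))
```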

Page 21

Advanced Topics

•  JAAS authentication as used in v2 is still supported in v3
   •  Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
   •  JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
•  JAAS authentication is recommended for
   •  Connecting to multiple LDAP trees with different user bases
      •  Might be done with native LDAP authentication, but requires complex configuration
   •  Connecting to other user directories like RDBMSs (using a specific JAAS module)
•  See the documentation on the Shibboleth wiki for details

References: Documentation

•  Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
•  Password Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
•  Password LDAP Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
•  Advanced LDAP Configuration
   http://www.ldaptive.org/docs/guide/authentication
•  Password JAAS Authentication Configuration
   https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview

•  How to
   –  Customize look and feel
   –  Customize messages/languages
   –  Add text to your login site

Page 23


Page 24

Layout

•  Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
•  Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
•  Rebuild the idp.war file and restart tomcat

Page 25

Spring message properties

•  in /opt/shibboleth-idp/messages you find
   –  authn-messages.properties
   –  error-messages.properties
   –  consent-messages.properties
   these messages are used in the velocity templates
•  internationalization
   –  consent-messages_de.properties
   –  consent-messages_fr.properties, etc.

error-messages.properties

in /opt/shibboleth-idp/messages/error-messages.properties:

      # General strings
      idp.title = Web Login Service
      idp.title.suffix = Error
      idp.logo = /images/example.org.png
      idp.logo.alt-text = Example Home Organisation
      idp.logo.target.url = http://www.example.org
      idp.message = An unidentified error occurred.
      idp.footer = Insert your footer text here.

      # Error key to title and message mappings
      unexpected.title = Unexpected Error
      unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties

in /opt/shibboleth-idp/messages/authn-messages.properties:

      idp.login.loginTo = Login to
      idp.login.username = Username
      idp.login.password = Password
      idp.login.donotcache = Don't Remember Login
      idp.login.login = Login
      idp.login.forgotPassword = Forgot your password?
      idp.login.forgotPassword.url = https://support.example.org
      idp.login.needHelp = Need Help?

authn-messages.properties

in /opt/shibboleth-idp/messages/authn-messages.properties:

      # Classified Login Error messages
      UnknownUsername = bad-username
      InvalidPassword = bad-password
      ExpiredPassword = expired-password
      AccountLocked = account-locked
      bad-username.message = The username you entered cannot be identified.
      bad-password.message = The password you entered was incorrect.
      expired-password.message = Your password has expired.
      account-locked.message = Your account is locked.

Page 27

Velocity Properties

      <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Page 28

Velocity

•  The Apache Velocity Engine is a free, open-source templating engine
•  clean separation between the presentation tier and business tiers
•  VTL (Velocity Template Language)
   –  References begin with $
   –  Directives begin with #
   –  A single line comment begins with ## and finishes at the end of the line
   –  Multi-line comments begin with #* and end with *#

Login and intercept

•  The velocity templates are under /opt/shibboleth-idp/views
   –  login.vm
   –  login-error.vm
   –  intercept/attribute-release.vm
   –  intercept/terms-of-use.vm
   –  error.vm
   are most used (no restart required)
•  Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Page 29

Some Velocity Properties

•  $rpUIContext.informationURL
•  $rpUIContext.logo
•  $rpUIContext.organizationDisplayName
•  $rpUIContext.organizationName
•  $rpUIContext.organizationURL
•  $rpUIContext.privacyStatementURL
•  $rpUIContext.serviceDescription
•  $rpUIContext.serviceName

Velocity Properties

      #set ($name = $rpUIContext.ServiceName())
      #if ($name)
        <div class="space">
          <em>$encoder.encodeForHTML($name)</em>
        </div>
      #end

Page 30

Hands On I

•  make the IdP logo disappear for screens smaller than 799 px

Hands On II

•  return the following error message on the login form in case of invalid username or incorrect password:

   "The credentials you entered are incorrect."

Page 31

Hands On III

•  Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

•  define a css class idp_logo:

      @media only screen and (max-width: 799px) {
        .idp_logo { display: none; }
      }

•  use the class in login.vm:

      <img class="idp_logo" align="right" …

•  rebuild and restart tomcat:

      sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
      sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II

•  Edit authn-messages.properties:

      UnknownUsername = bad-credentials
      InvalidPassword = bad-credentials
      bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2

•  Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
•  Some deprecated elements are ignored
•  Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

•  No warning for using legacy configuration mode
•  Delete ignored elements
•  Grouping attribute definitions in separate files
   –  Less misleading, smaller files, clearer

Page 35

Deprecated items

•  Principal connectors
•  NameID encoders
•  Transient identifier attribute definitions
•  Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation

New features in version 3

•  Property replacement: %{my.property}
   •  Move passwords to a dedicated file
   •  Extract duplicated data like URLs
•  Can split configuration into several files
•  External Spring configuration for data connectors
•  Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

      <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
          generatedAttributeID="persistentID"
          sourceAttributeID="%{idp.persistentId.sourceAttribute}"
          salt="%{idp.persistentId.salt}"
          queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>
          shibboleth.PostgreSQLDataSource
        </dc:BeanManagedConnection>
      </resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
   SAP User ID used internally by University of Zürich
   SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
   SAML2 Name: urn:oid:1361411181711213
   Friendly name: uzhSAPUserId
   Format: SAP-<username>

(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

      <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
      </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

      <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
          <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
      </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

      <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
      </util:list>

      <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter" />
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
      </util:list>

ScriptedAttribute differences

•  IdP API for scripts has changed
   •  output attribute variable already created
   •  setValues() removed
   •  and more, see ScriptedAttributeDefinition for details
•  Alternatives: mapped or template attribute definitions
•  JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

      <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
          sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
      </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

      <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
      </resolver:AttributeDefinition>

Page 40

References

•  Shibboleth wiki: AttributeResolverConfiguration and its child pages
•  Shibboleth wiki: AttributeFilterConfiguration
•  Shibboleth wiki: ScriptedAttributeDefinition
•  Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

•  a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
•  introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
•  first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
•  configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice

•  on the wire (in a SAML assertion):

      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="https://aai-login.example.org/idp/shibboleth"
              SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

•  attribute rendering in the Shibboleth SP (string):

      https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

•  by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
•  when used in a federation: always qualified by the IdP and SP entity IDs
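An added example, not from the handouts or the Shibboleth code base, that builds a persistent ID as the slide describes it and renders both the on-the-wire and the SP string form, to make the pair-wise and salted nature visible. The '!' separators between the hashed parts are an assumption modelled on Shibboleth's computed-ID layout (compare against your own shibpid rows); entity IDs, user value and salt are constructed.

```python
"""Added example (not SWITCH's or Shibboleth's code): construct a persistent
NameID the way the slide describes it and show the two forms it travels in."""
import base64
import hashlib

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def compute_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entity ID, user attribute value and salt, Base64 encoded.
    20 digest bytes give a 28-character string ending in '='.
    The salt is what keeps the pseudonym non-public: without it, anyone who
    knows the SP entity ID could test guesses for the user value against an
    observed ID."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")                 # separator: assumption, see lead-in
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def name_id_element(idp_entity_id, sp_entity_id, value):
    """On-the-wire form inside the assertion's <Subject>: the value alone is
    meaningless, the two qualifiers scope it to exactly one IdP/SP pair."""
    return (f'<NameID Format="{PERSISTENT_FORMAT}" '
            f'NameQualifier="{idp_entity_id}" '
            f'SPNameQualifier="{sp_entity_id}">{value}</NameID>')


def sp_rendering(idp_entity_id, sp_entity_id, value):
    """String the Shibboleth SP exposes to the application, qualifiers included."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def demo():
    """Constructed values: one user seen by two SPs behind the same IdP."""
    idp = "https://aai-login.example.org/idp/shibboleth"
    sp_a = "https://sp.example.org/shibboleth"
    sp_b = "https://other-sp.example.org/shibboleth"
    uid = "123456@example.org"                    # e.g. a swissEduPersonUniqueID
    salt = "CHANGE-ME-to-a-long-random-value"     # placeholder for idp.persistentId.salt
    id_a = compute_persistent_id(sp_a, uid, salt)
    id_b = compute_persistent_id(sp_b, uid, salt)
    return {
        "sp_a": id_a,                 # same input, same output: persistent
        "sp_b": id_b,                 # differs from sp_a: targeted, pair-wise
        "wire": name_id_element(idp, sp_a, id_a),
        "sp_string": sp_rendering(idp, sp_a, id_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```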

Persistent ID changes with the IdP v3

•  no disruptive ones, but a couple of things have happened behind the scenes
•  most importantly, the IdP v3 brings a new, dedicated NameID generation service
   –  preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
   –  deprecates the StoredId data connector and the SAML2NameID attribute definition type
   –  in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
   –  the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service

•  configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

      idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
      idp.persistentId.store = PersistentIdStore
      idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

•  to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
•  to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
•  finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

•  the database schema for the shibpid table remains unchanged
•  when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
•  "transferring" the records from MySQL to PostgreSQL is straightforward:

      me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
      me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

•  make sure to import the records into an empty table, i.e. execute

      sudo -u postgres psql shibboleth -c 'truncate shibpid'

   before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises

•  examine the current contents of the shibpid table:

      $ sudo -iu postgres psql shibboleth
      shibboleth=# \pset pager off
      shibboleth=# \dS shibpid
      shibboleth=# select * from shibpid;

•  delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
•  dump the shibpid table to a file, purge the table with truncate, and reimport the records
•  log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3

Part 2: Technical bits

Page 46

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

•  Attribute release and terms of use consent now built in
•  Inspired by the uApprove and uApproveJP plugins for v2
•  No consent data migration: storage implementations are not compatible
•  May be enabled or disabled per relying party and per profile
•  Decisions logged

Page 47

Differences with uApprove

•  User can select attributes to release [disabled]
•  Consent duration choices
   1. Ask me again if information changes (= if the set of attributes changes)
   2. Ask me again at next login [enabled]
   3. Do not ask me again, ever, for any SP [enabled]
•  No regular expression for SP white/black lists
•  No translations provided

Why enable user consent?

•  Easier to have now with v3 than with v2
•  Required by the SWITCHaai Interfederation Access Declaration
•  Inform users about what personal data is transmitted, in a more real-time fashion
•  Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

•  One more page to read and click through upon login, but only the first time for each SP
•  Global consent disabled: users cannot choose "I don't care about my privacy"
•  Decide for all your users, or let them decide

When should consent be sought?

•  All SPs: the best option ← recommended
•  Outside your organisation: good, fewer clicks
•  Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides

•  Post-authentication flows
   •  Attribute consent [enabled]
   •  Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release by default]:

      <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
          <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
          </list>
        </property>
      </bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties

Consent duration options:

•  Ask me again if information changes
   Always available to users
•  Ask me again at next login
      idp.consent.allowDoNotRemember = true   [true]
•  Do not ask me again
      idp.consent.allowGlobal = false   [true]

Page 51

Attribute consent configuration: Per attribute behaviour

•  Allow selection of attributes to release (may break applications if required attributes are withheld)
      idp.consent.allowPerAttribute = false   [false]
•  Ask again if attribute values change
      idp.consent.compareValues = true   [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]

•  White list [empty]: when filled, any attribute not mentioned in a list is released without asking
•  Black list [transientId, persistentId, eduPersonTargetedID]
•  Pattern match [not defined]

Page 52

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

•  Alphabetical order by default
•  Except attributes in the white list show up first
•  Set pattern to ^.*$ to catch all other attributes
•  Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties

•  Terms for each SP
   •  Default mapping using the entityID:

         https://sp.example.org = example-tou-1
         example-tou-1.title = Example Terms of Use
         example-tou-1.text = <em>This is an example ToU</em> […]

•  Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

      <bean id="shibboleth.consent.terms-of-use.Key"
            class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
          <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
            <constructor-arg name="map">
              <map>
                <entry key="https://sp.example.org/shibboleth" value="example-terms" />
              </map>
            </constructor-arg>
          </bean>
        </constructor-arg>
        <constructor-arg name="f">
          <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
      </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

•  Enable the terms-of-use flow in conf/relying-party.xml
•  Change the key bean in conf/intercept/consent-intercept-config.xml to:

      <bean id="shibboleth.consent.terms-of-use.Key"
            class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
      </bean>

Hands-on solution

•  Add text in messages/consent-messages.properties:

      my-terms = bogus-tou
      bogus-tou.title = Bogus Terms of Use
      bogus-tou.text = You can do anything you want

Page 55

References

•  Shibboleth wiki: ConsentConfiguration
•  Shibboleth wiki: RelyingPartyConfiguration
•  Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: Relying party overrides

Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant.

Disabling the prompt for particular SPs: Entity attributes in metadata

Entity categories:
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship

New attributes available:
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the consent flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

The override's profile configurations do not enable the consent intercept flows, so SPs whose metadata carries the tag get no consent prompt. Because this decision is driven purely by metadata, only a signed and verified metadata source should be able to set these entity attributes.
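To make the matching rules above concrete, here is an added example (not from the SWITCH handout) that evaluates an ordered override list against a SAML metadata aggregate the way the IdP's by-name, by-group and by-tag candidates do, with "first match wins". The metadata aggregate, the override IDs other than shibboleth.NoUserConsentRelyingParty and the Python data model are constructed for this illustration; tag matching accepts any one of the listed values, which is assumed to mirror the default behaviour of TagCandidate.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"          # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed sample aggregate: three SPs inside one EntitiesDescriptor group.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="urn:mace:switch.ch:SWITCHaai"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""


def load_entities(xml_text):
    """Map entityID -> {"groups": [EntitiesDescriptor names], "tags": {name: [values]}}."""
    entities = {}

    def walk(node, groups):
        if node.tag == "{%s}EntitiesDescriptor" % NS["md"]:
            for child in node:
                walk(child, groups + [node.get("Name", "")])
        elif node.tag == "{%s}EntityDescriptor" % NS["md"]:
            tags = {}
            path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
            for attr in node.findall(path, NS):
                values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
                tags.setdefault(attr.get("Name"), []).extend(values)
            entities[node.get("entityID")] = {"groups": groups, "tags": tags}

    walk(ET.fromstring(xml_text), [])
    return entities


# Override list in conf/relying-party.xml order: first match wins.
# (override bean id, matcher kind, matcher argument); the last two ids are made up.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", "tag", (HOME_ORG, {"example.org"})),
    ("shibboleth.CoCoRelyingParty", "tag", (ENTITY_CATEGORY, {COCO})),
    ("shibboleth.SWITCHaaiRelyingParty", "group", "urn:mace:switch.ch:SWITCHaai"),
]


def matches(entity_id, entity, kind, arg):
    if kind == "name":
        return entity_id == arg
    if kind == "group":
        return arg in entity["groups"]
    if kind == "tag":
        name, wanted = arg
        return bool(wanted & set(entity["tags"].get(name, [])))
    raise ValueError("unknown matcher kind: %s" % kind)


def select_override(entities, entity_id, overrides=OVERRIDES):
    """Return the first matching override id, or the default relying party config.
    Entities absent from the (trusted, signed) metadata never match an override."""
    entity = entities.get(entity_id)
    if entity is None:
        return "shibboleth.DefaultRelyingParty"
    for override_id, kind, arg in overrides:
        if matches(entity_id, entity, kind, arg):
            return override_id
    return "shibboleth.DefaultRelyingParty"


if __name__ == "__main__":
    ents = load_entities(SAMPLE_METADATA)
    for eid in ents:
        print(eid, "->", select_override(ents, eid))
```

sp1 carries both the home-organisation tag and the CoCo category; it lands in the no-consent override only because that bean comes first, which is exactly why the order of shibboleth.RelyingPartyOverrides matters.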

Upgrades within Version 3
It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Upgrading Procedure

• Download the latest Identity Provider software package from
  https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux),
  and verify the PGP signature (.asc file) published next to it before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          $ sudo service tomcat7 restart
    Red Hat/CentOS:  $ sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description Changes in Resource Registry

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

What technically defines your Identity Provider in SWITCHaai or

eduGAIN

Its SAML2 Metadata

Page 62

copy 2015 SWITCH 3

copy 2015 SWITCH

Does metadata change when IdP is upgraded

Fortunatly not but revising metadata still might cause some

minor changes

Page 63

copy 2015 SWITCH

IdPv2 vs IdPv3 Metadata

 Endpoint URLs stay the same  Unlike upgrade vom IdPv1 to IdPv2  Therefore no metadataResource Registry change needed in theory

 However some changes still recommended 1  Review the Home Organisation Description 2  Change URL for Attribute Authority 3  Remove Unnecessary Endpoints

 To change metadata change Home Organisation description  Apply change in AAI Resource Registry httpsrraaiswitchch

5

copy 2015 SWITCH

Home Organisation Description

6

12 To review

3 To adapt

Page 64

copy 2015 SWITCH

1 Review the Home Organisation Description

In particular review and adapt if necessary  1 General Information

  Interfederation Support (option only available if Interfederation Access Declaration has been signed More information on httpswwwswitchchaaisupportdocumentsinterfederation)

 2 Descriptive Information  Add new IP ranges and Domain Hints

 5 Contacts  Please ensure only non-personal email addresses are listed Ideally also

add helpdesk phone numbers

 7 Attribute Release Settings  Default attribute release policies Consider to release all RampS attributes

7

copy 2015 SWITCH

2 Change URL for Attribute Authority

Recommendation so far Separate port (ie 8443) or IP for IdP Attribute Authority (AA)

8

Page 65

copy 2015 SWITCH

2 Change URL for Attribute Authority

New Recommendation Use same IP and same Port (443) for Attribute Authority (AA) Why  Easier configuration because  only one Apache VirtualHost  one domain name and one certificate  no X509 client authentication needed anymore

(SP still checks IdP webserver certificate agains IdPs metadata)  Attribute Queries are hardly used anymore

(but will become important again for support of edu-ID)

9

copy 2015 SWITCH

But how is the attribute query still secured without X509 client authentication by the Service

Provider SP signs attribute query request with

his private key the IdP checks signature with SPs public key in

metadata

Page 66

copy 2015 SWITCH

2 Change URL for Attribute Authority

What to adapt in Resource Registry then In 3 Technical Information change the URLs for  Attribute Service  Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment Typically the URLs change from eg httpsaai-loginexampleorg8443idp or httpsaai-aaexampleorgidp

to httpsaai-loginexampleorgidp

11

copy 2015 SWITCH

3 Remove Unnecessary Endpoints

Which endpoints to remove Generally its better to only have published in metadata what is needed and used So in 3 Technical Information consider removing end points that are hardly used

Candidates to remove  Single Sign On Service with

SAML2 HTTP POST SimpleSign binding  Artifact Resolution Service with SAML1 SOAP binding  Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used 12

Page 67

copy 2015 SWITCH

3 Remove Unnecessary Endpoints

How to check if a profile and binding can be removed Check if it has been used within last few months If not remove it from Resource Registry How to check if it has been used Check log files To find if SAML1 SOAP binding logins in 2015 $ cd optshibboleth-idplogs $ grep urnoasisnamestcSAML10bindingsSOAP-binding idp-process-2015-log Returns information (ie time SP) when binding was used the last time

13
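The grep above answers "was this binding ever used?"; the added example below (not from the SWITCH handout) goes one step further and reports, per binding and per SP, the last time it was used, then lists the candidate bindings that have been idle since a cut-off date. The log lines are constructed for this illustration; the only assumption about the real idp-process.log is that a line carries a leading "YYYY-MM-DD HH:MM:SS" timestamp, a binding URN and the SP's entityID, since the exact message wording differs between IdP versions.

```python
import re
from collections import defaultdict

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of idp-process.log lines (not real IdP output).
SAMPLE_LOG = """\
2015-03-02 09:10:11,201 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect for relying party https://sp1.example.org/shibboleth
2015-03-02 09:10:12,455 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth
2015-04-17 14:02:03,006 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth
2015-05-29 08:00:00,000 - INFO [net.shibboleth.idp.profile:123] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect for relying party https://sp2.example.org/shibboleth
2015-05-29 08:00:01,000 - WARN [net.shibboleth.idp.profile:456] - something unrelated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r".*?(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+)"
    r".*?(?P<sp>https?://\S+)"
)


def last_use_per_binding(lines):
    """Return {binding: {entityID: latest timestamp}} for every binding seen."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # lines without a binding URN are irrelevant here
        ts, binding, sp = m.group("ts"), m.group("binding"), m.group("sp")
        if ts > seen[binding].get(sp, ""):   # ISO-style timestamps sort lexically
            seen[binding][sp] = ts
    return seen


def removable_endpoints(lines, candidates, since):
    """Bindings from `candidates` with no use at or after `since` (YYYY-MM-DD).
    A binding that never appears in the logs is reported as removable too."""
    seen = last_use_per_binding(lines)
    result = []
    for binding in candidates:
        latest = max(seen.get(binding, {}).values(), default="")
        if latest < since:
            result.append(binding)
    return result


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for binding, sps in last_use_per_binding(lines).items():
        for sp, ts in sps.items():
            print(binding, sp, "last used", ts)
    print("unused since 2015-05-01:",
          removable_endpoints(lines, [SAML1_SOAP, SAML2_POST_SIMPLESIGN], "2015-05-01"))
```

Run it over all idp-process-*.log files you still have; a binding that never shows up in the retained logs is only safe to remove if the retention window is long enough to cover the rare users (e.g. once-a-semester services).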

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[Figure: example environment; the diagram is not reproduced in the handout text]

Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for the short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behaviour of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side
• A server-side database can store any data
  • But: might cause some performance penalty
  • A centralized/clustered or replicated database is required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message replayed to a different node than the one that first saw it is not detected, so how much protection a per-node cache gives depends on the load balancer's stickiness
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
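The replay cache point is easy to see in code. The following added example (not from the SWITCH handout) implements a minimal replay cache with expiry and runs the same SAML message ID first against node A and then, as a replay, against node B, once with per-node stores and once with one store shared by both nodes. The cache class, the fake clock, the two-node simulation and the message IDs are all constructed for this illustration; the IdP's own replay cache is built on its StorageService and is not reproduced here.

```python
import time


class ReplayCache:
    """Remember (context, message id) pairs until they expire.
    check() returns True the first time a pair is seen within its lifetime
    and False for a replay that arrives while the original is still valid."""

    def __init__(self, store, clock=time.time):
        self.store = store      # a dict: private to one node or shared by all nodes
        self.clock = clock

    def check(self, context, message_id, lifetime):
        now = self.clock()
        key = (context, message_id)
        expires = self.store.get(key)
        if expires is not None and expires > now:
            return False        # replay inside the message lifetime
        # Purge expired entries lazily so the store does not grow without bound.
        for stale in [k for k, exp in self.store.items() if exp <= now]:
            del self.store[stale]
        self.store[key] = now + lifetime
        return True


class FakeClock:
    """Deterministic clock so the expiry behaviour can be exercised offline."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_cluster(shared_store):
    """Present one SAML message ID to node A, then replay it to node B.
    Returns (accepted on A, accepted on B as a replay)."""
    clock = FakeClock()
    store_a = {}
    store_b = store_a if shared_store else {}
    node_a = ReplayCache(store_a, clock)
    node_b = ReplayCache(store_b, clock)
    msg = ("saml2-assertion", "_d4f1c2e9e1a247c0b3c9")   # constructed message ID
    first = node_a.check(*msg, lifetime=300)
    clock.advance(5)                                       # retry lands on the other node
    replay = node_b.check(*msg, lifetime=300)
    return first, replay


def run_expiry():
    """An ID may legitimately reappear once its lifetime has passed."""
    clock = FakeClock()
    cache = ReplayCache({}, clock)
    first = cache.check("saml2-assertion", "_abc", lifetime=60)
    clock.advance(61)
    again = cache.check("saml2-assertion", "_abc", lifetime=60)
    return first, again


if __name__ == "__main__":
    print("per-node caches: replay accepted on node B ->", run_cluster(shared_store=False)[1])
    print("shared cache:    replay accepted on node B ->", run_cluster(shared_store=True)[1])
```

With per-node stores the replay is accepted by node B, which is the gap the handout describes; with a shared store (database or memcached) it is rejected. The lifetime must be at least as long as the validity window of the messages being protected, otherwise the cache forgets an ID while the message is still acceptable.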

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Whoever holds this key can forge session cookies, so copy it only over an authenticated channel (e.g. scp), keep the keystore readable by the IdP user only, and retain enough previous key versions that cookies issued before a rotation still decrypt for the configured session lifetime.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
• http://www.edugain.org
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
• https://www.switch.ch/aai/interfederation
• Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration
• SWITCH will then enable the checkbox in the Resource Registry

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
• https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes the metadata
• Policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use, based on
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata
[Figure: metadata illustration; not reproduced in the handout text]

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale
• Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
• Code of Conduct Toolkit
  • Data Protection Code of Conduct for SPs in EU/EEA
  • Entity category attribute definition for the Code of Conduct
  • SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Entity category value: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

                REFEDS R&S                   GÉANT DP CoCo
Scope           Global                       Mainly Europe
Basis           Common purpose of the SPs    Common data protection standards
Attributes      Fixed set of attributes      SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Figure: screenshot; not reproduced in the handout text]

Attribute Release Settings (1)
[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings (screenshot)]

Attribute Release Settings (2)
[Figure: screenshot; not reproduced in the handout text]

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition
  • dir: /etc/apache2/sites-available
  • file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO   (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, i.e.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Despite the DEBUG root level, the SMTPAppender only sends a mail when an ERROR event occurs (its default evaluator), with a buffer of the preceding events included; those events can contain user identifiers, so the recipient address should be a trusted operations mailbox.

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   • set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   • insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
    $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry). Keep it that way: anyone who can call these flows can force the IdP to re-read whatever is currently on disk.
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
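As an added example (not from the SWITCH handout, and not one of the IdP's own reload scripts), the small helper below builds the admin reload URL for a given bean ID, refuses service IDs that are not in the list above before it ever contacts the IdP, performs the request, and extracts the reload events from idp-audit.log lines. The audit lines are constructed for this illustration; the only assumption about the real file is the pipe-separated layout in which the profile URI appears, as shown on the hands-on slide. The fetch function is injectable so the code can be exercised without a running IdP.

```python
import urllib.parse
import urllib.request

RELOADABLE_SERVICES = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
    "http://shibboleth.net/ns/profiles/reload-metadata",
}


def reload_url(base, kind, bean_id):
    """base: e.g. https://aai-login.example.org/idp; kind: "service" or "metadata".
    Service IDs are checked against the known list so a typo fails locally
    instead of producing an opaque error from the admin flow."""
    if kind not in ("service", "metadata"):
        raise ValueError("kind must be 'service' or 'metadata'")
    if kind == "service" and bean_id not in RELOADABLE_SERVICES:
        raise ValueError("unknown service bean id: %s" % bean_id)
    query = urllib.parse.urlencode({"id": bean_id})
    return "%s/profile/admin/reload-%s?%s" % (base.rstrip("/"), kind, query)


def trigger_reload(base, kind, bean_id, fetch=urllib.request.urlopen):
    """Call the admin flow and return (HTTP status, response body as text).
    `fetch` must return a response usable as a context manager with
    .status and .read(), which urlopen's response is."""
    with fetch(reload_url(base, kind, bean_id)) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


# Constructed idp-audit.log sample: two reload events and one ordinary SSO record.
SAMPLE_AUDIT = """\
2015-06-11T08:15:02.111Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
2015-06-11T08:15:30.512Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
2015-06-11T08:16:01.004Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1b2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|||||
"""


def reload_events(lines):
    """Return [(timestamp, profile URI)] for audit lines that record a reload.
    The id= argument is not part of the audit record, so it cannot be recovered here;
    correlate with idp-process.log (or the web server access log) if you need it."""
    events = []
    for line in lines:
        fields = line.split("|")
        for field in fields:
            if field in RELOAD_PROFILES:
                events.append((fields[0], field))
                break
    return events


if __name__ == "__main__":
    print(reload_url("https://aai-login.example.org/idp", "service",
                     "shibboleth.AttributeFilterService"))
    for ts, profile in reload_events(SAMPLE_AUDIT.splitlines()):
        print(ts, profile)
```

Because the admin flows are normally reachable only from localhost, run this on the IdP host itself (or through whatever access-control.xml permits); a reload of a file with a syntax error leaves the previously loaded configuration in place, which the hands-on exercise below lets you confirm.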

And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • Edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  • Say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• Try reloading a couple of the services listed above (quote the URL so the shell does not treat ? as a glob):
    $ curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive, http://www.data-archive.ac.uk/
2) FUNET FileSender, https://filesender.funet.fi/
3) Wiseflow, https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue: the SP does not load interfederation metadata
  – The SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that the attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    · If YES: the SP has to check why it fails
    · If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
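The decision tree on the Attributes slide, as an added example that is not part of the SWITCH handouts: a small Python check that applies it offline to a metadata aggregate. It answers the two questions a troubleshooter asks first, whether the SP is in the metadata the IdP loaded at all, and which of the attributes the SP marks as required were not released. The aggregate, the SP entity ID and the set of released attributes are constructed sample data; in practice the aggregate would be a file such as /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml and the released set would come from the IdP's audit log.

```python
"""Offline check for the two interfederation failure modes discussed above:
(1) is the SP present in the metadata the IdP loaded at all, and
(2) which of the attributes the SP marks as required were not released.

Added example, not code from the SWITCH handouts. The metadata aggregate
and the list of released attributes below are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample aggregate: one SP with two required and one optional attribute.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-interfederation">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName"
            Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def find_sp(aggregate_xml: str, entity_id: str):
    """Return the SPSSODescriptor for entity_id, or None if the SP is not in
    this metadata set (the mirror image of 'SP does not know the IdP': an IdP
    that has not loaded the interfederation metadata does not know the SP)."""
    root = ET.fromstring(aggregate_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") == entity_id:
            return ed.find("md:SPSSODescriptor", NS)
    return None


def supports_saml2(sp_descriptor) -> bool:
    """True if the SP advertises SAML 2.0 at all; without it the IdP's SAML2.SSO
    profile cannot serve the relying party."""
    return SAML2 in sp_descriptor.get("protocolSupportEnumeration", "").split()


def required_attributes(sp_descriptor) -> set:
    """Attribute names (urn:oid form) the SP marks isRequired="true"."""
    req = set()
    for ra in sp_descriptor.iterfind("md:AttributeConsumingService/md:RequestedAttribute", NS):
        if ra.get("isRequired", "false").lower() == "true":
            req.add(ra.get("Name"))
    return req


def missing_required(aggregate_xml: str, entity_id: str, released) -> set:
    """Apply the slide's decision tree: SP absent or without SAML 2.0 -> None
    (a metadata problem, not an attribute problem); otherwise the set of
    required attribute names that were not released."""
    sp = find_sp(aggregate_xml, entity_id)
    if sp is None or not supports_saml2(sp):
        return None
    return required_attributes(sp) - set(released)
```

A result of None points at the metadata or discovery side of the slides; a non-empty set points at the attribute release policy; an empty set means the SP has to look at its own side.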

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org/

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch/
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Login Flows (diagram): the SAML request reaches the authentication engine of the Shibboleth IdP, which selects a suitable flow (RemoteUser, X.509 or Password authentication flow), executes it and returns the SAML response.

Login Flows
• One or several flows can be activated
• The authentication engine of the IdP selects a suitable flow depending on several criteria:
  – Does the SP request a specific authentication context type?
  – Does the SP request forced authentication?
  – Does the SP request passive authentication?
• In practice most deployments will use the Password login flow as the only one
• ECP is supported out-of-the-box by the Password login flow; no special configuration is required
  – But the client must support ECP appropriately

Page 16

Authentication Configuration
• Login flow activation: /opt/shibboleth-idp/conf/idp.properties
  The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration: /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  – All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  – Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Page 17

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
• /opt/shibboleth-idp/conf/credentials.properties
    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]

Properties for LDAP authentication
• General options
  – idp.authn.LDAP.authenticator: user lookup and authentication method; must be set to bindSearchAuthenticator
• Connection options
  – idp.authn.LDAP.ldapURL: URL of the LDAP server(s); must start with ldap:// or ldaps:// (multiple servers can be specified by listing multiple URLs separated by spaces)
  – idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389); if not enabled, the connection is not encrypted
  – idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636); must usually be set to true

Page 18

Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig: type of X.509 certificate verification method; usually set to jvmTrust (the LDAP server certificate must then chain to a CA present in the JVM's trust store)
• User directory options
  – idp.authn.LDAP.baseDN: entry point in the user directory
  – idp.authn.LDAP.subtreeSearch: enable searching the whole tree; usually set to true
  – idp.authn.LDAP.userFilter: LDAP search filter; takes the login name as input via the {user} placeholder

Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN: bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential: password of the IdP service user
(Further properties for LDAP are available but not described here; see the documentation for details.)

Page 19

Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password
    idp.authn.flows = Password
• LDAP attribute holding the login name: uid
    idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
    (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config (the JAAS login configuration):

    ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
        baseDn="ou=People,dc=example,dc=org"
        bindDn="cn=idp,dc=example,dc=org"
        bindCredential="secret"
        userField="uid"
        subtreeSearch="true";
    };

PS: a common and equivalent alternative to userField is userFilter:
    userField="uid"  is the same as  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
    [...]
    idp.authn.LDAP.authenticator = bindSearchAuthenticator
    idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    idp.authn.LDAP.sslConfig = jvmTrust
    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
    [...]

File /opt/shibboleth-idp/conf/credentials.properties (not ldap.properties: the bind password belongs in the separately protected credentials file):
    [...]
    idp.authn.LDAP.bindDNCredential = secret
    [...]
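The migration from Hands-on 2 done mechanically, as an added example that is not a tool from the handouts or from the Shibboleth project: the script extracts the options of the v2 LdapLoginModule stanza, emits the matching idp.authn.LDAP.* properties with the bind password split out into credentials.properties, and then lints the result for the mistakes that matter (password in the wrong file, unencrypted directory connection, missing {user} placeholder). Assumptions: only the option names that appear on the slides are mapped and anything else is reported as unmapped; an ldap:// URL is mapped to StartTLS rather than left in clear text. The v2 stanza is constructed sample input.

```python
"""Convert the v2 JAAS LdapLoginModule stanza from login.config into the v3
idp.authn.LDAP.* properties, splitting the bind password out into
credentials.properties, and lint the result.

Added example, not a tool from the SWITCH handouts or the Shibboleth project.
Assumptions: only the option names on the slides (ldapUrl, baseDn, bindDn,
bindCredential, userField, userFilter, subtreeSearch) are mapped; anything
else is reported as unmapped so it is not silently dropped.  The stanza below
is constructed sample input.
"""
import re
from urllib.parse import urlsplit

V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
'''

# key="value" or key=value pairs inside the JAAS stanza
_OPTION = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+?))(?=\s|;)')


def parse_jaas_options(text: str) -> dict:
    """Extract the option map of the first LdapLoginModule stanza."""
    m = re.search(r'LdapLoginModule\s+\w+\s+(.*?);', text, re.S)
    if not m:
        raise ValueError("no LdapLoginModule stanza found")
    return {k: (q or u) for k, q, u in _OPTION.findall(m.group(1))}


def to_v3(opts: dict):
    """Return (ldap.properties dict, credentials.properties dict, unmapped keys)."""
    ldap, creds, unmapped = {}, {}, []
    ldap["idp.authn.LDAP.authenticator"] = "bindSearchAuthenticator"
    urls = opts.get("ldapUrl", "").split()
    if not urls:
        raise ValueError("ldapUrl is required")
    ldap["idp.authn.LDAP.ldapURL"] = " ".join(urls)
    schemes = {urlsplit(u).scheme for u in urls}
    if schemes != {"ldaps"} and schemes != {"ldap"}:
        raise ValueError("mixed or unknown URL schemes: %s" % sorted(schemes))
    # ldaps:// -> TLS from the start; ldap:// -> upgrade with StartTLS so that
    # neither the bind password nor user passwords cross the wire in clear text
    ldap["idp.authn.LDAP.useSSL"] = "true" if schemes == {"ldaps"} else "false"
    ldap["idp.authn.LDAP.useStartTLS"] = "true" if schemes == {"ldap"} else "false"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    for k, v in opts.items():
        if k == "baseDn":
            ldap["idp.authn.LDAP.baseDN"] = v
        elif k == "bindDn":
            ldap["idp.authn.LDAP.bindDN"] = v
        elif k == "bindCredential":
            creds["idp.authn.LDAP.bindDNCredential"] = v   # secrets file only
        elif k == "subtreeSearch":
            ldap["idp.authn.LDAP.subtreeSearch"] = v
        elif k == "userField":
            ldap["idp.authn.LDAP.userFilter"] = "(%s={user})" % v
        elif k == "userFilter":
            # v2 JAAS used {0} for the login name, v3 uses {user}
            f = v.replace("{0}", "{user}")
            ldap["idp.authn.LDAP.userFilter"] = f if f.startswith("(") else "(%s)" % f
        elif k != "ldapUrl":
            unmapped.append(k)
    return ldap, creds, unmapped


def lint(ldap: dict, creds: dict) -> list:
    """Checks a reviewer would make before deploying the migrated files."""
    problems = []
    if any(k.endswith("bindDNCredential") for k in ldap):
        problems.append("bind password must live in credentials.properties")
    if "idp.authn.LDAP.bindDNCredential" not in creds:
        problems.append("no bind password configured")
    if ldap.get("idp.authn.LDAP.useSSL") != "true" and ldap.get("idp.authn.LDAP.useStartTLS") != "true":
        problems.append("connection to the directory is unencrypted")
    if "{user}" not in ldap.get("idp.authn.LDAP.userFilter", ""):
        problems.append("userFilter does not contain the {user} placeholder")
    return problems


def render(props: dict) -> str:
    """Properties-file text, one key per line, sorted for stable diffs."""
    return "".join("%s = %s\n" % kv for kv in sorted(props.items()))


if __name__ == "__main__":
    ldap, creds, unmapped = to_v3(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties\n" + render(creds))
    print("unmapped:", unmapped, "problems:", lint(ldap, creds))
```

Run against the stanza above it prints exactly the two files of the solution; feed it your own login.config and review the unmapped list before copying anything into production.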

Page 21

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow; needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    · Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23

Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Page 25

Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Page 27

Velocity Properties
    <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end
These values originate from the SP's metadata, so always pass them through $encoder.encodeForHTML before placing them in the page.

Page 30

Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• Define a CSS class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• Use the class in login.vm:
    <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
  Mapping both error classes to one message also stops the login form from revealing which usernames exist.
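A check for the property Example Solution II establishes, added here as an example and not part of the handouts: a login form that answers "username cannot be identified" for one input and "password was incorrect" for another lets anyone confirm which usernames exist. The script parses the subset of the Java .properties format the IdP message files use (key = value, # comments, backslash continuation lines), resolves each classified error the way login-error.vm does (class, message key, <key>.message) and reports pairs of classes whose rendered text differs. Both property texts are constructed samples: the stock mapping from the earlier slide and the corrected one.

```python
"""Check that the classified login errors in authn-messages.properties do not
let an attacker tell a wrong username from a wrong password (username
enumeration through the login form), which the "bad-credentials" mapping in
Example Solution II fixes.

Added example, not part of the handouts.  It parses the Java .properties
subset used by the IdP message files (key = value, '#' comments and
backslash continuation lines).  The two property texts are constructed.
"""

BEFORE = """
# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

AFTER = """
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-credentials.message = The credentials \\
    you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

# Error classes whose messages must be indistinguishable to the user
INDISTINGUISHABLE = ("UnknownUsername", "InvalidPassword")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: comments, '=' or ':' separators and
    backslash line continuations (enough for the IdP message files)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    if pending:
        props[pending.strip()] = ""
    return props


def user_visible_message(props: dict, error_class: str) -> str:
    """Resolve an error class to the text shown on login-error.vm:
    class -> message key -> <key>.message (falling back to the key itself)."""
    key = props.get(error_class, error_class)
    return props.get(key + ".message", key)


def enumeration_leaks(props: dict) -> list:
    """Pairs of error classes that render different messages although they
    should not, i.e. responses an attacker can use to confirm usernames."""
    leaks = []
    classes = [c for c in INDISTINGUISHABLE if c in props]
    for i, a in enumerate(classes):
        for b in classes[i + 1:]:
            if user_visible_message(props, a) != user_visible_message(props, b):
                leaks.append((a, b))
    return leaks
```

Point parse_properties at your own /opt/shibboleth-idp/messages/auth-messages file (and each language variant) and add any further classes you want to keep indistinguishable to INDISTINGUISHABLE.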

Page 33

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible
  – Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions
  – Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
  – Less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.
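Since the v3 IdP ignores the four deprecated categories above without warning, a migration benefits from a list of what to delete. The following lint is an added example, not part of the handouts or of the IdP: it walks an attribute-resolver file and reports every principal connector and every definition, connector or encoder whose xsi:type belongs to one of the deprecated categories, together with the id of the owning element. The concrete xsi:type names are the v2 ones known to the author of this example and are an assumption to extend from your own configuration; the resolver XML is a constructed sample.

```python
"""Scan attribute-resolver*.xml for the v2 constructs the v3 IdP ignores or
deprecates (the four categories on the slide) and report them with the id of
the owning element, so they can be deleted rather than silently carried along.

Added example, not part of the handouts.  The xsi:type names listed are the
v2 ones the author of this example knows for each category; treat the list
as an assumption and extend it from your own configuration.  The resolver
XML below is a constructed sample.
"""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# prefix-qualified xsi:type -> category from the slide (assumed v2 names)
DEPRECATED_TYPES = {
    "ad:TransientId": "transient identifier attribute definition",
    "ad:SAML2NameID": "persistent identifier attribute definition",
    "ad:SAML1NameIdentifier": "persistent identifier attribute definition",
    "dc:StoredId": "persistent identifier data connector",
    "dc:ComputedId": "persistent identifier data connector",
    "enc:SAML2StringNameID": "NameID encoder",
    "enc:SAML1StringNameIdentifier": "NameID encoder",
}

SAMPLE_RESOLVER = """<?xml version="1.0"?>
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId" sourceAttributeID="uid" salt="..."/>
  <resolver:PrincipalConnector id="saml2Persistent" xsi:type="pc:StoredId"
      nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</resolver:AttributeResolver>
"""


def find_deprecated(resolver_xml: str) -> list:
    """Return (category, owning element id, xsi:type) triples in document
    order.  ElementTree keeps the xsi:type text as written, so the match is
    on the conventional prefixes (ad:, dc:, enc:); a file using other
    prefixes needs a namespace-aware comparison instead."""
    root = ET.fromstring(resolver_xml)
    hits = []
    for elem in root:                      # top-level definitions and connectors
        owner = elem.get("id")
        if elem.tag == "{%s}PrincipalConnector" % RESOLVER_NS:
            hits.append(("principal connector", owner, elem.get(XSI_TYPE)))
            continue
        for node in elem.iter():           # the element itself and its encoders
            xsi_type = node.get(XSI_TYPE)
            if xsi_type in DEPRECATED_TYPES:
                hits.append((DEPRECATED_TYPES[xsi_type], owner, xsi_type))
    return hits


def ids_to_review(resolver_xml: str) -> list:
    """Distinct ids that contain at least one deprecated construct."""
    seen = []
    for _, owner, _ in find_deprecated(resolver_xml):
        if owner not in seen:
            seen.append(owner)
    return seen
```

Run it over every file listed in shibboleth.AttributeResolverResources before and after the cleanup; an empty result for all of them is the state the "Why upgrade your configuration" slide is after.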

New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features: example
    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}" queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:

    UZH SAP user ID
    SAP User ID used internally by University of Zürich
    SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
    SAML2 Name: urn:oid:1361411181711213
    Friendly name: uzhSAPUserId
    Format: SAP-<username>

(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Page 38

Hands-on 1 solution: services.xml
Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• The IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
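The computation described on the slide, reproduced as an added example (not code from the handouts or from the Shibboleth IdP) so that the two properties that matter can be checked: the value is stable for one user at one SP, and differs for the same user at another SP, which is what makes it a pair-wise pseudonym. Assumptions, marked in the code as well: the IdP's computed generator hashes the SP entity ID, the source attribute value and the salt joined by "!" with SHA-1 (verify the separator against your IdP version before using the values for anything beyond illustration), the IdP rejects salts shorter than 16 characters, and the entity IDs and salt are constructed.

```python
"""Reproduce the default (computed) persistent ID so that the two properties
on the slide can be checked: stable for one user at one SP, different for the
same user at another SP (pair-wise pseudonym).

Added example, not part of the handouts or the Shibboleth code base.
Assumptions: the computed generator hashes
relyingPartyId + "!" + sourceId + "!" + salt with SHA-1 (check the separator
against your IdP version), and the IdP rejects salts shorter than 16
characters.  Entity IDs and salt below are constructed.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SALT = "0123456789abcdef-constructed-sample-salt"   # constructed; never reuse


def computed_persistent_id(sp_entity_id: str, source_id: str, salt: str) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt; 20 bytes,
    Base64 -> 28 characters.  The "!" separator is an assumption (see above)."""
    if len(salt) < 16:
        # assumption: the IdP refuses short salts; with little entropy the
        # source attribute becomes recoverable by brute force once one
        # persistent ID is known
        raise ValueError("salt must be at least 16 characters")
    data = "%s!%s!%s" % (sp_entity_id, source_id, salt)
    digest = hashlib.sha1(data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def qualified_form(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """String form the Shibboleth SP exposes to applications: IdP!SP!value."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def is_pairwise(source_id: str, sp_a: str, sp_b: str, salt: str = SALT) -> bool:
    """True if the same user gets different identifiers at two SPs, i.e. the
    value cannot be used to correlate the user across services."""
    return computed_persistent_id(sp_a, source_id, salt) != computed_persistent_id(sp_b, source_id, salt)


def is_stable(source_id: str, sp: str, salt: str = SALT) -> bool:
    """True if repeated generation yields the same value (no randomness),
    which is what lets the stored variant be recreated after a record is
    deleted, as in the hands-on exercise further down."""
    return computed_persistent_id(sp, source_id, salt) == computed_persistent_id(sp, source_id, salt)
```

The same function also shows why the salt must be carried over unchanged from the v2 configuration: a different salt yields a different value for every user at every SP.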

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration; a different salt would give every user a new identifier at every SP)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (defaults in brackets).
• Consent duration options
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per-attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld:
    idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change:
    idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
• White & black lists: which attributes to prompt for [all except the black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except that attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
  – Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mappingConfigured by Spring beans inconfinterceptconsent-intercept-configxml

Provided bean mapping entityIDs to values [disabled]

ltbean id=shibbolethconsentterms-of-useKey class=comgooglecommonbaseFunctions factory-method=composegt ltconstructor-arg name=ggt ltbean class=comgooglecommonbaseFunctions factory-method=forMap cdefaultValue=terms-of-usegt ltconstructor-arg name=mapgt ltmapgt ltentry key=httpsspexampleorgshibboleth value=example-terms gt ltmapgt ltconstructor-arggt ltbeangt ltconstructor-arggt ltconstructor-arg name=fgt ltref bean=shibbolethRelyingPartyIdLookupSimple gt ltconstructor-arggtltbeangt copy 2015 SWITCH 17

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Page 58

Upgrades within Version 3
It's easy now

SWITCHaai Team aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. The existing configuration should still work without these changes.
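The promise above (an upgrade never overwrites your own files) is easy to verify rather than trust. The following script is an added example, not part of the SWITCH handouts or of the Shibboleth distribution: it takes a checksum snapshot of the unmanaged directories before running the distribution's bin/install.sh and compares them afterwards. It assumes IDP_HOME is /opt/shibboleth-idp (override via the environment) and that sha256sum or shasum is installed; conf, views and edit-webapp come from the handout, credentials and messages are added here on the assumption that they are deployer-managed as well, so adjust the list to your deployment.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: prove that an upgrade left the
# unmanaged directories alone by comparing file checksums taken before and after
# bin/install.sh. Assumes IDP_HOME is /opt/shibboleth-idp (override via env) and
# that sha256sum or shasum is installed.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
# conf, views, edit-webapp are named in the handout; credentials and messages are
# an assumption added here. Adjust as needed.
UNMANAGED="conf views edit-webapp credentials messages"

# sha256_of FILE: print the hex digest only.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR OUTFILE: one "<digest> <relative path>" line per regular file, sorted by path.
snapshot() {
    dir="$1"; out="$2"
    : > "$out"
    (cd "$dir" && find . -type f | sort) | while IFS= read -r rel; do
        printf '%s %s\n' "$(sha256_of "$dir/$rel")" "$rel" >> "$out"
    done
}

# verify DIR SNAPSHOT: list files that changed or vanished since the snapshot;
# exit status 0 only when everything still matches.
verify() {
    dir="$1"; snap="$2"; rc=0
    while read -r sum rel; do
        if [ ! -f "$dir/$rel" ]; then
            echo "MISSING  $rel"; rc=1
        elif [ "$(sha256_of "$dir/$rel")" != "$sum" ]; then
            echo "CHANGED  $rel"; rc=1
        fi
    done < "$snap"
    return "$rc"
}

# upgrade_with_check DISTDIR: the handout's install step wrapped in before/after
# snapshots. Run build.sh and restart Tomcat afterwards, as the procedure describes.
upgrade_with_check() {
    dist="$1"
    snapdir=$(mktemp -d)
    for d in $UNMANAGED; do
        [ -d "$IDP_HOME/$d" ] && snapshot "$IDP_HOME/$d" "$snapdir/$d.sha256"
    done
    (cd "$dist" && sh bin/install.sh) || { echo "install.sh failed" >&2; return 1; }
    rc=0
    for d in $UNMANAGED; do
        [ -f "$snapdir/$d.sha256" ] && { verify "$IDP_HOME/$d" "$snapdir/$d.sha256" || rc=1; }
    done
    if [ "$rc" -eq 0 ]; then
        echo "unmanaged directories unchanged; run $IDP_HOME/bin/build.sh and restart Tomcat"
    fi
    return "$rc"
}
```

Usage: source the file and call upgrade_with_check /path/to/shibboleth-identity-provider-3.x.y from the unpacked distribution's parent directory. A CHANGED or MISSING line after install.sh is the signal to stop and look before running build.sh; the snapshot files in the temporary directory also double as a record of what the deployment looked like before the upgrade.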

Page 60

References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Page 62

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
(Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: add new IP ranges and Domain Hints
• 5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only publish in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
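The grep above answers the question for one binding and one year; the script below is an added example (not part of the SWITCH handouts) that generalises it to all rotated process logs and to each removal candidate named on the previous slide, reporting the number of hits and the timestamp of the last one. It assumes the logs live in /opt/shibboleth-idp/logs (override with IDP_LOGDIR), rotated files named idp-process-YYYY-MM-DD.log, and that every log line starts with the timestamp as in the default logback pattern; the sample log lines it writes are constructed for a dry run and are not real IdP output.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: report whether, how often and when
# a SAML binding last shows up in the IdP process logs before its endpoint is
# removed from the Resource Registry. Assumes /opt/shibboleth-idp/logs (override
# with IDP_LOGDIR), rotated files named idp-process-YYYY-MM-DD.log, and that
# each log line starts with the timestamp, as in the default logback pattern.

LOGDIR="${IDP_LOGDIR:-/opt/shibboleth-idp/logs}"

# Bindings of the endpoints the handout names as removal candidates.
SIMPLESIGN="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML1_SOAP="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# last_binding_use BINDING [LOGDIR]: prints "<hits> <last timestamp>", or "0 -" when unused.
# -F matches the URN literally; always grep for the full URN, since a prefix such as
# "...:bindings:HTTP-POST" would also match the SimpleSign lines.
last_binding_use() {
    binding="$1"; dir="${2:-$LOGDIR}"
    matches=$(grep -hF -- "$binding" "$dir"/idp-process*.log 2>/dev/null | sort)
    if [ -z "$matches" ]; then
        echo "0 -"
        return 0
    fi
    count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    # Lines start with "YYYY-MM-DD HH:MM:SS,mmm", so the sorted last line is the newest.
    last=$(printf '%s\n' "$matches" | tail -n 1 | cut -d' ' -f1-2)
    echo "$count $last"
}

# report_candidates [LOGDIR]: one line per candidate binding. The SAML1 SOAP binding
# serves both the Artifact Resolution and the Attribute Service, so read the matching
# lines themselves to see which profile was actually used before removing either.
report_candidates() {
    dir="${1:-$LOGDIR}"
    for b in "$SIMPLESIGN" "$SAML1_SOAP"; do
        result=$(last_binding_use "$b" "$dir")
        echo "$b: ${result%% *} hit(s), last seen ${result#* }"
    done
}

# make_sample_logs DIR: constructed sample lines (not real IdP output) for a dry run,
# e.g.  d=$(mktemp -d); make_sample_logs "$d"; report_candidates "$d"
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/idp-process-2015-01-07.log" <<'EOF'
2015-01-07 09:12:01,004 - INFO [net.shibboleth.idp.profile:123] - decoded message via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-01-07 09:15:44,731 - INFO [net.shibboleth.idp.profile:123] - decoded message via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
EOF
    cat > "$1/idp-process.log" <<'EOF'
2015-06-10 14:03:12,990 - INFO [net.shibboleth.idp.profile:123] - decoded message via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-06-10 14:05:55,117 - INFO [net.shibboleth.idp.profile:123] - decoded message via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
EOF
}
```

Run report_candidates against the real log directory once the rotated logs of the last few months are in place; a binding with zero hits over that window is a safe candidate, while any hit should be traced to the SP named on the line before the endpoint disappears from the Resource Registry.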

Page 68

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment
(Two diagram slides; the figures are not reproduced in the handout text.)

Page 71

Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs server-side

• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                              | Defined in | Example
displayName                                | eduPerson  | Peter Sample
common name (cn)                           | eduPerson  | Peter Sample
mail                                       | eduPerson  | peter.sample@example.org
eduPersonAffiliation                       | eduPerson  | staff
eduPersonScopedAffiliation                 | eduPerson  | staff@example.org
eduPersonPrincipalName                     | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                      | SCHAC      | example.org
schacHomeOrganizationType                  | SCHAC      | urn:schac:homeOrganizationType:ch:university or urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
(Slide showing entity category attributes in metadata; figure not reproduced in the handout text.)

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Diagram: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

SWITCHaai Team aai@switch.ch

Attribute Release Rules

Page 88

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot, continued)

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files

Log files:
• error.log / aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log / aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  • .FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change it if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
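The two reload flows and the bean ID list above lend themselves to a small wrapper; the script below is an added example, not part of the SWITCH handouts or of the IdP distribution. It keeps the service bean IDs from the list above as a local allow-list (so a typo is caught before it reaches the IdP), extracts MetadataProvider IDs from the file the handout greps, and triggers the reload URLs with curl. It assumes the base URL https://aai-login.example.org/idp (override with IDP_BASE), a metadata-providers.xml in which the id attribute sits on the same line as the element name, and that it is run on the IdP host itself, because access to the reload-* URLs is restricted to localhost by default; the metadata-providers fragment it writes is constructed for a dry run, not SWITCH's file.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: small helpers around the IdPv3
# admin reload flows. Assumes the IdP base URL https://aai-login.example.org/idp
# (override with IDP_BASE), the metadata providers in conf/metadata-providers.xml
# with the id attribute on the same line as the element name, and that curl is
# run on the IdP host, because the reload-* URLs are restricted to localhost by default.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Service bean IDs the handout lists for reload-service.
RELOADABLE_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# is_reloadable ID: succeed only for a known service bean ID.
is_reloadable() {
    for s in $RELOADABLE_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# metadata_provider_ids FILE: print the id of every MetadataProvider element,
# one per line (what the handout's grep shows, reduced to the id values).
metadata_provider_ids() {
    sed -n 's/.*<MetadataProvider[^>]*[[:space:]]id="\([^"]*\)".*/\1/p' "$1"
}

# reload_service ID: trigger the reload-service flow; unknown IDs are refused
# locally instead of producing an error page from the IdP.
reload_service() {
    is_reloadable "$1" || { echo "unknown service bean id: $1" >&2; return 2; }
    curl --fail --silent --show-error "$IDP_BASE/profile/admin/reload-service?id=$1"
}

# reload_metadata ID: trigger the reload-metadata flow for one provider.
reload_metadata() {
    curl --fail --silent --show-error "$IDP_BASE/profile/admin/reload-metadata?id=$1"
}

# reload_all_metadata [FILE]: reload every provider found in FILE, stopping at the first failure.
reload_all_metadata() {
    file="${1:-$IDP_HOME/conf/metadata-providers.xml}"
    for id in $(metadata_provider_ids "$file"); do
        reload_metadata "$id" || return 1
    done
}

# sample_metadata_providers FILE: constructed fragment (not SWITCH's file) for a dry run,
# e.g.  f=$(mktemp); sample_metadata_providers "$f"; metadata_provider_ids "$f"
sample_metadata_providers() {
    cat > "$1" <<'EOF'
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataProvider id="FederationMetadata" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://metadata.example.org/federation.xml"
        backingFile="%{idp.home}/metadata/federation.xml" />
    <MetadataProvider id="LocalTestMetadata" xsi:type="FilesystemMetadataProvider"
        metadataFile="%{idp.home}/metadata/test-sp.xml" />
</MetadataProvider>
EOF
}
```

curl's --fail makes a rejected request (for instance one that does not come from localhost, or an ID the IdP does not know) return a non-zero exit status instead of an HTML error page, which is what you want from a script run out of cron or a deployment pipeline; the audit log will still only record the reload event itself, as the hands-on exercises below point out.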

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation Metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before,
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Authentication Configuration
• Login flow activation
  • /opt/shibboleth-idp/conf/idp.properties
    The active flows are specified via a regular expression (i.e. the order doesn't matter):
    idp.authn.flows = Password
    idp.authn.flows = X509|Password
• Per login flow configuration
  • /opt/shibboleth-idp/conf/authn/*-authn-config.xml
• Side note: if multiple flows are activated, the order of the flows as defined in conf/authn/general-authn.xml might influence the flow selection process

Configuration: Username/password with LDAP
• Most deployments use this authentication mechanism
• Login flow for username/password authentication: Password (activated by default)
• Configuration is done in two properties files
  • All LDAP parameters except credentials: /opt/shibboleth-idp/conf/ldap.properties
  • Credentials are stored separately (for security reasons): /opt/shibboleth-idp/conf/credentials.properties
• The properties of the LDAP authentication can be re-used for the LDAP configuration of the attribute resolution (all defined in ldap.properties)

Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator
    User lookup and authentication method. Must be set to bindSearchAuthenticator.
• Connection options
  • idp.authn.LDAP.ldapURL
    URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  • idp.authn.LDAP.useStartTLS
    Enable TLS encryption for ldap:// URLs (port 389). (If not enabled, the connection is not encrypted.)
  • idp.authn.LDAP.useSSL
    Enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true.

Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig
    Type of X.509 certificate verification method. Usually set to jvmTrust.
• User Directory options
  • idp.authn.LDAP.baseDN
    Entry point in the user directory.
  • idp.authn.LDAP.subtreeSearch
    Enable searching the whole tree. Usually set to true.
  • idp.authn.LDAP.userFilter
    LDAP search filter. Takes the login name as input.

Properties for LDAP authentication
• LDAP service user options
  (The IdP connects to the LDAP server as this user to search for users.)
  • idp.authn.LDAP.bindDN
    Bind DN of the IdP service user.
  • idp.authn.LDAP.bindDNCredential
    Password of the IdP service user.

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password
  idp.authn.flows = Password
• LDAP attribute holding the login name: uid
  idp.authn.LDAP.userFilter = (uid={user})
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties
  (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.config:

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

PS: Common and equivalent alternative to userField: userFilter
   userField="uid"
   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/credentials.properties (the bind password is kept out of ldap.properties, as described on the earlier slides):
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
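The migration above is mechanical enough to script. The following is an added example (not part of the handout and not a SWITCH or Shibboleth tool): it parses the v2 login.config stanza from the hands-on and emits the two v3 property sets, keeping the bind password out of ldap.properties. The quoting of the stanza values and the StartTLS choice for plain ldap:// URLs are assumptions of this example.

```python
import re

# Constructed copy of the v2 login.config stanza from the hands-on, with the
# quoting a JAAS configuration file uses (the slide shows the values unquoted).
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(config):
    """Return the key="value" options of the LdapLoginModule stanza as a dict."""
    return dict(OPTION_RE.findall(config))


def v3_user_filter(options):
    """Map userField / userFilter (vt-ldap {0} placeholder) to idp.authn.LDAP.userFilter."""
    if "userFilter" in options:
        flt = options["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else "(" + flt + ")"
    return "(" + options["userField"] + "={user})"


def convert_to_v3(options):
    """Split the v2 options into (ldap.properties, credentials.properties) contents."""
    ldap_url = options["ldapUrl"]
    all_ldaps = all(u.startswith("ldaps://") for u in ldap_url.split())
    ldap_props = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": ldap_url,
        # ldaps:// URLs use SSL on port 636; for plain ldap:// URLs this example
        # turns on StartTLS so the connection is still encrypted (a choice of this
        # example, not a rule stated on the slides).
        "idp.authn.LDAP.useStartTLS": "false" if all_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if all_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": options["baseDn"],
        "idp.authn.LDAP.subtreeSearch": options.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": v3_user_filter(options),
        "idp.authn.LDAP.bindDN": options["bindDn"],
    }
    # The bind password goes into the separately protected credentials.properties.
    cred_props = {"idp.authn.LDAP.bindDNCredential": options["bindCredential"]}
    return ldap_props, cred_props


def render_properties(props):
    """Render a dict as Java properties lines."""
    return "".join("%s = %s\n" % (k, v) for k, v in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = convert_to_v3(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties\n" + render_properties(ldap_props))
    print("# /opt/shibboleth-idp/conf/credentials.properties\n" + render_properties(cred_props))
```

Run it against your own login.config and diff the output with the ldap.properties produced by the installer; the check worth keeping is that `secret` never appears in the ldap.properties output.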

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References / Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site


Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties etc.

error-messagespropertiesin optshibboleth-idpmessageserror-messagesproperties1313 General strings13idptitle = Web Login Service13idptitlesuffix = Error13idplogo = imagesexampleorgpng13idplogoalt-text = Example Home Organisation13idplogotargeturl = httpwwwexampleorg13idpmessage = An unidentified error occurred13idpfooter = Insert your footer text here1313 Error key to title and message mappings13unexpectedtitle = Unexpected Error13unexpectedmessage = An unexpected error was encountered usually reflecting a configuration or software error13

813

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Velocity Properties
<a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.serviceName)
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end
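Why the template goes through $encoder.encodeForHTML rather than printing $name directly: the service name comes from SP metadata, which for interfederated SPs is third-party input. The following added example (not from the handout, not Shibboleth code) renders the same block in Python with and without encoding, using a constructed hostile service name, so the difference can be checked.

```python
import html

# Constructed service names, as an IdP could receive them from SP metadata
# (mdui:DisplayName or the entity ID). The second one is deliberately hostile:
# metadata of interfederated SPs is third-party input and must not reach the
# login page unencoded.
CONSTRUCTED_NAMES = {
    "https://sp.example.org/shibboleth": "Example Service",
    "https://hostile.example.net/shibboleth": "Reader <script>alert(document.cookie)</script>",
}

# Number of '<' the template's own markup contributes (<div>, <em>, </em>, </div>).
TEMPLATE_TAGS = 4


def service_name_block(name):
    """Python rendering of the Velocity block above: nothing for an empty name,
    otherwise the name HTML-encoded (as $encoder.encodeForHTML does) inside the div."""
    if not name:
        return ""
    return '<div class="space"><em>%s</em></div>' % html.escape(name, quote=True)


def service_name_block_unencoded(name):
    """The same block without encoding: what the template must NOT do."""
    if not name:
        return ""
    return '<div class="space"><em>%s</em></div>' % name


def introduces_markup(name):
    """True if rendering the name unencoded adds tags beyond the template's own."""
    return service_name_block_unencoded(name).count("<") > TEMPLATE_TAGS


if __name__ == "__main__":
    for entity_id, name in CONSTRUCTED_NAMES.items():
        print(entity_id, "injects markup when unencoded:", introduces_markup(name))
        print("  safe rendering:", service_name_block(name))
```

The same reasoning applies to every other $rpUIContext value listed on the previous slide, including the logo and information URLs placed into attributes.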

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.

New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>
    shibboleth.PostgreSQLDataSource
  </dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213 (the dots of the OID were lost in extraction)
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <!-- the dots of the OID above were lost in extraction -->
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
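To check what the two hands-on solutions above produce before touching a live resolver, here is an added example (not from the handout and not Shibboleth code) that models the relevant pieces in Python: an ad:Template expansion over a multi-valued source attribute, an ad:Simple definition that merges its dependencies, and a requester-based filter policy. The LDAP attributes and the policy that releases eduPersonEntitlement to every requester are constructed assumptions for the example.

```python
import re

# Constructed attributes as the myLDAP data connector would return them.
CONSTRUCTED_USER = {
    "uid": ["jdoe"],
    "objectClass": ["person", "inetOrgPerson", "eduPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}

ATTRIBUTE_VIEWER = "https://attribute-viewer.aai.switch.ch/shibboleth"


def template_attribute(template, source_attribute, attributes):
    """Like ad:Template: expand the template once per value of the source attribute,
    so a multi-valued source (objectClass) yields one entitlement per value."""
    pattern = re.compile(r"\$\{?" + re.escape(source_attribute) + r"\}?")
    return [pattern.sub(lambda m: value, template)
            for value in attributes.get(source_attribute, [])]


def simple_attribute(dependencies, attributes):
    """Like ad:Simple with several dependencies: concatenate the values of all inputs."""
    values = []
    for dep in dependencies:
        values.extend(attributes.get(dep, []))
    return values


def resolve(user):
    """Run the two hands-on definitions from the slides over one user's attributes."""
    resolved = {}
    resolved["uzhSAPUserId"] = template_attribute("SAP-${uid}", "uid", user)
    groups = template_attribute("https://example.org/groups/${objectClass}", "objectClass", user)
    resolved["eduPersonEntitlement"] = simple_attribute(
        ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"],
        dict(user, **{"eduPersonEntitlement.groups": groups}),
    )
    return resolved


# Filter policies in the spirit of attribute-filter-local.xml: (requester, attributeID).
# Only the attribute viewer may receive uzhSAPUserId; the second rule (every requester
# gets eduPersonEntitlement) is an assumption of this example.
POLICIES = [
    (ATTRIBUTE_VIEWER, "uzhSAPUserId"),
    (None, "eduPersonEntitlement"),
]


def filter_for_requester(requester, resolved, policies=POLICIES):
    """Release only the attributes permitted for this requester; None matches any requester."""
    released = {}
    for policy_requester, attribute_id in policies:
        if policy_requester in (None, requester) and resolved.get(attribute_id):
            released[attribute_id] = list(resolved[attribute_id])
    return released


if __name__ == "__main__":
    resolved = resolve(CONSTRUCTED_USER)
    print("resolved:", resolved)
    print("released to attribute viewer:", filter_for_requester(ATTRIBUTE_VIEWER, resolved))
    print("released to another SP:", filter_for_requester("https://sp.example.org/shibboleth", resolved))
```

The second print is the one to look at when an SP reports a missing attribute: the resolver may well produce the value while the filter policy never releases it to that requester.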

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
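The computed persistent ID described above, as an added example (not from the handout and not the Shibboleth implementation): SHA-1 over the SP entity ID, the user attribute value and the salt, Base64-encoded, plus the qualified rendering a Shibboleth SP shows. The "!" separators between the three hashed parts and all sample values are assumptions of this example; what it is meant to show is the properties the recap lists: the same user gets a different, non-reversible ID at every SP, and the salt is what makes the ID impossible to recompute from public data.

```python
import base64
import hashlib


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entity ID, user attribute value and salt, Base64-encoded.

    The three inputs and the 20-byte/Base64 output are what the slide states;
    the "!" separators between the parts are an assumption of this example.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id, sp_entity_id, source_value, salt):
    """Rendering as seen by a Shibboleth SP: NameQualifier!SPNameQualifier!value."""
    value = computed_persistent_id(sp_entity_id, source_value, salt)
    return "!".join((idp_entity_id, sp_entity_id, value))


def is_targeted(source_value, salt, sp_a, sp_b):
    """True when the same user gets different IDs at two SPs (pair-wise pseudonym)."""
    return (computed_persistent_id(sp_a, source_value, salt)
            != computed_persistent_id(sp_b, source_value, salt))


# Constructed sample values (not from the page).
IDP = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
USER = "jdoe@example.org"
# In production this is idp.persistentId.salt from credentials.properties; keep it secret,
# because with the salt anyone holding the source attribute can recompute every ID.
SALT = "constructed-salt-for-the-example"

if __name__ == "__main__":
    print(qualified_persistent_id(IDP, SP_A, USER, SALT))
    print("targeted:", is_targeted(USER, SALT, SP_A, SP_B))
```

Because the ID is a pure function of SP, attribute value and salt, the salt must be carried over unchanged when migrating from v2 to v3 (see the configuration slide), otherwise every user gets a new identity at every SP.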

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release otherwise]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]
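The consent duration options and idp.consent.compareValues interact in a way that is easy to get wrong when testing. The following added example (not from the handout and not the IdP's consent code) models the decision "show the attribute-release page again?" for the three duration choices described above, with and without value comparison, on constructed attribute sets. The record format is an assumption of the example; only the decisions it makes follow the slides.

```python
import hashlib
import json


def fingerprint(values, compare_values):
    """What is remembered per attribute at consent time: with idp.consent.compareValues
    a hash of the values, otherwise only the fact that the attribute was shown."""
    if not compare_values:
        return "present"
    return hashlib.sha256(json.dumps(sorted(values)).encode("utf-8")).hexdigest()


def record_consent(attributes, choice, compare_values=False):
    """Build the stored decision for one user and SP.

    choice is one of 'changes' (ask again if information changes),
    'next-login' (ask me again at next login) or 'global' (do not ask me again,
    ever, for any SP; in the IdP that choice applies to all SPs of the user).
    """
    return {
        "choice": choice,
        "attributes": {k: fingerprint(v, compare_values) for k, v in attributes.items()},
    }


def consent_required(stored, attributes, compare_values=False):
    """Decide whether the attribute-release page must be shown again.

    stored is None before the first access to an SP, otherwise a record from
    record_consent(); attributes are the values about to be released now.
    """
    if stored is None:
        return True                       # first access to every SP
    if stored["choice"] == "global":
        return False                      # user opted out of all further prompts
    if stored["choice"] == "next-login":
        return True                       # remembered only for the current session
    current = {k: fingerprint(v, compare_values) for k, v in attributes.items()}
    # 'changes': prompt when the set of attribute IDs differs, or, with
    # compareValues, when any value differs.
    return current != stored["attributes"]


# Constructed attribute sets for a first and a later login at the same SP.
FIRST_LOGIN = {"uid": ["jdoe"], "mail": ["jdoe@example.org"]}
MAIL_CHANGED = {"uid": ["jdoe"], "mail": ["john.doe@example.org"]}
ATTRIBUTE_ADDED = dict(FIRST_LOGIN, eduPersonAffiliation=["staff"])

if __name__ == "__main__":
    rec = record_consent(FIRST_LOGIN, "changes")
    print("same attributes again:", consent_required(rec, FIRST_LOGIN))
    print("value changed, compareValues=false:", consent_required(rec, MAIL_CHANGED))
    rec_v = record_consent(FIRST_LOGIN, "changes", compare_values=True)
    print("value changed, compareValues=true:", consent_required(rec_v, MAIL_CHANGED, True))
```

With compareValues left at its default of false, a change of a user's mail address is never shown to the user again at that SP; only a newly released attribute triggers the page.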

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
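The tag match that the override above performs, as an added Python illustration that is not IdP code: it parses the <EntityDescriptor> from the metadata slide (embedded as a constructed string) and checks the swissEduPersonHomeOrganization tag and the entity category the way RelyingPartyByTag with a TagCandidate would. The namespace URIs are the standard SAML ones; the function names are this example's own.

```python
"""Tag-based relying party match, modelled on the RelyingPartyByTag override.

Added illustration, not IdP code. It parses the <EntityDescriptor> from the
"Example metadata with attributes" slide (embedded below as a constructed
string) and answers what the override decides at runtime: does the SP carry
the swissEduPersonHomeOrganization tag with one of the configured values,
and which entity categories does it declare?
"""
import xml.etree.ElementTree as ET

# Standard SAML namespaces used by <mdattr:EntityAttributes>.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ENTITY_CATEGORY = "http://macedir.org/entity-category"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed sample: the entity from the metadata slide, reduced to the parts
# the override inspects.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>
"""


def entity_attributes(xml_text):
    """Return {attribute Name: [values]} from <mdattr:EntityAttributes>.

    Values are whitespace-stripped: metadata often wraps a long URI across
    lines (as the slide does), and a raw compare would then never match.
    """
    root = ET.fromstring(xml_text)
    tags = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        tags.setdefault(attr.get("Name"), []).extend(values)
    return tags


def tag_candidate_matches(tags, name, values):
    """Mirror of TagCandidate c:name=... p:values=...: true when the entity
    carries attribute `name` with at least one of `values`."""
    return any(v in tags.get(name, []) for v in values)


def consent_disabled(xml_text, home_orgs):
    """Would shibboleth.NoUserConsentRelyingParty apply to this SP, given the
    home organisation values configured on the TagCandidate?"""
    return tag_candidate_matches(entity_attributes(xml_text), HOME_ORG_OID, home_orgs)


def declares_coco(xml_text):
    """Does the SP declare the GEANT Data Protection Code of Conduct category?"""
    return tag_candidate_matches(entity_attributes(xml_text), ENTITY_CATEGORY, [COCO_V1])
```

With the slide's override value example.org the sample SP (home organisation switch.ch) is not matched, so consent would still be asked for it.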

Page 58

SWITCHaai Team aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:

    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References

Documentation:
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata!

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings
  – Default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) about when the binding was used the last time.
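The same check as the grep above, as an added Python example that is not part of the handout: it scans constructed idp-process.log lines for the SAML1 SOAP binding URN and reports when it was last used and by which SP, which is the information needed before deleting the endpoint. The line layout follows the IdP's default logback pattern; the logger names and message wording are made up.

```python
"""Last use of a SAML binding according to idp-process.log.

Added example, not part of the SWITCH handout. It does what the grep on the
slide does and also reports the most recent use and the SP concerned, so an
endpoint is only dropped from the Resource Registry once that date is old
enough. The log lines are constructed: the "date - LEVEL [logger:line] -
message" layout follows the IdP's default logback pattern, the logger names
and message wording are made up.
"""
import re
from datetime import datetime

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Constructed sample of /opt/shibboleth-idp/logs/idp-process-2015-*.log content.
SAMPLE_LOG = """\
2015-02-03 09:12:44,101 - INFO [sample.logger:1] - Inbound message via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-02-03 09:12:45,320 - INFO [sample.logger:2] - Outbound message to https://sp-new.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-04-17 16:40:02,555 - INFO [sample.logger:1] - Inbound message via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-05-01 08:00:00,000 - WARN [sample.logger:3] - Session expired
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ - (\w+) \[[^\]]+\] - (.*)$")
URL_RE = re.compile(r"https?://\S+")


def binding_uses(log_text, binding):
    """Return [(timestamp, entityID or None)] for each line naming `binding`."""
    uses = []
    for line in log_text.splitlines():
        if binding not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace or continuation line without a timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        urls = URL_RE.findall(m.group(3))  # the SP entityID, if the line has one
        uses.append((ts, urls[0] if urls else None))
    return uses


def last_use(log_text, binding):
    """(timestamp, entityID) of the most recent use, or None if never used."""
    uses = binding_uses(log_text, binding)
    return max(uses, key=lambda u: u[0]) if uses else None


def unused_since(log_text, binding, cutoff_date):
    """True if the binding has not been used on or after cutoff_date (YYYY-MM-DD):
    the condition the slide sets for removing the endpoint."""
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    return all(ts < cutoff for ts, _ in binding_uses(log_text, binding))
```

Run it over the concatenation of all idp-process-2015-*.log files rather than the current file only, since Logback rolls the file over daily.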

Page 68

SWITCHaai Team aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70

Example Environment
[Diagram of an example clustered IdP environment, shown on two slides]

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers.

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References

Documentation:
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
[Map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
[Screenshot of the Resource Registry option; see https://www.switch.ch/aai/interfederation/]

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
[Screenshot; see https://www.switch.ch/aai/interfederation/]

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
[Diagram slide]

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale

[Diagram: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
[Diagram slide]

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot, continued]

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback
  – Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  – Log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually ok
  – Change it if required, e.g.
    • LDAP Auth Module or authentication events
    • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):

    <Listener className="org.apache.catalina.filter" />

2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2

• Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   – Change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml:
   – set log level to DEBUG for logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:

    <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>

4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way
  – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
    – attribute resolver (attribute-resolver.xml)
    – attribute filtering engine (attribute-filter.xml)
    – profile handler manager (handler.xml)
    – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under:

    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id

• available bean IDs for service reloads: see

    $ grep "bean id=.*class" /opt/shibboleth-idp/system/conf/services-system.xml

  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with

    $ grep "Provider id" /opt/shibboleth-idp/conf/metadata-provider*.xml

• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 ("Available bean IDs for service reloads"):

    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…

• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with

    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||

  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team
aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to find out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Example Configuration
• /opt/shibboleth-idp/conf/ldap.properties
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org

• /opt/shibboleth-idp/conf/credentials.properties
  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Properties for LDAP authentication
• General options
  • idp.authn.LDAP.authenticator: user lookup and authentication method. Must be set to bindSearchAuthenticator
• Connection options
  • idp.authn.LDAP.ldapURL: URL of the LDAP server(s). Must start with ldap:// or ldaps://. (Multiple servers can be specified by listing multiple URLs separated by spaces.)
  • idp.authn.LDAP.useStartTLS: enable TLS encryption for ldap:// URLs (port 389). (If not enabled, the connection is not encrypted.)
  • idp.authn.LDAP.useSSL: enable TLS encryption for ldaps:// URLs (port 636). Must usually be set to true

Properties for LDAP authentication
• Connection options (continued)
  • idp.authn.LDAP.sslConfig: type of X.509 certificate verification method. Usually set to jvmTrust
• User directory options
  • idp.authn.LDAP.baseDN: entry point in the user directory
  • idp.authn.LDAP.subtreeSearch: enable searching the whole tree. Usually set to true
  • idp.authn.LDAP.userFilter: LDAP search filter. Takes the login name as input

Properties for LDAP authentication
• LDAP service user options (the IdP connects to the LDAP server as this user to search for users)
  • idp.authn.LDAP.bindDN: bind DN of the IdP service user
  • idp.authn.LDAP.bindDNCredential: password of the IdP service user

(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with the properties files

• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  • Which LDAP attribute holds the user's login name?
  • Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
• Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate the LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};

P.S. A common and equivalent alternative to userField is userFilter:
   userField="uid"  is the same as  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
[...]

File /opt/shibboleth-idp/conf/ldap.properties:
[...]
idp.authn.LDAP.bindDNCredential = secret
[...]
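The migration carried out by hand in this exercise, as an added Python example (not part of the SWITCH handout or the Shibboleth project): it reads the JAAS LdapLoginModule options from a v2 login configuration, emits the equivalent idp.authn.LDAP.* properties, and routes the bind password to credentials.properties rather than ldap.properties. The login.config excerpt is constructed from the values on the slide; the StartTLS default chosen for ldap:// URLs is this example's choice, not a v2 setting.

```python
import re
import shlex
from typing import Dict, Tuple

# Constructed IdP v2 login.config excerpt with the values from the hands-on slide.
V2_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
};
'''


def parse_jaas_options(text: str) -> Dict[str, str]:
    """Pull the key="value" options out of the LdapLoginModule entry."""
    match = re.search(r'LdapLoginModule\s+\w+\s+(.*?);', text, re.S)
    if not match:
        raise ValueError("no LdapLoginModule entry found")
    options: Dict[str, str] = {}
    for token in shlex.split(match.group(1)):  # shlex keeps quoted values intact
        key, sep, value = token.partition("=")
        if sep:
            options[key] = value
    return options


def user_filter(options: Dict[str, str]) -> str:
    """v2 accepts userField=uid or the equivalent userFilter=uid={0};
    v3 only knows the filter form, with {user} as the login-name placeholder."""
    if "userFilter" in options:
        flt = options["userFilter"].replace("{0}", "{user}")
        return flt if flt.startswith("(") else f"({flt})"
    return "(" + options.get("userField", "uid") + "={user})"


def to_v3(options: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (ldap.properties, credentials.properties) as insertion-ordered dicts.
    The bind password is deliberately routed to the second file."""
    urls = options["ldapUrl"].split()
    ldap: Dict[str, str] = {"idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
                            "idp.authn.LDAP.ldapURL": " ".join(urls)}
    if all(u.startswith("ldaps://") for u in urls):
        ldap["idp.authn.LDAP.useStartTLS"] = "false"
        ldap["idp.authn.LDAP.useSSL"] = "true"
    else:
        # ldap:// URLs: request StartTLS so the bind is not sent in the clear
        # (a default chosen in this example, not a v2 setting being copied).
        ldap["idp.authn.LDAP.useStartTLS"] = "true"
        ldap["idp.authn.LDAP.useSSL"] = "false"
    ldap["idp.authn.LDAP.sslConfig"] = "jvmTrust"
    if "baseDn" in options:
        ldap["idp.authn.LDAP.baseDN"] = options["baseDn"]
    ldap["idp.authn.LDAP.subtreeSearch"] = options.get("subtreeSearch", "false")
    ldap["idp.authn.LDAP.userFilter"] = user_filter(options)
    if "bindDn" in options:
        ldap["idp.authn.LDAP.bindDN"] = options["bindDn"]
    credentials: Dict[str, str] = {}
    if "bindCredential" in options:
        credentials["idp.authn.LDAP.bindDNCredential"] = options["bindCredential"]
    return ldap, credentials


def render(props: Dict[str, str]) -> str:
    """Serialise a dict in the 'key = value' style of the IdP's properties files."""
    return "\n".join(f"{key} = {value}" for key, value in props.items())


if __name__ == "__main__":
    ldap_props, cred_props = to_v3(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# /opt/shibboleth-idp/conf/ldap.properties")
    print(render(ldap_props))
    print("\n# /opt/shibboleth-idp/conf/credentials.properties")
    print(render(cred_props))
```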

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  • Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  • JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  • Connecting to multiple LDAP trees with different user bases
    • Might be done with native LDAP authentication, but requires complex configuration
  • Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team
aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Velocity Properties
<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties

UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
bad-credentials.message = The credentials you entered are incorrect.
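What the Hands On II solution changes, as an added Python example (not part of the SWITCH handout): it resolves a classified login error to its message text the way the template does (UnknownUsername → bad-username → bad-username.message) and checks whether the stock mapping lets an anonymous visitor tell a nonexistent username from a wrong password, which the unified bad-credentials mapping removes. Both properties excerpts are constructed from the slides; GENERIC_MESSAGE is a fallback invented for this example.

```python
from typing import Dict

# Constructed excerpts in the format of authn-messages.properties. STOCK is the
# mapping shown on the earlier slide, UNIFIED is the Hands On II solution.
STOCK = """\
# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

UNIFIED = """\
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-credentials.message = The credentials you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""

# Fallback for a classified error without a mapping (constructed for this
# example; the real templates have their own generic text).
GENERIC_MESSAGE = "Login failed."


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for the java.util.Properties subset used in these files:
    blank lines, '#'/'!' comments and 'key = value' pairs."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def message_for(props: Dict[str, str], classified_error: str) -> str:
    """Resolve a classified error the way the login template does:
    UnknownUsername -> bad-username -> bad-username.message -> text."""
    message_key = props.get(classified_error)
    if message_key is None:
        return GENERIC_MESSAGE
    return props.get(f"{message_key}.message", GENERIC_MESSAGE)


def leaks_username_validity(props: Dict[str, str]) -> bool:
    """True when an unauthenticated visitor can tell a nonexistent username from a
    wrong password, because the two classified errors render different text."""
    return message_for(props, "UnknownUsername") != message_for(props, "InvalidPassword")


if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("unified", UNIFIED)):
        props = parse_properties(text)
        print(f"{label}: UnknownUsername -> {message_for(props, 'UnknownUsername')!r}")
        print(f"{label}: InvalidPassword -> {message_for(props, 'InvalidPassword')!r}")
        print(f"{label}: reveals whether a username exists: {leaks_username_validity(props)}")
```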

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.

New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>
    shibboleth.PostgreSQLDataSource
  </dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
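The computation described in the bullets above, as an added Python example that is not part of the SWITCH handout or the Shibboleth code: it derives the NameID value from the SP entity ID, a source attribute value and the salt, and builds the idp!sp!value string the Shibboleth SP renders. The entity IDs are the slide's; the field order and the '!' delimiter inside the hash, as well as the sample attribute value and salt, are assumptions of this example.

```python
import base64
import hashlib

# Entity IDs taken from the slide; the source attribute value and salt are
# constructed for this example and are not real deployment values.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"
SALT = "constructed-example-salt-change-me"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over the SP entity ID, the user's source attribute value and the salt,
    Base64-encoded (20 bytes -> 28 characters).

    Assumption: the three fields are hashed in this order, separated by '!' bytes;
    the slide only names the three inputs and the hash algorithm."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def pid_byte_length(pid: str) -> int:
    """Length of the raw digest behind a Base64 persistent ID (20 for SHA-1)."""
    return len(base64.b64decode(pid))


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """The string form the Shibboleth SP hands to applications: idp!sp!value,
    i.e. NameQualifier, SPNameQualifier and the NameID text joined by '!'."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def split_qualified(value: str) -> tuple:
    """Take a qualified value apart again. Entity IDs normally contain no '!' and
    the Base64 alphabet never does, so a plain split is safe here."""
    parts = value.split("!")
    if len(parts) != 3:
        raise ValueError("expected idp!sp!value")
    return tuple(parts)


def is_pairwise(source_value: str, salt: str, sp_a: str, sp_b: str) -> bool:
    """'Targeted' means two SPs receive different values for the same user."""
    return (computed_persistent_id(sp_a, source_value, salt)
            != computed_persistent_id(sp_b, source_value, salt))


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print("NameID value:", pid, f"({pid_byte_length(pid)} bytes)")
    print("SP rendering:", qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    # A different salt yields different IDs for every user and SP, which is why
    # the v2 salt has to be carried over to the v3 credentials.properties.
    other = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT + "-changed")
    print("same ID with a changed salt:", other == pid)
```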

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
  • Other mappings are configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

• Add text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPsEntity attributes in metadata

Entity categories

GEacuteANT Data Protection Code of Conduct (CoCo)

REFEDS Research amp Scholarship

New attributes available

swissEduPersonHomeOrganization

swissEduPersonHomeOrganizationType

copy 2015 SWITCH

bullbullbull

bullbullbull

24

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Page 58

SWITCHaai Team aai@switch.ch

Upgrades within Version 3
It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References
Documentation:
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
• Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (figure)
1, 2: To review
3: To adapt

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

Page 65

2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
    https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
    https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
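As an added example (not part of the SWITCH handouts), the following POSIX shell script turns the grep above into a repeatable check: per SP it reports when a given binding was last used and whether it was used since a cut-off date, so the "remove only after verifying it is not used" rule can be applied systematically. The log lines are constructed; the real idp-process.log wording, in particular the "from <entityID>" phrase the functions key on, is an assumption.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: decide whether an endpoint's
# binding can be removed from the Resource Registry by checking when it was
# last used. The log lines below are constructed; the real idp-process.log
# wording (in particular the "from <entityID>" phrase) is an assumption.

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_POST_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# Constructed sample log, written to a temporary file so the functions take a
# real path (in production: /opt/shibboleth-idp/logs/idp-process-2015-*.log).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2015-01-14 08:02:11,318 - INFO [net.shibboleth.idp.profile:123] - Attribute query from https://sp-old.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-01-14 08:02:11,402 - INFO [net.shibboleth.idp.profile:123] - SSO request from https://sp-new.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-02-03 17:45:09,007 - INFO [net.shibboleth.idp.profile:123] - Attribute query from https://sp-old.example.org/shibboleth via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-05-20 12:00:00,000 - INFO [net.shibboleth.idp.profile:123] - SSO request from https://sp-new.example.org/shibboleth via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
EOF

# last_binding_use LOGFILE BINDING
# Prints "YYYY-MM-DD entityID" for the newest line mentioning BINDING
# (log files are chronological, so the last match is the latest use);
# prints nothing when the binding never appears.
last_binding_use() {
    grep -F -- "$2" "$1" \
        | awk '{ sp = "?"; for (i = 1; i <= NF; i++) if ($i == "from") sp = $(i + 1); print $1, sp }' \
        | tail -n 1
}

# binding_uses_per_sp LOGFILE BINDING
# Prints "count entityID" per SP, so you see who still depends on the binding.
binding_uses_per_sp() {
    grep -F -- "$2" "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++ }
               END { for (sp in n) print n[sp], sp }' \
        | sort -rn
}

# binding_used_since LOGFILE BINDING YYYY-MM-DD
# Succeeds (exit 0) if BINDING was used on or after the cut-off date.
# ISO dates compare correctly as strings, so no date arithmetic is needed.
binding_used_since() {
    grep -F -- "$2" "$1" \
        | awk -v cutoff="$3" 'BEGIN { hit = 0 } $1 >= cutoff { hit = 1 } END { exit hit ? 0 : 1 }'
}

# removal_advice LOGFILE BINDING YYYY-MM-DD
# Prints "keep" or "remove" as the Resource Registry decision for the endpoint.
removal_advice() {
    if binding_used_since "$1" "$2" "$3"; then
        echo keep
    else
        echo remove
    fi
}

# Example run: has the SAML1 SOAP binding been used in 2015?
echo "SAML1 SOAP last used: $(last_binding_use "$SAMPLE_LOG" "$SAML1_SOAP")"
echo "Advice (cut-off 2015-01-01): $(removal_advice "$SAMPLE_LOG" "$SAML1_SOAP" 2015-01-01)"
echo "Advice (cut-off 2015-04-01): $(removal_advice "$SAMPLE_LOG" "$SAML1_SOAP" 2015-04-01)"
```

Point the functions at the real rolled-over log files and at the binding URNs of the three candidate endpoints listed above; an endpoint reported as "remove" for a cut-off a few months back is a safe candidate to drop from the Resource Registry.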

Page 68

SWITCHaai Team aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70

Example Environment (figure)

Example Environment (figure)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

    Storage Entity         Recommended Storage   Scope
    Conversation Session   Memory                Per Node
    IdP User Session       Client                Per Client
    Persistent ID          Common Database       Cluster
    User consents          Common Database       Cluster
    SAML artifacts         Common Database       Cluster
    Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References
Documentation:
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
• Enable the IdP for interfederation: its users will be able to access services from other federations
• Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map: Production / Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry (figure)
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                                      Defined in   Example
    displayName                                        eduPerson    Peter Sample
    common name (cn)                                   eduPerson    Peter Sample
    mail                                               eduPerson    peter.sample@example.org
    eduPersonAffiliation, eduPersonScopedAffiliation   eduPerson    staff, staff@example.org
    eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
    schacHomeOrganization                              SCHAC        example.org
    schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university,
                                                                    urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (figure)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (figure)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment. This increases the trust in Service Providers (SPs).]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                   GÉANT DP CoCo
    Global                       Mainly Europe
    Common purpose of the SPs    Common data protection standards
    Fixed set of attributes      SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (figure)

Page 88

Attribute Release Settings (1) (figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (figure)

Page 89

Overview of Log Files
SWITCHaai Team aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback
  • Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
  • 3 main classes: Logger, Appender (output destination) and Layout
  • Default settings usually ok
  • Change it if required, i.e.
    • LDAP Auth Module or authentication events
    • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   • find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2 (figure): Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   • change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   • set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   • insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under:
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 ("Available bean IDs for service reloads"):
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
  • check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
  • entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so users cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that the attributes were released (in the IdP's idp-audit.log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to check why it fails
      · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
  – The IdP encrypts to the encryption certificate published in the SP's metadata; a decryption failure on the SP side usually means that certificate does not match the private key the SP actually uses.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker" at https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Properties for LDAP authentication
• Connection options (continued)
  – idp.authn.LDAP.sslConfig
    Type of X.509 certificate verification method. Usually set to jvmTrust, i.e. the LDAP server's certificate must chain to a CA in the JVM trust store (certificateTrust together with idp.authn.LDAP.trustCertificates pins a specific certificate file instead)
• User directory options
  – idp.authn.LDAP.baseDN
    Entry point in the user directory
  – idp.authn.LDAP.subtreeSearch
    Enable searching the whole tree. Usually set to true
  – idp.authn.LDAP.userFilter
    LDAP search filter. Takes the login name as input

Properties for LDAP authentication
• LDAP service user options
  (The IdP connects to the LDAP server as this user to search for users)
  – idp.authn.LDAP.bindDN
    Bind DN of the IdP service user
  – idp.authn.LDAP.bindDNCredential
    Password of the IdP service user
(Further properties for LDAP are available but not described here. See the documentation for details.)

Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
  – Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Hands-on 2: Migrate the LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
  };

PS: A common and equivalent alternative to userField is userFilter:
  userField="uid"  is the same as  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

and the password in /opt/shibboleth-idp/conf/credentials.properties (not in ldap.properties, so that the file with secrets can be protected separately):

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
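The userFilter template above takes the login name typed into the login form and substitutes it for {user} before the search phase of the bind/search authenticator. The following example, added here and not part of the SWITCH handout or of the IdP/ldaptive code, shows what that substitution has to do with the value: characters that are special in an LDAP filter (RFC 4515: *, (, ), \ and NUL) must be hex-escaped, otherwise a login name such as `*` turns the filter into (uid=*) and the search matches every entry. ldaptive's parameter substitution is meant to apply exactly this escaping for you; the directory entries, the toy filter evaluator and all helper names below are constructed for illustration.

```python
"""Added example (not from the SWITCH slides): how the login name is
substituted into idp.authn.LDAP.userFilter and why the value must be
escaped (RFC 4515) before it goes into the search filter.

Everything below is constructed for illustration: the directory entries,
the filter evaluator and the helper names are not IdP or ldaptive code."""
import re

# Constructed sample directory (a tiny stand-in for ou=People,dc=example,dc=org).
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=example,dc=org", "uid": "alice"},
    {"dn": "uid=bob,ou=People,dc=example,dc=org", "uid": "bob"},
]

USER_FILTER = "(uid={user})"   # same template as idp.authn.LDAP.userFilter


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.

    RFC 4515 requires '*', '(', ')', '\\' and NUL to be written as a
    backslash followed by two hex digits; everything else passes through.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template: str, login: str, escape: bool = True) -> str:
    """Fill the {user} placeholder the way the IdP does for the search phase."""
    value = escape_filter_value(login) if escape else login
    return template.replace("{user}", value)


_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def matches(filter_str: str, entry: dict) -> bool:
    """Toy evaluator for one equality/substring assertion such as (uid=al*).

    An unescaped '*' is a wildcard; '\\2a' is a literal asterisk. Compound
    filters are rejected so the example stays small."""
    m = _SIMPLE_FILTER.match(filter_str)
    if not m:
        raise ValueError("only a single (attr=value) assertion is supported: %r" % filter_str)
    attr, pattern = m.groups()
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, entry.get(attr, "")) is not None


def resolve_dn(login: str, escape: bool = True) -> list:
    """Search phase of bindSearchAuthenticator: which DNs match the login name?"""
    search_filter = build_user_filter(USER_FILTER, login, escape)
    return [e["dn"] for e in DIRECTORY if matches(search_filter, e)]


if __name__ == "__main__":
    print(resolve_dn("alice"))            # ['uid=alice,ou=People,dc=example,dc=org']
    print(resolve_dn("*"))                # [] : the asterisk is escaped, no user is named '*'
    print(resolve_dn("*", escape=False))  # both DNs: an unescaped wildcard matches everyone
```

The point for a deployer: the search result must identify exactly one entry whose DN the IdP then binds with the user's password; if you ever replace the IdP's built-in filter handling (e.g. with a custom JAAS module), make sure the login name is still escaped before it reaches the filter.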

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    · Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMSs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References: Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization
Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not in the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties
In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties (continued)

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Velocity Properties
  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and the business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used ones (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

All $rpUIContext values come from the SP's metadata, i.e. from whoever registered the SP (in interfederation: another federation's registrar). Never write them into a template unencoded; use $encoder.encodeForHTML for element content and $encoder.encodeForHTMLAttribute for attribute values, otherwise an SP operator can inject markup into your login page.

Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I
• Define a CSS class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• Use the class in login.vm:
    <img class="idp_logo" align="right" …
• Rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
• Using one message for both cases also keeps the login form from revealing which usernames exist (username enumeration).

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files
• Less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by the University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213 (take the exact OID from the Resource Registry entry)
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• The IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• the salt is what keeps the value a pseudonym: whoever knows the salt and can guess the source attribute value can recompute the ID and link the user across SPs, so keep it in credentials.properties with restrictive file permissions and never reuse it elsewhere
• when used in a federation, always qualified by the IdP and SP entity IDs
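To make the "hash of SP entity ID, attribute value and salt" recipe concrete, here is an added example (not part of the SWITCH handout and not IdP code). The byte layout it uses (SP entityID, source value and salt joined with "!", SHA-1, Base64) follows the IdP's ComputedId derivation as the author of this example understands it; before relying on it for a migration, check that it reproduces a known value from your own shibpid table. All entity IDs, attribute values and the salt are constructed.

```python
"""Added example (not from the SWITCH slides): how a computed persistent ID
is derived and why the salt has to stay secret.

The byte layout (SP entityID, source value and salt joined by '!', SHA-1,
Base64) follows the IdP's ComputedId logic as the author of this example
understands it; verify against a known record in your shibpid table before
relying on it. All entity IDs and attribute values below are constructed."""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over "<spEntityID>!<sourceValue>!<salt>", Base64 (20 bytes -> 28 chars)."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The string form the Shibboleth SP exposes: IdP!SP!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def is_well_formed(persistent_id: str) -> bool:
    """20 raw bytes encode to exactly 28 Base64 characters with one '=' pad."""
    try:
        return len(base64.b64decode(persistent_id, validate=True)) == 20
    except (ValueError, TypeError):  # binascii.Error is a subclass of ValueError
        return False


def linkable_with_salt(sp_entity_id: str, observed_id: str,
                       candidate_source_values: list, salt: str) -> list:
    """Why the salt is a secret: anyone holding it can test guesses for the
    source attribute against an observed persistent ID and de-pseudonymise it."""
    return [v for v in candidate_source_values
            if computed_persistent_id(sp_entity_id, v, salt) == observed_id]


if __name__ == "__main__":
    salt = "replace-me-with-the-value-from-credentials.properties"
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", salt)
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    # A different SP gets a different, unlinkable value for the same user:
    other = computed_persistent_id("https://other.example.org/shibboleth", "123456@example.org", salt)
    print(other != pid)   # True
```

Two properties worth observing when you run it: the same user gets a different value for every SP (the "targeted" property), and with the salt in hand a short list of candidate source values is enough to recover the user behind an ID, which is why the salt lives in credentials.properties and not in a file that gets shared or committed.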

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
• the dump contains the complete user-to-pseudonym mapping for every SP, i.e. exactly the linkage the persistent ID is meant to hide: transfer it over an authenticated channel only and delete it from both hosts once the import has been verified

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or the terms change

What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release)

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld):
    idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change:
    idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  – Default mapping using the entityID:
      https\://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> [...]
  – Other mappings are configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables the post-authentication flows for SPs belonging to a home organisation (the profile beans are referenced without p:postAuthenticationFlows, so no consent is asked)

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="ShibbolethSSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

A tag is only as trustworthy as the registrar that signed the metadata it appears in: for SWITCHaai entities that is SWITCH, for eduGAIN entities it is the SP's home federation. Only switch off consent on the basis of an entity attribute whose registrar you are prepared to trust for that decision.
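The two fragments above, the EntityAttributes extension in the SP's metadata and the override that keys on it, are tied together by the IdP's relying-party resolution. The following added example (written for this page, not SWITCH or Shibboleth code) reads the entity attributes out of a constructed copy of the attribute-viewer metadata and applies a small model of the override list: candidates match by name (entityID) or by tag (attribute Name plus accepted values), and the first override whose candidates match wins, which is why the order of shibboleth.RelyingPartyOverrides matters. The override IDs other than shibboleth.NoUserConsentRelyingParty are invented for the illustration.

```python
"""Added example (not from the SWITCH slides): read the EntityAttributes
extension of an SP's metadata and apply relying-party overrides the way the
slides describe them (name, tag candidates, first match wins).

The XML is a constructed copy of the attribute-viewer example; the override
evaluation is a simplified model of the IdP's RelyingPartyByName /
RelyingPartyByTag beans written for this page, not IdP code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""


def entity_attributes(xml_text: str):
    """Return (entityID, {attribute Name: [values]}) from one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return entity_id, attrs


# Override model: (override bean id, list of candidates). A candidate is either
# ("name", entityID) or ("tag", attribute Name, set of accepted values).
# Only the first override id exists on the slides; the others are invented here.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [("tag", HOME_ORG, {"example.org"})]),
    ("shibboleth.CoCoRelyingParty", [("tag", ENTITY_CATEGORY, {COCO_V1})]),
    ("shibboleth.AttributeViewerRelyingParty",
     [("name", "https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth")]),
]


def candidate_matches(candidate, entity_id, attrs) -> bool:
    kind = candidate[0]
    if kind == "name":
        return entity_id == candidate[1]
    if kind == "tag":
        _, name, accepted = candidate
        return any(v in accepted for v in attrs.get(name, []))
    raise ValueError("unknown candidate type %r" % kind)


def select_override(entity_id, attrs, overrides=OVERRIDES):
    """First override whose candidate list matches wins; None means DefaultRelyingParty."""
    for override_id, candidates in overrides:
        if any(candidate_matches(c, entity_id, attrs) for c in candidates):
            return override_id
    return None


if __name__ == "__main__":
    eid, attrs = entity_attributes(SAMPLE_METADATA)
    print(eid, attrs)
    print(select_override(eid, attrs))   # shibboleth.CoCoRelyingParty: the by-name override comes later
```

Note that the attribute-viewer's home organisation is switch.ch, so the slide's override with p:values="example.org" does not match it; the CoCo category does, and because that override is listed before the by-name one it wins. Reversing the list changes the result, exactly as "first match wins" predicts.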

Upgrades within Version 3
It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

copy 2015 SWITCH

Upgrading Procedure

bull  Download the latest Identity Provider software package httpsshibbolethnetdownloadsidentity-providerlatest (targz package recommended for Linux)

bull  Unpack it at any convenient location (it wont be needed afterwards) bull  Change into the newly created distribution directory bull  Run bininstallsh to to upgrade the current deployment in optshibboleth-idp

bull  Review any necessary changes (eg based on the information from SWITCH or from the release notes)

bull  Run optshibboleth-idpbinbuildsh to re-build the warfile bull  Restart Tomcat to activate the new version

Ubuntu sudo service tomcat7 restart Red HatCentOS sudo systemctl restart tomcatservice

3
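The procedure above as one script. This is an added example, not part of the SWITCH handout or of the Shibboleth distribution. The download location, the install.sh and build.sh steps and the two restart commands are the ones on the slide; everything else is this example's own assumption: that you obtain the package's SHA-256 out of band (from the Shibboleth download page, ideally after checking its PGP signature) and pass it in, that IDP_HOME is /opt/shibboleth-idp, and that the archive unpacks into a single top-level directory. The check it adds is the one a practitioner wants before running install.sh with root rights: refuse to touch the deployment unless the downloaded archive matches the expected digest.

```sh
#!/bin/sh
# Added example (not from the SWITCH handout or the Shibboleth distribution):
# the slide's upgrade procedure as a script, with an integrity check on the
# downloaded package before install.sh is run. Assumptions of this example:
# the IDP_HOME layout, that the expected SHA-256 is supplied by the caller,
# and that the tar.gz unpacks into a single top-level directory.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
# Package location from the slide: https://shibboleth.net/downloads/identity-provider/latest/

# sha256_of FILE: hex digest, using sha256sum (Linux) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_package FILE EXPECTED_SHA256: returns 0 only if the digests match.
verify_package() {
    pkg="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    actual="$(sha256_of "$pkg")"
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $pkg"
        return 0
    fi
    echo "CHECKSUM MISMATCH for $pkg: expected $expected, got $actual" >&2
    return 1
}

# restart_command: the Tomcat restart command the slide gives per platform.
restart_command() {
    if [ -f /etc/redhat-release ]; then
        echo "systemctl restart tomcat.service"   # Red Hat / CentOS
    else
        echo "service tomcat7 restart"            # Ubuntu
    fi
}

# upgrade_idp PACKAGE EXPECTED_SHA256: verify, unpack, install.sh, build.sh.
upgrade_idp() {
    pkg="$1"; expected="$2"
    verify_package "$pkg" "$expected" || return 1
    workdir="$(mktemp -d)"
    tar -xzf "$pkg" -C "$workdir"
    distdir="$(find "$workdir" -mindepth 1 -maxdepth 1 -type d | head -n 1)"
    ( cd "$distdir" && ./bin/install.sh )   # upgrades the deployment in IDP_HOME
    "$IDP_HOME/bin/build.sh"                # re-builds the war file
    rm -rf "$workdir"
    echo "Review the release notes, then: sudo $(restart_command)"
}

# Usage on the IdP host:
#   sh upgrade-idp.sh --run shibboleth-identity-provider-<version>.tar.gz <sha256>
if [ "${1:-}" = "--run" ]; then
    shift
    upgrade_idp "$@"
fi
```

The digest comparison is deliberately the only gate: a mismatch stops before anything is unpacked, and the script does not restart Tomcat itself, so the review step from the slide still happens between build.sh and the restart.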

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp.
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation description and apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form): sections 1 and 2 to review, section 3 to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram)

Example Environment (diagram, continued)

Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs server-side

• Server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
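The one-node-generates-and-copies scheme from the slide as a script. This is an added example, not the wiki's cron script and not part of the IdP distribution. It assumes the IdP v3 defaults: the sealer key store and version file under credentials/ (sealer.jks and sealer.kver, the latter a properties file with a CurrentVersion=N line), the idp.sealer.* properties in conf/idp.properties, bin/seckeygen.sh accepting the --storefile, --storepass, --versionfile, --alias and --count options, and rsync over ssh to the peer hosts named in PEERS; check the option names against your own bin/seckeygen.sh before use. Two points a practitioner wants made explicit: the version file is copied last, because a node that sees a new version number must already hold the store containing that key, and the store password is visible in the process list while seckeygen.sh runs, so this belongs in a cron job on the designated node rather than in an interactive session on a shared host.

```sh
#!/bin/sh
# Added example (not the wiki's cron script, not part of the IdP distribution):
# rotate the cookie sealer key on one node and push it to the other nodes.
# Assumed IdP v3 defaults: credentials/sealer.jks, credentials/sealer.kver
# (a properties file with CurrentVersion=N), idp.sealer.* in conf/idp.properties,
# and bin/seckeygen.sh accepting --storefile/--storepass/--versionfile/--alias/--count.
# PEERS lists the other cluster nodes, reachable with rsync over ssh.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PEERS="${PEERS:-}"      # e.g. "idp2.example.org idp3.example.org"
KEEP_VERSIONS=30        # older keys kept so cookies sealed before the rotation still open

# prop FILE KEY: value of KEY in a Java properties file (last definition wins, trailing blanks dropped).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# key_version VERSIONFILE: current key number recorded in sealer.kver.
key_version() {
    prop "$1" CurrentVersion
}

# rotate_key: generate the next key version in the local key store.
# The store password is visible in the process list while seckeygen.sh runs.
rotate_key() {
    pw="$(prop "$IDP_HOME/conf/idp.properties" idp.sealer.storePassword)"
    alias="$(prop "$IDP_HOME/conf/idp.properties" idp.sealer.aliasBase)"
    "$IDP_HOME/bin/seckeygen.sh" \
        --storefile "$IDP_HOME/credentials/sealer.jks" \
        --storepass "$pw" \
        --versionfile "$IDP_HOME/credentials/sealer.kver" \
        --alias "${alias:-secret}" \
        --count "$KEEP_VERSIONS"
}

# push_key: copy the store, then the version file, to each peer. The version
# file goes last: a node that sees the new version number must already hold
# the store containing that key, otherwise it cannot open cookies sealed with it.
push_key() {
    for host in $PEERS; do
        rsync -a "$IDP_HOME/credentials/sealer.jks" "$host:$IDP_HOME/credentials/sealer.jks"
        rsync -a "$IDP_HOME/credentials/sealer.kver" "$host:$IDP_HOME/credentials/sealer.kver"
    done
}

# Cron entry on the designated node (the only one that generates keys), e.g.:
#   0 3 * * *  PEERS="idp2.example.org idp3.example.org" /usr/local/sbin/rotate-sealer-key.sh --run
if [ "${1:-}" = "--run" ]; then
    rotate_key
    push_key
    echo "sealer key rotated to version $(key_version "$IDP_HOME/credentials/sealer.kver")"
fi
```

Keeping 30 earlier versions covers sessions that were sealed with an older key and are still within their lifetime; how many you need depends on your rotation interval and session lifetime.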

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map: Production / Pilot). Source: https://refeds.org/federations/federations-map

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name               | Defined in | Example
----------------------------|------------|-------------------------------------------------------------
displayName                 | eduPerson  | Peter Sample
common name (cn)            | eduPerson  | Peter Sample
mail                        | eduPerson  | peter.sample@example.org
eduPersonAffiliation,       | eduPerson  | staff,
eduPersonScopedAffiliation  |            | staff@example.org
eduPersonPrincipalName      | eduPerson  | 234cd8z239@example.org
schacHomeOrganization       | SCHAC      | example.org
schacHomeOrganizationType   | SCHAC      | urn:schac:homeOrganizationType:ch:university,
                            |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID          |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2) (screenshot): https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN Constitution and eduGAIN Declaration, with the profiles Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
• Criteria: purpose, policies, or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (screenshot)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
---------------------------|----------------------------------
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

• Log files
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/System.out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• Access log, localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: the AccessLogValve in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  – LDAP auth module or authentication events
  – a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
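The curl approach from the slide as a small set of shell functions. This is an added example, not from the handout or the IdP distribution: it builds the two admin flow URLs from the slide, lists the candidate IDs with the two greps from the slide (tightened so that only the id values are printed), and treats any HTTP status other than 200 as a failed reload. The base URL https://aai-login.example.org/idp is the slide's example host and the status-code rule is this example's own choice; the file snippets referred to in the usage note are constructed. Since access-control.xml restricts the reload-* flows to localhost by default, the functions that actually call curl have to run on the IdP host.

```sh
#!/bin/sh
# Added example (not from the handout or the IdP distribution): drive the v3
# admin reload flows with curl. URLs and greps are from the slides; the base
# URL and "HTTP 200 means success" are assumptions of this example.
set -eu

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# reload_url KIND ID: the admin flow URL; KIND is "service" or "metadata".
reload_url() {
    case "$1" in
        service|metadata) echo "$IDP_BASE/profile/admin/reload-$1?id=$2" ;;
        *) echo "unknown reload kind: $1" >&2; return 1 ;;
    esac
}

# list_service_ids FILE: bean IDs in services-system.xml (the slide's grep, printing only the id value).
list_service_ids() {
    grep -o 'bean id="[^"]*"' "$1" | sed 's/bean id="\(.*\)"/\1/'
}

# list_metadata_ids FILE...: provider IDs from the metadata-provider files.
list_metadata_ids() {
    grep -ho 'Provider id="[^"]*"' "$@" | sed 's/Provider id="\(.*\)"/\1/'
}

# trigger_reload KIND ID: 0 when the IdP answered HTTP 200, 1 otherwise.
# access-control.xml limits reload-* to localhost by default: run this on the IdP host.
trigger_reload() {
    url="$(reload_url "$1" "$2")"
    code="$(curl -s -o /dev/null -w '%{http_code}' "$url")"
    case "$code" in
        200) echo "reloaded $2"; return 0 ;;
        *)   echo "reload of $2 failed: HTTP $code" >&2; return 1 ;;
    esac
}

# reload_all_services FILE: reload every service bean listed in FILE, stopping at
# the first failure so that a broken configuration file is noticed rather than
# hidden behind later successes.
reload_all_services() {
    for id in $(list_service_ids "$1"); do
        trigger_reload service "$id" || return 1
    done
}

# Usage on the IdP host:
#   trigger_reload service shibboleth.AttributeFilterService
#   trigger_reload metadata "$(list_metadata_ids /opt/shibboleth-idp/conf/metadata-provider*.xml | head -n 1)"
#   reload_all_services /opt/shibboleth-idp/system/conf/services-system.xml
```

The reload flows only report whether the IdP accepted the request; whether the new configuration is actually in effect is confirmed by the reload entry in idp-audit.log and, for a configuration with a syntax error, by the error in idp-process.log.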

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• And a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• Try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1. UK Data Archive: http://www.data-archive.ac.uk
2. FUNET FileSender: https://filesender.funet.fi
3. Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1. Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2. eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3. eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata: the SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out. That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under Metadata URL click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide email addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Hands-on 1: Explore the configuration
Get familiar with the properties files
• Which flows are enabled in /opt/shibboleth-idp/conf/idp.properties? (Hint: idp.authn.flows)
• /opt/shibboleth-idp/conf/ldap.properties
  – Which LDAP attribute holds the user's login name?
  – Which is the Distinguished Name (DN) of the service user the IdP uses for connecting to the LDAP server?
  – Where is the password of the service user defined?

Hands-on 1: Solutions
• Enabled flows: Password (idp.authn.flows = Password)
• LDAP attribute holding the login name: uid (idp.authn.LDAP.userFilter = (uid={user}))
• DN of the service user the IdP searches users with: cn=idp,dc=example,dc=org
• In the file /opt/shibboleth-idp/conf/credentials.properties (idp.authn.LDAP.bindDNCredential = secret)

Page 20

Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

  ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
      baseDn="ou=People,dc=example,dc=org"
      bindDn="cn=idp,dc=example,dc=org"
      bindCredential="secret"
      userField="uid"
      subtreeSearch="true";
  };

PS: A common and equivalent alternative to userField is userFilter:

  userField="uid"   is equivalent to   userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]
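The mapping from the JAAS LdapLoginModule options to the idp.authn.LDAP.* keys is mechanical, so it can be scripted. The following is an added example, not code from the handout or from Shibboleth: it parses the v2 stanza above (embedded as a constructed sample), emits the v3 properties, and splits the bind password off into a separate dictionary so it can be written to credentials.properties instead of ldap.properties. It assumes that a userFilter written for JAAS uses {0} for the login name (v3 uses {user}), and, when the URL is not ldaps://, it enables StartTLS so that the bind password is never sent in the clear; that last choice is this script's own default, not something the slide states.

```python
"""Translate an IdPv2 JAAS LdapLoginModule stanza into IdPv3 ldap.properties keys."""
import re

# Constructed sample: the IdPv2 stanza from the hands-on.
V2_LOGIN_CONFIG = """
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
    baseDn="ou=People,dc=example,dc=org"
    bindDn="cn=idp,dc=example,dc=org"
    bindCredential="secret"
    userField="uid"
    subtreeSearch="true";
};
"""

OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas_options(stanza):
    """Return the key="value" options of the login module as a dict."""
    return dict(OPTION_RE.findall(stanza))


def to_ldap_properties(opts):
    """Map JAAS options to idp.authn.LDAP.* properties.

    Returns (ldap_props, credential_props): the password is kept apart so it can
    go to credentials.properties rather than ldap.properties.
    """
    url = opts["ldapUrl"]
    uses_ldaps = all(u.startswith("ldaps://") for u in url.split())
    if "userFilter" in opts:
        # JAAS filters use {0} for the login name, v3 uses {user}; v3 also wants
        # the filter parenthesised.
        inner = opts["userFilter"].replace("{0}", "{user}").strip("()")
        user_filter = "(" + inner + ")"
    else:
        user_filter = "(%s={user})" % opts["userField"]
    ldap = {
        "idp.authn.LDAP.authenticator": "bindSearchAuthenticator",
        "idp.authn.LDAP.ldapURL": url,
        # Assumption: without ldaps:// we turn on StartTLS rather than bind in the clear.
        "idp.authn.LDAP.useStartTLS": "false" if uses_ldaps else "true",
        "idp.authn.LDAP.useSSL": "true" if uses_ldaps else "false",
        "idp.authn.LDAP.sslConfig": "jvmTrust",
        "idp.authn.LDAP.baseDN": opts["baseDn"],
        "idp.authn.LDAP.subtreeSearch": opts.get("subtreeSearch", "false"),
        "idp.authn.LDAP.userFilter": user_filter,
        "idp.authn.LDAP.bindDN": opts["bindDn"],
    }
    creds = {"idp.authn.LDAP.bindDNCredential": opts["bindCredential"]}
    return ldap, creds


def render(props):
    """Properties-file text for a dict, one key = value per line."""
    return "\n".join("%s = %s" % kv for kv in props.items())


if __name__ == "__main__":
    ldap, creds = to_ldap_properties(parse_jaas_options(V2_LOGIN_CONFIG))
    print("# ldap.properties\n" + render(ldap))
    print("# credentials.properties\n" + render(creds))
```

Keeping the credential out of the rendered ldap.properties is the point of the split: credentials.properties is the file that stays root-readable only on a SWITCH-style deployment.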

Page 21

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
• Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
• JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for
  – Connecting to multiple LDAP trees with different user bases
    – Might be done with native LDAP authentication, but requires complex configuration
  – Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References / Documentation
• Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration
  http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration
  https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization
Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23


Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart tomcat

Page 25

Spring message properties
• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties (continued)
in /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Page 27

Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Page 30

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of an invalid username or incorrect password:
  “The credentials you entered are incorrect.”

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution
Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files: less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
      shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
source: Resource Registry

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
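Both hands-on solutions rely on two behaviours of the resolver that the XML alone does not make obvious: an ad:Template definition is expanded once per value of its source attribute (so a multi-valued objectClass yields several entitlements, while a single uid yields one SAP id), and a dependencyOnly definition feeds other definitions without being released itself. The following added example, not code from the handout or from Shibboleth, models just those two definition types and the dependency merge of ad:Simple over a constructed LDAP record; the id eduPersonEntitlement.common-lib-terms is treated as a constant-valued definition here, which is an assumption about the SWITCHaai configuration.

```python
"""Minimal model of ad:Template and ad:Simple attribute resolution."""
import re

# Constructed sample of what the myLDAP data connector returns for one user.
LDAP_RECORD = {
    "uid": ["jdoe"],
    "objectClass": ["person", "inetOrgPerson", "swissEduPerson"],
}

# Definitions flagged dependencyOnly="true" feed others but are never released.
DEPENDENCY_ONLY = {"eduPersonEntitlement.groups", "eduPersonEntitlement.common-lib-terms"}

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def template_definition(template, source_attribute, resolved):
    """ad:Template: the template is expanded once per value of the source attribute."""
    values = resolved.get(source_attribute, [])
    return [
        PLACEHOLDER.sub(lambda m: value if m.group(1) == source_attribute else m.group(0), template)
        for value in values
    ]


def simple_definition(dependencies, resolved):
    """ad:Simple: collect the values of all dependencies, in order, without duplicates."""
    out = []
    for dep in dependencies:
        for value in resolved.get(dep, []):
            if value not in out:
                out.append(value)
    return out


def resolve(record):
    """Resolve the two hands-on definitions on top of the connector's attributes."""
    resolved = {k: list(v) for k, v in record.items()}
    # Hands-on 1: SAP-<username> from uid.
    resolved["uzhSAPUserId"] = template_definition("SAP-${uid}", "uid", resolved)
    # Assumption: a constant-valued definition already present in the SWITCHaai config.
    resolved["eduPersonEntitlement.common-lib-terms"] = ["urn:mace:dir:entitlement:common-lib-terms"]
    # Hands-on 2: one entitlement per objectClass value.
    resolved["eduPersonEntitlement.groups"] = template_definition(
        "https://example.org/groups/${objectClass}", "objectClass", resolved)
    resolved["eduPersonEntitlement"] = simple_definition(
        ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"], resolved)
    return resolved


def releasable(resolved):
    """Drop dependency-only definitions; these never reach the filter engine."""
    return {k: v for k, v in resolved.items() if k not in DEPENDENCY_ONLY}


if __name__ == "__main__":
    for name, values in releasable(resolve(LDAP_RECORD)).items():
        print(name, values)
```

The order of the resolver:Dependency elements is preserved in the merged eduPersonEntitlement list, so the common-lib-terms value comes first, followed by one group URL per objectClass value.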

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs
Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: “Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities.”
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
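To see why the value is pair-wise and why the salt matters, the computation above can be reproduced in a few lines. This is an added example, not code from the handout or from Shibboleth: it hashes SP entity ID, source attribute value and salt with SHA-1 and Base64-encodes the 20-byte digest, then builds and parses the three-part string form the SP exposes. The '!' separators between the hashed inputs are an assumption taken from the Shibboleth computed-ID strategy (the slide only lists the three inputs), so compare against your own IdP's output before relying on bit-exact values; the salt and the source attribute value below are constructed.

```python
"""Compute and parse SAML persistent IDs the way the Shibboleth IdP and SP handle them."""
import base64
import hashlib


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entityID, source attribute value and salt, Base64-encoded.

    Assumption: the three inputs are joined with '!' before hashing, as in the
    Shibboleth computed-ID strategy. The salt is what keeps an SP from
    brute-forcing usernames out of the hash, so it must stay secret.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def is_well_formed(value):
    """True if the value decodes to the 20 bytes a SHA-1 digest has."""
    try:
        return len(base64.b64decode(value, validate=True)) == 20
    except (ValueError, TypeError):
        return False


def qualified(idp_entity_id, sp_entity_id, value):
    """String form the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def parse_qualified(text):
    """Split the SP's string form back into its three parts."""
    parts = text.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a qualified persistent ID")
    return {"idp": parts[0], "sp": parts[1], "value": parts[2]}


if __name__ == "__main__":
    # Constructed inputs: placeholder salt and a made-up unique ID value.
    salt = "CONSTRUCTED-SALT-REPLACE-ME"
    uid = "12345@example.org"
    for sp in ("https://sp.example.org/shibboleth", "https://other.example.net/shibboleth"):
        pid = computed_persistent_id(sp, uid, salt)
        print(qualified("https://aai-login.example.org/idp/shibboleth", sp, pid))
```

Running it shows the same user getting two unrelated values at two SPs, which is the pair-wise property the SAML quote on the previous slide demands; the StoredId variant the IdP uses by default keeps that same value in the shibpid table so it can later be revoked or mapped back to the user.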

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of “special-purpose” attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent
Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose “I don't care about my privacy”
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Page 52

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  – Default mapping using the entityID:
      https\://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

Hands-on solution (continued)
• Add text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
            Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
            Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

Page 58

Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

Page 60

References / Documentation
• Upgrading
  https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes
  https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description
Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
1, 2: To review
3: To adapt

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings
  – Default attribute release policies. Consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

copy 2015 SWITCH

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns information (i.e. time, SP) about when the binding was used the last time.
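As an added example (not from the handout), here is a POSIX shell script that automates the check above: it reports, per relying party, when a given binding was last seen in the idp-process logs and whether it has gone unused since a cut-off date. The log lines it runs on are constructed; the only assumption about real log lines is that they start with the date and mention the binding URN and the relying party's https:// entityID.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: decide whether a SAML binding
# endpoint can be dropped from metadata by checking when the IdP last used it.
# Assumptions: each idp-process log line starts with "YYYY-MM-DD HH:MM:SS,mmm"
# and, when a binding is used, mentions the binding URN and the relying party's
# https:// entityID somewhere in the message.

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_SOAP='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'

# Constructed sample log (layout modelled on Logback's
# "%date - %level [%logger:%line] - %msg"); the logger name is made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2015-01-14 08:02:11,004 - INFO [net.shibboleth.idp.profile.impl.Example:101] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
2015-05-20 16:40:53,120 - INFO [net.shibboleth.idp.profile.impl.Example:101] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP from https://sp.example.org/shibboleth
2015-06-09 11:15:27,881 - INFO [net.shibboleth.idp.profile.impl.Example:101] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP from https://sp2.example.org/shibboleth
2015-06-10 09:30:00,000 - INFO [net.shibboleth.idp.profile.impl.Example:101] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP from https://sp.example.org/shibboleth
EOF

# last_use LOGFILES BINDING
# Prints "date entityID" for every relying party that used BINDING (latest use).
last_use() {
    # $1 is left unquoted on purpose so a glob like idp-process-2015-*.log expands
    grep -h -- "$2" $1 2>/dev/null |
    awk '{
        sp = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^https?:\/\//) sp = $i
        if (sp != "" && $1 > last[sp]) last[sp] = $1
    } END { for (sp in last) print last[sp], sp }' | sort
}

# binding_removable LOGFILES BINDING CUTOFF
# Returns 0 when BINDING was not used on or after CUTOFF (YYYY-MM-DD), else 1.
binding_removable() {
    recent=$(last_use "$1" "$2" | awk -v c="$3" '$1 >= c')
    if [ -n "$recent" ]; then
        echo "KEEP  $2: used since $3 by"
        printf '%s\n' "$recent" | sed 's/^/      /'
        return 1
    fi
    echo "DROP? $2: no use since $3 (confirm with the SP operators before removing)"
    return 0
}

# Demo run over the constructed log with a cut-off of 1 March 2015
for b in "$SAML1_SOAP" "$SAML2_SOAP"; do
    binding_removable "$SAMPLE_LOG" "$b" 2015-03-01 || :
done
```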

Page 68

Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram slides)

Page 71

Options
• Full-featured setup: load balancing hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map of production and pilot federations)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

Diagram (eduGAIN policy framework): eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
• Increase the trust in Service Providers (SPs)

Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment.

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules

Page 88

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Log files:
  • error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
  • 3 main classes: Logger, Appender (output destination) and Layout
  • Default settings are usually OK; change them if required, i.e.
    • LDAP Auth Module or authentication events
    • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   • find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2
• Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   • change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   • set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   • insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
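As an added example (not from the handout or the IdP distribution), here is a small shell wrapper around the reload-service admin flow described above: it refuses bean IDs that are not on the list, builds the flow URL, and treats only an HTTP 200 response as a successful reload. The response-status convention and the IDP_BASE URL are assumptions; the HTTP call is isolated in one function so it can be stubbed when trying the script offline.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: a wrapper around the
# reload-service admin flow. Assumptions: the flow answers HTTP 200 on a
# successful reload and a non-200 status otherwise, and the script runs on a
# host that access-control.xml permits (localhost by default). The bean IDs
# are the ones listed on the slide; the base URL is the slide's example host.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Reloadable service beans and what each one re-reads
RELOADABLE_SERVICES='shibboleth.LoggingService|logback.xml
shibboleth.AttributeFilterService|attribute-filter.xml
shibboleth.AttributeResolverService|attribute-resolver*.xml
shibboleth.NameIdentifierGenerationService|saml-nameid.xml
shibboleth.RelyingPartyResolverService|relying-party.xml, credentials.xml
shibboleth.MetadataResolverService|metadata list in services.xml
shibboleth.ReloadableAccessControlService|access-control.xml'

# known_service ID: succeed only if ID is exactly one of the beans above
known_service() {
    printf '%s\n' "$RELOADABLE_SERVICES" |
    awk -F'|' -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# reload_url ID: the admin flow URL for ID
reload_url() {
    printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$1"
}

# http_get URL: print the response body followed by the HTTP status code on
# its own line (curl; redefine this function with a stub to test offline)
http_get() {
    curl -s -w '\n%{http_code}' "$1"
}

# reload_service ID: refuse unknown IDs, call the flow, succeed only on HTTP 200
reload_service() {
    if ! known_service "$1"; then
        echo "refusing to reload unknown service bean '$1'" >&2
        return 2
    fi
    out=$(http_get "$(reload_url "$1")") || { echo "request failed for $1" >&2; return 1; }
    status=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    if [ "$status" = "200" ]; then
        echo "OK   $1: $body"
        return 0
    fi
    echo "FAIL $1 (HTTP $status): $body" >&2
    return 1
}

# Command-line use: `sh reload.sh list` or `sh reload.sh reload <bean-id>`
case "${1:-}" in
    list)   printf '%s\n' "$RELOADABLE_SERVICES" | tr '|' '\t' ;;
    reload) reload_service "$2" ;;
esac
```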

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
    • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
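As an added example (not from the handout), the decision tree above as a shell script run against idp-audit.log for one SP: it distinguishes "no record at all", "record but nothing released" and "released but incomplete". The pipe-separated field positions are an assumption to be checked against the deployment's conf/audit.xml, and the audit records it runs on are constructed.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout: run the attribute decision
# tree against idp-audit.log for one SP. Assumptions (check conf/audit.xml
# before relying on them): records are '|'-separated, field 2 is the SP
# entityID, field 6 the user name and field 7 the comma-separated IDs of the
# released attributes. The records below are constructed, not real output.

AUDIT_LOG=$(mktemp)
trap 'rm -f "$AUDIT_LOG"' EXIT
cat >"$AUDIT_LOG" <<'EOF'
20150611T081502Z|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|user1|eduPersonPrincipalName,mail,displayName|
20150611T083010Z|https://foreign-sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|user1|eduPersonPrincipalName|
20150611T090411Z|https://silent-sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|user2||
EOF

# audit_records LOG SP: number of audit records written for SP
audit_records() {
    awk -F'|' -v sp="$2" '$2 == sp { n++ } END { print n + 0 }' "$1"
}

# released_attributes LOG SP [USER]: attribute IDs, one per line, from the most
# recent record for SP (optionally only USER's logins); empty if none
released_attributes() {
    awk -F'|' -v sp="$2" -v u="$3" \
        '$2 == sp && (u == "" || $6 == u) { last = $7 } END { print last }' "$1" |
    tr ',' '\n' | sed '/^$/d'
}

# check_release LOG SP ATTR...: exit 0 only if every ATTR was released to SP;
# otherwise print which branch of the decision tree applies and exit 1
check_release() {
    log=$1; sp=$2; shift 2
    if [ "$(audit_records "$log" "$sp")" -eq 0 ]; then
        echo "no audit record for $sp: check idp-process.log for that relying party"
        return 1
    fi
    got=$(released_attributes "$log" "$sp")
    if [ -z "$got" ]; then
        echo "NO attributes released to $sp: check the IdP's attribute release policy"
        return 1
    fi
    missing=""
    for a in "$@"; do
        printf '%s\n' "$got" | grep -qxF -- "$a" || missing="$missing $a"
    done
    if [ -n "$missing" ]; then
        echo "released to $sp: $(printf '%s' "$got" | tr '\n' ' ')"
        echo "missing required attribute(s):$missing -> review the release policy"
        return 1
    fi
    echo "all required attributes released to $sp -> the SP side has to investigate"
    return 0
}

# Demo run over the constructed records (one SP per branch of the tree)
check_release "$AUDIT_LOG" https://sp.example.org/shibboleth eduPersonPrincipalName mail || :
check_release "$AUDIT_LOG" https://foreign-sp.example.net/shibboleth eduPersonPrincipalName mail || :
check_release "$AUDIT_LOG" https://silent-sp.example.net/shibboleth mail || :
check_release "$AUDIT_LOG" https://unknown-sp.example.net/shibboleth mail || :
```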

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org/

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Hands-on 2: Migrate LDAP configuration from IdPv2

From IdPv2, file /opt/shibboleth-idp/conf/login.properties:

  ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636"
          baseDn="ou=People,dc=example,dc=org"
          bindDn="cn=idp,dc=example,dc=org"
          bindCredential="secret"
          userField="uid"
          subtreeSearch="true";
  };

PS: a common and equivalent alternative to userField is userFilter:
  userField="uid"  is equivalent to  userFilter="uid={0}"

Hands-on 2: Solution

To IdPv3, file /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.authenticator = bindSearchAuthenticator
  idp.authn.LDAP.ldapURL = ldaps://ldap-test1.aai.switch.ch:636 ldaps://ldap-test2.aai.switch.ch:636
  idp.authn.LDAP.useStartTLS = false
  idp.authn.LDAP.useSSL = true
  idp.authn.LDAP.sslConfig = jvmTrust
  idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org
  idp.authn.LDAP.subtreeSearch = true
  idp.authn.LDAP.userFilter = (uid={user})
  idp.authn.LDAP.bindDN = cn=idp,dc=example,dc=org
  [...]

File /opt/shibboleth-idp/conf/ldap.properties:

  [...]
  idp.authn.LDAP.bindDNCredential = secret
  [...]

Page 21

Advanced Topics
• JAAS authentication as used in v2 is still supported in v3
• Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
• JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  – Connecting to multiple LDAP trees with different user bases
    (might be done with native LDAP authentication, but requires complex configuration)
  – Connecting to other user directories like RDBMs (using a specific JAAS module)
• See the documentation on the Shibboleth wiki for details

References / Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and CSS)
• Place additional web resources in the edit-webapp directory, not the webapp directory: the webapp directory is replaced upon every IdP upgrade
• Rebuild the idp.war file and restart Tomcat

Spring message properties
• In /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties, in /opt/shibboleth-idp/messages/error-messages.properties:

    # General strings
    idp.title = Web Login Service
    idp.title.suffix = Error
    idp.logo = /images/example.org.png
    idp.logo.alt-text = Example Home Organisation
    idp.logo.target.url = http://www.example.org
    idp.message = An unidentified error occurred.
    idp.footer = Insert your footer text here.

    # Error key to title and message mappings
    unexpected.title = Unexpected Error
    unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties, in /opt/shibboleth-idp/messages/authn-messages.properties:

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?

authn-messages.properties, in /opt/shibboleth-idp/messages/authn-messages.properties:

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.

Velocity Properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

    #set ($name = $rpUIContext.ServiceName())
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end

Hands On I
• Make the IdP logo disappear for screens smaller than 799 px

Hands On II
• Return the following error message on the login form in case of an invalid username or an incorrect password:

  “The credentials you entered are incorrect”

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• Define a CSS class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• Use the class in login.vm:

    <img class="idp_logo" align="right" ...

• Rebuild and restart Tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3:
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
      </dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• Introduced in 2005 with the SAML V2.0 specification: “Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities.”
• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• On the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):

    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• When used in a federation: always qualified by the IdP and SP entity IDs

Persistent ID changes with the IdP v3
• No disruptive ones, but a couple of things have happened behind the scenes
• Most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of “special-purpose” attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration (and an ideal SAML 2 world) the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
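The computation described on the “in practice” slide, and why the salt must be carried over as the last bullet above says: an added example (not SWITCH's or the Shibboleth project's code). The three inputs and SHA-1/Base64 come from the slide; the "!" separators and salt-last ordering are taken from the IdP's computed-ID strategy and all sample values are constructed.

```python
import base64
import hashlib


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Persistent ID proper as the IdP computes it by default:
    Base64(SHA-1(spEntityID + "!" + sourceAttributeValue + "!" + salt)).

    Assumption: the "!" separators and feeding the salt last mirror the IdP's
    computed-ID strategy; the slide itself names only the three inputs and SHA-1.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")  # 20 bytes -> 28 characters


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, pid: str) -> str:
    """String form the Shibboleth SP exposes: the two NameID qualifiers and the
    value, joined with '!' (the rendering shown on the 'in practice' slide)."""
    return f"{idp_entity_id}!{sp_entity_id}!{pid}"


def salt_reproduces_record(sp_entity_id: str, source_value: str, salt: bytes,
                           stored_pid: str) -> bool:
    """Sanity check after migration: the salt carried over from v2 must reproduce
    a shibpid record that was originally generated (not revoked and regenerated
    later). A mismatch means the v3 IdP would mint new, different IDs for users."""
    return computed_persistent_id(sp_entity_id, source_value, salt) == stored_pid


if __name__ == "__main__":
    # Constructed sample inputs, not real production values
    idp = "https://aai-login.example.org/idp/shibboleth"
    salt = b"constructed-example-salt-change-me"
    user = "123456789@example.org"  # e.g. the swissEduPersonUniqueID value
    # pair-wise: the same user gets a different identifier per SP
    for sp in ("https://sp.example.org/shibboleth", "https://other.example.org/shibboleth"):
        print(sp_attribute_rendering(idp, sp, computed_persistent_id(sp, user, salt)))
```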

Retaining persistent IDs from your v2 IdP
• The database schema for the shibpid table remains unchanged
• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “Transferring” the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute

    sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• Examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• Dump the shibpid table to a file, purge the table with truncate and reimport the records
• Log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose “I don't care about my privacy”
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options: configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration: configured by Java properties in conf/idp.properties

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: configured by Java properties in messages/consent-messages.properties

Terms for each SP:
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping: configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata!

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation description
• Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (Resource Registry form): 1, 2: to review; 3: to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: add new IP ranges and Domain Hints
• 5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In 3. Technical Information change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3. Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
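The check described above carried a step further, as an added example (not SWITCH's or the Shibboleth project's code): it scans process-log lines for the candidate bindings and reports, per binding, the last use and whether it falls outside a grace period. The log lines are constructed, and the "from <entityID>" wording of the message is my assumption; only the timestamp, binding URI and SP entityID matter for the scan.

```python
import re
from datetime import datetime, timedelta

# Bindings the slides name as removal candidates (SAML1 SOAP is the one grepped for above)
CANDIDATE_BINDINGS = (
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
)

_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
_BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:\d\.\d:bindings:[\w-]+")
# assumption: the log message names the requesting SP as "from <entityID>"
_SP_RE = re.compile(r"from (https?://\S+)")


def last_binding_use(log_lines):
    """Map (binding URI, SP entityID) -> datetime of the most recent matching line."""
    last = {}
    for line in log_lines:
        ts, binding, sp = _TS_RE.match(line), _BINDING_RE.search(line), _SP_RE.search(line)
        if not (ts and binding and sp):
            continue  # not a line that records a binding being used
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        key = (binding.group(0), sp.group(1))
        if key not in last or when > last[key]:
            last[key] = when
    return last


def endpoint_removal_report(log_lines, today, grace_days=90):
    """For each candidate binding: (removable, last use or None, last SP or None).

    'removable' means the binding was not used within grace_days before today;
    today may be a datetime or a 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = datetime.strptime(today, "%Y-%m-%d")
    cutoff = today - timedelta(days=grace_days)
    last = last_binding_use(log_lines)
    report = {}
    for binding in CANDIDATE_BINDINGS:
        uses = [(when, sp) for (b, sp), when in last.items() if b == binding]
        if not uses:
            report[binding] = (True, None, None)
            continue
        when, sp = max(uses)  # most recent use of this binding by any SP
        report[binding] = (when < cutoff, when, sp)
    return report


# Constructed idp-process log lines (illustrative wording, not real IdP output)
SAMPLE_LOG = """\
2015-01-14 08:02:11,512 - INFO [net.shibboleth.idp.saml.profile] - SAML 1 attribute query via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
2015-02-03 17:45:09,044 - INFO [net.shibboleth.idp.saml.profile] - SAML 1 attribute query via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
2015-06-02 10:10:10,000 - INFO [net.shibboleth.idp.saml.profile] - SSO request via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-06-03 09:00:00,000 - INFO [net.shibboleth.idp.saml.profile] - SSO request via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign from https://old-portal.example.org/shibboleth
2015-06-04 11:30:00,000 - WARN [net.shibboleth.idp.authn] - Login by 'jdoe' failed
""".splitlines()

if __name__ == "__main__":
    for binding, (removable, when, sp) in endpoint_removal_report(SAMPLE_LOG, "2015-06-11").items():
        state = "candidate for removal" if removable else "still in use"
        print(f"{binding}: {state} (last use: {when} by {sp})")
```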

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram)

Options
• Full-featured setup: load balancing hardware vs DNS round robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options bull  Data storage client-side vs server-side  Server-side database can store any data

bull But Might cause some performance penalty bull Centralizedclustered or replicated database required

  Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers

There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution

8

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence.
  – Bound to a single node (session state stored in memory).
  – Requires session stickiness on the load balancer (short-time only).
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on the client).
• Persistent ID
  – Unique opaque identifier for a user per service provider.
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database.
  – Requires that all IdPs access a common storage to fully support Attribute Queries.

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side).
  – Requires server-side storage to allow the users to use multiple browsers/clients.
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  – Seldom used in SWITCHaai.
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration).
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used.

Page 73

Storage Recommendations

  Storage Entity          Recommended Storage   Scope
  Conversation Session    Memory                Per Node
  IdP User Session        Client                Per Client
  Persistent ID           Common Database       Cluster
  User consents           Common Database       Cluster
  SAML artifacts          Common Database       Cluster
  Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes.
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements).

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
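As an added example (not SWITCH or Shibboleth code), a small Python checker that reads the storage service settings from idp.properties and flags those that contradict the recommendations table above. The property keys are the ones listed here and shibboleth.JPAStorageService is the database service named on the slides; the bean names for in-memory and client-side storage (shibboleth.StorageService, shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService) are assumed from the IdP v3 defaults, and the two configurations are constructed.

```python
"""Lint the storage settings in idp.properties against the clustering
recommendations (per-node memory, per-client cookie, common database).

Added example, not SWITCH or Shibboleth code. The property keys are those on
the slide; shibboleth.JPAStorageService is the database-backed service named
on the slides, while shibboleth.StorageService (in-memory) and the two
client-side services are assumed from the IdP v3 defaults. The Persistent ID
store lives in global.xml and is therefore not covered here.
"""
import re

# Kind of storage each service bean provides (bean names assumed, see docstring)
STORAGE_KIND = {
    "shibboleth.StorageService": "memory",                  # per node
    "shibboleth.ClientSessionStorageService": "client",     # cookie, per client
    "shibboleth.ClientPersistentStorageService": "client",  # cookie, per client
    "shibboleth.JPAStorageService": "database",             # common database
}

# Acceptable storage kinds per entity, from the Storage Recommendations table
# (memory is the default for the replay cache; the database is the stricter option)
RECOMMENDED = {
    "idp.session.StorageService": {"client"},
    "idp.consent.StorageService": {"database"},
    "idp.artifact.StorageService": {"database"},
    "idp.replayCache.StorageService": {"memory", "database"},
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_cluster_storage(props):
    """Return (property, configured bean, finding) for each non-conforming setting."""
    findings = []
    for prop, ok_kinds in RECOMMENDED.items():
        bean = props.get(prop)
        if bean is None:
            findings.append((prop, None, "not set; the IdP default applies, verify it"))
            continue
        kind = STORAGE_KIND.get(bean)
        if kind is None:
            findings.append((prop, bean, "unknown storage service bean"))
        elif kind not in ok_kinds:
            hint = {
                "memory": "per-node memory is neither shared nor kept across failover",
                "client": "cookie storage is per browser and too small for this entity",
                "database": "a database is not needed for this entity",
            }[kind]
            findings.append((prop, bean, f"{hint}; recommended: {', '.join(sorted(ok_kinds))}"))
    return findings


# Constructed: a single-node style configuration, everything node-local or in cookies
WEAK = """
idp.session.StorageService = shibboleth.StorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# Constructed: the same settings following the recommendations table
CLUSTERED = """
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("clustered", CLUSTERED)):
        findings = check_cluster_storage(parse_properties(text))
        print(f"{label}: {len(findings)} finding(s)")
        for prop, bean, msg in findings:
            print(f"  {prop} = {bean}: {msg}")
```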

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes.
  – Install an appropriate cronjob.
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited.
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
• Terracotta
  – No longer an option for IdPv3.

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation.
• Know what it takes to enable an IdP for interfederation.
• Understand the concept of Entity Categories.
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales.

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
  – Enable the IdP for interfederation: its users will be able to access services from other federations.
  – Enable the SP for interfederation: the service can serve users from other federations.

Page 79

All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service.
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015:
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

  Friendly name                Defined in   Example
  displayName                  eduPerson    Peter Sample
  common name (cn)             eduPerson    Peter Sample
  mail                         eduPerson    peter.sample@example.org
  eduPersonAffiliation         eduPerson    staff
  eduPersonScopedAffiliation   eduPerson    staff@example.org
  eduPersonPrincipalName       eduPerson    234cd8z239@example.org
  schacHomeOrganization        SCHAC        example.org
  schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (screenshot of the Resource Registry; https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust.
• SPs and IdPs of participating federations should opt-in for eduGAIN.
  – Some federations decided for opt-out instead.
• The MDS fetches, aggregates and republishes metadata.
Policy framework (diagram): eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile.

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories
A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category.
• Requires a specification for international, coherent use:
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (slide 14: diagram)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives.
• The SP has to provide a Privacy Policy (in English, according to the guideline).
• That will encourage the Home Organisation IdP to release attributes; attribute release will scale.
Increase the trust in Service Providers (SPs) (diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                   GÉANT DP CoCo
  Global                       Mainly Europe
  Common purpose of the SPs    Common data protection standards
  Fixed set of attributes      SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (slide 2: screenshot of the Resource Registry)

Page 88

Attribute Release Settings (1) (slide 3: screenshot of Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (slide 4: screenshot)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log; the LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2/. The configuration is defined in the virtual host definition: directory /etc/apache2/sites-available/, file aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties:
  – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP. In services.properties the entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml. 3 main classes: Logger, Appender (output destination) and Layout.
• Default settings are usually ok. Change them if required, i.e.:
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default.

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2
• Find out why not all of the attributes appear.

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat.

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep '<bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai.
• Understand what is different regarding:
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help.

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate.
  – Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation.
  – IdPs and SPs need to opt-out before:
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata.
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  – Opt-out federations integrate all entities into a single metadata file.
• Propagation speed of metadata changes:
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue:
  – The SP does not load interfederation metadata
  – The SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP.
• An SP needs a DS that knows the appropriate set of IdPs.
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems.
  – Check the SP's attribute requirements in the Resource Registry.
  – Verify that attributes were released (in the IdP's audit log).
    • If NO: check your IdP's attribute release policy.
    • If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails.
      – If NO: review your attribute release policy.
• Another issue:
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
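As an added example, not part of the handout, a Python helper for the "were the attributes released?" step above: it reads idp-audit.log records and compares the attributes released to an SP with its requirements from the Resource Registry, returning the branch of the decision tree that applies. The pipe-separated column positions (relying party in column 3, profile in column 4, attribute list in column 9) are an assumption matching the IdP v3 default audit format, so verify them against idp.audit.format in your conf/audit.xml; the log lines and the requirements are constructed.

```python
"""Triage the 'were the attributes released?' question from idp-audit.log.

Added example, not SWITCH or Shibboleth code. COLUMNS is an assumption about
the IdP v3 default audit record layout; adjust it if idp.audit.format on your
IdP differs. The sample log and the SP requirements are constructed.
"""

# Pipe-separated audit record positions (assumption, see module docstring)
COLUMNS = {"timestamp": 0, "relying_party": 3, "profile": 4, "attributes": 9}

# Profile ID of a SAML2 browser SSO transaction
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"

# Constructed idp-audit.log extract: two SSO logins and one reload event
AUDIT_LOG = """\
20150611T081500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|user1|_n1|_a1|_s1|mail,eduPersonPrincipalName,eduPersonScopedAffiliation|
20150611T082000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp.other.example/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|user2|_n2|_a2|_s2|eduPersonTargetedID|
20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""


def parse_audit(text):
    """Yield (timestamp, relying party, profile, attribute IDs) per usable record."""
    needed = max(COLUMNS.values())
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) <= needed:
            continue  # blank line or a record shorter than the assumed layout
        attrs = {a for a in fields[COLUMNS["attributes"]].split(",") if a}
        yield (fields[COLUMNS["timestamp"]], fields[COLUMNS["relying_party"]],
               fields[COLUMNS["profile"]], attrs)


def released_to(text, sp_entity_id):
    """Union of the attribute IDs released to the SP in SSO transactions."""
    released = set()
    for _, rp, profile, attrs in parse_audit(text):
        if rp == sp_entity_id and profile == SSO_PROFILE:
            released |= attrs
    return released


def triage(text, sp_entity_id, required):
    """Follow the decision tree of the slide.

    Returns (verdict, missing): 'no-release' when nothing reached the SP
    (check the IdP's attribute release policy), 'missing' when required
    attributes were withheld (review the policy), 'released' when every
    required attribute was sent (the SP has to investigate on its side).
    """
    released = released_to(text, sp_entity_id)
    if not released:
        return "no-release", set(required)
    missing = set(required) - released
    return ("missing" if missing else "released"), missing


if __name__ == "__main__":
    # Requirements as read from the Resource Registry (constructed values)
    checks = [
        ("https://sp.example.org/shibboleth", {"mail", "eduPersonPrincipalName"}),
        ("https://sp.other.example/shibboleth", {"eduPersonTargetedID", "mail"}),
        ("https://unknown.example/shibboleth", {"mail"}),
    ]
    for sp, required in checks:
        verdict, missing = triage(AUDIT_LOG, sp, required)
        print(f"{sp}: {verdict} {sorted(missing)}")
```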

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest:
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry:
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Advanced Topics
• JAAS authentication as used in v2 is still supported in v3.
  – Supported by the Password login flow. Needs to be activated in /opt/shibboleth-idp/conf/authn/password-authn-config.xml
  – JAAS configuration file (corresponds to login.config): /opt/shibboleth-idp/conf/authn/jaas.config
• JAAS authentication is recommended for:
  – Connecting to multiple LDAP trees with different user bases. Might be done with native LDAP authentication, but requires complex configuration.
  – Connecting to other user directories like RDBMS (using a specific JAAS module).
• See the documentation on the Shibboleth wiki for details.

References / Documentation
• Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration
• Password Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
• Password LDAP Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
• Advanced LDAP Configuration: http://www.ldaptive.org/docs/guide/authentication
• Password JAAS Authentication Configuration: https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration

Page 22

Login Form Customization: Templates and Customization
SWITCHaai Team, aai@switch.ch

Overview
• How to:
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23


Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and CSS).
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat.

Page 25

Spring message properties
• In /opt/shibboleth-idp/messages/ you find:
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• Internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Page 27

Velocity Properties

  <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

(slide 12: screenshot of the rendered login form)

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine.
• Clean separation between the presentation tier and business tiers.
• VTL (Velocity Template Language):
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views/:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required).
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Page 30

Hands On I
• Make the IdP logo disappear for screens smaller than 799 px.

Hands On II
• Return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• define a css class idp_logo:

    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }

• use the class in login.vm:

    <img class="idp_logo" align="right" …

• rebuild and restart tomcat:

    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II

• Edit authn-messages.properties:

    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
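The two-level indirection of authn-messages.properties (classified error → message key → <key>.message text) is what makes Example Solution II work: pointing both UnknownUsername and InvalidPassword at the same key gives the login form one text for both cases, so it no longer reveals whether a username exists. The following is an added example, not code from the IdP or from SWITCH; the properties text it parses is constructed from the solution above plus the untouched defaults.

```python
"""Resolve classified login errors the way authn-messages.properties chains
them: classifier key -> message key -> <message key>.message text.
Added example; the properties text below is constructed, not the IdP's file."""

# Constructed sample: the "Example Solution II" mapping plus untouched defaults.
AUTHN_MESSAGES = """
# Classified Login Error messages
UnknownUsername = bad-credentials
InvalidPassword = bad-credentials
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-credentials.message = The credentials you entered are incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.
"""


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#'/'!' comments, blanks ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def resolve_login_error(props, classified_error):
    """Follow the indirection: classifier -> message key -> text shown on the form.
    Returns None when the classified error is not mapped."""
    message_key = props.get(classified_error)
    if message_key is None:
        return None
    return props.get(message_key + ".message")


def distinguishable_errors(props, errors):
    """Set of distinct texts the listed classified errors produce. A single
    text means someone watching the login form cannot tell the cases apart."""
    return {resolve_login_error(props, e) for e in errors}


if __name__ == "__main__":
    p = parse_properties(AUTHN_MESSAGES)
    for err in ("UnknownUsername", "InvalidPassword", "AccountLocked"):
        print(f"{err:16} -> {resolve_login_error(p, err)}")
    # Both credential errors collapse to one text.
    print(distinguishable_errors(p, ["UnknownUsername", "InvalidPassword"]))
```

Running the script against a copy of your own authn-messages.properties instead of the constructed text is a quick way to confirm the merge took effect after editing the file.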

Page 33

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team
aai@switch.ch

Attribute processing in IdP version 3

1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Page 35

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{myproperty}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>
        shibboleth.PostgreSQLDataSource
      </dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

source: Resource Registry

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in Resource Registry too.

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
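To see how the three processing stages (resolution, filtering, encoding) act on the two hands-on definitions above, here is an added example in plain Python that models them with deliberately simplified semantics; it is not Shibboleth code. The LDAP entry, the second requester and the common-lib-terms value are constructed; the eduPersonEntitlement OID is the standard eduPerson one, and the uzhSAPUserId OID is carried over as printed in the handout.

```python
"""Resolution -> filtering -> encoding, the three attribute processing stages
of IdP v3, modelled on the two hands-on exercises. Added example, not
Shibboleth code; semantics are simplified and the data is constructed."""

# Constructed LDAP record standing in for the myLDAP data connector.
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["person", "inetOrgPerson", "swissEduPerson"],
}

# Constructed value, as if produced by the original common-lib-terms definition.
COMMON_LIB_TERMS = ["urn:mace:dir:entitlement:common-lib-terms"]


def template_attribute(template, source_id, source_values):
    """ad:Template: expand ${source} once per source value (multi-valued in and out)."""
    return [template.replace("${" + source_id + "}", v) for v in source_values]


def resolve(entry):
    """Resolution stage: the attribute set the two hands-on definitions yield."""
    resolved = {}
    # Hands-on 1: uzhSAPUserId = SAP-${uid}
    resolved["uzhSAPUserId"] = template_attribute("SAP-${uid}", "uid", entry["uid"])
    # Hands-on 2: dependencyOnly intermediate, merged into eduPersonEntitlement
    groups = template_attribute("https://example.org/groups/${objectClass}",
                                "objectClass", entry["objectClass"])
    resolved["eduPersonEntitlement"] = COMMON_LIB_TERMS + groups
    return resolved


# Filter policies: requester entityID -> attributes permitted (basic:ANY values).
FILTER_POLICIES = {
    "https://attribute-viewer.aai.switch.ch/shibboleth": {"uzhSAPUserId", "eduPersonEntitlement"},
    "https://sp.example.org/shibboleth": {"eduPersonEntitlement"},   # constructed
}


def filter_attributes(resolved, requester):
    """Filtering stage: release only what a policy for this requester permits.
    Default deny: a requester without a policy gets nothing."""
    permitted = FILTER_POLICIES.get(requester, set())
    return {k: v for k, v in resolved.items() if k in permitted}


# SAML2 encoders: internal id -> (Name, FriendlyName).
SAML2_ENCODERS = {
    "uzhSAPUserId": ("urn:oid:1361411181711213", "uzhSAPUserId"),
    "eduPersonEntitlement": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "eduPersonEntitlement"),
}


def encode_saml2(released):
    """Encoding stage: map internal attribute ids to SAML2 Name/FriendlyName."""
    out = []
    for attr_id, values in released.items():
        name, friendly = SAML2_ENCODERS[attr_id]
        out.append({"Name": name, "FriendlyName": friendly, "values": list(values)})
    return out


def process(entry, requester):
    """Run all three stages for one requester."""
    return encode_saml2(filter_attributes(resolve(entry), requester))


if __name__ == "__main__":
    for rp in ("https://attribute-viewer.aai.switch.ch/shibboleth",
               "https://sp.example.org/shibboleth",
               "https://unknown.example.net/shibboleth"):
        print(rp, "->", process(LDAP_ENTRY, rp))
```

The point to take from the run is the default-deny behaviour of the filter stage: a resolved attribute reaches an SP only if some policy explicitly permits it, which is why the hands-on needs the attribute-filter-local.xml policy and not just the resolver definition.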

Page 40

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs
Configuration changes and database migration

SWITCHaai Team
aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice

• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
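The computation sketched in the bullets above, carried through end to end as an added example (not IdP code): the SHA-1 over SP entity ID, source attribute value and salt, the Base64 form, the <NameID> as it appears in an assertion, and the IdP!SP!value string the SP exposes. The "!" separators and their order are this example's assumption about the Shibboleth computed-ID strategy; the entity IDs, the user value and the salt are constructed.

```python
"""Computed persistent ID: SHA-1 over SP entityID, source attribute value and
salt, Base64 encoded, plus its qualified forms on the wire and in the SP.
Added example, not IdP code; the '!' separators are an assumption and all
values are constructed."""

import base64
import hashlib
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML2_NS)


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1(spEntityID '!' sourceValue '!' salt) -> 20 bytes -> Base64 (28 chars).
    Separator and ordering are this example's assumption."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def sp_attribute_string(idp_entity_id, sp_entity_id, persistent_id):
    """The string form the Shibboleth SP exposes: IdP!SP!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def name_id_element(idp_entity_id, sp_entity_id, persistent_id):
    """Serialise the <NameID> as it appears inside an assertion."""
    el = ET.Element(f"{{{SAML2_NS}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
    })
    el.text = persistent_id
    return ET.tostring(el, encoding="unicode")


def parse_name_id(xml_text):
    """Read a <NameID> back: (Format, NameQualifier, SPNameQualifier, value)."""
    el = ET.fromstring(xml_text)
    return (el.get("Format"), el.get("NameQualifier"), el.get("SPNameQualifier"), el.text)


# Constructed values; the salt is a placeholder, not a deployment's secret.
IDP = "https://aai-login.example.org/idp/shibboleth"
SP = "https://sp.example.org/shibboleth"
SALT = "constructed-salt-placeholder"

if __name__ == "__main__":
    pid = computed_persistent_id(SP, "123456@example.org", SALT)
    print(name_id_element(IDP, SP, pid))
    print(sp_attribute_string(IDP, SP, pid))
    # Same user, different SP: a different value, so SPs cannot correlate users.
    print(computed_persistent_id("https://other.example.net/shibboleth",
                                 "123456@example.org", SALT))
```

Two properties worth observing in the output are the ones the SAML 2.0 quote above asks for: the value is stable for one user at one SP, and it changes completely for another SP or another salt, which is also why the salt carried over from the v2 configuration must stay the same if existing IDs are to survive the migration.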

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent
Transparency for attribute release

SWITCHaai Team
aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example: conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
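The white list, black list and pattern bullets above describe a selection rule, and the display-order bullets an ordering rule; here both are written out as an added example (not IdP code) over a constructed set of released attributes. The rules are this example's reading of the handout: the black list always excludes, and a non-empty white list or a pattern makes the prompt inclusive (only listed or matching attributes are asked about, everything else is released without asking).

```python
"""Which attributes the attribute-release consent page asks about, and in
what order. Added example, not IdP code; the selection rules are this
example's reading of the handout and the released attribute set is constructed."""

import re

# Constructed set of attributes resolved for one SP, black-listed ids included.
RELEASED = ["eduPersonTargetedID", "sn", "mail", "persistentId",
            "givenName", "transientId", "eduPersonAffiliation"]

DEFAULT_BLACKLIST = ("transientId", "persistentId", "eduPersonTargetedID")


def split_for_consent(attribute_ids, whitelist=(), blacklist=DEFAULT_BLACKLIST,
                      pattern=None):
    """Return (prompted, silent): attributes shown on the consent page, and
    attributes released without asking.

    - black list: never prompted
    - empty white list and no pattern: prompt for everything else
    - white list or pattern given: prompt only for listed or matching ids,
      anything else is released without asking
    """
    regex = re.compile(pattern) if pattern else None
    prompted, silent = [], []
    for attr in attribute_ids:
        if attr in blacklist:
            silent.append(attr)
        elif not whitelist and regex is None:
            prompted.append(attr)
        elif attr in whitelist or (regex is not None and regex.search(attr)):
            prompted.append(attr)
        else:
            silent.append(attr)
    return prompted, silent


def display_order(prompted, whitelist=()):
    """White-listed attributes first (in list order), the rest alphabetically."""
    first = [a for a in whitelist if a in prompted]
    rest = sorted(a for a in prompted if a not in whitelist)
    return first + rest


if __name__ == "__main__":
    p, s = split_for_consent(RELEASED)
    print("defaults     prompted:", display_order(p), "silent:", s)
    wl = ["mail", "givenName"]
    p, s = split_for_consent(RELEASED, whitelist=wl)
    print("white list   prompted:", display_order(p, wl), "silent:", s)
    p, s = split_for_consent(RELEASED, whitelist=wl, pattern="^.*$")
    print("wl + ^.*$    prompted:", display_order(p, wl), "silent:", s)
```

The second run is the case to watch when introducing a white list: everything not on it is released silently, so a white list that is meant only to steer the display order needs the catch-all pattern (third run) to keep the other attributes on the consent page.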

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
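The two key beans above are just Guava function compositions; modelling them in Python makes it easy to check what key each SP ends up with and how that key is then resolved through consent-messages.properties. This is an added example, not IdP or Guava code; the request context, the second entity ID and the message texts are constructed.

```python
"""The Guava Functions wiring of the terms-of-use key bean, modelled in
Python: forMap(map, defaultValue) composed with the relying party id lookup,
and the constant(...) replacement from the hands-on. Added example, not IdP
code; request context, entity IDs and message texts are constructed."""


def for_map(mapping, default_value):
    """Functions.forMap(map, defaultValue): look the key up, else the default."""
    return lambda key: mapping.get(key, default_value)


def compose(g, f):
    """Functions.compose(g, f): x -> g(f(x))."""
    return lambda x: g(f(x))


def constant(value):
    """Functions.constant(value): ignore the input, always return value."""
    return lambda _ctx: value


def relying_party_id_lookup(ctx):
    """Stands in for shibboleth.RelyingPartyIdLookup.Simple: the requester's entityID."""
    return ctx["relyingPartyId"]


# Equivalent of the provided (disabled) bean: per-SP mapping with a default key.
per_sp_key = compose(
    for_map({"https://sp.example.org/shibboleth": "example-terms"}, "terms-of-use"),
    relying_party_id_lookup,
)

# Equivalent of the hands-on bean: one key for every SP.
single_key = constant("my-terms")

# Constructed consent-messages.properties content, as key/value pairs.
CONSENT_MESSAGES = {
    "my-terms": "bogus-tou",
    "bogus-tou.title": "Bogus Terms of Use",
    "bogus-tou.text": "You can do anything you want",
    "example-terms": "example-tou-1",
    "example-tou-1.title": "Example Terms of Use",
    "example-tou-1.text": "<em>This is an example ToU</em>",
    "terms-of-use": "default-tou",
    "default-tou.title": "Default Terms of Use",
    "default-tou.text": "Applies to every SP without specific terms",
}


def terms_of_use(ctx, key_fn, messages=CONSENT_MESSAGES):
    """Key function -> message key -> ToU id -> title/text.
    Returns None when the key has no entry in the messages."""
    key = key_fn(ctx)
    tou_id = messages.get(key)
    if tou_id is None:
        return None
    return {"key": key, "title": messages[tou_id + ".title"],
            "text": messages[tou_id + ".text"]}


if __name__ == "__main__":
    for rp in ("https://sp.example.org/shibboleth", "https://other.example.net/shibboleth"):
        ctx = {"relyingPartyId": rp}
        print(rp, "->", terms_of_use(ctx, per_sp_key)["title"],
              "|", terms_of_use(ctx, single_key)["title"])
```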

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
              Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
              Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
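What the override above does at runtime is read the <EntityAttributes> extension of the SP's metadata and, with first-match-wins ordering, pick the override whose tag candidates match. The following added example (not IdP code) parses a constructed EntityDescriptor of the same shape as the one above and evaluates a constructed override list against it; the matching semantics are simplified (a candidate matches when the entity carries the named attribute with at least one of the listed values, and an override matches when any of its candidates does), which is this example's assumption rather than a statement about RelyingPartyByTag.

```python
"""Relying party override by metadata tag: read <mdattr:EntityAttributes>
from an SP's metadata and pick the first override whose candidates match.
Added example, not IdP code; matching semantics are simplified and the
metadata and override list are constructed."""

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed metadata (same shape as the handout's example, different values).
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
          Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} from the EntityAttributes extension."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def tag_candidate_matches(attrs, name, values):
    """Simplified TagCandidate: attribute `name` present with one of `values`."""
    return bool(set(attrs.get(name, [])) & set(values))


# Constructed override list; order matters, first match wins.
OVERRIDES = [
    {"id": "shibboleth.NoUserConsentRelyingParty",
     "candidates": [(HOME_ORG_OID, ["example.org"])],
     "postAuthenticationFlows": []},
    {"id": "shibboleth.CoCoRelyingParty",
     "candidates": [(ENTITY_CATEGORY, [COCO_V1])],
     "postAuthenticationFlows": ["attribute-release"]},
]

DEFAULT = {"id": "shibboleth.DefaultRelyingParty",
           "postAuthenticationFlows": ["attribute-release"]}


def select_relying_party(metadata_xml, overrides=OVERRIDES, default=DEFAULT):
    """First override with a matching candidate wins; otherwise the default."""
    attrs = entity_attributes(metadata_xml)
    for ov in overrides:
        if any(tag_candidate_matches(attrs, n, v) for n, v in ov["candidates"]):
            return ov
    return default


if __name__ == "__main__":
    chosen = select_relying_party(METADATA)
    print(chosen["id"], "flows:", chosen["postAuthenticationFlows"])
```

Because the consent decision here hangs entirely on attribute values inside SP metadata, the override is only as trustworthy as the metadata source: it should apply to metadata the federation operator signs and publishes, not to metadata an SP supplies itself.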

Page 58

SWITCHaai Team
aai@switch.ch

Upgrades within Version 3
It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team
aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata!

Page 62

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore, no metadata/Resource Registry change needed in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

[screenshot of the Home Organisation Description form in the Resource Registry; 1, 2: to review; 3: to adapt]

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings
  – Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
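The grep above tells you whether the binding URI occurs at all; before removing an endpoint you usually also want to know which SPs used it and when they last did, so that a single recent use from a still-active SP is not missed. The following added example (not IdP code or SWITCH tooling) does that over constructed lines written in the style of idp-process.log; the message wording and the field layout after the timestamp are an assumption, so the regular expression has to be adapted to what your own log actually contains.

```python
"""Scan idp-process log lines for a SAML binding URI and report, per relying
party, how often and when it was last used, so an endpoint is removed only
once its last use is confirmed to be old enough. Added example, not IdP
code; the log lines are constructed, not real IdP output."""

import re

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed lines in the style of idp-process.log (message wording assumed).
LOG_LINES = """\
2015-03-02 08:14:51,102 - INFO [net.shibboleth.idp.saml.profile:-2] - Inbound message: binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.org/shibboleth
2015-03-02 08:15:03,440 - INFO [net.shibboleth.idp.saml.profile:-2] - Inbound message: binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth
2015-05-20 17:02:11,019 - INFO [net.shibboleth.idp.saml.profile:-2] - Inbound message: binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.org/shibboleth
2015-06-01 12:00:00,000 - WARN [net.shibboleth.idp.saml.profile:-2] - line without the fields this scanner expects
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"binding (?P<binding>\S+), relying party (?P<rp>\S+)$"
)


def binding_usage(lines, binding):
    """Return {relying party: (count, last_used)} for lines using `binding`.
    Timestamps stay 'YYYY-MM-DD HH:MM:SS' strings, which order chronologically
    when compared as plain strings."""
    usage = {}
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("binding") != binding:
            continue
        rp, ts = m.group("rp"), m.group("ts")
        count, last = usage.get(rp, (0, ""))
        usage[rp] = (count + 1, max(last, ts))
    return usage


def safe_to_remove(lines, binding, not_used_since):
    """True when no relying party used the binding on or after
    `not_used_since` ('YYYY-MM-DD'); a binding never seen is trivially safe."""
    return all(last < not_used_since
               for _, last in binding_usage(lines, binding).values())


if __name__ == "__main__":
    for rp, (count, last) in binding_usage(LOG_LINES, SAML1_SOAP).items():
        print(f"{rp}: {count} use(s), last {last}")
    print("safe to remove since 2015-06-01:", safe_to_remove(LOG_LINES, SAML1_SOAP, "2015-06-01"))
```

Feed it the concatenated contents of the rotated idp-process files (the same set the grep above looks at) and keep the reported SPs for the Resource Registry change: they are the ones to contact before the endpoint disappears from metadata.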

Page 68

SWITCHaai Team
aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment

[diagram of the example environment, two slides]

Page 71

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment, the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifact
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements, the message replay cache can be managed in the central database or memcached might be used

Page 73

Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

copy 2015 SWITCH

References Documentation bull  Clustering

httpswikishibbolethnetconfluencedisplayIDP30Clustering bull  Secret Key Management

httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull  Storage

httpswikishibbolethnetconfluencedisplayIDP30Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation.
  – Enable the IdP for interfederation: its users will be able to access services from other federations.
  – Enable the SP for interfederation: the service can serve users from other federations.

Page 79

All Academic Identity Federations Globally
(map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: IdPs: 1257, SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                    | Defined in | Example
displayName                                      | eduPerson  | Peter Sample
common name (cn)                                 | eduPerson  | Peter Sample
mail                                             | eduPerson  | peter.sample@example.org
eduPersonAffiliation, eduPersonScopedAffiliation | eduPerson  | staff, staff@example.org
eduPersonPrincipalName                           | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                            | SCHAC      | example.org
schacHomeOrganizationType                        | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID         | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram of the eduGAIN document structure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
(figure: entity category in metadata)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct, Home Organisations (HO) learn the SP's commitment; goal: increase the trust in Service Providers (SPs))
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                | GÉANT DP CoCo
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles:
  – error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok
• Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2
• Find out why not all of the attributes appear.

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    · If YES: the SP has to check out why it fails
    · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Login Form Customization: Templates and Customization

SWITCHaai Team, aai@switch.ch

Overview
• How to
  – Customize look and feel
  – Customize messages/languages
  – Add text to your login site

Page 23

Page 24

Layout
• Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat.

Page 25

Spring message properties
• in /opt/shibboleth-idp/messages/ you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Page 27

Velocity Properties

  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText('idp.login.forgotPassword', 'Forgot your password?')</a>

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views/
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Page 30

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:
    @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}" queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
      shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer:
  UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urnoid1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml
New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry, too.
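To see what the filter policy above actually decides, here is an added example (not SWITCH or Shibboleth code) that parses the hands-on policy and reports which resolved attributes it releases to a given requester; the AttributeFilterPolicyGroup root wrapper, the namespace declarations and the user's attribute values are assumptions constructed for the example.

```python
"""Evaluate an IdP attribute filter policy the way the hands-on solution intends.

Added example, not SWITCH or Shibboleth project code: a small evaluator for
the legacy afp: filter syntax that answers "which of the resolved attributes
does this policy file release to a given requester?". It supports the rule
types the hands-on uses (basic:AttributeRequesterString, basic:ANY) plus
basic:AND / basic:OR / basic:NOT, and refuses anything else. FILTER_XML is
the slide's policy wrapped in a constructed AttributeFilterPolicyGroup root.
"""
import io
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed input: the slide's policy plus the root element it lives in.
FILTER_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<afp:AttributeFilterPolicyGroup id="local" xmlns:afp="{AFP}"
    xmlns:basic="{BASIC}" xmlns:xsi="{XSI}">
  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def parse_policy_group(xml_text):
    """Parse the file and also collect the prefix->namespace declarations,
    which are needed to interpret the prefixed xsi:type attribute values."""
    prefixes, root = {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, prefixes


def _rule_type(rule, prefixes):
    """Return the local name of a basic: rule type; fail on unknown types."""
    qualified = rule.get(f"{{{XSI}}}type", "")
    prefix, _, local = qualified.partition(":")
    if prefixes.get(prefix) != BASIC:
        raise NotImplementedError(f"unsupported rule type {qualified!r}")
    return local


def rule_matches(rule, requester, prefixes):
    """Evaluate a PolicyRequirementRule, PermitValueRule or nested basic:Rule."""
    kind = _rule_type(rule, prefixes)
    children = rule.findall(f"{{{BASIC}}}Rule")
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        expected = rule.get("value", "")
        if rule.get("ignoreCase", "false").lower() == "true":
            return expected.lower() == requester.lower()
        return expected == requester          # exact match on the entityID
    if kind == "AND":
        return all(rule_matches(c, requester, prefixes) for c in children)
    if kind == "OR":
        return any(rule_matches(c, requester, prefixes) for c in children)
    if kind == "NOT":
        return not rule_matches(children[0], requester, prefixes)
    raise NotImplementedError(f"unsupported rule type basic:{kind}")


def permitted_attributes(root, prefixes, requester, resolved):
    """Return {attributeID: values} released to `requester` out of `resolved`
    ({attributeID: [values]}). Attributes no policy permits are withheld."""
    released = {}
    for policy in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        requirement = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if requirement is None or not rule_matches(requirement, requester, prefixes):
            continue
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            attr_id = attr_rule.get("attributeID")
            permit = attr_rule.find(f"{{{AFP}}}PermitValueRule")
            if attr_id not in resolved or permit is None:
                continue
            # basic:ANY lets every value through; value-level rule types are
            # outside this example and raise NotImplementedError above.
            if rule_matches(permit, requester, prefixes):
                released[attr_id] = list(resolved[attr_id])
    return released


if __name__ == "__main__":
    root, prefixes = parse_policy_group(FILTER_XML)
    # Constructed resolved attributes for one user.
    user = {"uzhSAPUserId": ["SAP-jdoe"], "mail": ["jdoe@example.org"]}
    for sp in ("https://attribute-viewer.aai.switch.ch/shibboleth",
               "https://sp.example.org/shibboleth"):
        print(sp, "->", permitted_attributes(root, prefixes, sp, user))
```

The requester comparison is exact unless ignoreCase is set, so the attribute viewer's entityID must be copied verbatim into the policy; mail is withheld from both requesters because this file contains no rule for it.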

Page 38

Hands-on 1 solution: services.xml
Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: “Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject’s actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject’s identity or activities.”
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP’s entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
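As an added illustration (not from the SWITCH handout), the following Python reproduces the default computation described above and shows why the same salt has to be carried over from v2 to v3. The “!” separators between the three hashed inputs and the SP’s “NameQualifier!SPNameQualifier!value” rendering are assumed here as the Shibboleth conventions; the source attribute value and the salt are constructed.

```python
import base64
import hashlib

# Constructed sample inputs. The entity IDs are the ones used on the slide;
# the source attribute value and the salt are made up for this illustration.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"          # e.g. a swissEduPersonUniqueID (constructed)
SALT = "constructed-salt-do-not-reuse-0123"  # placeholder only


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Default computation: Base64(SHA-1(spEntityID + '!' + sourceValue + '!' + salt)).

    The '!' separators are assumed here as the IdP's ComputedId convention;
    the slide itself only names the three inputs and the hash function.
    """
    data = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    digest = hashlib.sha1(data).digest()              # 20 raw bytes
    return base64.b64encode(digest).decode("ascii")   # 28 characters, one '=' of padding


def sp_attribute_string(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The string form the Shibboleth SP exposes to applications
    (assumed '!'-joined form: NameQualifier!SPNameQualifier!value)."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The <NameID> element as it appears in the assertion's <Subject>."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{persistent_id}</NameID>"
    )


def is_well_formed_computed_id(value: str) -> bool:
    """True if value Base64-decodes to exactly the 20 bytes of a SHA-1 digest.
    A cheap sanity check for rows imported into the shibpid table."""
    try:
        return len(base64.b64decode(value, validate=True)) == 20
    except (ValueError, TypeError):
        return False


def migration_properties() -> dict:
    """Properties the v3 setup must preserve to reproduce the v2 identifiers:
    same inputs give the same ID, each SP gets its own ID, a new salt changes everything."""
    same = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    changed_salt = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT + "x")
    other_sp = computed_persistent_id(OTHER_SP_ENTITY_ID, SOURCE_VALUE, SALT)
    return {
        "deterministic": same == computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT),
        "pairwise": same != other_sp,            # each SP sees a different pseudonym
        "salt_sensitive": same != changed_salt,  # a new salt breaks every existing SP account
    }


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_attribute_string(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(migration_properties())
```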

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of “special-purpose” attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• “transferring” the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and “recreate” it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What’s in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose “I don’t care about my privacy”
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP: default mapping using the entityID:
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]

Other mapping configurable, but the key is still the entityID (default value available).

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override

Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                        c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It’s easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won’t be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch/

Home Organisation Description (screenshot of the Resource Registry form, annotated: items 1 and 2 “To review”, item 3 “To adapt”)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information at https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings
  – Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP’s metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP’s public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it’s better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
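The check described above, as an added example that is not part of the SWITCH handout: the script scans idp-process log lines for a binding URI and reports, per SP, when it was last seen, so an endpoint is only dropped from the Resource Registry once nothing has used it within the chosen window. The four log lines are constructed; only the leading timestamp, the binding URI and the first https URL (assumed to be the SP entity ID) in a line are relied on, so the message wording on a real IdP will differ.

```python
import re
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, Iterable

SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Constructed sample lines in the shape of idp-process.log entries (timestamp
# first). The message wording is made up for this example; real messages
# differ, only the timestamp, the binding URI and the SP entity ID are used.
SAMPLE_LOG_LINES = [
    "2015-01-14 08:02:11,532 - INFO [net.shibboleth.idp.profile:77] - "
    "Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding "
    "for relying party https://legacy-sp.example.org/shibboleth",
    "2015-03-02 17:45:09,104 - INFO [net.shibboleth.idp.profile:77] - "
    "Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST "
    "for relying party https://sp.example.org/shibboleth",
    "2015-05-20 12:30:00,001 - INFO [net.shibboleth.idp.profile:77] - "
    "Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding "
    "for relying party https://legacy-sp.example.org/shibboleth",
    "2015-05-21 09:00:00,000 - INFO [net.shibboleth.idp.profile:77] - "
    "Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding "
    "for relying party https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth",
]

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Assumption: the SP's entity ID is the first http(s) URL in the line; the
# binding itself is a urn: and therefore never matches this pattern.
ENTITY_ID_RE = re.compile(r"https?://[^\s\"'<>]+")


def last_use_per_sp(lines: Iterable[str], binding: str) -> Dict[str, datetime]:
    """Map each SP entity ID to the latest timestamp at which it used `binding`."""
    seen: Dict[str, datetime] = {}
    for line in lines:
        if binding not in line:
            continue
        ts = TIMESTAMP_RE.match(line)
        urls = ENTITY_ID_RE.findall(line)
        if not ts or not urls:
            continue  # stack trace or continuation line: skip rather than guess
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        sp = urls[0]
        if sp not in seen or when > seen[sp]:
            seen[sp] = when
    return seen


def last_use_report(lines: Iterable[str], binding: str) -> Dict[str, str]:
    """Same as last_use_per_sp, with timestamps as 'YYYY-MM-DD HH:MM:SS' strings."""
    return {sp: when.strftime("%Y-%m-%d %H:%M:%S")
            for sp, when in last_use_per_sp(lines, binding).items()}


def safe_to_remove(lines: Iterable[str], binding: str, today: str, months: int = 3) -> bool:
    """True if no SP used `binding` within the last `months` months before `today` (YYYY-MM-DD).
    An unused binding (no matching lines at all) is trivially safe to remove."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=30 * months)
    return all(when < cutoff for when in last_use_per_sp(lines, binding).values())


def scan_log_dir(log_dir: str, binding: str, pattern: str = "idp-process-2015-*.log") -> Dict[str, str]:
    """Run the report over real log files, e.g.
    scan_log_dir('/opt/shibboleth-idp/logs', SAML1_SOAP_BINDING)."""
    def lines():
        for path in sorted(Path(log_dir).glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield from fh
    return last_use_report(lines(), binding)


if __name__ == "__main__":
    for sp, when in sorted(last_use_report(SAMPLE_LOG_LINES, SAML1_SOAP_BINDING).items()):
        print(f"{when}  {sp}")
    print("safe to remove SAML1 SOAP binding on 2015-06-11:",
          safe_to_remove(SAMPLE_LOG_LINES, SAML1_SOAP_BINDING, "2015-06-11"))
```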

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially: user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (two architecture diagrams, not reproduced in the handout text)

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn’t work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn’t work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It’s recommended that one node generates a new key and copies it to the other nodes
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That’s time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (world map; legend: Production, Pilot; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015:
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org/
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                    | Defined in | Example
-------------------------------------------------|------------|----------------------------------------------------------------
displayName                                      | eduPerson  | Peter Sample
common name (cn)                                 | eduPerson  | Peter Sample
mail                                             | eduPerson  | peter.sample@example.org
eduPersonAffiliation, eduPersonScopedAffiliation | eduPerson  | staff, staff@example.org
eduPersonPrincipalName                           | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                            | SCHAC      | example.org
schacHomeOrganizationType                        | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID         | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN document set: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram, not reproduced in the handout text)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP’s commitment)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct

• Principles:
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

copy 2015 SWITCH

REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                | GÉANT DP CoCo
  --------------------------+---------------------------------
  Global                    | Mainly Europe
  Common purpose of the SPs | Common data protection standards
  Fixed set of attributes   | SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

• Logfiles:
  • error.log: /var/log/apache2/aai-login.example.org.error.log
    LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition:
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback (Log4j successor); manual:
  http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change it if required, e.g.:
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
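Reload events are worth watching, because an unexpected service or metadata reload is a configuration change on a production IdP. The following added example (not part of the SWITCH slides or of the IdP) picks the reload records out of idp-audit.log lines like the ones quoted above. The audit column layout is configurable, so the parser does not hard-code positions: it looks for the field carrying a shibboleth.net profile URI. The sample records are constructed for this example; the assumption that the event time is the first field matches the default audit layout but should be checked against your own log.

```python
"""Classify reload events in a Shibboleth IdP v3 audit log (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"

# Profile URIs of the two admin flows named on the slide.
RELOAD_PROFILES = {
    PROFILE_PREFIX + "reload-service-configuration": "service reload",
    PROFILE_PREFIX + "reload-metadata": "metadata reload",
}

# Constructed sample records; the field count is arbitrary, only the
# profile field (and the leading timestamp) matter to this parser.
SAMPLE_AUDIT_LOG = """\
20150611T091502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T091530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T091602Z||||http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sp.example.org/shibboleth|||||||
20150611T091700Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def profile_of(record: str) -> Optional[str]:
    """Return the profile URI of one audit record, or None if it has none."""
    for field in record.split("|"):
        if field.startswith(PROFILE_PREFIX):
            return field
    return None


def reload_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, kind) for every record that is a reload event.

    Assumption: the event time is the first '|'-separated field, as in the
    default audit layout; adjust the index if your layout differs.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        kind = RELOAD_PROFILES.get(profile_of(line) or "")
        if kind:
            events.append((line.split("|", 1)[0], kind))
    return events


def reload_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Count reload events per kind; a natural input for an alert threshold."""
    return dict(Counter(kind for _, kind in reload_events(lines)))


if __name__ == "__main__":
    for timestamp, kind in reload_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(timestamp, kind)
    print(reload_counts(SAMPLE_AUDIT_LOG.splitlines()))
```

Note that, as the slide points out, the audit record itself does not carry the id= argument; the parser therefore only tells you that a reload happened and of which kind.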

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before:
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
• SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
• Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes:
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue:
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue:
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp/ (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Spring message properties

• in /opt/shibboleth-idp/messages/ you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the Velocity templates.
• internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

In /opt/shibboleth-idp/messages/error-messages.properties:

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

authn-messages.properties

In /opt/shibboleth-idp/messages/authn-messages.properties:

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties (continued)

In /opt/shibboleth-idp/messages/authn-messages.properties:

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Velocity Properties

  <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language):
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views/
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

  ## the service name comes from the SP's metadata, so HTML-encode it before rendering
  #set ($name = $rpUIContext.serviceName)
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Hands On I

• make the IdP logo disappear for screens smaller than 799 px

Hands On II

• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III

• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I

• define a CSS class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II

• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3:
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{my.property}
  • Move passwords in a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed:
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
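To see what the two hands-on solutions (the uzhSAPUserId template and the eduPersonEntitlement.groups template merged into eduPersonEntitlement) produce for a concrete directory entry, here is an added example that is not code from the SWITCH slides or from the IdP. It models the semantics of an ad:Template definition (one generated value per value of the source attribute), an ad:Simple definition that merges its dependencies, and the hands-on 1 filter policy (an AttributeRequesterString rule with a basic:ANY permit rule). The LDAP entry and the second requester entity ID are constructed sample data.

```python
"""Model of the attribute-resolver building blocks used in hands-on 1 and 2
(added example, not IdP code)."""
from typing import Dict, List, Mapping

Attributes = Dict[str, List[str]]

# Constructed LDAP entry, standing in for what the myLDAP data connector returns.
SAMPLE_LDAP_ENTRY: Attributes = {
    "uid": ["jdoe"],
    "objectClass": ["person", "inetOrgPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}

ATTRIBUTE_VIEWER = "https://attribute-viewer.aai.switch.ch/shibboleth"


def template_attribute(template: str, source_attribute: str,
                       resolved: Mapping[str, List[str]]) -> List[str]:
    """ad:Template: expand ${source} once per value of the source attribute.

    A source attribute with no values yields no values, as an empty LDAP
    attribute would in the IdP.
    """
    placeholder = "${" + source_attribute + "}"
    return [template.replace(placeholder, value)
            for value in resolved.get(source_attribute, [])]


def resolve(entry: Mapping[str, List[str]]) -> Attributes:
    """Run the two hands-on definitions over one LDAP entry."""
    resolved: Attributes = {name: list(values) for name, values in entry.items()}

    # Hands-on 1: <ad:Template>SAP-${uid}</ad:Template>
    resolved["uzhSAPUserId"] = template_attribute("SAP-${uid}", "uid", resolved)

    # Hands-on 2: dependencyOnly="true" template over objectClass, then merged
    # into the ad:Simple eduPersonEntitlement together with common-lib-terms.
    resolved["eduPersonEntitlement.groups"] = template_attribute(
        "https://example.org/groups/${objectClass}", "objectClass", resolved)
    resolved["eduPersonEntitlement"] = (
        resolved.get("eduPersonEntitlement.common-lib-terms", [])
        + resolved["eduPersonEntitlement.groups"])
    return resolved


# Filter policies: requester entity ID -> attribute IDs permitted (basic:ANY).
# Only the hands-on 1 policy is modelled; the dependency-only
# eduPersonEntitlement.groups attribute is never listed, so it is never
# released on its own.  Release of eduPersonEntitlement itself is governed by
# the existing SWITCHaai filter and is not modelled here.
FILTER_POLICIES: Dict[str, List[str]] = {
    ATTRIBUTE_VIEWER: ["uzhSAPUserId"],
}


def filter_for_requester(requester: str, resolved: Mapping[str, List[str]]) -> Attributes:
    """afp: release only what a policy for this exact requester permits."""
    permitted = FILTER_POLICIES.get(requester, [])
    return {name: list(resolved[name]) for name in permitted if resolved.get(name)}


if __name__ == "__main__":
    attrs = resolve(SAMPLE_LDAP_ENTRY)
    print(attrs["eduPersonEntitlement"])
    print(filter_for_requester(ATTRIBUTE_VIEWER, attrs))
    print(filter_for_requester("https://other-sp.example.org/shibboleth", attrs))
```

Running it shows the multi-valued expansion of the hands-on 2 template (one entitlement per objectClass value) and that the attribute viewer receives uzhSAPUserId while any other requester receives nothing from this policy.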

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
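The construction described on this slide is what makes the identifier a pair-wise pseudonym: the same user gets a different value at every SP, and without the salt nobody holding a value can test guesses for the underlying attribute. The following added example (not code from SWITCH or from the Shibboleth IdP) computes such an ID and checks those two properties. The separator and ordering (SP entity ID, "!", source value, "!", salt) follow the convention of the IdP's computed-ID strategy as the author understands it; treat that as an assumption and compare the output against a record from your own shibpid table. All input values are constructed.

```python
"""Computed persistent ID: SHA-1 over SP entity ID, user attribute and salt
(added example, not IdP code)."""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"          # constructed swissEduPersonUniqueID
SALT = b"constructed-demo-salt-do-not-use"    # stands in for idp.persistentId.salt


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt; Base64 output.

    Assumption: "!" separators between the three inputs, as in the IdP's
    computed-ID strategy; verify against your own data.
    """
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    return base64.b64encode(md.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str,
                            source_value: str, salt: bytes) -> str:
    """The string form the Shibboleth SP renders: IdP!SP!value."""
    return "!".join([idp_entity_id, sp_entity_id,
                     computed_persistent_id(sp_entity_id, source_value, salt)])


def is_well_formed(persistent_id: str) -> bool:
    """A 20-byte digest is exactly 28 Base64 characters ending in one '=' pad."""
    try:
        raw = base64.b64decode(persistent_id, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 20 and len(persistent_id) == 28


def pairwise(source_value: str, salt: bytes, *sps: str) -> bool:
    """True when every SP sees a distinct value for the same user."""
    ids = {computed_persistent_id(sp, source_value, salt) for sp in sps}
    return len(ids) == len(sps)


if __name__ == "__main__":
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_A, SOURCE_VALUE, SALT))
    print("pair-wise:", pairwise(SOURCE_VALUE, SALT, SP_A, SP_B))
```

The salt is the one secret in this construction; it has to be kept out of logs and version control and carried over unchanged when migrating the IdP, otherwise every previously issued persistent ID changes.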

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration: Configured by Java properties in conf/idp.properties

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except that attributes in the white list show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties

Terms for each SP:
• Default mapping using the entityID:

  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes:

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>
                    http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: Disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

Page 58

SWITCHaai Team aai@switch.ch

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 Metadata!

Page 62

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

(Screenshot of the Resource Registry form; annotated: 1, 2: to review; 3: to adapt)

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: Add new IP ranges and Domain Hints
• 5. Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns the information (i.e. time, SP) when the binding was used the last time.
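A shell helper for the log check above, added here as an example (it is not part of the SWITCH handout): it reports how often a binding URN appears in the rolled idp-process logs, when it was last used and which SPs used it. The sample log lines are constructed for the demonstration; the real line layout is whatever conf/logback.xml defines, only the leading timestamp is relied upon.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): decide whether a SAML binding
# is still in use before removing its endpoint from the Resource Registry.

# Count the lines in the given log files that mention the binding URN.
# grep -F matches the URN literally; note that a URN that is a prefix of
# another one (HTTP-POST vs HTTP-POST-SimpleSign) also matches the longer one.
binding_use_count() {
    binding="$1"; shift
    grep -hF "$binding" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Print the timestamp of the last line mentioning the binding, or "never".
# Files are passed in name order (idp-process-YYYY-MM-DD.log), i.e. chronologically.
binding_last_use() {
    binding="$1"; shift
    last=$(grep -hF "$binding" "$@" 2>/dev/null | tail -n 1)
    if [ -z "$last" ]; then
        echo never
    else
        echo "$last" | cut -d' ' -f1   # the process log starts each line with a date
    fi
}

# Print the SP entityIDs (https URLs) seen on lines using the binding, deduplicated.
binding_relying_parties() {
    binding="$1"; shift
    grep -hF "$binding" "$@" 2>/dev/null | grep -o 'https://[^ |"]*' | sort -u
}

# Constructed sample logs (not real IdP output) so the helpers can be tried offline.
make_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/idp-process-2015-03-02.log" <<'EOF'
2015-03-02T10:15:02,118 - INFO [sample] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
2015-03-02T10:16:40,002 - INFO [sample] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
EOF
    cat > "$dir/idp-process-2015-05-20.log" <<'EOF'
2015-05-20T08:01:11,450 - INFO [sample] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-05-20T09:30:00,731 - INFO [sample] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
EOF
}

# Stand-alone demonstration on the constructed samples.
sample_dir=$(mktemp -d)
make_sample_logs "$sample_dir"
binding=urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
echo "uses:     $(binding_use_count "$binding" "$sample_dir"/idp-process-2015-*.log)"
echo "last use: $(binding_last_use "$binding" "$sample_dir"/idp-process-2015-*.log)"
echo "used by:  $(binding_relying_parties "$binding" "$sample_dir"/idp-process-2015-*.log | tr '\n' ' ')"
rm -rf "$sample_dir"
```

On a real IdP, point the functions at /opt/shibboleth-idp/logs/idp-process-2015-*.log instead of the sample directory.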

Page 68

SWITCHaai Team aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70

Example Environment (diagram, slide 5)

Example Environment (diagram, slide 6)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored.
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers.

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
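An added example, not from the handout or the IdP distribution, that checks the four storage properties in idp.properties against the recommendation table above before a node joins a cluster. The bean IDs other than shibboleth.JPAStorageService are assumed to be the IdP v3 built-in storage services (shibboleth.StorageService in memory, shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService in the browser), and the idp.properties fragment is constructed.

```shell
#!/bin/sh
# Added example (not SWITCH's or the IdP's own code): compare the storage
# services configured in idp.properties with the handout's table for a cluster.

# Print the last value of a key in a Java properties file; empty if the key
# is unset or only present as a comment.
prop_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dots for the regex
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Map a storage service bean ID to where the data actually lives.
# Bean names are the assumed IdP v3 built-ins; JPAStorageService is from the handout.
storage_kind() {
    case "$1" in
        shibboleth.StorageService)                 echo memory ;;    # in memory, per node
        shibboleth.ClientSessionStorageService|\
        shibboleth.ClientPersistentStorageService) echo client ;;    # cookie in the browser
        shibboleth.JPAStorageService)              echo database ;;  # common database (global.xml)
        "")                                        echo unset ;;     # IdP default applies
        *)                                         echo other ;;     # memcached or a custom bean
    esac
}

# Check one entity: prints "<entity> <kind> OK|WARN" and returns 1 on WARN.
# $3 lists the kinds the handout's table accepts; an unset property is flagged
# so that the choice is made explicitly on every cluster node.
check_entity() {
    entity="$1"; bean="$2"; accepted="$3"
    kind=$(storage_kind "$bean")
    for ok in $accepted; do
        if [ "$kind" = "$ok" ]; then
            echo "$entity $kind OK"
            return 0
        fi
    done
    echo "$entity $kind WARN (configured: ${bean:-<unset>})"
    return 1
}

# Run all checks; returns 1 if any entity deviates from the recommendation.
# The Persistent ID is not checked here: it is configured in global.xml.
check_cluster_storage() {
    file="$1"; rc=0
    check_entity user-session  "$(prop_value idp.session.StorageService "$file")"     "client"   || rc=1
    check_entity user-consent  "$(prop_value idp.consent.StorageService "$file")"     "database" || rc=1
    check_entity saml-artifact "$(prop_value idp.artifact.StorageService "$file")"    "database" || rc=1
    # memory per node is the default and acceptable; a common database is the alternative
    check_entity replay-cache  "$(prop_value idp.replayCache.StorageService "$file")" "memory database" || rc=1
    return $rc
}

# Constructed idp.properties fragment (not a real deployment): consents are
# still kept on the client side, which the table flags for a cluster.
make_sample_properties() {
    cat > "$1" <<'EOF'
# storage services (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
make_sample_properties "$sample"
check_cluster_storage "$sample" || echo "storage configuration is not cluster-ready"
rm -f "$sample"
```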

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
• Enable the IdP for interfederation: its users will be able to access services from other federations
• Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                     | Defined in | Example
displayName                                       | eduPerson  | Peter Sample
common name (cn)                                  | eduPerson  | Peter Sample
mail                                              | eduPerson  | peter.sample@example.org
eduPersonAffiliation, eduPersonScopedAffiliation  | eduPerson  | staff, staff@example.org
eduPersonPrincipalName                            | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                             | SCHAC      | example.org
schacHomeOrganizationType                         | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram: the eduGAIN Declaration and eduGAIN Constitution, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (diagram)

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/. Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback
  • Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  • Log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change them if required, i.e.:
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

copy 2015 SWITCH

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose, but they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward


Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on the "Available bean IDs for service reloads" slide:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Page 103


Layout

• Change the look and feel in /opt/shibboleth-idp/edit-webapp (images and css)
• Place additional web resources in the edit-webapp directory, not the webapp directory. The webapp directory is replaced upon every IdP upgrade.
• Rebuild the idp.war file and restart Tomcat

Page 25

Spring message properties

• in /opt/shibboleth-idp/messages you find
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  these messages are used in the Velocity templates
• internationalization
  – consent-messages_de.properties
  – consent-messages_fr.properties, etc.

error-messages.properties

in /opt/shibboleth-idp/messages/error-messages.properties:

# General strings
idp.title = Web Login Service
idp.title.suffix = Error
idp.logo = /images/example.org.png
idp.logo.alt-text = Example Home Organisation
idp.logo.target.url = http://www.example.org
idp.message = An unidentified error occurred.
idp.footer = Insert your footer text here.

# Error key to title and message mappings
unexpected.title = Unexpected Error
unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties

in /opt/shibboleth-idp/messages/authn-messages.properties:

idp.login.loginTo = Login to
idp.login.username = Username
idp.login.password = Password
idp.login.donotcache = Don't Remember Login
idp.login.login = Login
idp.login.forgotPassword = Forgot your password?
idp.login.forgotPassword.url = https://support.example.org
idp.login.needHelp = Need Help?

authn-messages.properties (continued)

in /opt/shibboleth-idp/messages/authn-messages.properties:

# Classified Login Error messages
UnknownUsername = bad-username
InvalidPassword = bad-password
ExpiredPassword = expired-password
AccountLocked = account-locked
bad-username.message = The username you entered cannot be identified.
bad-password.message = The password you entered was incorrect.
expired-password.message = Your password has expired.
account-locked.message = Your account is locked.

Page 27

Velocity Properties

<a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity

• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept

• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties

• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Page 30

Hands On I

• make the IdP logo disappear for screens smaller than 799 px

Hands On II

• return the following error message on the login form in case of an invalid username or incorrect password:
  "The credentials you entered are incorrect."

Page 31

Hands On III

• Start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I

• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II

• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Page 35

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlementgroups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

Page 40

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42


Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
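How such an ID is computed, rendered and tracked in the shibpid table, as an added example that is neither part of the SWITCH handout nor Shibboleth's own code: the '!' separators between the hashed inputs and the "fresh random ID after revocation" rule follow the Shibboleth ComputedId/StoredId behaviour as I know it (assumptions), while the attribute value, the salt and the in-memory shibpid stand-in are constructed.

```python
import base64
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Entity IDs as shown on the slide; the attribute value and the salt are constructed sample data.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SAMPLE_SOURCE_VALUE = "123456@example.org"  # constructed stand-in for a swissEduPersonUniqueID
SAMPLE_SALT = "constructed-salt-use-a-long-random-secret"  # constructed; keep the real one secret


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt; Base64 of the 20-byte digest.
    Assumption: the inputs are joined with '!' as in the Shibboleth ComputedId strategy;
    the slide itself only names the three inputs, the hash and the encoding."""
    data = b"!".join(part.encode("utf-8") for part in (sp_entity_id, source_value, salt))
    digest = hashlib.sha1(data).digest()             # 20 bytes
    return base64.b64encode(digest).decode("ascii")  # 28 characters, one '=' of padding


def qualified_persistent_id(sp_entity_id: str, persistent_id: str,
                            idp_entity_id: str = IDP_ENTITY_ID) -> str:
    """String form rendered by the Shibboleth SP: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


@dataclass
class ShibpidRow:
    """One record of the shibpid table (a subset of the columns of the Shibboleth schema)."""
    localEntity: str
    peerEntity: str
    persistentId: str
    principalName: str
    localId: str                      # the source attribute value
    creationDate: datetime
    deactivationDate: Optional[datetime] = None


class PersistentIdStore:
    """In-memory stand-in for the shibpid table (constructed for this example): one stable
    ID per (SP, user) pair, reverse mapping of an ID back to the user, and revocation."""
    def __init__(self, idp_entity_id: str = IDP_ENTITY_ID, salt: str = SAMPLE_SALT):
        self.idp_entity_id = idp_entity_id
        self.salt = salt
        self.rows: List[ShibpidRow] = []

    def _active_row(self, peer: str, **match) -> Optional[ShibpidRow]:
        for row in self.rows:
            if (row.peerEntity == peer and row.deactivationDate is None
                    and all(getattr(row, key) == value for key, value in match.items())):
                return row
        return None

    def get_or_create(self, peer: str, principal: str, source_value: str) -> str:
        """Generating side: reuse the active ID for (SP, user), otherwise issue one.
        The first ID for a pair is the computed value, so a v3 IdP with the v2 salt carried
        over reproduces what the v2 StoredId connector issued; after a revocation a fresh
        random ID is issued instead (simplified from the IdP's own collision handling)."""
        active = self._active_row(peer, principalName=principal)
        if active is not None:
            return active.persistentId
        issued_before = any(r.peerEntity == peer and r.principalName == principal for r in self.rows)
        if issued_before:
            pid = base64.b64encode(os.urandom(20)).decode("ascii")
        else:
            pid = computed_persistent_id(peer, source_value, self.salt)
        self.rows.append(ShibpidRow(self.idp_entity_id, peer, pid, principal, source_value,
                                    datetime.now(timezone.utc)))
        return pid

    def lookup_principal(self, peer: str, persistent_id: str) -> Optional[str]:
        """Reverse mapping (subject c14n side): an ID presented by SP `peer` back to the user."""
        row = self._active_row(peer, persistentId=persistent_id)
        return row.principalName if row is not None else None

    def revoke(self, peer: str, persistent_id: str) -> bool:
        """Deactivate a record; the pair gets a new, unrelated ID at the next login."""
        row = self._active_row(peer, persistentId=persistent_id)
        if row is None:
            return False
        row.deactivationDate = datetime.now(timezone.utc)
        return True


def demo() -> dict:
    """Generation, SP-side rendering, reverse mapping and revocation for one user."""
    store = PersistentIdStore()
    first = store.get_or_create(SP_ENTITY_ID, "jdoe", SAMPLE_SOURCE_VALUE)
    who = store.lookup_principal(SP_ENTITY_ID, first)
    store.revoke(SP_ENTITY_ID, first)
    replacement = store.get_or_create(SP_ENTITY_ID, "jdoe", SAMPLE_SOURCE_VALUE)
    return {"first": first, "rendered": qualified_persistent_id(SP_ENTITY_ID, first),
            "who": who, "replacement": replacement}
```

Changing the salt changes every computed ID, which is why the slides insist on carrying the v2 salt over; a different SP entity ID likewise yields an unrelated value, which is the "targeted" property of the recap.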


Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43


Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44


(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides.

• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per attribute behaviour

• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
  • Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

Hands-on solution (continued)

• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs
Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>

Page 58

Upgrades within Version 3
It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59


Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

•  There are two distinct areas below /opt/shibboleth-idp:
   •  Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
   •  Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
•  Never touch the system directories system and webapp
•  Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation
•  Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
•  Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata!

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

•  Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
•  Therefore, no metadata/Resource Registry change needed in theory
•  However, some changes are still recommended:
   1. Review the Home Organisation Description
   2. Change URL for Attribute Authority
   3. Remove Unnecessary Endpoints
•  To change metadata, change the Home Organisation description
•  Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Home Organisation Description form: sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
•  1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation/)
•  2 Descriptive Information: add new IP ranges and Domain Hints
•  5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
•  7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
•  Easier configuration, because:
   •  only one Apache VirtualHost
   •  one domain name and one certificate
   •  no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
•  Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for
•  Attribute Service
•  Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/  or  https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
•  Single Sign On Service with SAML2 HTTP POST SimpleSign binding
•  Artifact Resolution Service with SAML1 SOAP binding
•  Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.

Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
•  Operate the IdP on multiple servers to get high availability and/or load balancing
•  Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
•  A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
•  Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
•  Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

•  IdPv3 provides better support for clustering than IdPv2
   •  Especially, user login sessions are stored on the client instead of on the server in memory
   •  Allows flexible configuration of various storage services (memory, server-side, client-side)
•  In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
   •  Full support for Attribute Query requires persistent storage of the Persistent ID
   •  Storing user consents per browser is not convenient for users
•  Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

•  The setup of the IdP and the whole environment is more complex than with a single-server IdP
•  Special configuration of the IdP is required
•  Load balancing requires special hardware or software
•  IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[Two diagram slides of an example clustered IdP environment]

Options

•  Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
   •  Special load balancing hardware or software is highly recommended
      •  Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
      •  Supports sticky sessions (required for short-lived conversation sessions)
   •  DNS Round Robin doesn't work reliably
      •  Behavior of clients is not determinable
      •  Does not guarantee sticky sessions
•  Basic setup (Active/Standby system)
   •  Anycast IP address
      •  Fast switching possible, but more complicated setup
   •  Switching via DNS
      •  Switching takes some time (TTL), but setup is easy

Options

•  Data storage: client-side vs. server-side
   •  Server-side database can store any data
      •  But: might cause some performance penalty
      •  Centralized/clustered or replicated database required
   •  Client-side storage using cookies
      •  Doesn't work for large data like user consents
      •  Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

•  Conversation Session (Profile Request Session)
   •  Transient web flow at the IdP, e.g. SAML2 SSO login sequence
   •  Bound to a single node (session state stored in memory)
   •  Requires session stickiness on the load balancer (short-time only)
•  IdP User Session
   •  After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
   •  Floatable between nodes (stored on the client)
•  Persistent ID
   •  Unique opaque identifier for a user per service provider
   •  In a typical SWITCHaai deployment the Persistent ID is stored in a database
   •  Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

•  User consent to attribute release and terms of use
   •  Requires persistent storage (client-side or server-side)
   •  Requires server-side storage to allow the users to use multiple browsers/clients
•  SAML artifacts
   •  Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
   •  Seldom used in SWITCHaai
•  Message replay cache
   •  Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
   •  For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
•  "Common Database" means some central/clustered database or a database replicated between nodes
•  SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
•  Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

•  The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
   •  IdP User Session: idp.session.StorageService
   •  User Consents: idp.consent.StorageService
   •  SAML artifacts: idp.artifact.StorageService
   •  Message replay cache: idp.replayCache.StorageService
•  Exception: Persistent ID
   •  Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

•  The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
•  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
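A small checker, added here as an example and not part of the SWITCH handouts or the IdP software, that reads the idp.properties storage assignments from the two slides above and compares them against the Storage Recommendations table, flagging per-node or per-browser storage where a cluster needs common storage. The property names and shibboleth.JPAStorageService come from the slides; the other bean IDs (shibboleth.StorageService as the in-memory default, shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService) are the stock IdPv3 storage services and are an assumption of this example, as are both sample configurations.

```python
"""Check idp.properties storage assignments against the cluster storage
recommendations (added example, not SWITCH or Shibboleth project code)."""

MEMORY = "memory"   # per node: lost on restart, not visible to the other nodes
CLIENT = "client"   # per browser: encrypted cookie / HTML local storage
COMMON = "common"   # shared by all nodes: JPA storage over a common database

# Storage class of each known storage service bean (assumed stock IdPv3 bean IDs).
BEAN_STORAGE = {
    "shibboleth.StorageService": MEMORY,
    "shibboleth.ClientSessionStorageService": CLIENT,
    "shibboleth.ClientPersistentStorageService": CLIENT,
    "shibboleth.JPAStorageService": COMMON,
}

# "Storage Recommendations" table: entity -> (idp.properties key,
# storage classes that keep the entity usable across all cluster nodes).
RECOMMENDED = {
    "IdP User Session": ("idp.session.StorageService", {CLIENT, COMMON}),
    "User consents": ("idp.consent.StorageService", {COMMON}),
    "SAML artifacts": ("idp.artifact.StorageService", {COMMON}),
    "Message replay cache": ("idp.replayCache.StorageService", {MEMORY, COMMON}),
}

REASON = {
    MEMORY: "per-node memory: other nodes cannot see the data and it is lost on restart",
    CLIENT: "per-browser storage: not shared across a user's browsers/clients",
}


def parse_properties(text):
    """Minimal reader for Java .properties files: 'key = value', '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_cluster_storage(properties_text, strict_replay=False):
    """Return findings as (entity, property, configured bean, problem) tuples.

    strict_replay=True also flags a per-node replay cache, the choice the
    slides describe for higher security requirements."""
    props = parse_properties(properties_text)
    findings = []
    for entity, (prop, acceptable) in RECOMMENDED.items():
        if strict_replay and entity == "Message replay cache":
            acceptable = {COMMON}
        bean = props.get(prop)
        if bean is None:
            findings.append((entity, prop, None,
                             "not set explicitly; the built-in default applies"))
            continue
        storage = BEAN_STORAGE.get(bean)
        if storage is None:
            findings.append((entity, prop, bean,
                             "unknown storage bean; verify its definition in global.xml"))
        elif storage not in acceptable:
            findings.append((entity, prop, bean, REASON[storage]))
    return findings


# Constructed sample: single-node in-memory settings carried into a cluster.
WEAK_CONFIG = """\
idp.session.StorageService = shibboleth.StorageService
idp.consent.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# Constructed sample following the Storage Recommendations table.
CLUSTER_CONFIG = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("cluster", CLUSTER_CONFIG)):
        findings = check_cluster_storage(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for entity, prop, bean, problem in findings:
            print(f"  {entity} ({prop} = {bean}): {problem}")
```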

IdP Configuration: Secret Key Management

•  The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
•  Setup
   •  Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
   •  Install an appropriate cronjob
   •  The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

•  Memcached
   •  Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
   •  Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
•  Terracotta
   •  No longer an option for IdPv3

Considerations for planning an IdP cluster

•  Which type of setup do you need? Basic setup or full-featured setup?
•  What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
•  Which additional hardware or software is required?
•  Which further considerations are relevant for your institution?

References / Documentation
•  Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
•  Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
•  Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
•  Get an idea of the benefits when participating in interfederation
•  Know what it takes to enable an IdP for Interfederation
•  Understand the concept of Entity Categories
•  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
•  Most federations are of national scope
•  Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
•  Research projects are mostly multi-national
•  Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
   •  Enable the IdP for interfederation: its users will be able to access services from other federations
   •  Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[World map of federations, marked Production or Pilot]
Source: https://refeds.org/federations/federations-map

eduGAIN Status

•  eduGAIN is the GÉANT Interfederation Service
•  eduGAIN design principles
   •  Low barrier to entry
   •  No mandate to change local standards/procedures
   •  Minimal central infrastructure
•  Status June 2015
   •  IdPs: 1257
   •  SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation /
eduPersonScopedAffiliation                 eduPerson    staff / staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
[Screenshot of the Resource Registry interfederation option]
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

•  eduGAIN provides a policy framework and standards to build trust
•  SPs and IdPs of participating federations should opt in for eduGAIN
   •  Some federations decided for opt-out instead
•  MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
•  Entity category
•  GÉANT Data Protection Code of Conduct (CoCo)
•  REFEDS Research & Scholarship (R&S)
•  Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

•  Tag an entity (SP or IdP) as being part of a category
•  Requires a specification for internationally coherent use
   •  Criteria
   •  Purpose
   •  Policies
   •  Or other

In the interfederation context:
•  Filling the gap of missing common policies
•  Support or increase scalable trust

Metadata
[Figure: entity category attributes in metadata]

GÉANT Data Protection Code of Conduct

•  The method is based on the EU Data Protection directives
•  The SP has to provide a Privacy Policy (in English, according to the guideline)
•  That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct

•  Principles
   •  Legal compliance
   •  Purpose limitation
   •  Data minimisation
   •  Deviating purposes
   •  Data retention
   •  Third parties
   •  Security measures
   •  Information duty towards end user
   •  Information duty towards home organization
   •  Security breaches
   •  Liability
   •  Transfer to third countries
   •  Governing law and jurisdiction
   •  Eligibility to execute
   •  Termination of the Code of Conduct
   •  Survival of the clauses
   •  Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request?
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
•  Name of the service
•  Description of the service
•  Data controller and a contact person
•  Jurisdiction
•  Personal data processed
•  Purpose of the processing of personal data
•  Third parties to whom personal data is disclosed
•  How to access, rectify and delete the personal data
•  Data retention
•  Data Protection Code of Conduct

REFEDS Research & Scholarship

•  R&S SPs support
   •  Research & scholarship interaction
   •  Collaboration
   •  Management
•  No SPs from publishers
•  Attributes
   •  Personal identifiers: email, person name, eduPersonPrincipalName
   •  Pseudonymous identifier: eduPersonTargetedID
   •  Affiliation: eduPersonScopedAffiliation
•  Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Screenshot of the attribute release rules in the Resource Registry]

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings, continued]

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

Log files:
•  error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
•  access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
•  dir: /etc/apache2/sites-available/
•  file: aai-login.example.org.conf

Tomcat log files

•  catalina.out: console output (System.err/out) from Tomcat
   •  default logging location: /var/log/tomcat7/
   •  config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
•  localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
   •  default logging location: /var/log/tomcat7/
   •  config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

•  Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
•  Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
•  Automatic email alerts on error

Shibboleth log files (2)

•  Location: /opt/shibboleth-idp/logs/
•  Three classes of log files produced by default: diagnostic, general audit and consent audit logs
   •  idp-process.log: detailed description of the IdP processing requests
   •  idp-warn.log: filtered view of idp-process.log
   •  idp-audit.log: general request/response auditing records
   •  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

•  Config: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
•  Default settings usually OK; change them if required, e.g.
   o  LDAP Auth Module or authentication events
   o  new Logger or Appender…
•  Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
•  Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   •  set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   •  insert an additional logger for the attribute resolver:
        <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
•  only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
   –  attribute resolver (attribute-resolver.xml)
   –  attribute filtering engine (attribute-filter.xml)
   –  profile handler manager (handler.xml)
   –  relying party configuration manager (relying-party.xml)
•  potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
•  no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
•  reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
     https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
     https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
     $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
     $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
•  by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)
•  shibboleth.LoggingService: logging configuration reload (logback.xml)
•  shibboleth.AttributeFilterService: attribute filter reload
•  shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
•  shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
•  shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
•  shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
•  shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too
•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   –  edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
   –  say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
•  and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
•  try reloading a couple of the services listed on slide 4:
     curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
•  check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
•  entries in idp-audit.log just record reload events with
     …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
     …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
   How can you determine what id= argument was supplied?
•  what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding
   •  Opt-in vs. opt-out
   •  Metadata
   •  Discovery Service
   •  Attributes
•  Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

•  Opt-in
   •  IdPs and SPs decide when they are ready to interfederate
   •  Once the configuration is up-to-date:
      •  Interfederation metadata gets loaded
      •  IdP: additional attributes, user consent
      •  SP: Discovery Service, attribute mapping, access rules
   ⊖  Slow process
   ⊕  Entities unlikely to cause interoperability problems
•  Opt-out
   •  Federation announces a flag day for enabling interfederation
   •  IdPs and SPs need to opt out before
      •  if they do not want to participate
      •  if they are not ready yet
   ⊕  Quick adoption
   ⊖  More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

•  Interfederated IdPs and SPs need additional metadata
   •  SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
   •  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes
   •  In SWITCHaai: two hours
   •  For interfederation: one to a few days
•  Possible issue
   •  SP does not load interfederation metadata
      •  SP does not know the IdP and fails

Discovery Service (DS)

•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
   •  An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
   •  E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
      •  That can result in this error message at your IdP:
           Shibboleth.SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

•  Missing attributes cause interoperation problems
   •  Check the SP's attribute requirements in the Resource Registry
   •  Verify that attributes were released (in the IdP's audit log)
      •  If NO: check your IdP's attribute release policy
      •  If YES: were all required attributes released?
         •  If YES: the SP has to check out why it fails
         •  If NO: review your attribute release policy
•  Another issue
   •  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Spring message properties
• in /opt/shibboleth-idp/messages you find:
  – authn-messages.properties
  – error-messages.properties
  – consent-messages.properties
  These messages are used in the velocity templates
• internationalization:
  – consent-messages_de.properties
  – consent-messages_fr.properties
  etc.

error-messages.properties
in /opt/shibboleth-idp/messages/error-messages.properties

  # General strings
  idp.title = Web Login Service
  idp.title.suffix = Error
  idp.logo = /images/example.org.png
  idp.logo.alt-text = Example Home Organisation
  idp.logo.target.url = http://www.example.org
  idp.message = An unidentified error occurred.
  idp.footer = Insert your footer text here.

  # Error key to title and message mappings
  unexpected.title = Unexpected Error
  unexpected.message = An unexpected error was encountered, usually reflecting a configuration or software error.

Page 26

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  idp.login.loginTo = Login to
  idp.login.username = Username
  idp.login.password = Password
  idp.login.donotcache = Don't Remember Login
  idp.login.login = Login
  idp.login.forgotPassword = Forgot your password?
  idp.login.forgotPassword.url = https://support.example.org
  idp.login.needHelp = Need Help?

authn-messages.properties
in /opt/shibboleth-idp/messages/authn-messages.properties

  # Classified Login Error messages
  UnknownUsername = bad-username
  InvalidPassword = bad-password
  ExpiredPassword = expired-password
  AccountLocked = account-locked
  bad-username.message = The username you entered cannot be identified.
  bad-password.message = The password you entered was incorrect.
  expired-password.message = Your password has expired.
  account-locked.message = Your account is locked.

Page 27

Velocity Properties
  <a class="aai" href="#springMessage("idp.login.forgotPassword.url")">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Page 28

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The velocity templates are under /opt/shibboleth-idp/views:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts, etc.

Page 29

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties
  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

Page 30

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Page 33

Attribute Resolution
Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  – Move passwords in a dedicated file
  – Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}" queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

Page 40

References
• Shibboleth wiki AttributeResolverConfiguration and its child pages
• Shibboleth wiki AttributeFilterConfiguration
• Shibboleth wiki ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs
Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
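The computation described on this slide, as an added Python example (not code from the SWITCH handouts or from the Shibboleth project): it derives the persistent ID proper from the SP entityID, a source attribute value and the salt, then renders it the way the assertion and the Shibboleth SP show it. It assumes the three inputs are joined with "!" as in the IdP v2 ComputedId connector; the user value and salt are constructed.

```python
import base64
import hashlib

# Constructed sample entityIDs, matching the ones used on the slide.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Persistent ID proper: Base64 of SHA-1 over SP entityID, user attribute
    value and admin salt, in that order (20 bytes -> 28 Base64 characters).

    Assumption: the inputs are separated by '!' as in the v2 ComputedId
    data connector; the slide only states which values go into the hash.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def persistent_id_bytes(persistent_id: str) -> int:
    """Length of the decoded hash, to check the 20-byte claim on the slide."""
    return len(base64.b64decode(persistent_id))


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """<NameID> as it appears on the wire: the value is qualified by the IdP
    (NameQualifier) and the SP (SPNameQualifier)."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{persistent_id}</NameID>"
    )


def sp_attribute_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form the Shibboleth SP exposes to applications: both qualifiers
    and the value joined with '!'."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def is_pairwise(source_value: str, salt: str, sp_a: str, sp_b: str) -> bool:
    """Two different SPs must never receive the same value for one user; this is
    what makes the identifier targeted (pair-wise) and prevents cross-SP correlation."""
    return computed_persistent_id(sp_a, source_value, salt) != computed_persistent_id(sp_b, source_value, salt)


if __name__ == "__main__":
    # Constructed user value and salt; a real salt is a long random secret kept in credentials.properties.
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", "constructed-salt-change-me")
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("pairwise:", is_pairwise("123456@example.org", "constructed-salt-change-me",
                                   SP_ENTITY_ID, "https://other-sp.example.org/shibboleth"))
```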

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per attribute behaviour:
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0):
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
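The white list, black list and pattern rules of the two slides above, as an added Python example (not from the handouts or from the IdP code): it decides which attributes the consent page prompts for and orders them as described for 3.2.0. The rule set is the one read from the slides, which is an assumption about the IdP's exact semantics; the attribute set is constructed.

```python
import re
from typing import Iterable, List, Optional, Sequence

# Default black list as listed on the slide.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(attribute_ids: Iterable[str],
                         whitelist: Sequence[str] = (),
                         blacklist: frozenset = DEFAULT_BLACKLIST,
                         match_expression: Optional[str] = None) -> List[str]:
    """Return the attribute IDs the consent page asks about.

    Rules as read from the slides (assumption: this is the whole rule set):
    - black-listed attributes are never prompted for;
    - with an empty white list and no pattern, every other attribute is prompted for;
    - once a white list or a pattern is configured, only attributes in the list or
      matching the pattern are prompted for; the rest is released without asking.
    """
    pattern = re.compile(match_expression) if match_expression else None
    prompted = []
    for attr_id in attribute_ids:
        if attr_id in blacklist:
            continue
        if attr_id in whitelist or (pattern is not None and pattern.fullmatch(attr_id)):
            prompted.append(attr_id)
        elif not whitelist and pattern is None:
            prompted.append(attr_id)
    return display_order(prompted, whitelist)


def display_order(prompted: List[str], whitelist: Sequence[str]) -> List[str]:
    """3.2.0 ordering from the slide: white-listed attributes first (in list
    order), everything else alphabetically."""
    first = [a for a in whitelist if a in prompted]
    rest = sorted(a for a in prompted if a not in whitelist)
    return first + rest


def released_without_prompt(attribute_ids: Iterable[str], **kwargs) -> List[str]:
    """Attributes that leave the IdP without appearing on the consent page
    (black-listed ones included); useful when reviewing a white list, since a
    filled white list silently releases everything it does not name."""
    ids = list(attribute_ids)
    shown = set(attributes_to_prompt(ids, **kwargs))
    return sorted(a for a in ids if a not in shown)


if __name__ == "__main__":
    # Constructed set of resolved attributes for one login.
    resolved = ["uid", "mail", "persistentId", "eduPersonAffiliation", "givenName", "surname"]
    print(attributes_to_prompt(resolved))
    print(attributes_to_prompt(resolved, whitelist=("mail",)))
    print(attributes_to_prompt(resolved, whitelist=("mail",), match_expression="^.*$"))
    print(released_without_prompt(resolved, whitelist=("mail",)))
```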

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

Terms for each SP:
• Default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Page 54

Hands-on solution
• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.

Page 55

References
• Shibboleth wiki ConsentConfiguration
• Shibboleth wiki RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising metadata still might cause some minor changes

Page 63

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
1, 2: To review
3: To adapt

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  • Add new IP ranges and Domain Hints
• 5 Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority
New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata

Page 66

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then?
In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time

Page 68
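The log check on this slide, carried one step further as an added Python example (not from the handouts): instead of a single grep it reports, for each candidate binding named on the previous slide, the last time it was used and by which SP, and lists the bindings unused since a cutoff date. It runs over a few constructed log lines and assumes only that each line starts with the IdP's "YYYY-MM-DD HH:MM:SS,mmm" timestamp and names the binding URN and the relying party's entityID somewhere on the line; the rest of the line is simplified.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Binding URNs the slides name as candidates for removal.
CANDIDATE_BINDINGS = {
    "SAML1 SOAP": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SAML2 HTTP-POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}

# Constructed sample log lines (simplified; not real idp-process.log output).
SAMPLE_LOG = """\
2015-01-12 08:15:03,117 - INFO [constructed] inbound urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp-a.example.org/shibboleth
2015-02-03 17:42:10,004 - INFO [constructed] inbound urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-04-20 09:01:55,380 - INFO [constructed] inbound urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-05-30 12:00:00,000 - INFO [constructed] inbound urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp-b.example.org/shibboleth
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTITY_ID_RE = re.compile(r"https://[^\s\"'<>]+")

LastUse = Optional[Tuple[datetime, str]]


def last_use_by_binding(log_text: str, bindings: Dict[str, str] = CANDIDATE_BINDINGS) -> Dict[str, LastUse]:
    """For each candidate binding return (last timestamp, relying party), or None if never seen."""
    last: Dict[str, LastUse] = {label: None for label in bindings}
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue  # continuation lines, stack traces etc. carry no timestamp
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        for label, urn in bindings.items():
            # The plain HTTP-POST URN is a prefix of the SimpleSign one, so the test
            # is whether the longer candidate URN occurs in the line, not the reverse.
            if urn not in line:
                continue
            rp_match = ENTITY_ID_RE.search(line)  # binding URNs are not https URLs
            rp = rp_match.group(0) if rp_match else "(unknown relying party)"
            if last[label] is None or ts > last[label][0]:
                last[label] = (ts, rp)
    return last


def removable(last_use: Dict[str, LastUse], cutoff: str) -> List[str]:
    """Bindings not used on or after the cutoff date (YYYY-MM-DD): candidates
    to drop from the Resource Registry entry."""
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d")
    return sorted(label for label, use in last_use.items() if use is None or use[0] < cutoff_dt)


if __name__ == "__main__":
    usage = last_use_by_binding(SAMPLE_LOG)
    for label, use in usage.items():
        print(label, "->", "never used" if use is None else f"last used {use[0]:%Y-%m-%d} by {use[1]}")
    print("removable as of 2015-06-01:", removable(usage, "2015-06-01"))
```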

SWITCHaai Team, aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenances. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (figure)

Example Environment (figure)

Page 71

copy 2015 SWITCH

Options: Full-featured setup
• Load balancing hardware vs. DNS round robin
  – Special load balancing hardware or software is highly recommended:
    – guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored;
    – supports sticky sessions (required for the short-lived conversation sessions).
  – DNS round robin doesn't work reliably:
    – the behaviour of clients is not determinable;
    – does not guarantee sticky sessions.
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup.
  – Switching via DNS: switching takes some time (TTL), but the setup is easy.


Options: Data storage client-side vs. server-side
• A server-side database can store any data:
  – but it might cause some performance penalty;
  – a centralized/clustered or replicated database is required.
• Client-side storage using cookies:
  – doesn't work for large data like user consents;
  – is stored per single client, so it is not suitable for users using multiple browsers.
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.


Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. a SAML 2 SSO login sequence.
  – Bound to a single node (session state stored in memory).
  – Requires session stickiness on the load balancer (short-time only).
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on the client).
• Persistent ID
  – Unique opaque identifier for a user per service provider.
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database.
  – Requires that all IdPs access a common storage to fully support Attribute Queries.


Storage Entities (continued)
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side).
  – Requires server-side storage to allow users to use multiple browsers/clients.
• SAML artifacts
  – Require a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  – Seldom used in SWITCHaai.
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration).
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used.


Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes.
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
• Alternatives for the message replay cache: common database or memcached (depending on security requirements).


IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
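As an added example (not part of the SWITCH handout or of the IdP distribution), the following Python script checks the four storage properties of an idp.properties against the recommendation table above. The property keys are the ones the IdP v3 uses; the mapping of bean names to a storage scope is this script's own assumption (shibboleth.JPAStorageService is the database-backed service from the SWITCHaai global.xml, the other three are the IdP's stock beans), and both sample property sets are constructed.

```python
"""Check IdP v3 storage-service settings against the clustering recommendations.

Added example, not code from SWITCH or the Shibboleth project. The property
keys are those of idp.properties; the bean-to-scope mapping is an assumption
of this script and must be adapted if your global.xml defines other beans.
"""

# Which idp.properties key selects the storage service for each storage entity.
PROPERTY_FOR_ENTITY = {
    "IdP User Session": "idp.session.StorageService",
    "User consents": "idp.consent.StorageService",
    "SAML artifacts": "idp.artifact.StorageService",
    "Message replay cache": "idp.replayCache.StorageService",
}

# Where data stored through a given bean lives (assumed mapping):
#   node    - in the memory of one IdP node only
#   client  - in a cookie in the user's browser
#   cluster - in storage shared by all nodes (database)
SCOPE_OF_BEAN = {
    "shibboleth.StorageService": "node",
    "shibboleth.ClientSessionStorageService": "client",
    "shibboleth.ClientPersistentStorageService": "client",
    "shibboleth.JPAStorageService": "cluster",
}

# Scopes acceptable for each entity in a cluster (from the recommendation table).
ACCEPTABLE_SCOPES = {
    "IdP User Session": {"client"},
    "User consents": {"cluster"},
    "SAML artifacts": {"cluster"},
    "Message replay cache": {"node", "cluster"},
}


def parse_properties(text):
    """Minimal Java .properties parser: comments, key=value or key:value, whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def check_storage(props, artifacts_used=True, bean_scope=SCOPE_OF_BEAN):
    """Return a list of (entity, property, bean, problem) tuples for unsuitable settings."""
    findings = []
    for entity, prop in PROPERTY_FOR_ENTITY.items():
        if entity == "SAML artifacts" and not artifacts_used:
            continue  # irrelevant if SAML 2.0 artifacts are not used at all
        bean = props.get(prop)
        if bean is None:
            findings.append((entity, prop, None, "property not set; the IdP default applies, verify it"))
            continue
        scope = bean_scope.get(bean)
        if scope is None:
            findings.append((entity, prop, bean, "unknown bean, scope cannot be determined"))
        elif scope not in ACCEPTABLE_SCOPES[entity]:
            wanted = "/".join(sorted(ACCEPTABLE_SCOPES[entity]))
            findings.append((entity, prop, bean, "stored per %s, recommended scope: %s" % (scope, wanted)))
    return findings


# Constructed sample: single-node settings, consents in a cookie, artifacts in memory.
SINGLE_NODE_PROPERTIES = """\
# storage services (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# Constructed sample: the same keys following the recommendation table.
CLUSTER_PROPERTIES = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for name, text in (("single-node", SINGLE_NODE_PROPERTIES), ("cluster", CLUSTER_PROPERTIES)):
        print("== %s ==" % name)
        for entity, prop, bean, problem in check_storage(parse_properties(text)):
            print("%-20s %s = %s: %s" % (entity, prop, bean, problem))
```

Run against a real file with `check_storage(parse_properties(open("/opt/shibboleth-idp/conf/idp.properties").read()))`; pass `artifacts_used=False` if the IdP does not support the artifact binding, and extend SCOPE_OF_BEAN with any storage bean defined in your own global.xml.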


IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.


IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key: a session cookie issued by one node can only be decrypted by another node if that node has the same key, otherwise the user is asked to log in again. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  – Install an appropriate cronjob.
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement


Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited.
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
• Terracotta
  – No longer an option for IdPv3.


Considerations for planning an IdP cluster
• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?


References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits of participating in interfederation.
• Know what it takes to enable an IdP for interfederation.
• Understand the concept of Entity Categories.
• Recognize how Entity Categories can help achieve a data-protection-conformant attribute release that scales.

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead: e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation.
  – Enable the IdP for interfederation: its users will be able to access services from other federations.
  – Enable the SP for interfederation: the service can serve users from other federations.


All Academic Identity Federations Globally (world map of production and pilot federations; source: https://refeds.org/federations/federations-map)


eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service.
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
• http://www.edugain.org
• https://technical.edugain.org/status.php


Enabling Interfederation in the Resource Registry
• https://www.switch.ch/aai/interfederation
• Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.
• SWITCH will then enable the checkbox in the Resource Registry.


Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases


Enabling Interfederation (2): screenshot of the interfederation option in the Resource Registry (https://www.switch.ch/aai/interfederation)


eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust.
• SPs and IdPs of participating federations should opt in for eduGAIN; some federations decided on opt-out instead.
• The MDS (metadata service) fetches, aggregates and republishes metadata.
• Policy framework (diagram): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile.

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry


Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category.
• Requires a specification for internationally coherent use.
• Criteria: purpose, policies, or other.
• In the interfederation context:
  – fills the gap of missing common policies;
  – supports or increases scalable trust.

Metadata (screenshot slide)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives.
• The SP has to provide a Privacy Policy (in English, according to the guideline).
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale.
• Increases the trust in Service Providers (SPs). Diagram: each SP commits to the GÉANT Data Protection Code of Conduct; each Home Organisation (HO) learns the SP's commitment.
• Code of Conduct toolkit:
  – Data Protection Code of Conduct for SPs in EU/EEA
  – Entity category attribute definition for the Code of Conduct
  – SAML2 profile for the Data Protection Code of Conduct


GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence


Data Protection Code of Conduct (DP CoCo)
• Normative documents:
  – Data Protection Code of Conduct for SPs in EU/EEA
  – Entity category specification for the DP CoCo
  – SAML2 profile for the DP CoCo
• Non-normative informational documents:
  – Introduction
  – Introduction to the DP directive
  – Managing DP risks using CoCo
  – Privacy policy guidelines for SPs
  – What attributes can an SP request
  – DP good practice for Home Organisations
  – Federation operator guidelines
  – Handling non-compliance
  – IdP inform/consent GUI guidelines
• Entity category value: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook


Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct


REFEDS Research & Scholarship
• R&S SPs support research & scholarship interaction, collaboration and management.
• No SPs from publishers.
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = givenName + sn OR displayName)


Comparison

                 REFEDS R&S                     GÉANT DP CoCo
Scope            Global                         Mainly Europe
Basis            Common purpose of the SPs      Common data protection standards
Attributes       Fixed set of attributes        SP can require any attributes
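As an added example (not code from SWITCH, REFEDS or GÉANT), the following Python script reads the entity categories of an SP from SAML metadata and derives the attribute release that the two categories compared above imply: the fixed R&S bundle on the one hand, the attributes the CoCo SP requests in its metadata on the other. In a real IdP the same decision is expressed as attribute-filter policies (or in the Resource Registry); this script only mirrors the rules. The metadata and the list of available attributes are constructed; the category and attribute name URIs are the published ones.

```python
"""Entity categories in SAML metadata and the attribute release they imply.

Added example, not code from SWITCH, REFEDS or GEANT. SAMPLE_METADATA and
AVAILABLE are constructed; the rule for CoCo (release what the SP requests in
its AttributeConsumingService) and for R&S (the bundle from the slides, with
displayName or givenName + sn as person name) are this script's reading of them.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# R&S bundle apart from the person name, which is handled separately below.
RS_BUNDLE = ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation", "eduPersonTargetedID"]

# Constructed metadata: an R&S SP, a CoCo SP requesting two attributes, an SP without category.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo sample service</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed inventory of attributes the IdP can resolve for a user.
AVAILABLE = ["uid", "eduPersonPrincipalName", "mail", "givenName", "sn", "eduPersonScopedAffiliation"]


def load(xml_text):
    """Parse a metadata document (aggregate or single EntityDescriptor)."""
    return ET.fromstring(xml_text)


def find_entity(root, entity_id):
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        if ed.get("entityID") == entity_id:
            return ed
    raise KeyError("entity not in metadata: " + entity_id)


def entity_categories(root, entity_id):
    """Set of entity-category values carried in the entity's mdattr:EntityAttributes."""
    cats = set()
    for ea in find_entity(root, entity_id).iter("{%s}EntityAttributes" % MDATTR):
        for attr in ea.iter("{%s}Attribute" % SAML):
            if attr.get("Name") == ENTITY_CATEGORY:
                cats.update((v.text or "").strip() for v in attr.iter("{%s}AttributeValue" % SAML))
    return cats


def requested_attributes(root, entity_id, required_only=False):
    """Friendly names of the SP's md:RequestedAttribute elements, in metadata order."""
    names = []
    for ra in find_entity(root, entity_id).iter("{%s}RequestedAttribute" % MD):
        if required_only and ra.get("isRequired", "false").lower() != "true":
            continue
        names.append(ra.get("FriendlyName") or ra.get("Name"))
    return names


def attributes_to_release(root, entity_id, available):
    """Attributes the category rules allow releasing; empty if the SP has no category."""
    cats = entity_categories(root, entity_id)
    release = set()
    if RS in cats:  # fixed bundle, limited to what the IdP actually has
        release.update(a for a in RS_BUNDLE if a in available)
        if "displayName" in available:
            release.add("displayName")
        elif {"givenName", "sn"} <= set(available):
            release.update(["givenName", "sn"])
    if COCO in cats:  # whatever the SP declares in metadata, required or optional
        release.update(a for a in requested_attributes(root, entity_id) if a in available)
    return release


if __name__ == "__main__":
    root = load(SAMPLE_METADATA)
    for sp in ("https://rs-sp.example.org/shibboleth", "https://coco-sp.example.org/shibboleth",
               "https://plain-sp.example.org/shibboleth"):
        print(sp, sorted(entity_categories(root, sp)), sorted(attributes_to_release(root, sp, AVAILABLE)))
```

Point `load()` at the interfederation metadata file your IdP consumes to see which categories an SP carries before you decide on a release rule; an SP without any category gets nothing from this logic and needs an explicit rule.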

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot slide)

Attribute Release Settings (1) and (2) (screenshots: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log
  – LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition:
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf


Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method GET or POST)
  – default logging location: /var/log/tomcat7/
  – config: the AccessLogValve in /etc/tomcat7/server.xml (output dir and file name)


Shibboleth log files (1)
• Logging implementation: Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error


Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs.
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance


Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  – LDAP auth module or authentication events
  – new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default.


SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

Note: by default the SMTPAppender sends a mail on each ERROR event and includes the events buffered before it; with the root logger at DEBUG every mail carries a lot of DEBUG output, which can contain user names and other request details, so choose the recipient and the root level accordingly.

http://logback.qos.ch/manual/appenders.html


Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.


Hands On 2: Find out why not all of the attributes appear.


Hands On 2 (steps)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template...:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) and restart Tomcat.

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check.


New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml.
• Reloading metadata: find the IDs with
  $ grep 'MetadataProvider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... Requesting the respective URL with curl seems more straightforward.


Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).


And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages:
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately;
  – say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2.


Still requiring a restart with v3
• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• ...and a few more, of course; but under normal operating conditions such reconfigurations occur relatively rarely.


(Ideas for) hands-on exercises
• Try reloading a couple of the services listed under "Available bean IDs for service reloads":
  $ curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=...'
• Check what happens when specifying invalid bean IDs.
• Insert a syntax error into a configuration file and try reloading the corresponding service.
• Entries in idp-audit.log just record reload events with
  ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai.
• Understand what is different regarding opt-in vs. opt-out, metadata, discovery service and attributes.
• Know whom to contact and where to get help.


Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate, i.e. once the configuration is up to date:
    – interfederation metadata gets loaded;
    – IdP: additional attributes, user consent;
    – SP: discovery service, attribute mapping, access rules.
  – ⊖ Slow process. ⊕ Entities are unlikely to cause interoperability problems.
• Opt-out
  – The federation announces a flag day for enabling interfederation.
  – IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet.
  – ⊕ Quick adoption. ⊖ More likely that entities cause problems unless they opted out before the flag day.


Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.


Metadata
• Interfederated IdPs and SPs need additional metadata.
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  – Opt-out federations integrate all entities into a single metadata file.
• Propagation speed of metadata changes:
  – in SWITCHaai: two hours;
  – for interfederation: one to a few days.
• Possible issue: the SP does not load the interfederation metadata, so the SP does not know the IdP and fails.


Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP.
• An SP needs a DS that knows the appropriate set of IdPs.
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp


Attributes
• Missing attributes cause interoperation problems.
  – Check the SP's attribute requirements in the Resource Registry.
  – Verify that attributes were released (in the IdP's audit log).
    – If NO: check your IdP's attribute release policy.
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails.
      – If NO: review your attribute release policy.
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
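The checklist above and the "How to check if a profile and binding can be removed" slide at the start of this handout both come down to reading idp-audit.log. As an added example (not code from SWITCH or the Shibboleth project), the following Python script answers both questions from the audit log: when a given inbound binding was last used by which SP, and which attributes were released to an SP, with the decision tree of the checklist applied on top. It assumes the field layout listed in AUDIT_FIELDS (check it against the idp.audit.format entries in your conf/audit.xml and adapt the list), that %T is written as an ISO 8601 basic timestamp such as 20150611T081532Z, and that %attr is a comma-separated list of attribute IDs; the log lines are constructed, including one reload record with empty fields like those shown in the reloading slides.

```python
"""Answer two questions from idp-audit.log: when was a binding last used by
which SP, and which attributes were released to a given SP.

Added example, not code from SWITCH or the Shibboleth project. Assumptions:
  * AUDIT_FIELDS is the pipe-separated layout of the audit lines (%T time,
    %b inbound binding, %I request ID, %SP relying party, %P profile, %u user,
    %ac authn context, %attr released attribute IDs, ...); match it to the
    idp.audit.format entries in conf/audit.xml of your deployment;
  * %T looks like 20150611T081532Z; %attr is a comma-separated list.
SAMPLE_LINES are constructed for this example.
"""
from datetime import datetime

AUDIT_FIELDS = ["T", "b", "I", "SP", "P", "u", "ac", "attr", "n", "i", "s", "E"]

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_QUERY = "http://shibboleth.net/ns/profiles/saml1/query/attribute"
SAML2_SSO = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

LEGACY_SP = "https://legacy-sp.example.org/shibboleth"
SP = "https://sp.example.org/shibboleth"

# Constructed records in the AUDIT_FIELDS layout: two SAML 1 attribute queries over SOAP
# from a legacy SP, two SAML 2 browser logins at another SP, and one metadata reload.
SAMPLE_LINES = [
    "20150311T091502Z|%s|_r1|%s|%s|jdoe||uid,mail||_a1|_s1|" % (SAML1_SOAP, LEGACY_SP, SAML1_QUERY),
    "20150410T120000Z|%s|_r2|%s|%s|jsmith||uid||_a2|_s2|" % (SAML1_SOAP, LEGACY_SP, SAML1_QUERY),
    "20150611T081532Z|%s|_r3|%s|%s|jdoe|%s|eduPersonPrincipalName,mail,displayName,"
    "eduPersonScopedAffiliation|_n3|_a3|_s3|" % (SAML2_POST, SP, SAML2_SSO, PPT),
    "20150611T083000Z|%s|_r4|%s|%s|jsmith|%s|eduPersonPrincipalName|_n4|_a4|_s4|" % (SAML2_POST, SP, SAML2_SSO, PPT),
    "20150611T090000Z||_r5||http://shibboleth.net/ns/profiles/reload-metadata|||||||",
]


def parse_audit_line(line):
    """Split one audit record into a dict keyed by AUDIT_FIELDS; missing trailing fields become ''."""
    parts = line.rstrip("\r\n").split("|")
    parts += [""] * (len(AUDIT_FIELDS) - len(parts))
    rec = dict(zip(AUDIT_FIELDS, parts))
    rec["time"] = datetime.strptime(rec["T"], "%Y%m%dT%H%M%SZ")
    rec["attrs"] = [a for a in rec["attr"].split(",") if a]
    return rec


def last_use_of_binding(lines, binding):
    """Map relying party -> time of its most recent record with the given inbound binding."""
    last = {}
    for rec in map(parse_audit_line, lines):
        if rec["b"] == binding and rec["SP"]:
            if rec["SP"] not in last or rec["time"] > last[rec["SP"]]:
                last[rec["SP"]] = rec["time"]
    return last


def attributes_released_to(lines, sp, user=None):
    """Attribute IDs in the latest record for sp (optionally one user only); None if no record."""
    latest = None
    for rec in map(parse_audit_line, lines):
        if rec["SP"] == sp and (user is None or rec["u"] == user):
            if latest is None or rec["time"] > latest["time"]:
                latest = rec
    return None if latest is None else set(latest["attrs"])


def release_verdict(lines, sp, required, user=None):
    """The decision tree of the checklist: ('no-release' | 'incomplete' | 'complete', missing IDs)."""
    released = attributes_released_to(lines, sp, user)
    if not released:
        return "no-release", set(required)  # check the IdP's attribute release policy
    missing = set(required) - released
    if missing:
        return "incomplete", missing  # review the attribute release policy
    return "complete", set()  # the SP side has to find out why it fails


if __name__ == "__main__":
    for rp, when in last_use_of_binding(SAMPLE_LINES, SAML1_SOAP).items():
        print("last SAML 1 SOAP use by %s: %s" % (rp, when.isoformat()))
    print(release_verdict(SAMPLE_LINES, SP, ["eduPersonPrincipalName", "mail", "eduPersonTargetedID"], user="jdoe"))
```

For a real check, feed `open("/opt/shibboleth-idp/logs/idp-audit.log")` (and the rolled files for the months you care about) as `lines`; the `required` list is what the Resource Registry shows as the SP's required attributes.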


Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list".
  – Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – Or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide e-mail addresses or domain names)
• Additional web pages of interest:
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org


Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation".
• Or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


authn-messages.properties (in /opt/shibboleth-idp/messages/authn-messages.properties)

    idp.login.loginTo = Login to
    idp.login.username = Username
    idp.login.password = Password
    idp.login.donotcache = Don't Remember Login
    idp.login.login = Login
    idp.login.forgotPassword = Forgot your password?
    idp.login.forgotPassword.url = https://support.example.org
    idp.login.needHelp = Need Help?


authn-messages.properties: classified login error messages

    # Classified Login Error messages
    UnknownUsername = bad-username
    InvalidPassword = bad-password
    ExpiredPassword = expired-password
    AccountLocked = account-locked
    bad-username.message = The username you entered cannot be identified.
    bad-password.message = The password you entered was incorrect.
    expired-password.message = Your password has expired.
    account-locked.message = Your account is locked.


Velocity properties

    <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>


Velocity
• The Apache Velocity Engine is a free, open-source templating engine.
• Clean separation between the presentation tier and business tiers.
• VTL (Velocity Template Language):
  – References begin with $
  – Directives begin with #
  – A single-line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#


Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views/:
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used (no restart required).
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.


Some Velocity properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName


Velocity properties

    #set ($name = $rpUIContext.serviceName)
    #if ($name)
      <div class="space">
        <em>$encoder.encodeForHTML($name)</em>
      </div>
    #end


Hands On I: make the IdP logo disappear for screens smaller than 799 px.


Hands On II: return the following error message on the login form in case of an invalid username or incorrect password:
    "The credentials you entered are incorrect"


Hands On III: start to adapt login.vm in such a way that it looks like your production IdP.


Example Solution I
• Define a CSS class idp_logo:
    @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• Use the class in login.vm:
    <img class="idp_logo" align="right" ...
• Rebuild and restart Tomcat:
    $ sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    $ sudo /etc/init.d/tomcat7 restart


Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect

Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding


Compatibility with version 2
• Same XML syntax as v2; should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning is given for using the legacy configuration mode.
• Delete ignored elements.
• Group attribute definitions in separate files: less misleading, smaller files, clearer.

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.

New features in version 3
• Property replacement: %{my.property}
  – Move passwords to a dedicated file
  – Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
        <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213 (the separating dots of the OID are lost in this extraction)
Friendly name: uzhSAPUserId
Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
            name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
        <!-- OID separators lost in extraction -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
        <ad:Template>SAP-${uid}</ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://attribute-viewer.aai.switch.ch/shibboleth" />
        <afp:AttributeRule attributeID="uzhSAPUserId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter" />
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed:
  - output attribute variable already created
  - setValues() removed
  - and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):

    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
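The computation and the SP-side rendering described above, as an added example that is not part of the SWITCH handouts or the Shibboleth code base. It shows why the salt must be carried over unchanged (a different salt yields different IDs for every user and SP) and why the reverse mapping needs the shibpid table; the entity IDs and the salt are constructed, and the exact '!' separator layout in the hash input is an assumption about the Shibboleth generator, not something the handouts state.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple

# Constructed entity IDs for the demonstration (not taken from the handouts).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over SP entity ID + user attribute value + admin salt, Base64 encoded.

    20 digest bytes always give a 28-character string ending in '='.
    Assumption: the '!' separators and feeding the salt last mirror the
    Shibboleth StoredId/computed generator as the author of this example
    understands it; the handouts only say "entity ID plus attribute value plus salt".
    """
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String the Shibboleth SP exposes: IdP qualifier!SP qualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_sp_rendering(rendered: str) -> Tuple[str, str, str]:
    """Split the SP string back into (IdP, SP, value). The value is Base64 and
    never contains '!', so splitting from the right is unambiguous."""
    idp, sp, value = rendered.rsplit("!", 2)
    return idp, sp, value


class PersistentIdStore:
    """Minimal stand-in for the shibpid table.

    The hash cannot be inverted, so the reverse mapping (persistent ID back to
    a principal) that the c14n/SAML2Persistent flow performs is only possible
    through stored records; losing the table or changing the salt breaks it.
    """

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], str] = {}

    def generate(self, sp_entity_id: str, principal: str, source_value: str, salt: str) -> str:
        pid = compute_persistent_id(sp_entity_id, source_value, salt)
        self._records[(sp_entity_id, pid)] = principal
        return pid

    def principal_for(self, sp_entity_id: str, persistent_id: str) -> Optional[str]:
        return self._records.get((sp_entity_id, persistent_id))
```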

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  - preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  - deprecates the StoredId data connector and the SAML2NameID attribute definition type
  - in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  - the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

    me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:

    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3

Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3?

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options: Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides

• Post-authentication flows:
  - Attribute consent [enabled]
  - Terms of use consent [disabled]

Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration: Configured by Java properties in conf/idp.properties

• Consent duration options:
  - Ask me again if information changes: always available to users
  - Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  - Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• White & black lists: which attributes to prompt for [all except black list]
  - White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  - Black list [transientId, persistentId, eduPersonTargetedID]
  - Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable terms-of-use flow in conf/relying-party.xml
• Change key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
• New attributes available:
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType

Example metadata with attributes:

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:

    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp!
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata!

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs. IdPv3 Metadata

• Endpoint URLs stay the same
  - Unlike the upgrade from IdPv1 to IdPv2
  - Therefore, no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  - Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (Resource Registry screenshot; annotations: 1, 2: to review; 3: to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: Add new IP ranges and Domain Hints
• 5. Contacts: Please ensure only non-personal email addresses are listed. Ideally, also add helpdesk phone numbers
• 7. Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration because:
  - only one Apache VirtualHost
  - one domain name and one certificate
  - no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in 3. Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
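The same log check carried a step further, as an added example that is not part of the SWITCH handouts: instead of only grepping, it records the last use and the last relying party per binding and applies an idle-period threshold before an endpoint is declared removable. The log lines are constructed, and the line layout the regular expressions expect (logback-style timestamp first, the binding URN and a quoted relying party ID on the same line) is an assumption to adapt to your own logback configuration.

```python
import re
from datetime import datetime
from typing import Iterable, Optional, Tuple

SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Assumed line layout (adapt to your logback pattern): timestamp at the start,
# binding URN and "relying party '<entityID>'" somewhere on the same line.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
RELYING_PARTY_RE = re.compile(r"relying party '([^']+)'")

# Constructed sample lines standing in for idp-process-2015-*.log (not real IdP output).
SAMPLE_LOG = """\
2015-01-09 08:12:01,114 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party 'https://old-sp.example.org/shibboleth'
2015-03-21 14:03:45,002 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party 'https://sp.example.org/shibboleth'
2015-04-30 23:59:59,999 - INFO [net.shibboleth.idp.saml.profile:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party 'https://legacy.example.org/shibboleth'
2015-05-02 09:00:00,000 - WARN [net.shibboleth.idp.profile:2] - Something unrelated happened
"""


def binding_usage(lines: Iterable[str], binding: str) -> Tuple[int, Optional[datetime], Optional[str]]:
    """Return (count, last_timestamp, last_relying_party) over the lines that
    mention the given binding URN; lines without a parseable timestamp are skipped."""
    count, last_ts, last_rp = 0, None, None
    for line in lines:
        if binding not in line:
            continue
        match = TIMESTAMP_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        count += 1
        if last_ts is None or ts > last_ts:
            last_ts = ts
            rp = RELYING_PARTY_RE.search(line)
            last_rp = rp.group(1) if rp else None
    return count, last_ts, last_rp


def safe_to_remove(lines: Iterable[str], binding: str, now: datetime, max_idle_days: int = 90) -> bool:
    """An endpoint is a removal candidate only if the binding was never seen
    or its last use lies more than max_idle_days before `now`."""
    count, last_ts, _ = binding_usage(list(lines), binding)
    if count == 0 or last_ts is None:
        return True
    return (now - last_ts).days > max_idle_days
```

Run it over the concatenation of all idp-process-*.log files for the period you care about; the count, last timestamp and last relying party tell you whom to contact before the endpoint disappears from metadata.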

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

bull  The setup of the IdP and the whole environment is more complex than with a single-server IdP

bull  Special configuration of the IdP is required

bull  Load balancing requires special hardware or software

bull  IdPs in SWITCHaai store some data in a database Therefore clustered IdPs need some kind of clustered database or some replication mechanism

4

Page 70

Example Environment (diagram, two slides)

Options: Load Balancing Hardware vs. DNS Round Robin

• Full-featured setup
  - Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    · Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    · Behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  - Anycast IP address: fast switching possible, but more complicated setup
  - Switching via DNS: switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs. server-side

• Server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
• Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on client)
• Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment, the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
• Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

    Storage Entity         Recommended Storage   Scope
    Conversation Session   Memory                Per Node
    IdP User Session       Client                Per Client
    Persistent ID          Common Database       Cluster
    User consents          Common Database       Cluster
    SAML artifacts         Common Database       Cluster
    Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  - No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map: Production / Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
• Status June 2015:
  - IdPs: 1257
  - SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                Defined in   Example
    displayName                  eduPerson    Peter Sample
    common name (cn)             eduPerson    Peter Sample
    mail                         eduPerson    peter.sample@example.org
    eduPersonAffiliation         eduPerson    staff
    eduPersonScopedAffiliation   eduPerson    staff@example.org
    eduPersonPrincipalName       eduPerson    234cd8z239@example.org
    schacHomeOrganization        SCHAC        example.org
    schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

9

httpswwwswitchchaaiinterfederation

copy 2015 SWITCH

eduGAIN What is it and how does it work

bull  eduGAIN provides policy framework and standards to build trust bull  SPs and IdPs of participating federations should opt-in for eduGAIN

bull  Some federations decided for opt-out instead

bull  MDS fetches aggregates and republishes metadata

Code ofConduct

Attribute Profile

Metadata Profile

Web SSOProfile

eduGAIN Constitution

eduGAINDeclaration

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria: purpose, policies, or other
• In the interfederation context: filling the gap of missing common policies; supporting or increasing scalable trust
• The tag is carried as an entity attribute inside the signed federation metadata. An IdP should therefore only act on categories it obtained through its federation's (or eduGAIN's) metadata signature, never on metadata an SP hands over directly.
(Figure "Metadaten": entity category attribute carried in SAML metadata)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
• Goal: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SPs' commitment from the entity category in the metadata.
• Code of Conduct Toolkit
  – Data Protection Code of Conduct for SPs in EU/EEA
  – Entity category attribute definition for the Code of Conduct
  – SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Links
• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support research & scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

                 | REFEDS R&S                 | GÉANT DP CoCo
Scope            | Global                     | Mainly Europe
Common ground    | Common purpose of the SPs  | Common data protection standards
Attributes       | Fixed set of attributes    | SP can require any attributes
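The two categories compared above lead to two different release rules: R&S means "release the fixed bundle", CoCo means "release what this SP asks for in its metadata". The following added example (not SWITCH Resource Registry or Shibboleth code) shows how an IdP can derive the release decision from the entity-category entity attribute and the <md:RequestedAttribute> elements of an SP's metadata. The three SP metadata documents, the attribute names, the OIDs and the "required attributes only" reading of CoCo are constructed for this demonstration; the category URIs are the ones used by REFEDS and GÉANT.

```python
"""Turn SP entity categories into an attribute release decision.

Added example for this handout; it is not SWITCH Resource Registry or
Shibboleth code. Metadata, attribute names and OIDs of the sample SPs are
constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Fixed R&S bundle as listed in the handout (identifiers, person name, affiliation).
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}


def make_sp_metadata(entity_id, categories, requested):
    """Build a constructed EntityDescriptor; `requested` is [(friendlyName, oid, isRequired)]."""
    cats = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    reqs = "".join(
        f'<md:RequestedAttribute FriendlyName="{name}" Name="urn:oid:{oid}" '
        f'isRequired="{str(req).lower()}"/>'
        for name, oid, req in requested)
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
        f'xmlns:saml="{NS["saml"]}" entityID="{entity_id}">'
        "<md:Extensions><mdattr:EntityAttributes>"
        f'<saml:Attribute Name="{ENTITY_CATEGORY}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        f"{cats}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>"
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AttributeConsumingService index="1">'
        f'<md:ServiceName xml:lang="en">Constructed SP</md:ServiceName>{reqs}'
        "</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"
    )


def entity_categories(root):
    """Entity category values from <mdattr:EntityAttributes>."""
    cats = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def required_attributes(root):
    """FriendlyNames of <md:RequestedAttribute isRequired="true"> in the SP's metadata."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("FriendlyName") for ra in root.findall(path, NS)
            if ra.get("isRequired", "false").lower() == "true"}


def decide_release(metadata_xml, available):
    """Attributes to release to the SP described by metadata_xml.

    R&S: the fixed bundle. CoCo: only what the SP marks isRequired="true"
    (a conservative policy chosen for this example, not the SWITCH rule).
    No category: nothing automatically; an explicit per-SP rule is needed.
    """
    root = ET.fromstring(metadata_xml)
    cats = entity_categories(root)
    release = set()
    if RS_CATEGORY in cats:
        release |= RS_BUNDLE
    if COCO_CATEGORY in cats:
        release |= required_attributes(root)
    return sorted(release & set(available))


# Constructed inputs: what the IdP can resolve, and three sample SPs.
AVAILABLE = ["eduPersonPrincipalName", "mail", "givenName", "sn", "displayName",
             "eduPersonScopedAffiliation", "eduPersonTargetedID", "swissEduPersonUniqueID"]
COCO_SP = make_sp_metadata("https://sp.example.org/shibboleth", [COCO_CATEGORY], [
    ("eduPersonPrincipalName", "1.3.6.1.4.1.5923.1.1.1.6", True),
    ("mail", "0.9.2342.19200300.100.1.3", True),
    ("swissEduPersonUniqueID", "2.16.756.1.2.5.1.1.1", False),
])
RS_SP = make_sp_metadata("https://wiki.example.edu/shibboleth", [RS_CATEGORY], [])
PLAIN_SP = make_sp_metadata("https://other.example.net/shibboleth", [], [
    ("mail", "0.9.2342.19200300.100.1.3", True),
])

if __name__ == "__main__":
    for label, sp in (("CoCo", COCO_SP), ("R&S", RS_SP), ("no category", PLAIN_SP)):
        print(f"{label:12s} -> {decide_release(sp, AVAILABLE)}")
```

The SP without a category gets nothing, which is the point of the slides: without a category every SP needs its own rule, and with one the same rule serves hundreds of SPs. Note that the CoCo SP's optional swissEduPersonUniqueID is withheld even though it is requested; whether to honour isRequired="false" requests is a policy choice, and the Resource Registry rules decide it for SWITCHaai.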

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
(Screenshot of the Resource Registry)

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log; LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2. The log configuration is defined in the virtual host definition: directory /etc/apache2/sites-available, file aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location /var/log/tomcat7, configuration in /etc/tomcat7/logging.properties
  – FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location /var/log/tomcat7, configuration in /etc/tomcat7/server.xml (output directory and name)

Shibboleth log files (1)
• Logging implementation: Logback, the Log4j successor. Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error (SMTPAppender, see below)

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml; three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually ok; change them if required, e.g. for the LDAP auth module or authentication events, or to add a new Logger or Appender
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Caveat: the SMTPAppender sends a mail when an ERROR event arrives and, by default, includes the last 256 events from its cyclic buffer. Attached to a root logger at DEBUG level, that mail carries DEBUG lines, which can contain user names, attribute values and request details, across the mail system in clear text. Keep the recipient internal, send through a trusted relay (or enable STARTTLS on the appender), and consider attaching the appender at WARN level rather than to the DEBUG root.

Reference: http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a Listener with a wrong (non-existent) class name in the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the Listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries of
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
   Authentication still succeeds (it uses its own DN resolution); only the attribute search filter is broken, so the user logs in but arrives at the SP with attributes missing.
6. Undo the wrong value, set (uid=$requestContext.principalName) again, and restart Tomcat.
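The hands-on above breaks attribute lookup by misspelling the context reference in the search filter template. The following added example (not Shibboleth, ldaptive or SWITCH code) models what happens: a Velocity-style renderer leaves an unknown reference such as $requestContext.Name literally in the filter, so the LDAP search matches nobody and the resolver has no entry to read attributes from, while the correct reference resolves to the principal name. The example also applies RFC 4515 escaping to the substituted value, which is what stops a hostile principal name from turning (uid=...) into a wildcard search. The directory entries, the renderer and the toy filter evaluator are constructed for the demonstration and are not the IdP's implementation.

```python
"""Render an LDAP search filter from a template and run it against a toy directory.

Added example for the hands-on; it is not Shibboleth, ldaptive or SWITCH code.
It mimics two behaviours a practitioner needs to know: a Velocity-style renderer
leaves an unresolvable reference literally in the output, and a substituted value
must be escaped per RFC 4515 before it becomes part of the filter.
"""
import re

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_REF = re.compile(r"\$\{?([A-Za-z_][\w.]*)\}?")
_ASSERTION = re.compile(r"^\((\w+)=(.*)\)$", re.S)

# Constructed directory entries standing in for the LDAP data connector's results.
DIRECTORY = [
    {"uid": "alice", "mail": "alice@example.org", "eduPersonAffiliation": "staff"},
    {"uid": "bob", "mail": "bob@example.org", "eduPersonAffiliation": "student"},
]


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value (the LDAP equivalent of output encoding)."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def render_filter(template, context):
    """Substitute $name / ${name} references from context; unknown references stay literal."""
    def substitute(match):
        name = match.group(1)
        if name in context:
            return escape_filter_value(context[name])
        return match.group(0)  # what Velocity does in non-strict mode
    return _REF.sub(substitute, template)


def _value_to_regex(value):
    """Unescaped '*' is a wildcard; a backslash-hex escape is a literal character."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif c == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def search(directory, filter_str):
    """Evaluate one equality assertion, e.g. (uid=alice), against the directory."""
    match = _ASSERTION.match(filter_str)
    if not match:
        return []  # a real server rejects a malformed filter
    attr, pattern = match.group(1), re.compile(_value_to_regex(match.group(2)))
    return [entry for entry in directory if attr in entry and pattern.fullmatch(entry[attr])]


def resolve_attributes(template, principal):
    """The entry the attribute resolver would work with for this login, or None."""
    context = {"requestContext.principalName": principal}
    hits = search(DIRECTORY, render_filter(template, context))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    good = "(uid=$requestContext.principalName)"
    broken = "(uid=$requestContext.Name)"   # the value inserted in the hands-on
    for tmpl, who in ((good, "alice"), (broken, "alice"), (good, "*")):
        rendered = render_filter(tmpl, {"requestContext.principalName": who})
        print(rendered, "->", resolve_attributes(tmpl, who))
```

Running it shows the three cases side by side: the correct template yields (uid=alice) and the user's entry, the hands-on's broken template yields the literal (uid=$requestContext.Name) and no entry, and a principal name of "*" is escaped to (uid=\2a) and matches nothing, whereas the unescaped (uid=*) would match every entry in the directory.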

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows:
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry). The admin flows carry no user authentication of their own, so this IP-based rule is the only protection: do not widen it, and do not expose /idp/profile/admin/ through a reverse proxy to the public.
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified. Requesting the respective URL with curl seems more straightforward.

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course, but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed above:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding opt-in vs opt-out, metadata, the Discovery Service and attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in: IdPs and SPs decide when they are ready to interfederate. Once the configuration is up-to-date:
  – interfederation metadata gets loaded
  – IdP: additional attributes, user consent
  – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process   ⊕ Entities are unlikely to cause interoperability problems
• Opt-out: the federation announces a flag day for enabling interfederation. IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet.
  ⊕ Quick adoption   ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes: in SWITCHaai two hours; for interfederation one to a few days
• Possible issue: the SP does not load interfederation metadata, so the SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs: an interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released? If YES, the SP has to check why it fails; if NO, review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck, provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Velocity Properties (example from login.vm)
  <a class="aai" href="#springMessage('idp.login.forgotPassword.url')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a>

Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• Clean separation between the presentation tier and the business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are the most used ones (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties (example)
  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space"><em>$encoder.encodeForHTML($name)</em></div>
  #end

All $rpUIContext values come from the SP's metadata, i.e. from a third party, so always pass them through $encoder.encodeForHTML (or the matching encoder for an attribute or URL context) before writing them into the page; otherwise a crafted service name becomes cross-site scripting on your login page.

Hands On I: make the IdP logo disappear for screens smaller than 799 px

Hands On II: return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."

Hands On III: start to adapt login.vm in such a way that it looks like your production IdP

Example Solution I
• define a CSS class idp_logo:
    @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm: <img class="idp_logo" align="right" …
• rebuild and restart Tomcat (the CSS lives in edit-webapp, so unlike the .vm files it needs a rebuild):
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.
  Mapping both conditions to the same message is deliberate: a distinct "unknown user" text would let anyone enumerate valid usernames through the login form.

Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible; any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions; deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see the next presentation.

New features in version 3
• Property replacement: %{my.property}
  – Move passwords into a dedicated file
  – Extract duplicated data like URLs
• Configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example
  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1: add a new local attribute definition and release it to the attribute viewer
UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213 (the dots of the OID were lost in extraction)
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml
New file with:
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml
New file with:
  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
Doable in the Resource Registry too.

Hands-on 1 solution: services.xml
Loads both new files:
  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• The IdP API for scripts has changed
  – the output attribute variable is already created
  – setValues() was removed
  – and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Hands-on 2: add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:
  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template" sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>
Add that new attribute to the definition of eduPersonEntitlement:
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
Keep in mind that objectClass is multi-valued and includes structural classes such as top or person, so the template emits one entitlement per value; restrict the values in the attribute filter if only specific classes are meant to grant an entitlement.

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded, which gives a 28-character string)
• when used in a federation, always qualified by the IdP and SP entity IDs
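The construction described above is easy to reproduce, and doing so makes its security properties concrete: the value is pairwise (the SP entity ID is part of the hash, so two SPs cannot correlate the same user), deterministic (the same inputs always give the same value, which is why the salt must be carried over unchanged from v2), and one-way only as long as the salt stays secret. The following added example is not the IdP's code; the "!" separators between the three hashed inputs are an assumption taken from the IdP's computed-ID strategy, and the entity IDs, user value and salt are constructed.

```python
"""Persistent NameID construction as sketched on the slides.

Added example, not the IdP's code: SHA-1 over SP entity ID, a stable per-user
attribute value and a secret salt, Base64 encoded. The '!' separators between
the three inputs are an assumption taken from the IdP's computed-ID strategy;
the security properties shown (pairwise, deterministic, salt-dependent) do not
depend on the separator. All identifiers and the salt are constructed.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"


def compute_persistent_id(sp_entity_id, source_value, salt):
    """Base64(SHA-1(sp ! source ! salt)): 20 bytes, 28 characters."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")  # separator: assumption, see module docstring
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_attribute_rendering(sp_entity_id, persistent_id, idp_entity_id=IDP_ENTITY_ID):
    """The string the Shibboleth SP exposes: IdP entity ID ! SP entity ID ! value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def is_pairwise(source_value, salt, sp_a, sp_b):
    """Two SPs get different identifiers for the same user and cannot correlate them."""
    return compute_persistent_id(sp_a, source_value, salt) != compute_persistent_id(sp_b, source_value, salt)


def guess_user(target_id, sp_entity_id, salt, candidates):
    """Why the salt must stay secret: with it, an SP can test candidate source values."""
    for candidate in candidates:
        if compute_persistent_id(sp_entity_id, candidate, salt) == target_id:
            return candidate
    return None


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    user = "123456@example.org"          # constructed swissEduPersonUniqueID-style value
    salt = "constructed-secret-salt"
    pid = compute_persistent_id(sp, user, salt)
    print(sp_attribute_rendering(sp, pid))
    print("pairwise:", is_pairwise(user, salt, sp, "https://other.example.net/shibboleth"))
    print("linkable once salt leaks:", guess_user(pid, sp, salt, ["111111@example.org", user]))
```

The guess_user function is the reason credentials.properties (where idp.persistentId.salt lives) deserves the same file permissions as the IdP's private key: the source attribute values are not secret, so whoever knows the salt can map a persistent ID back to a user with a dictionary of candidate values.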

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration: a different salt yields different identifiers for every user at every SP, and a leaked salt lets an SP link identifiers back to users)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User ConsentTransparency for attribute release

SWITCHaai Teamaaiswitchch

1

Part 1 Overview of user consent inIdP version 3

Part 2 Technical bits

copy 2015 SWITCH 2

Page 46

User consentTwo pieces

1 Attribute release consent [enabled]2 Terms of use consent [disabled]

Both prompt user on first access to every SP and againwhen attributes or terms change

copy 2015 SWITCH 3

Whats in version 3

Attribute release and terms of use consent now built in

Inspired by uApprove and uApproveJP plugins for v2

No consent data migration storage implementationsare not compatible

May be enabled or disabled per relying party and perprofile

Decisions logged

copy 2015 SWITCH

bullbullbull

bull

bull

4

Page 47

Differences with uApprove

- User can select attributes to release [disabled]
- Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
- No regular expression for SP white/black lists
- No translations provided

Why enable user consent?

- Easier to have now with v3 than with v2
- Required by the SWITCHaai Interfederation Access Declaration
- Inform users about what personal data is transmitted, in a more real-time fashion
- Recommended to comply with data protection laws

Why (not) enable user consent?

- One more page to read and click through upon login, but only the first time for each SP
- Global consent disabled: users cannot choose "I don't care about my privacy"
- Decide for all your users, or let them decide

When should consent be sought?

- All SPs: the best option ← recommended
- Outside your organisation: good, fewer clicks
- Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides

Post-authentication flows:
- Attribute consent [enabled]
- Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options (default values in brackets):
- Ask me again if information changes: always available to users
- Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
- Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]
- White list [empty]: when filled, any attribute not mentioned in a list is released without asking
- Black list [transientId, persistentId, eduPersonTargetedID]
- Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

- Alphabetical order by default
- Except attributes in the white list, which show up first
- Set pattern to ^.*$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>
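As an added illustration (not code from the IdP or from these slides), the following Python models the attribute selection and re-prompt rules described on the intercept and attribute consent slides: black list, white list, pattern, white-list-first ordering, and the compareValues check. The consent record layout (attribute name to value hash) is an assumption of this example, not the IdP's storage format.

```python
import re
from hashlib import sha256
from typing import Dict, Iterable, List, Optional, Sequence

# Black list default as stated on the slide: the opaque identifiers are
# never shown on the consent page.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(released: Dict[str, List[str]],
                         whitelist: Sequence[str] = (),
                         blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Select and order the attributes the consent page asks about.

    - black-listed attributes are never prompted for
    - with an empty white list and no pattern, all other attributes are shown
    - once a white list or pattern is configured, only attributes named in the
      white list or matching the pattern are shown; the rest are released
      without asking (so "^.*$" as pattern catches all other attributes)
    - display order: white-listed attributes first (white list order), then
      the remaining ones alphabetically
    """
    black = set(blacklist)
    regex = re.compile(pattern) if pattern else None
    candidates = [name for name in released if name not in black]
    if whitelist or regex:
        candidates = [name for name in candidates
                      if name in whitelist or (regex is not None and regex.search(name))]
    first = [name for name in whitelist if name in candidates]
    rest = sorted(name for name in candidates if name not in first)
    return first + rest


def value_hash(values: Iterable[str]) -> str:
    """Order-insensitive digest of an attribute's values, so a stored consent
    can detect value changes without keeping the values themselves (assumed
    record layout of this example)."""
    return sha256("\n".join(sorted(values)).encode("utf-8")).hexdigest()


def record_consent(prompted: List[str], released: Dict[str, List[str]]) -> Dict[str, str]:
    """What this example stores when the user accepts: name -> value hash."""
    return {name: value_hash(released[name]) for name in prompted}


def consent_required(prompted: List[str], released: Dict[str, List[str]],
                     stored: Optional[Dict[str, str]],
                     compare_values: bool = False) -> bool:
    """Decide whether to show the consent page again for this SP.

    `stored` is None when nothing is recorded (first access, or the user
    chose "ask me again at next login").  Re-prompt when the set of
    attributes changed ("ask me again if information changes") or, with
    idp.consent.compareValues enabled, when any attribute's values changed.
    """
    if stored is None:
        return True
    if set(stored) != set(prompted):
        return True
    if compare_values:
        return any(stored[name] != value_hash(released[name]) for name in prompted)
    return False


# Constructed sample: attributes the resolver/filter released for one SP.
RELEASED = {
    "uid": ["jdoe"],
    "mail": ["jane.doe@example.org"],
    "displayName": ["Jane Doe"],
    "eduPersonAffiliation": ["staff", "member"],
    "persistentId": ["constructed-opaque-id"],
}

if __name__ == "__main__":
    shown = attributes_to_prompt(RELEASED, whitelist=("mail", "displayName"), pattern=r"^.*$")
    print("prompt for:", shown)
    stored = record_consent(shown, RELEASED)
    changed = dict(RELEASED, mail=["jdoe@example.org"])
    print("re-prompt (compareValues=false):", consent_required(shown, changed, stored))
    print("re-prompt (compareValues=true): ", consent_required(shown, changed, stored, True))
```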

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

- Terms for each SP: default mapping using the entityID (the colon in the key must be escaped in a Java properties file)

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

- Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

- Enable the terms-of-use flow in conf/relying-party.xml
- Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

- Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

- Template beans in conf/relying-party.xml to match SPs by:
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
- First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

- Entity categories:
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
- New attributes available:
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
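To make the "first match wins" rule of the relying party overrides concrete, here is an added Python example (not IdP code) that parses the EntityAttributes extension from a constructed metadata aggregate modelled on the slide's example and evaluates a list of name/group/tag candidates in order. The group name, the extra entities and all bean ids other than shibboleth.NoUserConsentRelyingParty are invented for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization
DEFAULT_RP = "shibboleth.DefaultRelyingParty"

# Constructed metadata aggregate in the shape of the slide's example; the
# group name and the second and third entities are made up for this example.
METADATA = f"""<md:EntitiesDescriptor Name="urn:mace:example:constructed-group"
    xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{SWISS_HOME_ORG}">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{SWISS_HOME_ORG}">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.net/shibboleth"/>
</md:EntitiesDescriptor>"""


def load_entities(xml_text: str) -> Dict[str, dict]:
    """entityID -> {'groups': [enclosing EntitiesDescriptor names],
                    'attributes': {attribute Name -> [values]}}"""
    entities: Dict[str, dict] = {}

    def walk(elem, groups: List[str]) -> None:
        if elem.tag == f"{{{NS['md']}}}EntitiesDescriptor":
            name = elem.get("Name")
            for child in elem:
                walk(child, groups + [name] if name else groups)
        elif elem.tag == f"{{{NS['md']}}}EntityDescriptor":
            attrs = {}
            for attr in elem.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
                attrs[attr.get("Name")] = [(v.text or "").strip()
                                           for v in attr.findall("saml:AttributeValue", NS)]
            entities[elem.get("entityID")] = {"groups": groups, "attributes": attrs}

    walk(ET.fromstring(xml_text), [])
    return entities


# Overrides in the order they would appear in shibboleth.RelyingPartyOverrides:
# (bean id, candidate type, criterion). Only NoUserConsentRelyingParty is from the slide.
OVERRIDES: Sequence[Tuple[str, str, dict]] = (
    ("shibboleth.NoUserConsentRelyingParty", "tag",
     {"name": SWISS_HOME_ORG, "values": {"example.org"}}),
    ("shibboleth.CoCoRelyingParty", "tag",
     {"name": ENTITY_CATEGORY, "values": {COCO_V1}}),
    ("shibboleth.GroupRelyingParty", "group",
     {"group": "urn:mace:example:constructed-group"}),
)


def select_relying_party(entity_id: str, entities: Dict[str, dict],
                         overrides: Sequence[Tuple[str, str, dict]] = OVERRIDES) -> str:
    """First override whose candidate matches wins; otherwise the default."""
    entity = entities.get(entity_id)
    for bean_id, kind, crit in overrides:
        if kind == "name" and entity_id in crit["names"]:
            return bean_id
        if entity is None:            # unknown SP: nothing but its name can match
            continue
        if kind == "group" and crit["group"] in entity["groups"]:
            return bean_id
        if kind == "tag" and set(entity["attributes"].get(crit["name"], [])) & crit["values"]:
            return bean_id
    return DEFAULT_RP


if __name__ == "__main__":
    ents = load_entities(METADATA)
    for eid in list(ents) + ["https://unknown.example.com/shibboleth"]:
        print(eid, "->", select_relying_party(eid, ents))
```

Reversing the override order changes the result for https://sp.example.org/shibboleth, which is exactly why the order in conf/relying-party.xml matters.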

Upgrades within Version 3: It's easy now

SWITCHaai Team aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:

    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp
- Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

- Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
- Therefore no metadata/Resource Registry change is needed, in theory
- However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
- To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description [screenshot]
1, 2: To review
3: To adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
- 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
- 2 Descriptive Information: Add new IP ranges and Domain Hints
- 5 Contacts: Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
- 7 Attribute Release Settings: Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA). Why?
- Easier configuration because:
  - only one Apache VirtualHost
  - one domain name and one certificate
  - no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
- Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
- Attribute Service
- Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns the information (i.e. time, SP) when the binding was used the last time.
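The grep above answers "was it used?"; the following added Python (not from the slides or the IdP) goes one step further and reports, per SP, the last use and the number of uses of a binding, so you know who would break before removing the endpoint. The log lines are constructed for this example in the general shape of idp-process.log entries; the message wording and the assumption that the first URL in a line is the SP's entityID are this example's, not the IdP's format.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, Tuple

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Constructed sample lines (timestamp, level, logger, message); the message
# wording is made up for this example and is not the IdP's real log text.
SAMPLE_LOG = """\
2015-01-14 08:02:11,512 - INFO [net.shibboleth.idp.profile:97] - Request from https://legacy.example.org/shibboleth using binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-01-14 08:02:12,003 - INFO [net.shibboleth.idp.profile:97] - Request from https://sp.example.org/shibboleth using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-03-30 17:45:09,777 - INFO [net.shibboleth.idp.profile:97] - Request from https://legacy.example.org/shibboleth using binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2015-04-02 11:10:00,120 - WARN [net.shibboleth.idp.profile:97] - Request from https://old.example.net/shibboleth using binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
ENTITY_ID = re.compile(r"https?://[^\s\"']+")   # assumption: first URL in the line is the SP


def last_use_per_sp(lines: Iterable[str],
                    binding: str = SAML1_SOAP) -> Dict[str, Tuple[datetime, int]]:
    """{entityID: (last time the binding was used, number of uses)}.

    The grep on the slide, but aggregated per SP so the result says who
    still depends on the endpoint."""
    seen: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        if binding not in line:
            continue
        ts_match, sp_match = TIMESTAMP.match(line), ENTITY_ID.search(line)
        if not ts_match or not sp_match:
            continue   # unparseable line: skip rather than miscount
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        last, count = seen.get(sp_match.group(0), (ts, 0))
        seen[sp_match.group(0)] = (max(last, ts), count + 1)
    return seen


def unused_since(lines: Iterable[str], since: str, binding: str = SAML1_SOAP) -> bool:
    """True when no use of `binding` is logged on or after `since` (YYYY-MM-DD),
    i.e. the endpoint is a removal candidate for the period checked."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    return all(last < cutoff for last, _ in last_use_per_sp(lines, binding).values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for sp, (last, count) in sorted(last_use_per_sp(lines).items()):
        print(f"{sp}: last used {last:%Y-%m-%d %H:%M:%S}, {count} request(s)")
    print("unused since 2015-05-01:", unused_since(lines, "2015-05-01"))
```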

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team aai@switch.ch

Goals
- Operate the IdP on multiple servers to get high availability and/or load balancing
- Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
- A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
- Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

- IdPv3 provides better support for clustering than IdPv2
- Especially, user login sessions are stored on the client instead of on the server in memory
- Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment [figure]

Options: Load Balancing Hardware vs. DNS Round Robin

- Full-featured setup
  - Special load balancing hardware or software is highly recommended
    - Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    - Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    - Behavior of clients is not determinable
    - Does not guarantee sticky sessions
- Basic setup (Active/Standby system)
  - Anycast IP address
    - Fast switching possible, but more complicated setup
  - Switching via DNS
    - Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs. server-side

- Server-side database can store any data
  - But: might cause some performance penalty
  - Centralized/clustered or replicated database required
- Client-side storage using cookies
  - Doesn't work for large data like user consents
  - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
- Common Database means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
- Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta
  - No longer an option for IdPv3

Considerations for planning an IdP cluster

- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?

References / Documentation

- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team aai@switch.ch

Goals
- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for Interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team aai@switch.ch

Why Interfederation?
- Most Federations are of national scope
- Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
- Research projects are mostly multi-national
- Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally [map figure: Production / Pilot; source: https://refeds.org/federations/federations-map]

eduGAIN Status
- eduGAIN is the GÉANT Interfederation Service
- eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
- Status June 2015: IdPs 1257, SPs 963
- http://www.edugain.org
- https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry [screenshot: https://www.switch.ch/aai/interfederation]

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation           eduPerson    staff
eduPersonScopedAffiliation     eduPerson    staff@example.org
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2) [screenshot: https://www.switch.ch/aai/interfederation]

eduGAIN: What is it and how does it work?
- eduGAIN provides the policy framework and standards to build trust
- SPs and IdPs of participating federations should opt in for eduGAIN
  - Some federations decided for opt-out instead
- MDS fetches, aggregates and republishes metadata

[figure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team aai@switch.ch

Outline
- Entity category
- GÉANT Data Protection Code of Conduct (CoCo)
- REFEDS Research & Scholarship (R&S)
- Attribute release in the Resource Registry

Entity categories: A generic method to enrich metadata
- Tag an entity (SP or IdP) as being part of a category
- Requires a specification for international coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other
- In the interfederation context:
  - Filling the gap of missing common policies
  - Support or increase scalable trust

Metadata [figure]

GÉANT Data Protection Code of Conduct

- The method is based on the EU Data Protection directives
- The SP has to provide a Privacy Policy (in English, according to the guideline)
- That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; increases the trust in Service Providers (SPs)]

Code of Conduct Toolkit
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category attribute definition for the Code of Conduct
- SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
- Legal compliance
- Purpose limitation
- Data minimisation
- Deviating purposes
- Data retention
- Third parties
- Security measures
- Information duty towards end user
- Information duty towards home organization
- Security breaches
- Liability
- Transfer to third countries
- Governing law and jurisdiction
- Eligibility to execute
- Termination of the Code of Conduct
- Survival of the clauses
- Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
- Data Protection Code of Conduct for SPs in EU/EEA
- Entity category specification for the DP CoCo
- SAML2 profile for the DP CoCo

Non-normative informational documents:
- Introduction
- Introduction to the DP directive
- Managing DP risks using CoCo
- Privacy policy guidelines for SPs
- What attributes can an SP request?
- DP good practice for Home Organisations
- Federation operator guidelines
- Handling non-compliance
- IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
- Name of the service
- Description of the service
- Data controller and a contact person
- Jurisdiction
- Personal data processed
- Purpose of the processing of personal data
- Third parties to whom personal data is disclosed
- How to access, rectify and delete the personal data
- Data retention
- Data Protection Code of Conduct

REFEDS Research & Scholarship

- R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
- No SPs from publishers
- Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
  - Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team aai@switch.ch

Attribute Release Rules [figure]

Attribute Release Settings (1) [screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) [screenshot]

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files

Logfiles:
- error.log / aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
- access.log / aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
- dir: /etc/apache2/sites-available/
- file: aai-login.example.org.conf

Tomcat log files

- catalina.out: console output (System.err/out) from Tomcat
  - default logging location: /var/log/tomcat7/
  - config in /etc/tomcat7/logging.properties
    - FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
- localhost.YYYY-MM-DD.log
  - access information associated with a request (IP address, time, request method (GET or POST))
  - default logging location: /var/log/tomcat7/
  - config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

- logging implementation called Logback
  - Log4j successor
  - Manual: http://logback.qos.ch/manual/index.html
- Reloadability: log level change without restarting the IdP
  - services.properties entry: idp.service.logging.checkInterval = PT5M
- Automatic Email Alerts on Error

Shibboleth log files (2)

- Location: /opt/shibboleth-idp/logs/
- Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

- cfg: /opt/shibboleth-idp/conf/logback.xml
  - 3 main classes: Logger, Appender (output destination) and Layout
  - Default settings usually ok
  - Change it if required, i.e.:
    - LDAP Auth Module or authentication events
    - new Logger or Appender…
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
- Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Hands On 2

Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
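A small client for the reload-service admin flow described above, added here as an example and not part of the SWITCH slides or the IdP distribution. It assumes the default admin flow paths and that the caller is allowed by access-control.xml; treating anything but HTTP 200 as a failed reload is an assumption about the flow's response, not documented behaviour.

```python
"""Reload IdP v3 services via the admin flows listed on the slide above.

Added example, not part of the SWITCH slides or the Shibboleth distribution.
Assumes the default paths /idp/profile/admin/reload-service and
/idp/profile/admin/reload-metadata and that the caller's address is allowed
by access-control.xml (localhost by default, according to the slides).
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Bean IDs from the slide; valid arguments for reload-service?id=...
SERVICE_IDS = (
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
)


def reload_url(base_url, flow, bean_id):
    """Build the admin flow URL, URL-encoding the id argument."""
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown admin flow: " + flow)
    query = urllib.parse.urlencode({"id": bean_id})
    return "%s/idp/profile/admin/%s?%s" % (base_url.rstrip("/"), flow, query)


def http_get(url):
    """Default fetcher: returns (status, body); HTTP errors keep their status."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload_services(base_url, bean_ids, fetch=http_get):
    """Reload each bean ID in turn; returns {bean_id: (ok, status, body)}.

    A failed reload (unknown bean ID, or a syntax error in the file behind
    the service) yields ok=False. The IdP then keeps the previously loaded
    configuration, so check idp-process.log rather than assuming the new
    file is active. Non-200 as failure is an assumption of this script.
    """
    results = {}
    for bean_id in bean_ids:
        status, body = fetch(reload_url(base_url, "reload-service", bean_id))
        results[bean_id] = (status == 200, status, body.strip())
    return results


def failed_reloads(results):
    """Bean IDs whose reload did not succeed, in request order."""
    return [bid for bid, (ok, _status, _body) in results.items() if not ok]


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://aai-login.example.org"
    ids = sys.argv[2:] or SERVICE_IDS
    outcome = reload_services(base, ids)
    for bid, (ok, status, body) in outcome.items():
        print("%-48s %s (%d) %s" % (bid, "ok" if ok else "FAILED", status, body))
    sys.exit(1 if failed_reloads(outcome) else 0)
```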

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Velocity
• The Apache Velocity Engine is a free, open-source templating engine
• clean separation between the presentation tier and business tiers
• VTL (Velocity Template Language)
  – References begin with $
  – Directives begin with #
  – A single line comment begins with ## and finishes at the end of the line
  – Multi-line comments begin with #* and end with *#

Login and intercept
• The Velocity templates are under /opt/shibboleth-idp/views
  – login.vm
  – login-error.vm
  – intercept/attribute-release.vm
  – intercept/terms-of-use.vm
  – error.vm
  are most used (no restart required)
• Additional custom pages can be added, e.g. for expiring passwords, locked accounts etc.

Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName

Velocity Properties

#set ($name = $rpUIContext.ServiceName())
#if ($name)
  <div class="space">
    <em>$encoder.encodeForHTML($name)</em>
  </div>
#end

Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect."

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a CSS class idp_logo:
  @media only screen and (max-width: 799px) {
    .idp_logo { display: none; }
  }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords in a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}" queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in Resource Registry too

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
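The persistent ID construction just described, worked through as an added example (not code from the slides or the IdP): it hashes the three inputs, Base64-encodes the 20 bytes and shows both qualified forms. The '!' separator between the hash inputs is an assumption following the IdP's computed-ID convention; the entity IDs, user value and salt are constructed.

```python
"""Persistent ID construction as the slides describe it: SHA-1 over the SP
entity ID, a user attribute value and a salt, Base64 encoded, then qualified
with the IdP and SP entity IDs.

Added example, not code from the SWITCH slides or the Shibboleth IdP. The '!'
separator between the hash inputs is assumed to follow the IdP's computed-ID
convention; the entity IDs, user value and salt below are constructed.
"""
import base64
import hashlib
from xml.sax.saxutils import escape, quoteattr

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def compute_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1("sp!user!salt") -> 20 bytes -> 28 Base64 characters.

    The salt is what makes the value unguessable from the user attribute
    alone; losing or changing it (idp.persistentId.salt) changes every ID,
    which is why the slides say to carry it over from the v2 configuration.
    """
    material = "%s!%s!%s" % (sp_entity_id, source_value, salt)
    digest = hashlib.sha1(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def qualified_form(idp_entity_id, sp_entity_id, persistent_id):
    """The string the Shibboleth SP exposes: <idp>!<sp>!<value>."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def split_qualified(value):
    """Inverse of qualified_form; a Base64 value never contains '!'."""
    idp, sp, pid = value.rsplit("!", 2)
    return idp, sp, pid


def nameid_element(idp_entity_id, sp_entity_id, persistent_id):
    """Render the <NameID> element as it appears in an assertion."""
    return ("<NameID Format=%s NameQualifier=%s SPNameQualifier=%s>%s</NameID>"
            % (quoteattr(PERSISTENT_FORMAT), quoteattr(idp_entity_id),
               quoteattr(sp_entity_id), escape(persistent_id)))


if __name__ == "__main__":
    idp = "https://aai-login.example.org/idp/shibboleth"
    user = "123456@example.org"      # constructed swissEduPersonUniqueID-style value
    salt = "constructed-salt-value"  # in production: idp.persistentId.salt
    for sp in ("https://sp.example.org/shibboleth",
               "https://other.example.org/shibboleth"):
        pid = compute_persistent_id(sp, user, salt)  # differs per SP: pair-wise
        print(nameid_element(idp, sp, pid))
        print(qualified_form(idp, sp, pid))
```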

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attribute to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  • Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="ShibbolethSSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
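An added example, not SWITCH's or the IdP's code, that reads the EntityAttributes extension shown above and applies a TagCandidate-style match with the first-match-wins ordering the preceding slides describe. The sample metadata and the override list are constructed (only shibboleth.NoUserConsentRelyingParty is from the slide), and the candidate semantics assumed here (any candidate may match; every value a candidate lists must be present) are the author's reading of the IdP's EntityAttributesPredicate.

```python
"""Decide which relying-party override applies to an SP from the
<mdattr:EntityAttributes> extension of its metadata.

Added example, not SWITCH's or Shibboleth's own code. Sample metadata and the
override list are constructed. Assumed matching rule (the author's reading of
the IdP's EntityAttributesPredicate): an override matches when any of its
candidates matches; a candidate matches when the entity carries the named
attribute with every value the candidate lists.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"       # swissEduPersonHomeOrganization
HOME_ORG_TYPE = "urn:oid:2.16.756.1.2.5.1.1.5"  # swissEduPersonHomeOrganizationType

# Constructed sample: an SP tagged as CoCo member and belonging to example.org.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
          Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
          Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""

# Constructed override list in shibboleth.RelyingPartyOverrides order;
# each entry is (bean id, [(attribute name, [required values]), ...]).
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG, ["example.org"])]),
    ("shibboleth.CoCoRelyingParty", [(ENTITY_CATEGORY, [COCO_V1])]),
]


def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} from an EntityDescriptor's EntityAttributes."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def candidate_matches(attrs, name, values):
    """TagCandidate: the entity carries `name` with every value in `values`."""
    present = attrs.get(name, [])
    return bool(values) and all(v in present for v in values)


def select_override(attrs, overrides, default="shibboleth.DefaultRelyingParty"):
    """First match wins, as the slides say about conf/relying-party.xml order."""
    for bean_id, candidates in overrides:
        if any(candidate_matches(attrs, name, values) for name, values in candidates):
            return bean_id
    return default


if __name__ == "__main__":
    tags = entity_attributes(SAMPLE_METADATA)
    print(tags)
    print("override:", select_override(tags, OVERRIDES))
```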

SWITCHaai Team aaiswitchch

Upgrades within Version 3

Its easy now

copy 2015 SWITCH

The IdPv3 makes upgrading easy The upgrade process is designed to be very safe and will never overwrite any configuration files viewstemplates properties etc that you have modified Keep your IdP up to date

2

Page 59

copy 2015 SWITCH

Upgrading Procedure

bull  Download the latest Identity Provider software package httpsshibbolethnetdownloadsidentity-providerlatest (targz package recommended for Linux)

bull  Unpack it at any convenient location (it wont be needed afterwards) bull  Change into the newly created distribution directory bull  Run bininstallsh to to upgrade the current deployment in optshibboleth-idp

bull  Review any necessary changes (eg based on the information from SWITCH or from the release notes)

bull  Run optshibboleth-idpbinbuildsh to re-build the warfile bull  Restart Tomcat to activate the new version

Ubuntu sudo service tomcat7 restart Red HatCentOS sudo systemctl restart tomcatservice

3

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
[Figure: Resource Registry form sections. Steps 1 and 2: to review; step 3: to adapt.]

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: add new IP ranges and Domain Hints
• 5. Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
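The same check, generalised to all removal candidates, as an added example that is not part of the SWITCH slides. It reads idp-audit.log instead of grepping idp-process.log, because the audit record carries the inbound and outbound binding and the SP entityID in fixed positions; the assumption is the IdP v3 default audit format (%T|%b|%I|%SP|%P|%IDP|%bb|…), and the audit lines written by write_sample_audit are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the SWITCH slides: summarise which SAML bindings the
# IdP actually used, reading idp-audit.log instead of grepping idp-process.log.
# Assumes the IdP v3 default audit record format
#   %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i||
# so field 1 is the timestamp, 2 the inbound binding, 4 the SP entityID,
# 5 the profile and 7 the outbound binding. Records are in time order.
set -e

# Bindings the slide names as removal candidates.
CANDIDATE_BINDINGS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# binding_usage LOGFILE BINDING_URI
# Prints "<records> <last timestamp or -> <distinct SPs>" for records whose
# inbound or outbound binding is BINDING_URI.
binding_usage() {
    awk -F'|' -v b="$2" '
        $2 == b || $7 == b { n++; last = $1; sp[$4] = 1 }
        END {
            k = 0; for (s in sp) k++
            printf "%d %s %d\n", n, (n ? last : "-"), k
        }' "$1"
}

# unused_candidates LOGFILE: candidate bindings with no record at all, one per line
unused_candidates() {
    log=$1
    echo "$CANDIDATE_BINDINGS" | while read -r b; do
        n=$(binding_usage "$log" "$b" | cut -d' ' -f1)
        if [ "$n" -eq 0 ]; then
            echo "$b"
        fi
    done
}

# write_sample_audit FILE: three constructed audit records for demonstration
# (a SAML2 web SSO login, a SAML1 attribute query, another SAML2 login).
write_sample_audit() {
    cat > "$1" <<'EOF'
20150302T142107Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b1|user1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|_n1|_r1||
20150415T091133Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a2|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_b2|user2|||_n2|_r2||
20150520T160001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a3|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b3|user3|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonTargetedID|_n3|_r3||
EOF
}

# Usage against a real deployment: concatenate the rolled audit logs first,
#   cat /opt/shibboleth-idp/logs/idp-audit*.log > /tmp/audit-all.log
#   unused_candidates /tmp/audit-all.log
#   binding_usage /tmp/audit-all.log urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
```

The last timestamp and the SP count are what you need before removing an endpoint in the Resource Registry: a binding with a recent record and a known SP is still in use, whatever the metadata says.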

Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[Figure: example cluster environment, two diagrams]

Options
• Full-featured setup: load balancing hardware vs DNS round robin
  – Special load balancing hardware or software is highly recommended
    – Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    – Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    – Behavior of clients is not determinable
    – Does not guarantee sticky sessions
• Basic setup (active/standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  – Server-side database can store any data
    – But: might cause some performance penalty
    – Centralized/clustered or replicated database required
  – Client-side storage using cookies
    – Doesn't work for large data like user consents
    – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

  Storage Entity          Recommended Storage   Scope
  Conversation Session    Memory                Per Node
  IdP User Session        Client                Per Client
  Persistent ID           Common Database       Cluster
  User consents           Common Database       Cluster
  SAML artifacts          Common Database       Cluster
  Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
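A check that ties the two preceding slides to the Storage Recommendations table, added here as an example and not part of SWITCH's or the Shibboleth project's tooling: it reads the four *.StorageService properties from idp.properties, classifies each configured bean as per-node, per-client or common, and flags combinations that break in a cluster. The classification by bean ID (shibboleth.StorageService is the in-memory service, shibboleth.Client*StorageService the cookie-backed ones, anything else such as SWITCH's shibboleth.JPAStorageService counts as common) is an assumption based on the stock IdP v3 names; the properties file written by write_sample_properties is constructed.

```shell
#!/bin/sh
# Added example, not SWITCH's or the Shibboleth project's tooling: read the
# four storage-service properties from idp.properties and report, per storage
# entity, whether the configured service is per-node (in-memory), per-client
# (cookie) or common (anything else, e.g. SWITCH's shibboleth.JPAStorageService),
# then flag settings that do not hold up in a cluster. Bean-ID classification
# is an assumption based on the IdP v3 stock names; adapt it to local bean IDs.
set -e

# prop FILE KEY: value of KEY in a Java properties file (empty if absent)
prop() {
    awk -v k="$2" '
        /^[[:space:]]*[#!]/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# classify BEAN_ID -> unset | per-node | per-client | common
classify() {
    case "$1" in
        "")                                 echo unset ;;
        shibboleth.StorageService)          echo per-node ;;
        shibboleth.Client*StorageService)   echo per-client ;;
        *)                                  echo common ;;
    esac
}

# storage_audit FILE: one line per entity: "<entity> <bean id or -> <scope>"
storage_audit() {
    for pair in session:idp.session.StorageService \
                consent:idp.consent.StorageService \
                artifact:idp.artifact.StorageService \
                replayCache:idp.replayCache.StorageService; do
        entity=${pair%%:*}
        key=${pair#*:}
        bean=$(prop "$1" "$key")
        printf '%s %s %s\n' "$entity" "${bean:--}" "$(classify "$bean")"
    done
}

# cluster_findings FILE: settings that contradict the recommendations table
cluster_findings() {
    storage_audit "$1" | while read -r entity bean scope; do
        case "$entity:$scope" in
            artifact:per-node|artifact:per-client)
                echo "artifact: $bean is not shared; SAML 2.0 artifacts need a common database" ;;
            consent:per-node)
                echo "consent: $bean is lost on failover; use a common database" ;;
            consent:per-client)
                echo "consent: $bean stores consent per browser; a common database serves users with several clients" ;;
            session:per-node)
                echo "session: $bean keeps sessions on one node; users re-login on failover" ;;
        esac
    done
}

# write_sample_properties FILE: a constructed idp.properties fragment
write_sample_properties() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment's file
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

# Usage: cluster_findings /opt/shibboleth-idp/conf/idp.properties
```

The replay cache is deliberately not flagged: per-node memory is the default and the slides list it as acceptable, with a common database or memcached as the option for higher security requirements.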

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[Figure: world map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

  Friendly name                 Defined in   Example
  displayName                   eduPerson    Peter Sample
  common name (cn)              eduPerson    Peter Sample
  mail                          eduPerson    peter.sample@example.org
  eduPersonAffiliation          eduPerson    staff
  eduPersonScopedAffiliation    eduPerson    staff@example.org
  eduPersonPrincipalName        eduPerson    234cd8z239@example.org
  schacHomeOrganization         SCHAC        example.org
  schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                             urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
• Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN document structure: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Figure: entity category attribute in metadata]

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                        GÉANT DP CoCo
  Global                            Mainly Europe
  Common purpose of the SPs         Common data protection standards
  Fixed set of attributes           SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Figure]

Attribute Release Settings (1)
[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Figure]

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration defined in the virtual host definition:
  dir: /etc/apache2/sites-available/
  file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties
  – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – Access information associated with a request (IP address, time, request method (GET or POST))
  – Default logging location: /var/log/tomcat7/. Config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback, the Log4j successor. Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP. services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml. Three main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
          <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
  </appender>

  <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2
[Figure: AAI Demo Service attribute page]
Find out why not all of the attributes appear.

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibbo​leth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
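A small wrapper for the curl-based reload described on the previous slides and for reading the reload traces back out of the logs, added here as an example; it is not SWITCH's reload script nor one of the two scripts the IdP installs under bin/. It rejects bean IDs that are not on the list above before sending a request, turns a non-2xx answer into a non-zero exit status, counts reload events per profile from idp-audit.log (default v3 audit format, profile in field 5) and, since the audit record carries no id= argument, recovers the IDs from the Apache access.log, which is also on this page. The IDP_BASE URL and all log lines written by the write_sample_* functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not SWITCH's reload script: trigger a service reload through
# the admin flow with curl, reject unknown bean IDs before making a request,
# and summarise reload activity from the logs. Assumptions: IdP v3 default
# audit format (field 5 = profile ID), Apache access.log in combined format,
# and reload-service reachable from where the script runs. All log lines in
# the write_sample_* functions are constructed for this example.
set -e

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}

# Bean IDs from the "Available bean IDs for service reloads" slide.
known_service_ids() {
    cat <<'EOF'
shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService
EOF
}

# is_known_service BEAN_ID: succeeds for IDs on the list above
is_known_service() {
    known_service_ids | grep -qx -- "$1"
}

# reload_service BEAN_ID: exit 2 for an unknown ID; otherwise call the flow.
# curl -f makes a non-2xx answer (e.g. an invalid ID or a reload that failed
# on a syntax error) a non-zero exit status instead of a silent HTML error page.
reload_service() {
    if ! is_known_service "$1"; then
        echo "unknown service id: $1" >&2
        return 2
    fi
    curl -sS -f "$IDP_BASE/profile/admin/reload-service?id=$1"
}

# reload_events AUDIT_LOG: "<count> <profile>" per reload profile, sorted by profile
reload_events() {
    awk -F'|' '$5 ~ /\/profiles\/reload-/ { n[$5]++ }
               END { for (p in n) printf "%d %s\n", n[p], p }' "$1" | sort -k2
}

# reload_ids_from_access_log ACCESS_LOG: the audit record omits the id=
# argument, but the web server's access log still has the query string.
# Prints "<count> <id>" per id, most frequent first.
reload_ids_from_access_log() {
    grep -oE 'reload-(service|metadata)\?id=[^ &"]+' "$1" \
        | sed 's/.*id=//' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# write_sample_audit FILE: constructed audit records in the shape shown on the slide
write_sample_audit() {
    cat > "$1" <<'EOF'
20150611T120000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T120105Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T120230Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
EOF
}

# write_sample_access_log FILE: constructed Apache combined-format lines
write_sample_access_log() {
    cat > "$1" <<'EOF'
127.0.0.1 - - [11/Jun/2015:12:01:05 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.LoggingService HTTP/1.1" 200 312 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:12:00:00 +0200] "GET /idp/profile/admin/reload-metadata?id=md-example HTTP/1.1" 200 298 "-" "curl/7.35.0"
127.0.0.1 - - [11/Jun/2015:12:03:10 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.LoggingService HTTP/1.1" 200 312 "-" "curl/7.35.0"
EOF
}

# Usage: reload_service shibboleth.AttributeFilterService
#        reload_events /opt/shibboleth-idp/logs/idp-audit.log
#        reload_ids_from_access_log /var/log/apache2/aai-login.example.org.access.log
```

Because the reload URLs are restricted to localhost by default, run the wrapper on the IdP host itself; the access-log function is also the quickest way to see who else has been calling the admin flows.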

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata: the SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation enabled SP registered in SWITCHaai: it needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

copy 2015 SWITCH

Troubleshooting interfederated entities
• Find an SP in the Resource Registry:
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Some Velocity Properties
• $rpUIContext.informationURL
• $rpUIContext.logo
• $rpUIContext.organizationDisplayName
• $rpUIContext.organizationName
• $rpUIContext.organizationURL
• $rpUIContext.privacyStatementURL
• $rpUIContext.serviceDescription
• $rpUIContext.serviceName


Velocity Properties

  #set ($name = $rpUIContext.ServiceName())
  #if ($name)
    <div class="space">
      <em>$encoder.encodeForHTML($name)</em>
    </div>
  #end

These values come from the SP's metadata, so always pass them through $encoder.encodeForHTML() before rendering; otherwise a relying party could inject markup into your login page.


Hands On I
• make the IdP logo disappear for screens smaller than 799 px


Hands On II
• return the following error message on the login form in case of an invalid username or an incorrect password:
  "The credentials you entered are incorrect."


Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP.


Example Solution I
• define a CSS class idp_logo:
    @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
    <img class="idp_logo" align="right" …>
• rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart


Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect.

Mapping both UnknownUsername and InvalidPassword to the same message also keeps the login form from telling an attacker which usernames exist.


Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3:
1. Resolution
2. Filtering
3. Encoding


Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.


Why upgrade your configuration?
• No warning is given for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files: less misleading, smaller files, clearer


Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation.


New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors


New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>


Hands-on 1
Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by the University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)


Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>


Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.


Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>


ScriptedAttribute differences
• The IdP API for scripts has changed:
  • the output attribute variable is already created
  • setValues() has been removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt


Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.


Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>
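Splitting resolver definitions across files, as the hands-on exercises do, makes dangling <resolver:Dependency> references and leftover scripted definitions easy to miss until the IdP refuses to load the resolver. The following Python script is an added example (not part of the SWITCH slides or of the Shibboleth software) that lints a legacy-syntax resolver file for exactly those migration mistakes. The embedded XML is constructed for the example: it contains the two hands-on definitions, a minimal LDAP connector and a made-up scripted definition, and deliberately leaves "uid" undefined.

```python
import xml.etree.ElementTree as ET

RESOLVER = "urn:mace:shibboleth:2.0:resolver"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: the hands-on definitions from the slides, a minimal
# LDAP connector and a leftover scripted definition. 'uid' is deliberately
# not defined so the lint has a dangling reference to report.
SAMPLE_RESOLVER = """<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap.example.org" baseDN="ou=People,dc=example,dc=org"/>
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false"/>
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="eduPersonEntitlement.common-lib-terms"
      xsi:type="ad:Simple" sourceAttributeID="eduPersonEntitlement" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP"/>
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms"/>
    <resolver:Dependency ref="eduPersonEntitlement.groups"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="legacyScript" xsi:type="ad:Script" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP"/>
    <ad:Script><![CDATA[ legacyScript.getValues().add("x"); ]]></ad:Script>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""


def _q(ns, local):
    """Clark-notation qualified name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def lint_resolver(xml_text):
    """Return sorted findings: dangling refs, scripted definitions,
    definitions that can never be released, and unused dependencyOnly ones."""
    root = ET.fromstring(xml_text)
    definitions = root.findall(_q(RESOLVER, "AttributeDefinition"))
    connectors = root.findall(_q(RESOLVER, "DataConnector"))
    known_ids = {e.get("id") for e in definitions} | {e.get("id") for e in connectors}
    depended_on = set()
    findings = []
    for d in definitions:
        did = d.get("id")
        for dep in d.findall(_q(RESOLVER, "Dependency")):
            ref = dep.get("ref")
            depended_on.add(ref)
            if ref not in known_ids:
                findings.append("ERROR %s: dependency ref '%s' is not defined" % (did, ref))
        # Scripted definitions need a review against the changed v3 script API.
        if d.get(_q(XSI, "type"), "").endswith(":Script"):
            findings.append("WARN %s: scripted definition, review against the v3 ScriptedAttribute API" % did)
        has_encoder = d.find(_q(RESOLVER, "AttributeEncoder")) is not None
        if not has_encoder and d.get("dependencyOnly") != "true":
            findings.append("WARN %s: no encoder and not dependencyOnly, never released" % did)
    for d in definitions:
        if d.get("dependencyOnly") == "true" and d.get("id") not in depended_on:
            findings.append("WARN %s: dependencyOnly but nothing depends on it" % d.get("id"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_resolver(SAMPLE_RESOLVER):
        print(finding)
```

Run it against each of the files listed in shibboleth.AttributeResolverResources before reloading the service; a definition that depends on an id defined in another of those files is still fine at runtime, so concatenate the files or merge their id sets first if you lint them together.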


References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide


Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend


Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
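To make the "SHA-1 of SP entity ID, attribute value and salt" construction concrete, here is an added Python example (not from the slides or the Shibboleth code base) that computes such an identifier, renders it the way the Shibboleth SP does, and shows why the salt is a secret. The slide only names the three inputs; the "!" separators and their order are the author's understanding of the Shibboleth computed-ID strategy and must be treated as an assumption. The salt and the source value are constructed placeholders.

```python
import base64
import hashlib

# Entity IDs as on the slide; salt and source value are constructed placeholders.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
EXAMPLE_SALT = "0123456789abcdefghijklmnopqrstuv"  # assumption: example only, never reuse


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entityID, source attribute value and salt, Base64 encoded.

    The '!' separators follow the Shibboleth computed-ID strategy as understood
    by the author of this example; the slide itself only lists the three inputs.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")  # 20 bytes -> 28 chars


def sp_attribute_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """String form exposed by the Shibboleth SP: qualified by both entity IDs."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def is_targeted(source_value, salt, sp_a, sp_b):
    """The same user must get unlinkable identifiers at two different SPs."""
    return computed_persistent_id(sp_a, source_value, salt) != computed_persistent_id(sp_b, source_value, salt)


def recover_source_value(persistent_id, sp_entity_id, salt, candidates):
    """Why the salt must stay secret: whoever knows it can confirm guessed
    source values (usernames, unique IDs) by recomputation. Returns the
    matching candidate or None."""
    for candidate in candidates:
        if computed_persistent_id(sp_entity_id, candidate, salt) == persistent_id:
            return candidate
    return None


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", EXAMPLE_SALT)
    print(sp_attribute_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("targeted:", is_targeted("123456@example.org", EXAMPLE_SALT, SP_ENTITY_ID,
                                   "https://other.example.org/shibboleth"))
```

The identifier is opaque to the SP only as long as the salt is long, random and never shared: recover_source_value() is the offline attack an SP (or anyone holding a dump of the shibpid table) can run once the salt leaks. That is why idp.persistentId.salt lives in credentials.properties, and why it has to be carried over unchanged from the v2 configuration: any persistent ID not yet present in the shibpid table is derived from it.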

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over unchanged from your v2 configuration: identifiers not yet stored in the shibpid table are derived from it, so a different salt yields different IDs for those users)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c "truncate shibpid"
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or the terms change.

What's in version 3?
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (defaults in brackets).
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP, default mapping using the entityID:

  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]

Other mappings are configurable, but the key is still the entityID (a default value is available).

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides
Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation (the profile beans referenced here carry no postAuthenticationFlows, so neither consent flow runs for a matching SP):

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="ShibbolethSSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
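The override above keys on tags that the federation operator places in signed metadata. To show how such a tag match and the "first match wins" rule behave, here is an added Python example (not part of the SWITCH slides or of the Shibboleth IdP) that parses entity attributes the way the slide's metadata is structured and walks an override list in order. The metadata sample is constructed: it repeats the attribute-viewer entity from the slide, adds a made-up SP tagged with home organisation example.org and an untagged one; the second override bean and its name are an assumption added to show an entity-category match.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# Constructed sample. In production these tags come from federation metadata
# whose signature the IdP verifies; tags from an unverified source must not
# be allowed to switch consent off.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4" FriendlyName="swissEduPersonHomeOrganization">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4" FriendlyName="swissEduPersonHomeOrganization">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://plain.example.net/shibboleth"/>
</EntitiesDescriptor>
"""


def entity_attributes(entity):
    """Return {attribute Name: [values]} from the mdattr:EntityAttributes extension."""
    attrs = {}
    path = "{%s}Extensions/{%s}EntityAttributes/{%s}Attribute" % (MD, MDATTR, SAML)
    for attr in entity.findall(path):
        values = [v.text.strip() for v in attr.findall("{%s}AttributeValue" % SAML) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def tag_candidate(name, values):
    """Mirror of TagCandidate: true if the entity carries any of the values for the tag."""
    wanted = set(values)
    return lambda entity: bool(wanted & set(entity_attributes(entity).get(name, [])))


# Override list in the order relying-party.xml would list them; first match wins.
# The second entry is an assumed extra override to show an entity-category match.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", tag_candidate(HOME_ORG, ["example.org"])),
    ("shibboleth.CoCoRelyingParty", tag_candidate(ENTITY_CATEGORY, [COCO_V1])),
]


def select_relying_party(entity, overrides=OVERRIDES, default="shibboleth.DefaultRelyingParty"):
    """Walk the overrides in order and return the id of the first matching one."""
    for bean_id, predicate in overrides:
        if predicate(entity):
            return bean_id
    return default


def entities(xml_text):
    """Map entityID -> EntityDescriptor element for every entity in the aggregate."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): e for e in root.iter("{%s}EntityDescriptor" % MD)}


if __name__ == "__main__":
    for entity_id, entity in entities(METADATA).items():
        print(entity_id, "->", select_relying_party(entity))
```

Because the first matching override wins, a broad tag-based override placed before a narrower one silently hides it; keep the list ordered from most specific to most general, exactly as the slide's warning about ordering in relying-party.xml says.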

Upgrades within Version 3

SWITCHaai Team, aai@switch.ch

It's easy now!
The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux); verify its PGP signature (the .asc file published next to the download) before unpacking
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata. Transport security is still provided by TLS, with the SP validating the IdP's server certificate against metadata as noted above.

2. Change the URL for the Attribute Authority: what to adapt in the Resource Registry?
In 3 Technical Information change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with the SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with the SAML1 SOAP binding
• Attribute Service with the SAML1 SOAP binding
But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints: how to check whether a profile and binding can be removed?
Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time, SP) when the binding was used the last time. Rotated logs that have been compressed need zgrep, and the check can only cover the period for which logs are still retained.
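The grep above answers one binding at a time. The following Python script is an added example (not from the slides) that does the same sweep over a log file for every SAML binding URN at once and reports, per binding, how often and when it was last used and by which SP, so the decision "safe to remove" can be made for all candidates in one pass. The sample log lines are constructed for this example: the timestamp layout follows the IdP's process log ("yyyy-MM-dd HH:mm:ss,SSS - LEVEL [logger:line] - message"), but the message text is invented, so adjust the regular expression to whatever your real log lines look like.

```python
import re

# Bindings the slides list as removal candidates, keyed by the endpoint they serve.
REMOVAL_CANDIDATES = {
    "SingleSignOnService (SAML2 HTTP-POST-SimpleSign)":
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "ArtifactResolutionService / AttributeService (SAML1 SOAP)":
        "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}

# Constructed sample log; only the timestamp layout matches the real process log.
SAMPLE_LOG = """\
2015-03-02 08:11:43,021 - INFO [example.Binding:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp1.example.org/shibboleth
2015-03-02 08:11:44,105 - INFO [example.Binding:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP from https://sp1.example.org/shibboleth
2015-05-19 17:40:02,990 - INFO [example.Binding:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.org/shibboleth
2015-06-10 09:00:00,001 - WARN [example.Binding:1] - unrelated line without a binding
2015-06-10 09:00:00,001 - INFO [example.Binding:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp2.example.org/shibboleth
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+)"
    r".*?(?P<sp>https?://\S+)"
)


def binding_usage(lines):
    """Map each binding URN seen in the log to (count, last timestamp, SP at that time)."""
    usage = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        count, last_ts, last_sp = usage.get(m["binding"], (0, "", ""))
        if m["ts"] >= last_ts:  # ISO-style timestamps sort correctly as strings
            last_ts, last_sp = m["ts"], m["sp"]
        usage[m["binding"]] = (count + 1, last_ts, last_sp)
    return usage


def removable_endpoints(usage, candidates=REMOVAL_CANDIDATES):
    """Candidates with no recorded use in the examined logs."""
    return sorted(name for name, urn in candidates.items() if urn not in usage)


def still_in_use(usage, candidates=REMOVAL_CANDIDATES):
    """Candidates that were used, with their usage record, to justify keeping them."""
    return {name: usage[urn] for name, urn in candidates.items() if urn in usage}


if __name__ == "__main__":
    usage = binding_usage(SAMPLE_LOG.splitlines())
    for urn, (count, ts, sp) in sorted(usage.items()):
        print("%-60s %4d  last %s by %s" % (urn, count, ts, sp))
    print("safe to remove:", removable_endpoints(usage))
    print("keep:", still_in_use(usage))
```

Feed it the concatenation of all retained idp-process-*.log files (decompressed); an endpoint only counts as unused if it does not appear anywhere in that whole window.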

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails; users should not need to re-login in either case

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially: user login sessions are stored on the client instead of in memory on the server
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram on slides 5 and 6)

Options: load balancing hardware vs. DNS round robin
• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of the IdP nodes can be monitored
    • Supports sticky sessions (required for the short-lived conversation sessions)
  • DNS round robin doesn't work reliably
    • Behaviour of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: data storage client-side vs. server-side
• A server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries

Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

  Storage Entity         Recommended Storage   Scope
  Conversation Session   Memory                Per Node
  IdP User Session       Client                Per Client
  Persistent ID          Common Database       Cluster
  User consents          Common Database       Cluster
  SAML artifacts         Common Database       Cluster
  Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration Secret Key Management bull  The IdP User Session is stored in an encrypted cookie in

the browser The key to encryptdecrypt this cookie should regularly be rotated In a clustered setup all nodes need to share the same key Its recommended that one node generates a new key and copies it to the other nodes

bull  Setup bull  Decide for a node that is responsible for generating the secret keys

and copying them to the other nodes bull  Install an appropriate cronjob bull  The documentation on the Shibboleth wiki contains some details

including an example cronjob script httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement

14

Page 75

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

[Map of production and pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
  http://www.edugain.org
  https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name (defined in): example
• displayName (eduPerson): Peter Sample
• common name (cn) (eduPerson): Peter Sample
• mail (eduPerson): peter.sample@example.org
• eduPersonAffiliation / eduPersonScopedAffiliation (eduPerson): staff / staff@example.org
• eduPersonPrincipalName (eduPerson): 234cd8z239@example.org
• schacHomeOrganization (SCHAC): example.org
• schacHomeOrganizationType (SCHAC): urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
• eduPersonTargetedID / Persistent Name ID (eduPerson): https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

[Figure: Metadata]

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Figure: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S vs GÉANT DP CoCo
• Scope: global vs mainly Europe
• Basis: common purpose of the SPs vs common data protection standards
• Attributes: fixed set of attributes vs SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: /var/log/apache2/aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • Default logging location: /var/log/tomcat7/
  • Config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • Access information associated with a request (IP address, time, request method (GET or POST))
  • Default logging location: /var/log/tomcat7/
  • Config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
• Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

Note that the SMTPAppender only sends a mail when an event of level ERROR arrives (its default evaluator), so the DEBUG root level does not flood the mailbox.

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2

Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default, the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up to date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before the flag day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
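As an added example (not code from the SWITCH handouts or from the IdP), the following checks the first two troubleshooting steps above against idp-audit.log: which attributes the IdP released to a given SP and which required ones are missing. It also lists the reload events that the "Reloading the Configuration" hands-on slides show in the same log. The pipe-delimited field order is an assumption about the IdP v3 default audit format, and the log lines are constructed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Assumed field order of the IdP v3 default audit format (pipe separated).
# Only the positions used below matter for this example.
AUDIT_FIELDS = [
    "time", "binding", "request_id", "sp", "profile",
    "principal", "authn_context", "attributes", "nameid", "nameid_format",
]
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

# Constructed sample of idp-audit.log (not a real capture).
SAMPLE_AUDIT_LOG = """\
20150611T091501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|AAdzZWNyZXQ=|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent||
20150611T092200Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T093010Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://other-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation|AAdzZWNyZXQ=|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent||
20150611T094500Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_audit_line(line: str) -> Dict[str, str]:
    """Map one pipe-delimited audit line onto the assumed field names."""
    fields = line.rstrip("\n").split("|")
    fields += [""] * (len(AUDIT_FIELDS) - len(fields))  # tolerate short lines
    return dict(zip(AUDIT_FIELDS, fields))


def audit_records(log_text: str) -> List[Dict[str, str]]:
    return [parse_audit_line(l) for l in log_text.splitlines() if l.strip()]


def released_attributes(log_text: str, sp_entity_id: str) -> Dict[str, Set[str]]:
    """Per principal, the union of attributes the IdP released to this SP
    in SAML 2 browser SSO responses (other profiles are ignored)."""
    result: Dict[str, Set[str]] = {}
    for rec in audit_records(log_text):
        if rec["profile"] != SSO_PROFILE or rec["sp"] != sp_entity_id:
            continue
        attrs = {a for a in rec["attributes"].split(",") if a}
        result.setdefault(rec["principal"], set()).update(attrs)
    return result


def missing_attributes(log_text: str, sp_entity_id: str,
                       required: Iterable[str]) -> Dict[str, Set[str]]:
    """Attributes the SP requires (per the Resource Registry) that were
    never released to it for each principal seen in the log."""
    required_set = set(required)
    return {principal: required_set - got
            for principal, got in released_attributes(log_text, sp_entity_id).items()}


def reload_events(log_text: str) -> List[Tuple[str, str]]:
    """(time, profile) of every reload-* admin flow recorded in the audit log.
    In the sample lines every other field is empty, so the record itself
    does not tell you which id= argument was passed."""
    return [(rec["time"], rec["profile"])
            for rec in audit_records(log_text) if rec["profile"] in RELOAD_PROFILES]


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print(released_attributes(SAMPLE_AUDIT_LOG, sp))
    print(missing_attributes(SAMPLE_AUDIT_LOG, sp,
                             ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"]))
    print(reload_events(SAMPLE_AUDIT_LOG))
```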

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search for it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org/

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Hands On I
• make the IdP logo disappear for screens smaller than 799 px

Hands On II
• return the following error message on the login form in case of invalid username or incorrect password:
  "The credentials you entered are incorrect"

Page 31

Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a CSS class idp_logo:
    @media only screen and (max-width: 799px) {
      .idp_logo { display: none; }
    }
• use the class in login.vm:
    <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
    sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
    sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
    UnknownUsername = bad-credentials
    InvalidPassword = bad-credentials
    bad-credentials.message = The credentials you entered are incorrect

Page 33

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{myproperty}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>
      shibboleth.PostgreSQLDataSource
    </dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1
Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
Source: Resource Registry

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2
Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution
Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
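To make the derivation on this slide concrete, here is an added example (not code from the SWITCH handouts or from the Shibboleth project) that computes a persistent ID from the three inputs the slide names, qualifies it with the IdP and SP entity IDs, and checks the pairwise property. It assumes the three parts are joined with "!" separators before hashing, which is my recollection of the Shibboleth generator and not something the slide states; the entity IDs, user value and salt are constructed.

```python
import base64
import hashlib
from typing import Tuple

# Constructed sample values (not from the handouts).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SALT = b"constructed-salt-keep-secret"  # stands in for idp.persistentId.salt


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded.

    The slide states these three inputs and a 20-byte digest; the "!"
    separators between them are an assumption about the Shibboleth code.
    Without the salt, knowing a username and an entity ID is not enough
    to recompute (or confirm a guess of) the pseudonym.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id: str, sp_entity_id: str,
                            source_value: str, salt: bytes) -> str:
    """String form as the Shibboleth SP renders it: IdP!SP!value."""
    value = computed_persistent_id(sp_entity_id, source_value, salt)
    return "!".join((idp_entity_id, sp_entity_id, value))


def split_qualified_id(qualified: str) -> Tuple[str, str, str]:
    """Split IdP!SP!value back into its parts and sanity-check the value.

    Entity IDs are URIs and do not contain '!', so splitting on it is safe.
    """
    parts = qualified.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected IdP!SP!value")
    idp, sp, value = parts
    if len(base64.b64decode(value, validate=True)) != 20:
        raise ValueError("value is not a Base64-encoded SHA-1 digest")
    return idp, sp, value


def nameid_element(idp_entity_id: str, sp_entity_id: str,
                   source_value: str, salt: bytes) -> str:
    """Render the <NameID> as it appears in the assertion's <Subject>."""
    value = computed_persistent_id(sp_entity_id, source_value, salt)
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{value}</NameID>"
    )


def is_pairwise(source_value: str, salt: bytes) -> bool:
    """Same user, two SPs: the IDs must differ (targeted pseudonym), while
    the same SP always yields the same ID (persistent)."""
    first = computed_persistent_id(SP_ENTITY_ID, source_value, salt)
    other = computed_persistent_id(OTHER_SP_ENTITY_ID, source_value, salt)
    again = computed_persistent_id(SP_ENTITY_ID, source_value, salt)
    return first != other and first == again


if __name__ == "__main__":
    print(nameid_element(IDP_ENTITY_ID, SP_ENTITY_ID, "jdoe@example.org", SALT))
    print(qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, "jdoe@example.org", SALT))
```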

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

copy 2015 SWITCH

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent
Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3?

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows:
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (default value in brackets)

• Consent duration options:
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration
Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Intercept flow configuration
Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
• Default mapping using the entityID (the colon in a properties key must be escaped):
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

• Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs
Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs
Entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
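How the ordered overrides are matched against an SP's metadata (by name, or by tag on the EntityAttributes extension) and why "first match wins" matters for the consent prompt, as an added example that is not code from the SWITCH handout or the Shibboleth project. The matcher functions, the override list and the CoCo/Viewer override names are this example's own model; the OIDs, URIs and entityID come from the slides, and the metadata is constructed from the slide's example.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the SWITCH handout or the Shibboleth project:
# a small model of how the ordered overrides in relying-party.xml are matched
# against an SP's metadata (by name, or by tag on <mdattr:EntityAttributes>),
# and what that means for the consent prompt. Matcher names and the override
# list are this example's own; OIDs, URIs and entityID come from the slides.

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"      # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
VIEWER = "https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth"

# Constructed metadata, modelled on the slide's example (namespaces added so it parses).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}" entityID="{VIEWER}">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG}">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def entity_attributes(metadata_xml):
    """Return (entityID, {attribute Name: set of values}) from an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return root.get("entityID"), attrs


def by_name(*entity_ids):
    """RelyingPartyByName: matches on the SP's entityID."""
    return lambda entity_id, attrs: entity_id in entity_ids


def by_tag(name, *values):
    """TagCandidate: matches if the entity carries attribute `name` with one of
    `values` (any value when no values are given)."""
    def matches(entity_id, attrs):
        present = attrs.get(name, set())
        return bool(present & set(values)) if values else bool(present)
    return matches


# (override id, matcher, post-authentication flows of its SSO profiles).
# The NoUserConsent override mirrors the slide: SSO profiles listed without
# p:postAuthenticationFlows, so no consent prompt for matching SPs.
DEFAULT = ("shibboleth.DefaultRelyingParty", None, ("attribute-release",))
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", by_tag(HOME_ORG, "example.org"), ()),
    ("shibboleth.CoCoRelyingParty", by_tag(ENTITY_CATEGORY, COCO_V1), ("attribute-release",)),
    ("shibboleth.ViewerRelyingParty", by_name(VIEWER), ()),
]


def select_relying_party(overrides, metadata_xml):
    """Walk the overrides in list order; the first match wins, else the default."""
    entity_id, attrs = entity_attributes(metadata_xml)
    for override in overrides:
        if override[1](entity_id, attrs):
            return override
    return DEFAULT


def consent_prompt_shown(overrides, metadata_xml):
    """True if the attribute-release intercept runs for this SP."""
    return "attribute-release" in select_relying_party(overrides, metadata_xml)[2]
```

Swapping the Viewer name rule in front of the CoCo tag rule silently removes the consent prompt for that SP, which is the ordering pitfall the slide warns about.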

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:         sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description
Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata!

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore, no metadata/Resource Registry change needed in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
(screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

1 Review the Home Organisation Description

In particular review and adapt if necessary  1 General Information

  Interfederation Support (option only available if Interfederation Access Declaration has been signed More information on httpswwwswitchchaaisupportdocumentsinterfederation)

 2 Descriptive Information  Add new IP ranges and Domain Hints

 5 Contacts  Please ensure only non-personal email addresses are listed Ideally also

add helpdesk phone numbers

 7 Attribute Release Settings  Default attribute release policies Consider to release all RampS attributes

7

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then?
In "3. Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
    https://aai-login.example.org:8443/idp/...  or  https://aai-aa.example.org/idp/...
to
    https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove?
Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed?
Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find out whether there were SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
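The grep above as a small scanner that reports, per SAML binding, when and by which SP it was last used, so that an endpoint is only removed from the Resource Registry after that check. This is an added example, not code from the SWITCH handout; the log lines are constructed, and the scanner only assumes the leading "yyyy-MM-dd HH:mm:ss,SSS" timestamp plus the binding URN and relying-party URL appearing somewhere in the line.

```python
import re
from datetime import datetime, timedelta

# Added example, not code from the SWITCH handout: the slide's grep turned into a
# scanner that reports, per SAML binding, when and by which SP it was last used,
# so an endpoint is only removed from the Resource Registry after that check.
# The log lines below are constructed for this example; the scanner relies only
# on the leading "yyyy-MM-dd HH:mm:ss,SSS" timestamp and on the binding URN and
# relying-party URL appearing somewhere in the line.

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_LOG = """\
2015-01-12 09:14:02,118 - INFO [constructed] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy-sp.example.org/shibboleth
2015-05-30 17:45:10,003 - INFO [constructed] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth
2015-06-01 08:00:00,500 - INFO [constructed] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth
2015-06-01 08:00:01,000 - DEBUG [constructed] - Message replay check passed
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
BINDING = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
RELYING_PARTY = re.compile(r"https?://[^\s,]+")


def binding_usage(log_text):
    """Map binding URN -> {"count", "last_used" (datetime), "relying_parties" (set)}."""
    usage = {}
    for line in log_text.splitlines():
        ts, binding = TIMESTAMP.match(line), BINDING.search(line)
        if not ts or not binding:
            continue  # lines without a timestamp or a binding URN are irrelevant here
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        entry = usage.setdefault(binding.group(0),
                                 {"count": 0, "last_used": when, "relying_parties": set()})
        entry["count"] += 1
        entry["last_used"] = max(entry["last_used"], when)
        entry["relying_parties"].update(RELYING_PARTY.findall(line))
    return usage


def removable_bindings(log_text, candidates, today, unused_for_days=90):
    """Return the candidate bindings that have not been seen within the last
    `unused_for_days` before `today` (an ISO date string), sorted."""
    usage = binding_usage(log_text)
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=unused_for_days)
    return sorted(b for b in candidates
                  if b not in usage or usage[b]["last_used"] < cutoff)
```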

SWITCHaai Team, aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially: user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
(architecture diagrams on two slides)

Options

• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    · Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    · Behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    · Fast switching possible, but more complicated setup
  – Switching via DNS
    · Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs server-side
  – Server-side database can store any data
    · But: might cause some performance penalty
    · Centralized/clustered or replicated database required
  – Client-side storage using cookies
    · Doesn't work for large data like user consents
    · Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
(world map of federations; legend: Production, Pilot. Source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015:
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name               Defined in   Example
displayName                 eduPerson    Peter Sample
common name (cn)            eduPerson    Peter Sample
mail                        eduPerson    peter.sample@example.org
eduPersonAffiliation        eduPerson    staff
eduPersonScopedAffiliation  eduPerson    staff@example.org
eduPersonPrincipalName      eduPerson    234cd8z239@example.org
schacHomeOrganization       SCHAC        example.org
schacHomeOrganizationType   SCHAC        urn:schac:homeOrganizationType:ch:university
                                         urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)

SWITCHaai Team, aai@switch.ch

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories
A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
(diagram: entity category tags carried in metadata)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes; attribute release will scale

Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles:
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration
How attributes are released

Attribute Release Rules

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

• Log files:
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO  (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation is called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; in services.properties, entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error (see the SMTPAppender example below)

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• config: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

Note: the SMTPAppender keeps a cyclic buffer of recent events and, with its default evaluator, only sends a mail when an event of level ERROR arrives. The root level therefore controls what context ends up in the mail body, not how often mails are sent; on a production IdP keep the root at INFO and enable DEBUG on individual loggers instead.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); keep it that way, since these flows change the running configuration
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before
  • if they do not want to participate
  • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
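The "verify that attributes were released in the audit log" step above, and the earlier reload hands-on that asks what idp-audit.log records for admin reloads, both come down to parsing pipe-delimited audit lines. The following script is an added example (not part of the SWITCH handout and not Shibboleth code): it parses constructed audit lines with an assumed column layout (the real column order is whatever the %-codes in conf/audit.xml of your deployment produce, so FIELDS must be adjusted accordingly), reports which attributes reached a given SP per principal, computes which of the SP's required attributes are missing, and lists the reload events, which carry only the profile URI and no id= argument.

```python
from collections import defaultdict

# Assumed column layout for the constructed lines below. The real idp-audit.log
# order is defined by the %-codes in conf/audit.xml; adjust before trusting output.
FIELDS = ["time", "binding", "request_id", "sp", "profile", "principal", "attributes"]

# Constructed sample lines (not real log output): two SSO transactions and the
# two reload events mentioned in the handout.
SAMPLE_LOG = """\
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|alice|eduPersonPrincipalName,mail,eduPersonScopedAffiliation
20150611T081710Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2|https://filesender.funet.fi/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|bob|mail
20150611T082000Z||||http://shibboleth.net/ns/profiles/reload-metadata||
20150611T082005Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||
"""


def parse_audit(text):
    """Yield one dict per non-empty audit line, keyed by FIELDS."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate short lines
        yield dict(zip(FIELDS, parts))


def released_attributes(text, sp_entity_id):
    """Map principal -> set of attribute names released to the given SP."""
    out = defaultdict(set)
    for rec in parse_audit(text):
        if rec["sp"] == sp_entity_id and rec["attributes"]:
            out[rec["principal"]].update(rec["attributes"].split(","))
    return dict(out)


def missing_required(text, sp_entity_id, required):
    """Per principal, which of the SP's required attributes were not released.
    An empty set means: the SP has to check out why it fails."""
    released = released_attributes(text, sp_entity_id)
    return {user: set(required) - attrs for user, attrs in released.items()}


def reload_events(text):
    """Admin reload events; the audit line records only the profile URI,
    not the id= argument that was supplied to the admin flow."""
    return [rec["profile"].rsplit("/", 1)[-1]
            for rec in parse_audit(text) if "/profiles/reload-" in rec["profile"]]


if __name__ == "__main__":
    sp = "https://filesender.funet.fi/shibboleth"
    print(released_attributes(SAMPLE_LOG, sp))
    print(missing_required(SAMPLE_LOG, sp, ["mail", "eduPersonPrincipalName"]))
    print(reload_events(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents once FIELDS matches your audit.xml; an attribute that is required by the SP but never appears in the released set points at the IdP's filter policy, while a complete set points at the SP side.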

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Hands On III
• Start to adapt the login.vm in such a way that it looks like your production IdP

Example Solution I
• define a css class idp_logo:
  @media only screen and (max-width: 799px) { .idp_logo { display: none; } }
• use the class in login.vm:
  <img class="idp_logo" align="right" …
• rebuild and restart Tomcat:
  sudo JAVACMD=/usr/bin/java /opt/shibboleth-idp/bin/build.sh -Didp.target.dir=/opt/shibboleth-idp
  sudo /etc/init.d/tomcat7 restart

Page 32

Example Solution II
• Edit authn-messages.properties:
  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect.
  (mapping both error classes to one message means the login form does not reveal whether a username exists)

Page 33

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?
• No warning for using legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by the University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urnoid1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>
(source: Resource Registry)

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urnoid1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences
• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlement.groups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
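To make the three stages (resolution, filtering, encoding is left out here) of hands-on 1 and hands-on 2 tangible, the following added example (written for this handout, not code from SWITCH or the Shibboleth project) models them in Python: an ad:Template definition produces one value per source value, an ad:Simple definition concatenates its dependencies, a dependencyOnly attribute never leaves the resolver, and a filter policy only lets an attribute through to the requester its PolicyRequirementRule names. The directory values, the second filter policy and the LDAP objectClass values are constructed for the demonstration.

```python
import re

# Constructed resolved attributes for one principal (not real directory data).
RESOLVED = {
    "uid": ["jdoe"],
    "objectClass": ["inetOrgPerson", "swissEduPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Attributes flagged dependencyOnly="true" in the resolver: usable by other
# definitions, never handed to the filter engine.
DEPENDENCY_ONLY = {"eduPersonEntitlement.groups"}


def template_attribute(resolved, template, source_attribute):
    """ad:Template semantics as used on this page: one output value per value
    of the source attribute, substituting ${source} in the template."""
    values = resolved.get(source_attribute, [])
    return [template.replace("${%s}" % source_attribute, v) for v in values]


def simple_attribute(resolved, dependencies):
    """ad:Simple semantics: the values of all dependencies, in order."""
    out = []
    for dep in dependencies:
        out.extend(resolved.get(dep, []))
    return out


def resolve_all(resolved):
    """Apply the two hands-on definitions and return the full attribute set."""
    r = dict(resolved)
    r["uzhSAPUserId"] = template_attribute(r, "SAP-${uid}", "uid")
    r["eduPersonEntitlement.groups"] = template_attribute(
        r, "https://example.org/groups/${objectClass}", "objectClass")
    r["eduPersonEntitlement"] = simple_attribute(
        r, ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"])
    return r


# Filter policies: (requester predicate, {attributeID: permit-value predicate}).
# The first mirrors attribute-filter-local.xml (AttributeRequesterString +
# basic:ANY); the second is a constructed baseline rule for every SP.
POLICIES = [
    (lambda requester: requester == "https://attribute-viewer.aai.switch.ch/shibboleth",
     {"uzhSAPUserId": lambda value: True}),
    (lambda requester: True,
     {"eduPersonEntitlement":
      lambda value: re.match(r"^https://example\.org/groups/", value) is not None}),
]


def filter_attributes(resolved, requester, policies=POLICIES):
    """Attribute filtering: an attribute reaches the SP only with the values
    that at least one applicable policy permits."""
    permitted = {}
    for applies, rules in policies:
        if not applies(requester):
            continue
        for attribute_id, permit in rules.items():
            if attribute_id in DEPENDENCY_ONLY:
                continue
            for value in resolved.get(attribute_id, []):
                if permit(value):
                    permitted.setdefault(attribute_id, []).append(value)
    return permitted


if __name__ == "__main__":
    attrs = resolve_all(RESOLVED)
    print(filter_attributes(attrs, "https://attribute-viewer.aai.switch.ch/shibboleth"))
    print(filter_attributes(attrs, "https://sp.example.org/shibboleth"))
```

The point to take from the second call: a freshly resolved attribute is invisible to every SP until a filter policy names it, which is why hands-on 1 needs both the resolver and the filter file.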

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions have been included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
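The hashing scheme on this slide is easy to get wrong in the details, so here is an added example (written for this handout, not SWITCH or Shibboleth code) that derives a persistent ID from the SP entity ID, the source attribute value and the salt, and renders it the way the SP exposes it. The "!" separators between the three hashed inputs are my reading of the computed-ID connector and are an assumption as far as this page is concerned; entity IDs, user value and salt are constructed. It also shows why the salt from credentials.properties must be carried over unchanged: a different salt yields a completely different pseudonym for every user at every SP.

```python
import base64
import hashlib
import secrets

# Constructed example inputs; the real salt is idp.persistentId.salt in
# credentials.properties and must stay secret and unchanged for the IdP's lifetime.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entity ID, the user's source attribute value and the
    admin salt, Base64 encoded (20 bytes -> 28 characters). The '!' separators
    are an assumption about the byte layout, not something this page states."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def sp_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """String form the Shibboleth SP hands to applications:
    NameQualifier!SPNameQualifier!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def new_salt(nbytes=32):
    """Fresh high-entropy salt for a brand-new deployment only. Never
    regenerate it on an existing IdP: every pairwise ID would change and
    users would lose their accounts at every SP."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    salt = "constructed-demo-salt"
    pid = computed_persistent_id(SP_ENTITY_ID, "123456@example.org", salt)
    print(sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(computed_persistent_id(OTHER_SP_ENTITY_ID, "123456@example.org", salt))
```

Because the SP entity ID is part of the hash input, two SPs cannot correlate their users by comparing identifiers, which is exactly the pairwise property the SAML 2.0 text above asks for; the secret salt is what stops an SP from reversing the hash by guessing usernames.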

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump
• the dump maps every pseudonym back to a principal name, so treat the file as confidential, transfer it over an authenticated channel and delete it after the import

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties

Consent duration options
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
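The white list, black list and pattern rules above interact in a way that is easy to misconfigure, so the following added example (written for this handout; it is not SWITCH or Shibboleth code and does not call the IdP) encodes the selection semantics exactly as the slides describe them and the 3.2.0 ordering rule, using the default black list from the slide and a constructed set of released attributes. The whitelist is an ordered tuple because the display order depends on it.

```python
import re

# Defaults as listed on the slide; the released attribute set is constructed.
BLACKLIST = {"transientId", "persistentId", "eduPersonTargetedID"}
RELEASED = ["transientId", "eduPersonScopedAffiliation", "mail", "displayName",
            "eduPersonTargetedID", "uzhSAPUserId"]


def attributes_to_prompt(released, whitelist=(), blacklist=BLACKLIST, pattern=None):
    """Attributes the consent page asks the user about, in release order.
    - blacklisted attributes are never shown (opaque IDs a user cannot judge)
    - empty whitelist and no pattern: everything else is shown
    - whitelist or pattern set: only listed or matching attributes are shown;
      any other attribute is released without asking"""
    regex = re.compile(pattern) if pattern else None
    selected = []
    for attr in released:
        if attr in blacklist:
            continue
        if whitelist or regex:
            if attr in whitelist or (regex and regex.match(attr)):
                selected.append(attr)
        else:
            selected.append(attr)
    return selected


def display_order(attributes, whitelist=()):
    """3.2.0 ordering: whitelisted attributes first, in whitelist order,
    then the remaining ones alphabetically."""
    first = [a for a in whitelist if a in attributes]
    rest = sorted(a for a in attributes if a not in whitelist)
    return first + rest


if __name__ == "__main__":
    shown = attributes_to_prompt(RELEASED, whitelist=("displayName",), pattern=r"^.*$")
    print(display_order(shown, whitelist=("displayName",)))
```

A non-empty white list silently releases everything it does not name, so a deployment that lists a few attributes and forgets the catch-all pattern ends up asking for consent to almost nothing; the last call in the block shows the combination that keeps both the ordering and the full prompt.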

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP: default mapping using the entityID
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> […]
  (the colon in the entityID must be escaped with a backslash, as it is a key/value separator in Java properties files)
• Other mappings are configurable, but the key is still the entityID (a default value is available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
        c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

<bean id="shibboleth.consent.terms-of-use.Key"
    class="com.google.common.base.Functions" factory-method="constant">
  <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
            c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>

Page 58

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (the tar.gz package is recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service
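The procedure above, driven from one script, as an added example (not SWITCH's or the Shibboleth project's code). It adds the step the slide leaves out: the release tarball's detached PGP signature is verified before install.sh is allowed to touch /opt/shibboleth-idp. Assumptions: the tarball and its .asc signature are fetched from https://shibboleth.net/downloads/identity-provider/<version>/ (the layout as assumed here), the project's signing keys have already been imported into the local gpg keyring, the deployment lives in /opt/shibboleth-idp and the container is tomcat7 on Ubuntu.

```python
import os
import subprocess
import tarfile
import urllib.request

IDP_HOME = "/opt/shibboleth-idp"                      # assumed deployment directory
DOWNLOAD_BASE = "https://shibboleth.net/downloads/identity-provider"   # assumed layout


def version_tuple(v):
    """'3.1.2' -> (3, 1, 2); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_newer(installed, candidate):
    """True if `candidate` is strictly newer than `installed`."""
    return version_tuple(candidate) > version_tuple(installed)


def release_urls(version):
    """Tarball, signature URL and file name for an IdP version (assumed layout)."""
    name = "shibboleth-identity-provider-%s.tar.gz" % version
    base = "%s/%s/%s" % (DOWNLOAD_BASE, version, name)
    return {"tarball": base, "signature": base + ".asc", "name": name}


def verify_signature(tarball, signature):
    """True only if gpg accepts the detached signature with a key in the keyring."""
    proc = subprocess.run(["gpg", "--batch", "--verify", signature, tarball],
                          capture_output=True, text=True)
    return proc.returncode == 0


def run(cmd, cwd=None):
    # install.sh asks interactive questions, so stdin/stdout are left attached
    subprocess.run(cmd, cwd=cwd, check=True)


def upgrade(version, workdir="/tmp"):
    urls = release_urls(version)
    tarball = os.path.join(workdir, urls["name"])
    urllib.request.urlretrieve(urls["tarball"], tarball)
    urllib.request.urlretrieve(urls["signature"], tarball + ".asc")
    if not verify_signature(tarball, tarball + ".asc"):
        raise SystemExit("signature check failed; not installing " + urls["name"])
    with tarfile.open(tarball) as tf:          # archive is trusted only after the check above
        tf.extractall(workdir)
    dist = os.path.join(workdir, "shibboleth-identity-provider-" + version)
    run(["./bin/install.sh"], cwd=dist)                   # upgrades IDP_HOME in place
    run([os.path.join(IDP_HOME, "bin", "build.sh")])      # rebuild idp.war
    run(["service", "tomcat7", "restart"])                # Red Hat/CentOS: systemctl restart tomcat.service


if __name__ == "__main__":
    import sys
    upgrade(sys.argv[1])
```

Invoke it as root with the target version (e.g. `python3 upgrade.py 3.1.2`); a failed signature check aborts before anything is unpacked, which is the point of doing it in the script rather than by hand.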

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata might still cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description and apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

(Figure: Resource Registry form; sections 1 and 2 to review, section 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and domain hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP address for the IdP Attribute Authority (AA).

New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata. The authenticity of a query therefore rests on that XML signature and on the SP's signing certificate in metadata being current, not on the transport.

2. Change the URL for the Attribute Authority: what to adapt in the Resource Registry

In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/.

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.

3. Remove Unnecessary Endpoints: how to check if a profile and binding can be removed

Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns the information (i.e. time, SP) when the binding was last used. Note that this only covers the period still kept by log rotation; check archived logs as well before removing an endpoint.
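The grep above answers one binding at a time. As an added example (not SWITCH's or the IdP's code), here is the same check for every endpoint at once, serving both section 2 (which endpoints still point at a separate AA port) and section 3 (which published bindings never appear in the logs). The IdP metadata and the idp-process log lines below are constructed for the example; the log lines carry the binding URI exactly as the slide's grep relies on. One caveat the output makes visible: SAML2 artifact resolution and SAML2 attribute queries share the urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding, so a binding match alone does not tell those two endpoints apart.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed IdP metadata: the three "candidates to remove" plus endpoints in use
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://aai-login.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://aai-login.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://aai-login.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://aai-login.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aai-login.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://aai-login.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://aai-login.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://aai-login.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""

# Constructed idp-process log excerpts from 2015: only a few bindings ever show up
LOG_LINES = """2015-05-04 09:12:01,112 - INFO [...] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp1.example.org/shibboleth
2015-05-04 09:12:03,987 - INFO [...] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp2.example.org/shibboleth
2015-05-19 14:30:44,005 - INFO [...] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP from https://sp3.example.org/shibboleth
2015-06-01 08:00:12,441 - INFO [...] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp1.example.org/shibboleth
""".splitlines()

BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")


def published_endpoints(metadata_xml):
    """(element name, Binding, Location) for every endpoint element in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    out = []
    for el in root.iter():
        binding = el.get("Binding")
        if binding and el.tag.startswith("{%s}" % MD):
            out.append((el.tag.split("}")[1], binding, el.get("Location")))
    return out


def bindings_seen(log_lines):
    """How often each binding URI occurs in the log lines (the grep, for all bindings)."""
    counts = Counter()
    for line in log_lines:
        for uri in BINDING_RE.findall(line):
            counts[uri] += 1
    return counts


def removal_candidates(metadata_xml, log_lines):
    """Published endpoints whose binding never appears in the logs."""
    seen = bindings_seen(log_lines)
    return [ep for ep in published_endpoints(metadata_xml) if seen[ep[1]] == 0]


def non_443_endpoints(metadata_xml):
    """Endpoints still published on the separate AA port (section 2 above)."""
    return [ep for ep in published_endpoints(metadata_xml) if ":8443/" in (ep[2] or "")]


if __name__ == "__main__":
    for name, binding, location in removal_candidates(IDP_METADATA, LOG_LINES):
        print("never used:", name, binding, location)
    for name, binding, location in non_443_endpoints(IDP_METADATA):
        print("separate AA port:", name, location)
```

For the constructed input the three slide candidates (SAML1 SOAP artifact resolution, SAML2 POST-SimpleSign SSO, SAML1 SOAP attribute service) come out as never used, and the four :8443 endpoints are flagged for the URL change in the Resource Registry.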

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of in server memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  • Full support for attribute queries requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment

(Figures: example cluster environment)

Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • The behaviour of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side
• A server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client; not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. a SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support attribute queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node: a message replayed against another node is not detected (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

  Storage Entity          Recommended Storage   Scope
  Conversation Session    Memory                Per Node
  IdP User Session        Client                Per Client
  Persistent ID           Common Database       Cluster
  User consents           Common Database       Cluster
  SAML artifacts          Common Database       Cluster
  Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
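The four properties above written out, as an added example (not SWITCH's or the IdP's own idp.properties): the single-node defaults first, then the clustered variant that matches the recommendation table. The default bean names are those of IdP 3.1 as assumed here; verify them against your own file before changing anything.

```properties
# /opt/shibboleth-idp/conf/idp.properties (excerpt)

# --- single node (assumed defaults) ---------------------------------------
# Replay cache and artifact map live in one JVM's memory: a message replayed
# against a *different* node of a cluster is not detected, and an artifact
# can only be resolved by the node that issued it.
idp.session.StorageService     = shibboleth.ClientSessionStorageService
idp.consent.StorageService     = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService    = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService

# --- cluster, per the recommendation table ---------------------------------
# Artifacts and consents go to the shared database (shibboleth.JPAStorageService
# is defined in global.xml); the replay cache too if every node must see every
# message ID. The user session stays in the encrypted cookie, which is why all
# nodes must share the same sealer key (see Secret Key Management).
idp.session.StorageService     = shibboleth.ClientSessionStorageService
idp.consent.StorageService     = shibboleth.JPAStorageService
idp.artifact.StorageService    = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.JPAStorageService
```

Only one of the two groups belongs in a real file; they are shown side by side to make the difference visible. The Persistent ID store is not affected by these properties, it is configured in global.xml as noted above.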

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key; it's recommended that one node generates a new key and copies it to the other nodes. A node that has not yet received the new key cannot read sessions sealed by the others, so the copy must be in place before the new key is used
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cron job
  • The documentation on the Shibboleth wiki contains some details, including an example cron job script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
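A monitoring check for the setup above, as an added example (not from SWITCH or the Shibboleth wiki): it confirms that every node of the cluster holds the same sealer key material, which is what the cron job must guarantee. Assumptions: each node keeps the keystore in credentials/sealer.jks and the current key version in credentials/sealer.kver as a line "CurrentVersion=N" (the layout written by bin/seckeygen.sh as assumed here); how the two files are collected from the nodes (scp, a configuration-management run, ...) is left to the caller. The node inputs below are constructed.

```python
import hashlib


def parse_kver(text):
    """Return the integer CurrentVersion from the body of a sealer.kver file."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "CurrentVersion":
            return int(value.strip())
    raise ValueError("no CurrentVersion entry in sealer.kver")


def keystore_fingerprint(blob):
    """SHA-256 over the keystore bytes; the keystores must match byte for byte."""
    return hashlib.sha256(blob).hexdigest()


def check_cluster(nodes):
    """nodes: {name: (kver_text, keystore_bytes)} -> (ok, list of findings).

    A node behind the newest version, or a keystore that differs from the others,
    means some users' session cookies cannot be decrypted on that node."""
    versions = {n: parse_kver(k) for n, (k, _) in nodes.items()}
    fingerprints = {n: keystore_fingerprint(b) for n, (_, b) in nodes.items()}
    findings = []
    newest = max(versions.values())
    for n in sorted(nodes):
        if versions[n] != newest:
            findings.append("%s: key version %d, newest is %d" % (n, versions[n], newest))
    if len(set(fingerprints.values())) > 1:
        findings.append("keystore contents differ: " + ", ".join(
            "%s=%s" % (n, f[:12]) for n, f in sorted(fingerprints.items())))
    return (not findings, findings)


# Constructed samples: in NODES_DRIFT idp2 has not received the rotated key yet
NODES_OK = {
    "idp1": ("CurrentVersion=14\n", b"keystore-bytes-v14"),
    "idp2": ("CurrentVersion=14\n", b"keystore-bytes-v14"),
}
NODES_DRIFT = {
    "idp1": ("CurrentVersion=15\n", b"keystore-bytes-v15"),
    "idp2": ("CurrentVersion=14\n", b"keystore-bytes-v14"),
}

if __name__ == "__main__":
    for label, nodes in (("ok", NODES_OK), ("drift", NODES_DRIFT)):
        ok, findings = check_cluster(nodes)
        print(label, "OK" if ok else "MISMATCH", *findings, sep="\n  ")
```

Run it right after the cron job has copied the files, and alert on MISMATCH; the keystore comparison catches the case where the version file was copied but the keystore was not.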

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta: no longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: what to consider before enabling an IdP for interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

(Figure: map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

  Friendly name                                       Defined in   Example
  displayName                                         eduPerson    Peter Sample
  common name (cn)                                    eduPerson    Peter Sample
  mail                                                eduPerson    peter.sample@example.org
  eduPersonAffiliation / eduPersonScopedAffiliation   eduPerson    staff / staff@example.org
  eduPersonPrincipalName                              eduPerson    234cd8z239@example.org
  schacHomeOrganization                               SCHAC        example.org
  schacHomeOrganizationType                           SCHAC        urn:schac:homeOrganizationType:ch:university,
                                                                   urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID / Persistent Name ID            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: what is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Figure: the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

(Figure: metadata with entity category tags)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations learn the SP's commitment, which increases the trust in Service Providers)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

               REFEDS R&S                  GÉANT DP CoCo
  Scope        Global                      Mainly Europe
  Basis        Common purpose of the SPs   Common data protection standards
  Attributes   Fixed set of attributes     SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

(Figure: attribute release rules)

Attribute Release Settings (1)

(Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

(Figure: Resource Registry – Attribute Release Settings, continued)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• error.log
  • aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log
  • aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition:
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  • FileHandler.level INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location /var/log/tomcat7/; config /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
• Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

```xml
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS" />
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>
```

By default the SMTPAppender only sends a mail when an ERROR-level event arrives (together with the preceding events from its cyclic buffer), so the DEBUG root level above does not turn every debug line into an email. The mail carries log content, so keep the SMTP path internal.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener into the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
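The IP restriction mentioned above, as an added example (not the SWITCH installation guide's file and not the IdP's shipped default): the reload flows are unauthenticated apart from this allow list, so the policy should stay as narrow as possible. "AccessByIPAddress" is assumed to be the policy name the admin flows reference; the third range stands in for the Resource Registry and is a documentation address, not SWITCH's real one.

```xml
<!-- conf/access-control.xml (excerpt, added example) -->
<util:map id="shibboleth.AccessControlPolicies">
    <entry key="AccessByIPAddress">
        <bean parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.0.2.10/32'} }" />
    </entry>
</util:map>
```

The address the IdP compares against is the one the servlet container sees; if Apache proxies to Tomcat without passing the client address through, every request arrives as 127.0.0.1 and the allow list becomes meaningless, so check which address ends up in idp-process.log before relying on it. Because shibboleth.ReloadableAccessControlService is itself reloadable, a change here takes effect with one reload-service call.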

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed above:
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate, once the configuration is up to date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1. UK Data Archive: http://www.data-archive.ac.uk
2. FUNET FileSender: https://filesender.funet.fi
3. Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1. Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2. eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3. eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load interfederation metadata: the SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

copy 2015 SWITCH

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": https://wiki.edugain.org/isFederatedCheck, provide email addresses or domain names
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", pick "interfederation"
• or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Example Solution II

Edit authn-messages.properties:

  UnknownUsername = bad-credentials
  InvalidPassword = bad-credentials
  bad-credentials.message = The credentials you entered are incorrect

Mapping both UnknownUsername and InvalidPassword to the same message means the login form no longer reveals whether a username exists.

Attribute Resolution: Migrating configuration to version 3

SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3:
1. Resolution
2. Filtering
3. Encoding

Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• There is no warning when the legacy configuration mode is in use, so problems stay hidden.
• Delete ignored elements.
• Group attribute definitions in separate files: less misleading, smaller files, clearer.

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see the next presentation.

New features in version 3

• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Configuration can be split into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example:

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1

Add a new local attribute definition and release it to the attribute viewer.

UZH SAP user ID: SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>
(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
          <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter" />
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences

• The IdP API for scripts has changed:
  • the output attribute variable is already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
  </resolver:AttributeDefinition>
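The three stages named at the start of this slide set (resolution, filtering, encoding) are easier to reason about when traced for the two hands-on cases. The following Python model is an added example written for this handout; it is not Shibboleth code and does not parse the IdP's XML. It replays what the hands-on definitions do: the template attributes over uid and objectClass, the dependencyOnly flag, the requester-scoped filter policy for the attribute viewer, and a SAML 2 encoder. The LDAP entry, the second SP entity ID and the eduPersonEntitlement filter policy are constructed for the example; the SAML2 name of uzhSAPUserId is not legible on the handout, so the SAML1-style URN from the hands-on stands in for it.

```python
import re
from typing import Dict, List, Optional, Pattern
from xml.sax.saxutils import escape

# Constructed LDAP entry standing in for the myLDAP data connector (example data).
LDAP_ENTRY: Dict[str, List[str]] = {
    "uid": ["jdoe"],
    "objectClass": ["person", "organizationalPerson", "inetOrgPerson"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
}

ATTRIBUTE_VIEWER = "https://attribute-viewer.aai.switch.ch/shibboleth"
OTHER_SP = "https://sp.example.org/shibboleth"  # constructed second requester


def resolve(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Stage 1, resolution, as the two hands-on definitions configure it."""
    resolved = {"uid": list(entry["uid"])}
    # uzhSAPUserId: ad:Template 'SAP-${uid}' depending on uid
    resolved["uzhSAPUserId"] = [f"SAP-{uid}" for uid in entry["uid"]]
    # eduPersonEntitlement.groups: ad:Template over objectClass with
    # dependencyOnly="true": it feeds another definition but never becomes
    # a resolvable attribute of its own, so it cannot leak through a filter.
    groups = [f"https://example.org/groups/{oc}" for oc in entry["objectClass"]]
    # eduPersonEntitlement: ad:Simple aggregating common-lib-terms and the groups values
    resolved["eduPersonEntitlement"] = list(entry["eduPersonEntitlement"]) + groups
    return resolved


# Stage 2, filtering. The first policy is attribute-filter-local.xml from the
# hands-on (requester string match, basic:ANY value rule). The second is a
# constructed policy for any requester, with a value rule so that only the
# expected entitlement shapes are released.
FILTER_POLICIES = [
    {"requester": ATTRIBUTE_VIEWER, "rules": {"uzhSAPUserId": None}},
    {"requester": None, "rules": {"eduPersonEntitlement": re.compile(
        r"urn:mace:dir:entitlement:common-lib-terms|https://example\.org/groups/[A-Za-z]+")}},
]


def filter_attributes(resolved: Dict[str, List[str]], requester: str) -> Dict[str, List[str]]:
    """Fail-closed: a value is released only if some policy for this requester permits it."""
    released: Dict[str, List[str]] = {}
    for policy in FILTER_POLICIES:
        if policy["requester"] not in (None, requester):
            continue
        for attr_id, value_rule in policy["rules"].items():
            rule: Optional[Pattern[str]] = value_rule
            for value in resolved.get(attr_id, []):
                if rule is None or rule.fullmatch(value):
                    bucket = released.setdefault(attr_id, [])
                    if value not in bucket:
                        bucket.append(value)
    return released


# Stage 3, encoding. eduPersonEntitlement uses its standard OID; the
# uzhSAPUserId name is a placeholder (see lead-in).
ENCODERS = {
    "uzhSAPUserId": ("urn:mace:unizh.ch:uzhSapUserId", "uzhSAPUserId"),
    "eduPersonEntitlement": ("urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "eduPersonEntitlement"),
}


def encode_saml2(released: Dict[str, List[str]]) -> str:
    """Render released attributes as SAML 2 <saml:Attribute> elements.
    Attributes without an encoder (uid here) are not put on the wire."""
    lines: List[str] = []
    for attr_id, values in released.items():
        if attr_id not in ENCODERS:
            continue
        name, friendly = ENCODERS[attr_id]
        lines.append(f'<saml:Attribute Name="{name}" FriendlyName="{friendly}" '
                     'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">')
        lines.extend(f"  <saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        lines.append("</saml:Attribute>")
    return "\n".join(lines)


def attributes_for(requester: str) -> Dict[str, List[str]]:
    """Full pipeline up to filtering for one requester."""
    return filter_attributes(resolve(LDAP_ENTRY), requester)


if __name__ == "__main__":
    print(encode_saml2(attributes_for(ATTRIBUTE_VIEWER)))
    print("---")
    print(encode_saml2(attributes_for(OTHER_SP)))
```

Running it shows the attribute viewer receiving SAP-jdoe plus all entitlement values, while the other SP gets the entitlements only; uid and the dependencyOnly helper never appear for either requester.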

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):

  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• attribute rendering in the Shibboleth SP (string):

  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
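To make the computation and the two renderings on this slide concrete, here is an added Python example (written for this handout, not code from the Shibboleth project or from SWITCH). It hashes the three inputs the slide names, renders the NameID and the SP's string form, and shows why the salt matters. The '!' separators between the hashed inputs and the salt being hashed last mirror the Shibboleth computed strategy, but the slide does not spell that out, so treat it as an assumption if you compare output against rows in your shibpid table. All entity IDs, the source value and the salt are constructed sample values.

```python
import base64
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed sample values for this example (not from a real deployment).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID = "https://other-sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"            # e.g. a swissEduPersonUniqueID value
SALT = "replace-me-with-a-long-random-secret"  # stands in for idp.persistentId.salt


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Persistent ID proper: Base64(SHA-1(spEntityID '!' sourceValue '!' salt)).

    Assumption: separator and salt position as in the Shibboleth computed
    strategy. 20 digest bytes Base64-encode to 28 characters ending in '='.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def name_id_element(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The <NameID> as it travels in the assertion, qualified by both entity IDs."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{persistent_id}</NameID>"
    )


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """The single string the Shibboleth SP exposes: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_sp_rendering(rendered: str) -> Tuple[str, str, str]:
    """Split the SP string back into its three parts. Entity IDs are URLs and
    contain ':' and '/', but never '!', and Base64 never contains '!' either,
    so splitting on '!' is unambiguous."""
    parts = rendered.split("!")
    if len(parts) != 3:
        raise ValueError("expected NameQualifier!SPNameQualifier!value")
    return parts[0], parts[1], parts[2]


def is_pairwise(source_value: str, salt: str) -> bool:
    """Targeted ID: two SPs never see the same identifier for the same user."""
    return computed_persistent_id(SP_ENTITY_ID, source_value, salt) != \
        computed_persistent_id(OTHER_SP_ENTITY_ID, source_value, salt)


def guess_user(sp_entity_id: str, observed_id: str,
               candidates: Iterable[str], salt_guess: str) -> Optional[str]:
    """Dictionary attack an SP (or anyone holding its assertions) could run.
    With the real salt the source value falls out of a short candidate list;
    with a wrong or empty salt nothing matches. This is why the salt is
    carried over from v2 unchanged and kept in credentials.properties like a key."""
    for candidate in candidates:
        if computed_persistent_id(sp_entity_id, candidate, salt_guess) == observed_id:
            return candidate
    return None


if __name__ == "__main__":
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print(name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print(sp_rendering(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("pair-wise:", is_pairwise(SOURCE_VALUE, SALT))
    print("recovered with salt:", guess_user(SP_ENTITY_ID, pid, [SOURCE_VALUE], SALT))
    print("recovered without salt:", guess_user(SP_ENTITY_ID, pid, [SOURCE_VALUE], ""))
```

The last two lines of output show the practical consequence: an SP that learns the salt can de-pseudonymise its users from a list of candidate identifiers, so the salt deserves the same handling as the IdP's private keys.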

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service:
  • preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  • deprecates the StoredId data connector and the SAML2NameID attribute definition type
  • in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  • the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:

  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration). A different salt would yield different IDs for every user who has no record in the shibpid table yet, so treat the salt as a long-lived secret and back it up together with the database.

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:

  me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• make sure to import the records into an empty table, i.e. execute

  sudo -u postgres psql shibboleth -c 'truncate shibpid'

  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:

  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;

• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• With global consent disabled, users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option (recommended)
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml, see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO (only attribute-release for Shibboleth SSO)

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
          <list>
              <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
              <ref bean="SAML1.AttributeQuery" />
              <ref bean="SAML1.ArtifactResolution" />
              <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
              <ref bean="SAML2.ECP" />
              <ref bean="SAML2.Logout" />
              <ref bean="SAML2.AttributeQuery" />
              <ref bean="SAML2.ArtifactResolution" />
          </list>
      </property>
  </bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White and black lists: which attributes to prompt for [all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except that attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP; default mapping using the entityID:

  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]

Other mappings are configurable, but the key is still the entityID (a default value is available).

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
          <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
              <constructor-arg name="map">
                  <map>
                      <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                  </map>
              </constructor-arg>
          </bean>
      </constructor-arg>
      <constructor-arg name="f">
          <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
  </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>

• Add the text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant.

Disabling the prompt for particular SPs: entity attributes in metadata

Entity categories:
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship

New attributes available:
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType

Example metadata with attributes:

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
          <mdattr:EntityAttributes>
              <saml:Attribute Name="http://macedir.org/entity-category">
                  <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                  <saml:AttributeValue>switch.ch</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                  <saml:AttributeValue>others</saml:AttributeValue>
              </saml:Attribute>
          </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
          <constructor-arg name="candidates">
              <list>
                  <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                  <!-- more beans -->
              </list>
          </constructor-arg>
          <property name="profileConfigurations">
              <list>
                  <ref bean="ShibbolethSSO" />
                  <ref bean="SAML2.SSO" />
                  <!-- other profiles -->
              </list>
          </property>
      </bean>
  </util:list>
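The two mechanisms on the last slides, tag matching on EntityAttributes and first-match-wins override selection, are easy to get wrong in ordering. The following Python model is an added example for this handout, not Shibboleth or SWITCH code: it parses the slide's EntityDescriptor (wrapped in a small constructed EntitiesDescriptor with namespace declarations, plus a second constructed SP at example.org so that the override above actually matches something), implements ByName and ByTag candidates, and walks an ordered override list the way relying-party.xml is evaluated. The override names and flow lists are taken from the slides; everything else is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Sequence, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
VIEWER = "https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth"
EXAMPLE_SP = "https://sp.example.org/shibboleth"  # constructed

# Constructed metadata: the slide's entity plus one SP tagged with example.org.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="{VIEWER}">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG}">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{EXAMPLE_SP}">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG}">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

Tags = Dict[str, List[str]]
Matcher = Callable[[str, Tags], bool]
Override = Tuple[str, Matcher, List[str]]  # (bean id, candidate test, postAuthenticationFlows)


def load_entities(xml_text: str) -> Dict[str, Tags]:
    """{entityID: {attribute Name: [values]}} from the EntityAttributes extension.
    Entity attributes are asserted by whoever signs the metadata, so an
    override keyed on them trusts the metadata source, not the SP."""
    root = ET.fromstring(xml_text)
    entities: Dict[str, Tags] = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        tags: Tags = {}
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            tags[attr.get("Name", "")] = values
        entities[ed.get("entityID", "")] = tags
    return entities


def by_name(*names: str) -> Matcher:
    """RelyingPartyByName: exact entityID match."""
    return lambda entity_id, tags: entity_id in names


def by_tag(name: str, *values: str) -> Matcher:
    """TagCandidate: the attribute is present and at least one value is listed."""
    return lambda entity_id, tags: any(v in values for v in tags.get(name, []))


# The override from the slide; an empty flow list means no consent prompt.
OVERRIDES: List[Override] = [
    ("shibboleth.NoUserConsentRelyingParty", by_tag(HOME_ORG, "example.org"), []),
]
DEFAULT_FLOWS = ["attribute-release"]  # shibboleth.DefaultRelyingParty on the earlier slide


def post_authentication_flows(entity_id: str, entities: Dict[str, Tags],
                              overrides: Sequence[Override] = OVERRIDES) -> List[str]:
    """First matching override wins; otherwise the default relying party applies.
    An SP absent from metadata raises, mirroring the IdP refusing unknown SPs."""
    tags: Optional[Tags] = entities.get(entity_id)
    if tags is None:
        raise KeyError(f"no metadata for {entity_id}")
    for _bean_id, matches, flows in overrides:
        if matches(entity_id, tags):
            return flows
    return DEFAULT_FLOWS


if __name__ == "__main__":
    ents = load_entities(METADATA)
    for eid in (VIEWER, EXAMPLE_SP):
        print(eid, "->", post_authentication_flows(eid, ents))
```

Swapping the order of a ByName override for sp.example.org and the ByTag override changes which one fires for that SP, which is the "first match wins" point of the slide before.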


Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Upgrading procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux). Verify the package against the signature the Shibboleth project publishes alongside it before unpacking.
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:

  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: managed by you, not touched by upgrades, e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software, updated during upgrades, e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description: 1 and 2 are to review, 3 is to adapt.

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because there is only one Apache VirtualHost, one domain name and one certificate, and no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata. A query that carries neither a valid signature nor a client certificate known from metadata is rejected, so the security of the endpoint rests on the integrity of the metadata feed that carries the SP keys.

2. Change the URL for the Attribute Authority: what to adapt in the Resource Registry

In "3 Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove unnecessary endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.

How to check if a profile and binding can be removed: check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used: check the log files. To find SAML1 SOAP binding logins in 2015:

  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns the information (i.e. time, SP) when the binding was used the last time. Note that the rotated log files only go back as far as your retention period, so the check covers at most that window.

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (figure)

Options: full-featured setup

Load balancing hardware vs. DNS round robin:
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • The behaviour of clients is not determinable
  • Does not guarantee sticky sessions

Options: basic setup (active/standby system)
• Anycast IP address: fast switching possible, but more complicated setup
• Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: data storage, client-side vs. server-side

• A server-side database can store any data
  • But: might cause some performance penalty
  • A centralized/clustered or replicated database is required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message replayed against a different node than the one that first accepted it is not detected
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

  Storage Entity          Recommended Storage    Scope
  Conversation Session    Memory                 Per Node
  IdP User Session        Client                 Per Client
  Persistent ID           Common Database        Cluster
  User consents           Common Database        Cluster
  SAML artifacts          Common Database        Cluster
  Message replay cache    Memory                 Per Node

Remarks:
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

copy 2015 SWITCH

IdP Configuration Secret Key Management bull  The IdP User Session is stored in an encrypted cookie in

the browser The key to encryptdecrypt this cookie should regularly be rotated In a clustered setup all nodes need to share the same key Its recommended that one node generates a new key and copies it to the other nodes

bull  Setup bull  Decide for a node that is responsible for generating the secret keys

and copying them to the other nodes bull  Install an appropriate cronjob bull  The documentation on the Shibboleth wiki contains some details

including an example cronjob script httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement

14
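To make the rotation requirements tangible, here is an added example (not from the handouts and not the IdP's DataSealer code) of a versioned key ring: a rotation adds a new key version while keeping a bounded number of earlier ones, every sealed cookie names the key version it was made with, and a node that did not receive the copied key ring cannot read cookies from the others. The key ring fingerprint is a hypothetical aid for spotting an out-of-sync node. Only the Python standard library is used, so an HMAC-SHA256 keystream and tag stand in for the AES-GCM the real DataSealer uses; key bytes and cookie contents are constructed.

```python
"""Versioned secret keys for the encrypted IdP session cookie.

Added example, not code from the handouts or the Shibboleth code base. It
models what the cronjob on the generating node does: add a key version, keep
a few older versions so cookies sealed under them stay readable until they
expire, and ship the whole ring to the other nodes. Encryption here is an
HMAC-SHA256 keystream plus HMAC tag standing in for AES-GCM; the keys and
cookie payloads are constructed.
"""
import hashlib
import hmac
import os
import struct


class KeyRing:
    """Holds the current key plus a bounded number of earlier versions."""

    def __init__(self, retain=3, rand=os.urandom):
        self.retain = retain
        self._rand = rand
        self.keys = {}            # version -> 32-byte key
        self.current = 0
        self.rotate()

    def rotate(self):
        """Add a new key version and forget versions older than `retain`."""
        self.current += 1
        self.keys[self.current] = self._rand(32)
        for version in sorted(self.keys):
            if version <= self.current - self.retain:
                del self.keys[version]
        return self.current

    def fingerprint(self):
        """Digest over all versions; compare between nodes to detect a stale copy."""
        h = hashlib.sha256()
        for version in sorted(self.keys):
            h.update(struct.pack(">I", version) + self.keys[version])
        return h.hexdigest()

    def replicate(self):
        """The copy the generating node ships to the other cluster nodes."""
        other = KeyRing.__new__(KeyRing)
        other.retain, other._rand = self.retain, self._rand
        other.keys, other.current = dict(self.keys), self.current
        return other


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(ring, plaintext, rand=os.urandom):
    """Return version || nonce || ciphertext || tag, like a sealed session cookie."""
    version = ring.current
    key = ring.keys[version]
    nonce = rand(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = struct.pack(">I", version) + nonce
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unseal(ring, blob):
    """Decrypt with the key version named in the blob; None if unknown or tampered."""
    if len(blob) < 4 + 16 + 32:
        return None
    version = struct.unpack(">I", blob[:4])[0]
    key = ring.keys.get(version)
    if key is None:
        return None               # key rotated out, or this node is out of sync
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    expected = hmac.new(key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, header[4:], len(ct))))
```

The `retain` count is what ties the cronjob interval to the session lifetime: a cookie sealed under a version that has been rotated out is simply unreadable, so the number of retained versions multiplied by the rotation interval must exceed the longest session you want to keep alive.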

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs
• http://www.edugain.org
• https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS (metadata service) fetches, aggregates and republishes metadata
• Policy framework documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria: purpose, policies, or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

(Slide 14: figure, "Metadata")

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
• Goal: increase the trust in Service Providers (SPs)

(Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
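The comparison above is what an IdP's release policy keys on: for an R&S SP the bundle is fixed, for a CoCo SP the attributes come from the SP's own metadata. The following added example (not code from the handouts, the Resource Registry or the IdP, which expresses this with attribute-filter.xml rules such as the saml:EntityAttributeExactMatch policy rule) parses a constructed SAML metadata fragment, reads the entity-category attribute and derives a release plan per SP. The category URIs and the attribute name `http://macedir.org/entity-category` are the published ones; the three SP entity IDs and their metadata are constructed. Releasing only the attributes a CoCo SP marks `isRequired="true"` is a deliberately conservative choice for this example, not a rule stated on the slides.

```python
"""Deciding attribute release from entity categories in SP metadata.

Added example; not from the handouts, the Resource Registry or the IdP. It
reads the entity-category attribute from constructed metadata and applies
what the R&S and CoCo slides say: a fixed bundle for R&S SPs, and for CoCo
SPs what the SP itself declares (here: the RequestedAttribute entries it
marks as required). Category URIs are the published ones; SPs are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Fixed R&S bundle from the slide: identifiers, person name, affiliation, pseudonym.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}

# Friendly names for the OIDs a CoCo SP may list in RequestedAttribute (subset).
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
}

# Constructed metadata: one R&S SP, one CoCo SP, one SP without any category.
CONSTRUCTED_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo demo service</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Set of entity-category URIs declared in the EntityAttributes extension."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS))
    return cats


def requested_attributes(entity, required_only=True):
    """Friendly names of the SP's RequestedAttribute entries; unknown OIDs are skipped."""
    names = set()
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for req in entity.findall(path, NS):
        if required_only and req.get("isRequired", "false").lower() != "true":
            continue
        name = OID_TO_NAME.get(req.get("Name"))
        if name:
            names.add(name)
    return names


def release_plan(metadata_xml):
    """Map entityID -> (category label, attribute IDs a release rule could cover)."""
    root = ET.fromstring(metadata_xml)
    plan = {}
    for entity in root.findall("md:EntityDescriptor", NS):
        eid = entity.get("entityID")
        cats = entity_categories(entity)
        if RS_CATEGORY in cats:
            plan[eid] = ("R&S", set(RS_BUNDLE))
        elif COCO_CATEGORY in cats:
            # CoCo SPs may ask for any attribute; this example covers the required ones.
            plan[eid] = ("CoCo", requested_attributes(entity, required_only=True))
        else:
            plan[eid] = ("none", set())   # left to per-SP rules and user consent
    return plan
```

The scaling argument of the slides is visible in `release_plan`: the two category branches need no per-SP knowledge at all, so a new R&S or CoCo SP appearing in the eduGAIN aggregate is handled without touching the IdP's configuration, while the uncategorised SP still needs an explicit rule.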

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)
(Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log
  • aai-login.example.org.error.log
  • LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log
  • aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out
  • console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <!-- SMTPAppender buffers events and sends a mail when an ERROR event arrives (its default trigger) -->
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
• Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=...'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate, once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue: the SP does not load interfederation metadata, so it does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that the attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
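The "verify that the attributes were released" step above, and the reload-event question in the earlier reloading exercises, both come down to reading idp-audit.log. The following is an added example (not a SWITCH or Shibboleth tool): a small parser for the pipe-separated audit records with a check of which attribute IDs an SP actually received, optionally for one principal, and a listing of the reload events. The first five fields (timestamp, binding, request ID, SP entity ID, profile URI) match the reload lines quoted on the slides; the positions assumed for the principal and the released-attribute list are an assumption of this example and must be checked against the %-tokens in your own conf/audit.xml. All log lines are constructed.

```python
"""Reading idp-audit.log to verify attribute release and reload events.

Added example, not a SWITCH or Shibboleth tool. The log is pipe-separated;
the first five fields (timestamp, binding, request ID, SP entity ID, profile
URI) match the reload lines quoted on the slides. FIELD_PRINCIPAL and
FIELD_ATTRIBUTES are assumed positions for this example: compare them with
the %-tokens in your conf/audit.xml before relying on them. Lines are constructed.
"""

FIELD_TIMESTAMP, FIELD_SP, FIELD_PROFILE = 0, 3, 4
FIELD_PRINCIPAL, FIELD_ATTRIBUTES = 8, 13     # assumed positions, see lead-in
FIELD_COUNT = 14

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"


def _sso_line(ts, req_id, sp, principal, attrs):
    """Build a constructed SSO audit line in the field layout assumed above."""
    fields = [""] * FIELD_COUNT
    fields[FIELD_TIMESTAMP] = ts
    fields[1] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    fields[2] = req_id
    fields[FIELD_SP] = sp
    fields[FIELD_PROFILE] = SSO_PROFILE
    fields[5] = "https://aai-login.example.org/idp/shibboleth"
    fields[FIELD_PRINCIPAL] = principal
    fields[FIELD_ATTRIBUTES] = ",".join(attrs)
    return "|".join(fields)


CONSTRUCTED_AUDIT_LINES = [
    _sso_line("20150611T090501Z", "_req1", "https://sp.example.org/shibboleth", "user1",
              ["mail", "eduPersonPrincipalName", "eduPersonScopedAffiliation"]),
    # Admin flows leave the request/SP fields empty, as on the slide.
    "20150611T091200Z||||" + RELOAD_PREFIX + "service-configuration||||||||",
    _sso_line("20150611T093015Z", "_req2", "https://sp.example.org/shibboleth", "user2",
              ["mail", "displayName"]),
    "20150611T094000Z||||" + RELOAD_PREFIX + "metadata||||||||",
]


def parse_audit(lines):
    """Turn raw lines into dicts; shorter admin-flow lines get empty trailing fields."""
    records = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        fields += [""] * (FIELD_COUNT - len(fields))
        attrs = fields[FIELD_ATTRIBUTES]
        records.append({
            "timestamp": fields[FIELD_TIMESTAMP],
            "sp": fields[FIELD_SP],
            "profile": fields[FIELD_PROFILE],
            "principal": fields[FIELD_PRINCIPAL],
            "attributes": set(attrs.split(",")) if attrs else set(),
        })
    return records


def released_to(records, sp_entity_id, principal=None):
    """(seen, attrs): union of attribute IDs released to the SP in SSO records.

    Restrict to one user with `principal` when troubleshooting a single login.
    """
    seen, attrs = False, set()
    for r in records:
        if r["profile"] != SSO_PROFILE or r["sp"] != sp_entity_id:
            continue
        if principal is not None and r["principal"] != principal:
            continue
        seen = True
        attrs |= r["attributes"]
    return seen, attrs


def missing_attributes(records, sp_entity_id, required, principal=None):
    """Required attribute IDs the SP never received; all of them if no login was logged."""
    seen, attrs = released_to(records, sp_entity_id, principal)
    return set(required) if not seen else set(required) - attrs


def reload_events(records):
    """(timestamp, profile URI) of reload-service / reload-metadata admin flows.

    As the quoted slide lines show, the record carries no id= value, so it
    tells you that a reload happened, not which service was reloaded.
    """
    return [(r["timestamp"], r["profile"]) for r in records
            if r["profile"].startswith(RELOAD_PREFIX)]
```

With a real file, `parse_audit(open("/opt/shibboleth-idp/logs/idp-audit.log"))` replaces the constructed list; the `required` set comes from the SP's entry in the Resource Registry. A non-empty result from `missing_attributes` points at your release policy, an empty one sends the problem back to the SP, which is the decision tree of the slide.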

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck, providing email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
• or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Attribute Resolution: Migrating configuration to version 3
SWITCHaai Team, aai@switch.ch

Attribute processing in IdP version 3
1. Resolution
2. Filtering
3. Encoding

Page 34

Compatibility with version 2
• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug
• Some deprecated elements are ignored
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted

Why upgrade your configuration?
• No warning is given for using the legacy configuration mode
• Delete ignored elements
• Group attribute definitions in separate files
• Less misleading, smaller files, clearer

Page 35

Deprecated items
• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions
• All replaced by NameID generation/consumption, see next presentation

New features in version 3
• Property replacement: %{my.property}
  • Move passwords to a dedicated file
  • Extract duplicated data like URLs
• Can split the configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

Page 36

New features example

    <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
        generatedAttributeID="persistentID"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}"
        queryTimeout="0">
      <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
      <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
    </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID (source: Resource Registry)
• SAP User ID used internally by the University of Zürich
• SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
• SAML2 Name: urn:oid:1361411181711213 (the dots of the OID were lost in extraction)
• Friendly name: uzhSAPUserId
• Format: SAP-<username>

Page 37

Hands-on 1 solution: attribute-resolver-local.xml

New file with (inside the usual <resolver:AttributeResolver> root element and namespace declarations):

    <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
      <resolver:Dependency ref="uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String"
          name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String"
          name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
      <ad:Template>SAP-${uid}</ad:Template>
      <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with (inside the usual <afp:AttributeFilterPolicyGroup> root element):

    <afp:AttributeFilterPolicy id="uzhSAPUserId">
      <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
          value="https://attribute-viewer.aai.switch.ch/shibboleth" />
      <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Doable in the Resource Registry too

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
      <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
      <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
      <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
      <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
• The IdP API for scripts has changed
  • the output attribute variable is already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and Java 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution: create a new template attribute definition (without encoders) to generate the new values

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
      <resolver:Dependency ref="myLDAP" />
      <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
      <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
      <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
      <resolver:Dependency ref="eduPersonEntitlement.groups" />
      <!-- rest of original definition -->
    </resolver:AttributeDefinition>
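What the two hands-on solutions do at resolution time is easier to see in a model than in the XML. The following is an added example (not the IdP's resolver, which is Java with Velocity templates): an ad:Template definition renders its template once per value of the source attribute, so a multi-valued objectClass yields one entitlement per object class; an ad:Simple definition with several dependencies collects all of their values; and `dependencyOnly="true"` keeps the intermediate attribute out of what is handed to the filter engine. The LDAP entry, the `eduPersonEntitlement.common-lib-terms` value and the row-by-row rendering rule for multiple source attributes are constructed for this example.

```python
"""Model of the Template and Simple attribute definitions from the hands-on.

Added example; not the IdP's resolver (Java, Velocity templates). It shows
how the definitions above behave: a Template renders once per source value,
a Simple definition gathers the values of its dependencies, and
dependencyOnly attributes never reach the filter engine. The LDAP entry and
the definitions are constructed; `${name}` is the template syntax of the slides.
"""
import re


class TemplateDefinition:
    """ad:Template: ${name} placeholders filled from the source attribute values."""

    def __init__(self, attr_id, template, sources, dependency_only=False):
        self.attr_id = attr_id
        self.template = template
        self.sources = sources              # <ad:SourceAttribute> names, in order
        self.dependency_only = dependency_only

    def resolve(self, resolved):
        columns = [resolved.get(s, []) for s in self.sources]
        # Rendered row by row, so every source must contribute equally many values.
        if len({len(c) for c in columns}) > 1:
            raise ValueError(f"{self.attr_id}: source attributes differ in value count")
        values = []
        for row in zip(*columns):
            env = dict(zip(self.sources, row))
            values.append(re.sub(r"\$\{(\w+)\}", lambda m: env[m.group(1)], self.template))
        return values


class SimpleDefinition:
    """ad:Simple: passes on the values of its dependencies, in order, without duplicates."""

    def __init__(self, attr_id, dependencies, dependency_only=False):
        self.attr_id = attr_id
        self.dependencies = dependencies
        self.dependency_only = dependency_only

    def resolve(self, resolved):
        values = []
        for dep in self.dependencies:
            for v in resolved.get(dep, []):
                if v not in values:
                    values.append(v)
        return values


def resolve_all(definitions, connector_values):
    """Resolve the definitions in the given (dependency) order on top of connector output."""
    resolved = {k: list(v) for k, v in connector_values.items()}
    for d in definitions:
        resolved[d.attr_id] = d.resolve(resolved)
    return resolved


def released_attributes(definitions, resolved):
    """Attributes handed to the filter engine: everything except dependencyOnly ones."""
    return {d.attr_id: resolved[d.attr_id] for d in definitions if not d.dependency_only}


# Constructed LDAP entry for one user, as the 'myLDAP' data connector would return it.
LDAP_ENTRY = {
    "uid": ["psample"],
    "objectClass": ["top", "person", "inetOrgPerson", "eduPerson"],
    "eduPersonEntitlement.common-lib-terms": ["urn:mace:dir:entitlement:common-lib-terms"],
}

DEFINITIONS = [
    TemplateDefinition("uzhSAPUserId", "SAP-${uid}", ["uid"]),
    TemplateDefinition("eduPersonEntitlement.groups",
                       "https://example.org/groups/${objectClass}", ["objectClass"],
                       dependency_only=True),
    SimpleDefinition("eduPersonEntitlement",
                     ["eduPersonEntitlement.common-lib-terms", "eduPersonEntitlement.groups"]),
]
```

Running `resolve_all(DEFINITIONS, LDAP_ENTRY)` yields four group entitlements from the four object classes plus the common-lib-terms value under eduPersonEntitlement, while `released_attributes` shows that eduPersonEntitlement.groups itself never leaves the resolver, which is why it needs no encoders and no filter rule.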

Page 40

References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration
SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://aai-login.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
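The computation described above, and the reverse mapping that the shibpid table exists for, as an added example (not the IdP's code): SHA-1 over the SP entity ID, the user's source attribute value and the salt, Base64-encoded, plus a dictionary playing the role of the shibpid table so that a persistent ID received from an SP can be mapped back to the principal. The `!` separators between the three hash inputs are the convention of the Shibboleth computed-ID generator and are not stated on the slide; the salt, the users and the SP entity IDs are constructed.

```python
"""Computing and reverse-mapping pairwise persistent IDs.

Added example, not code from the IdP. computed_persistent_id() follows the
default computation on the slide (SHA-1 of SP entity ID, attribute value and
salt, Base64); the '!' separators are the Shibboleth computed-ID convention,
not something the slide states. PersistentIdStore stands in for the shibpid
table. Salt, principals and entity IDs are constructed.
"""
import base64
import hashlib

SALT = b"constructed-salt-replace-with-random-bytes"   # idp.persistentId.salt (constructed)
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"


def computed_persistent_id(sp_entity_id, source_value, salt=SALT):
    """Base64(SHA-1(spEntityID '!' sourceValue '!' salt)): 28 characters for 20 bytes."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode())
    h.update(b"!")
    h.update(source_value.encode())
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode()


def sp_rendering(sp_entity_id, persistent_id, idp_entity_id=IDP_ENTITY_ID):
    """The string form the Shibboleth SP exposes: idpEntityID!spEntityID!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


class PersistentIdStore:
    """Stand-in for the shibpid table: (SP entity ID, persistent ID) -> principal."""

    def __init__(self):
        self._rows = {}

    def get_or_create(self, sp_entity_id, principal, source_value):
        """Generating side: return the SP's ID for this user, recording it on first use."""
        pid = computed_persistent_id(sp_entity_id, source_value)
        self._rows.setdefault((sp_entity_id, pid), principal)
        return pid

    def lookup(self, sp_entity_id, persistent_id):
        """Consuming side (c14n): map an ID the SP sends back to the principal, or None."""
        return self._rows.get((sp_entity_id, persistent_id))

    def row_count(self):
        return len(self._rows)
```

Two properties worth checking against your own deployment follow directly: the same user gets different IDs at different SPs (the pair-wise pseudonym the SAML quote asks for), and changing the salt changes every ID, which is why the v2 salt must be carried over into credentials.properties rather than regenerated.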

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  • preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  • deprecates the StoredId data connector and the SAML2NameID attribute definition type
  • in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  • the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

copy 2015 SWITCH

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table

(Some ideas for) hands-on exercises

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3?

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options: Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use','attribute-release'}}" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration: Configured by Java properties in conf/idp.properties

Consent duration options (defaults in brackets):
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
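How the white list, black list and pattern together decide which attributes the consent page asks about, and the 3.2.0 display order, reimplemented as an added Python example (not part of the handouts or of the IdP code). The attribute list is constructed; that white-listed attributes keep the order of the white list among themselves is an assumption of this model:

```python
import re
from typing import Iterable, List, Optional, Sequence

# Added example, not the IdP's implementation: models the consent intercept's
# white list / black list / pattern rules from consent-intercept-config.xml.
# Default black list as listed in the handout.
DEFAULT_BLACK_LIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(attributes: Iterable[str],
                         white_list: Sequence[str] = (),
                         black_list=DEFAULT_BLACK_LIST,
                         match_expression: Optional[str] = None) -> List[str]:
    """Return the attribute ids the user is asked about, in input order.

    - black-listed attributes are never shown (released silently)
    - once a white list or a pattern is configured, only attributes in the
      white list or matching the pattern are shown; all others are released
      without asking
    - with neither configured, every non-black-listed attribute is shown
    """
    pattern = re.compile(match_expression) if match_expression else None
    restrict = bool(white_list) or pattern is not None
    prompted = []
    for attr in attributes:
        if attr in black_list:
            continue
        if restrict and attr not in white_list and not (pattern and pattern.match(attr)):
            continue
        prompted.append(attr)
    return prompted


def display_order(prompted: Sequence[str], white_list: Sequence[str] = ()) -> List[str]:
    """Display order introduced with 3.2.0: white-listed attributes first
    (assumed: in white-list order), then the remaining ones alphabetically."""
    first = [a for a in white_list if a in prompted]
    rest = sorted(a for a in prompted if a not in white_list)
    return first + rest


# Constructed attribute set of a resolved user for the demonstration.
SAMPLE_ATTRIBUTES = ["mail", "eduPersonTargetedID", "displayName",
                     "eduPersonPrincipalName", "persistentId", "swissEduPersonUniqueID"]

if __name__ == "__main__":
    white = ["eduPersonPrincipalName", "mail"]
    print(attributes_to_prompt(SAMPLE_ATTRIBUTES))
    print(attributes_to_prompt(SAMPLE_ATTRIBUTES, white_list=white))
    shown = attributes_to_prompt(SAMPLE_ATTRIBUTES, white_list=white, match_expression="^.*$")
    print(display_order(shown, white))
```

Note the interaction the slides point at: a white list alone silently releases everything it does not name, so the ^.*$ pattern is what turns the white list back into a pure ordering hint.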

Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties

• Terms for each SP
• Default mapping using the entityID:
    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55
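The three key strategies from the slides above (the entityID as default key, the Guava compose/forMap bean with its fallback, and the constant bean from the hands-on) as an added Python example; for_map, compose and constant model the Guava factory methods and are not the IdP's code. The properties text starts with the page's own lines and continues with constructed entries (example-terms, terms-of-use, generic-tou):

```python
from typing import Callable, Dict, Tuple

# Added example, not from the handouts: how the terms-of-use key function
# selects the ToU id and its title/text from consent-messages.properties.
# The first three property lines are the page's default-mapping example,
# the remaining lines are constructed for this demonstration.
CONSENT_MESSAGES = """
https://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em> [...]
example-terms = example-tou-1
terms-of-use = generic-tou
generic-tou.title = Generic Terms of Use
generic-tou.text = Applies to every SP without its own mapping
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
"""

Context = Dict[str, str]            # stands in for the ProfileRequestContext
KeyFunction = Callable[[Context], str]


def load_properties(text: str) -> Dict[str, str]:
    """Minimal 'key = value' parser (no escapes, no continuation lines)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def relying_party_id_lookup(context: Context) -> str:
    """Stand-in for shibboleth.RelyingPartyIdLookup.Simple: the SP's entityID."""
    return context["relyingPartyId"]


def for_map(mapping: Dict[str, str], default_value: str) -> Callable[[str], str]:
    """Models Functions.forMap(map, defaultValue)."""
    return lambda key: mapping.get(key, default_value)


def compose(g: Callable[[str], str], f: KeyFunction) -> KeyFunction:
    """Models Functions.compose(g, f): g(f(context))."""
    return lambda context: g(f(context))


def constant(value: str) -> KeyFunction:
    """Models Functions.constant(value): the same key for every SP."""
    return lambda _context: value


def terms_of_use(context: Context, key_function: KeyFunction,
                 props: Dict[str, str]) -> Tuple[str, str, str]:
    """Resolve (tou id, title, text): the key picks the ToU id, the id picks the messages."""
    key = key_function(context)
    tou_id = props.get(key, key)
    return tou_id, props.get(tou_id + ".title", ""), props.get(tou_id + ".text", "")


PROPS = load_properties(CONSENT_MESSAGES)
DEFAULT_KEY: KeyFunction = relying_party_id_lookup
MAPPED_KEY: KeyFunction = compose(
    for_map({"https://sp.example.org/shibboleth": "example-terms"}, "terms-of-use"),
    relying_party_id_lookup)
CONSTANT_KEY: KeyFunction = constant("my-terms")

if __name__ == "__main__":
    for name, key in (("default", DEFAULT_KEY), ("mapped", MAPPED_KEY), ("constant", CONSTANT_KEY)):
        print(name, terms_of_use({"relyingPartyId": "https://other.example.net/shibboleth"}, key, PROPS))
```

With the default key every SP without its own entityID line ends up with empty title and text, which is why the forMap bean's defaultValue (or the constant bean) matters before enabling the flow for all relying parties.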

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available:
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Page 58
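How a RelyingPartyByTag override is resolved against <mdattr:EntityAttributes>, as an added Python example and not the IdP's implementation: the first entity reproduces the attribute-viewer metadata above; the second and third entity and the shibboleth.CoCoRelyingParty override are constructed to show that the order of shibboleth.RelyingPartyOverrides decides when an SP matches more than one override:

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Set, Tuple

# Added example, not the IdP's code: evaluates TagCandidate-style overrides
# against the entity attributes found in SAML metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

# Constructed aggregate: entity 1 mirrors the handout's attribute-viewer example,
# entities 2 and 3 are invented for this demonstration.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG}">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="{HOME_ORG}">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain.example.net/shibboleth"/>
</md:EntitiesDescriptor>
"""


def entity_attributes(root: ET.Element) -> Dict[str, Dict[str, Set[str]]]:
    """entityID -> {attribute Name -> set of values} taken from <mdattr:EntityAttributes>."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for entity in root.findall("md:EntityDescriptor", NS):
        attrs: Dict[str, Set[str]] = {}
        for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
            attrs[attr.get("Name")] = values
        result[entity.get("entityID")] = attrs
    return result


class TagCandidate:
    """Mirror of the TagCandidate bean: c:name is the attribute Name, p:values the accepted values."""

    def __init__(self, name: str, values: Sequence[str]):
        self.name = name
        self.values = set(values)

    def matches(self, attrs: Dict[str, Set[str]]) -> bool:
        return bool(attrs.get(self.name, set()) & self.values)


Override = Tuple[str, List[TagCandidate]]

OVERRIDES: List[Override] = [
    # the override from the slide
    ("shibboleth.NoUserConsentRelyingParty", [TagCandidate(HOME_ORG, ["example.org"])]),
    # constructed second override, so that ordering matters for sp.example.org
    ("shibboleth.CoCoRelyingParty", [TagCandidate(ENTITY_CATEGORY, [COCO])]),
]


def relying_party_for(entity_id: str, metadata_attrs: Dict[str, Dict[str, Set[str]]],
                      overrides: Sequence[Override],
                      default: str = "shibboleth.DefaultRelyingParty") -> str:
    """First override with a matching candidate wins, as in shibboleth.RelyingPartyOverrides."""
    attrs = metadata_attrs.get(entity_id, {})
    for bean_id, candidates in overrides:
        if any(c.matches(attrs) for c in candidates):
            return bean_id
    return default


def resolve_all(overrides: Sequence[Override] = OVERRIDES) -> Dict[str, str]:
    attrs = entity_attributes(ET.fromstring(METADATA))
    return {eid: relying_party_for(eid, attrs, overrides) for eid in attrs}


if __name__ == "__main__":
    for eid, bean in resolve_all().items():
        print(bean, "<-", eid)
```

Because the tag values come straight from metadata, the override only stays trustworthy as long as the metadata source is one whose registration process you rely on; an attribute-viewer style SP tagged with a home-organisation value by its own federation would otherwise switch off the consent flow at your IdP.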

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3: It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata!

Page 62

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: add new IP ranges and Domain Hints
• 5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In 3. Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3. Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.

Page 68
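The grep above answers "when was this binding used last"; the added Python example below (not from the handouts) does the same over the slide's removal candidates at once and lists the bindings unused since a given date. The log lines are constructed: only the leading timestamp, the binding URI and the relying party ID are parsed, so LINE_RE has to be adapted to the wording of the real idp-process.log:

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Added example, not from the handouts: last use per binding from idp-process.log.
# Binding URIs of the handout's removal candidates.
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
CANDIDATES = (SAML1_SOAP, SAML2_SIMPLESIGN)

# Constructed log lines in a simplified idp-process.log shape; the real file's
# message wording differs and LINE_RE must be adjusted to it.
SAMPLE_LOG = """\
2015-01-14 09:12:03,101 - INFO [...] - Decoded message via binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth
2015-03-02 17:40:55,987 - INFO [...] - Decoded message via binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
2015-05-30 08:01:10,004 - INFO [...] - Decoded message via binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign for relying party https://old-sp.example.net/shibboleth
2015-06-08 12:00:00,500 - WARN [...] - Message not decoded (no binding)
"""

# timestamp, binding URI, relying party ID
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?binding (\S+).*?relying party (\S+)")

LastUse = Optional[Tuple[datetime, str]]


def last_use_by_binding(lines: Iterable[str],
                        bindings: Sequence[str] = CANDIDATES) -> Dict[str, LastUse]:
    """Map each binding of interest to (time, relying party) of its most recent use, or None."""
    last: Dict[str, LastUse] = {b: None for b in bindings}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, binding, sp = m.groups()
        if binding not in last:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if last[binding] is None or when > last[binding][0]:
            last[binding] = (when, sp)
    return last


def removable(last: Dict[str, LastUse], since: str) -> List[str]:
    """Bindings without any use on or after `since` (YYYY-MM-DD): candidates for removal."""
    cutoff = datetime.strptime(since, "%Y-%m-%d").date()
    return sorted(b for b, use in last.items() if use is None or use[0].date() < cutoff)


if __name__ == "__main__":
    usage = last_use_by_binding(SAMPLE_LOG.splitlines())
    for binding, use in usage.items():
        print(binding, "->", use)
    print("unused since 2015-03-01:", removable(usage, "2015-03-01"))
```

Run it over all idp-process-*.log files that cover the observation window (the rolled-over ones included), otherwise a binding that was used only before the oldest retained file looks unused.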

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram, two slides)

Page 71

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

    Storage Entity         Recommended Storage   Scope
    Conversation Session   Memory                Per Node
    IdP User Session       Client                Per Client
    Persistent ID          Common Database       Cluster
    User consents          Common Database       Cluster
    SAML artifacts         Common Database       Cluster
    Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (world map of federations in production and pilot status). Source: https://refeds.org/federations/federations-map

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry (screenshot)

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                               Defined in   Example
    displayName                                 eduPerson    Peter Sample
    common name (cn)                            eduPerson    Peter Sample
    mail                                        eduPerson    peter.sample@example.org
    eduPersonAffiliation /                      eduPerson    staff /
    eduPersonScopedAffiliation                               staff@example.org
    eduPersonPrincipalName                      eduPerson    234cd8z239@example.org
    schacHomeOrganization                       SCHAC        example.org
    schacHomeOrganizationType                   SCHAC        urn:schac:homeOrganizationType:ch:university /
                                                             urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID / Persistent Name ID    eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (screenshot)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy framework: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata (diagram)

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                   GÉANT DP CoCo
    Global                       Mainly Europe
    Common purpose of the SPs    Common data protection standards
    Fixed set of attributes      SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Page 88

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/. Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback
  – Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  – log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok
• Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class name into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries for
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat.
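Added example (not part of the SWITCH handout, and not IdP code): a small parser for idp-process.log that filters records by level and logger, the way Hands On 2 asks you to find the Authenticator and attribute resolver entries. It assumes the record layout "%date - %level [%logger:%line] - %message", which is the form of the entries quoted in the exercise; the sample lines are constructed, as are the logger names that are not quoted on the slide. Continuation lines (stack traces) are folded into the preceding record.

```python
import re
from collections import Counter

# One record of idp-process.log as written with the Logback pattern
# "%date - %level [%logger:%line] - %message%n" (assumed layout; the
# bracketed logger:line form matches the entries quoted in Hands On 2).
# %date renders as "yyyy-MM-dd HH:mm:ss,SSS" by default.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)\s+"
    r"\[(?P<logger>[^\]:]+):(?P<line>\d+)\] - (?P<msg>.*)$"
)

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR"]


def parse_process_log(text):
    """Turn log text into a list of dicts (ts, level, logger, line, msg).

    Lines that do not start a new record (stack-trace frames, wrapped
    messages) are appended to the message of the preceding record, which is
    how Logback writes an exception that follows a log call."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            records.append(rec)
        elif records:
            records[-1]["msg"] += "\n" + line
    return records


def select(records, min_level="DEBUG", logger_prefix=""):
    """Records at or above min_level whose logger name starts with logger_prefix."""
    threshold = LEVELS.index(min_level)
    return [r for r in records
            if LEVELS.index(r["level"]) >= threshold
            and r["logger"].startswith(logger_prefix)]


def count_by_logger(records):
    """How many records each logger produced: a quick view of what an
    additional DEBUG logger added to the file."""
    return Counter(r["logger"] for r in records)


# Constructed sample lines (not taken from a real IdP); the logger names
# follow the ones named in Hands On 2, the remaining ones are made up.
SAMPLE_LOG = """\
2015-06-11 10:15:02,001 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticating uid=demo
2015-06-11 10:15:02,003 - WARN  [org.ldaptive.auth.Authenticator:284] - search filter (uid=) matched no entry
2015-06-11 10:15:02,010 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:203] - search filter (uid=)
2015-06-11 10:15:02,020 - ERROR [net.shibboleth.idp.attribute.resolver.AttributeResolver:100] - attribute resolution failed
java.lang.IllegalStateException: no principal name
\tat net.shibboleth.idp.attribute.resolver.AttributeResolver.resolve(AttributeResolver.java:99)
2015-06-11 10:15:03,000 - INFO  [net.shibboleth.idp.session.SessionManager:50] - session created for demo
"""

if __name__ == "__main__":
    recs = parse_process_log(SAMPLE_LOG)
    for r in select(recs, "WARN"):
        print(r["ts"], r["level"], r["logger"], r["msg"].splitlines()[0])
    print(count_by_logger(recs))
```

Run it against the real file with parse_process_log(open("/opt/shibboleth-idp/logs/idp-process.log").read()) and narrow with select(recs, "DEBUG", "org.ldaptive") or select(recs, "DEBUG", "net.shibboleth.idp.attribute.resolver"); if your logback.xml uses a different pattern, adjust RECORD_RE accordingly.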

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  ◦ attribute resolver (attribute-resolver.xml)
  ◦ attribute filtering engine (attribute-filter.xml)
  ◦ profile handler manager (handler.xml)
  ◦ relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified … requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  ◦ edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  ◦ say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course … but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4 (available bean IDs for service reloads):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
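Added example (not part of the SWITCH handout, and not IdP code): extracting the reload events from idp-audit.log. The audit record is a "|"-separated line like the ones quoted above; since the position of the profile field depends on the configured audit format, the function locates the profile URI by its prefix instead of by column number. The timestamp-in-first-field assumption and the sample lines are constructed for this example.

```python
from collections import Counter

PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"
RELOAD_PROFILES = {
    PROFILE_PREFIX + "reload-metadata": "metadata reload",
    PROFILE_PREFIX + "reload-service-configuration": "service reload",
}


def audit_fields(line):
    """Split one audit record into its fields; empty fields are kept so that
    column counts stay meaningful for your own audit format."""
    return line.rstrip("\n").split("|")


def profile_of(fields):
    """Return the profile URI field of a record, or None if there is none."""
    for f in fields:
        if f.startswith(PROFILE_PREFIX):
            return f
    return None


def reload_events(text):
    """List of (timestamp, kind) for every reload recorded in the audit log.

    The timestamp is taken from the first field (assumption about the audit
    format in use; adjust if your format puts it elsewhere)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = audit_fields(line)
        kind = RELOAD_PROFILES.get(profile_of(fields))
        if kind:
            events.append((fields[0], kind))
    return events


def summarise(text):
    """Count records per profile URI, so reloads can be set against the
    ordinary SSO traffic in the same file."""
    return Counter(profile_of(audit_fields(l))
                   for l in text.splitlines() if l.strip())


# Constructed sample (not from a real IdP): one SSO record followed by the
# kind of reload records quoted on the slide, with a timestamp as first field.
SAMPLE_AUDIT = """\
20150611T081500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|||demo|||||||||
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T081545Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081600Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""

if __name__ == "__main__":
    for ts, kind in reload_events(SAMPLE_AUDIT):
        print(ts, kind)
    print(summarise(SAMPLE_AUDIT))
```

As the quoted records show, the audit line carries only the profile URI, so this tells you when a reload happened and whether it was a metadata or a service reload; the remaining details of a reload are not in this file.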

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  ◦ Opt-in vs opt-out
  ◦ Metadata
  ◦ Discovery Service
  ◦ Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  ◦ IdPs and SPs decide when they are ready to interfederate
  ◦ Once the configuration is up-to-date: interfederation metadata gets loaded; IdP: additional attributes, user consent; SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  ◦ Federation announces a flag day for enabling interfederation
  ◦ IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
  ◦ SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  ◦ Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  ◦ In SWITCHaai: two hours
  ◦ For interfederation: one to a few days
• Possible issue
  ◦ SP does not load interfederation metadata
  ◦ SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  ◦ E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  ◦ That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  ◦ Check the SP's attribute requirements in the Resource Registry
  ◦ Verify that attributes were released (in the IdP's audit log)
    If NO: check your IdP's attribute release policy
    If YES: were all required attributes released? If YES, the SP has to check out why it fails; if NO, review your attribute release policy
• Another issue
  ◦ An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  ◦ go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  ◦ or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  ◦ or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names
• Additional web pages of interest
  ◦ Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  ◦ REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  ◦ go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
• or search it in the metadata file
  ◦ /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Compatibility with version 2

• Same XML syntax as v2, should be nearly 100% compatible. Any regression should be reported as a bug.
• Some deprecated elements are ignored.
• Exception: scripted attribute definitions. Deprecated interfaces may require complex scripts to be adapted.

Why upgrade your configuration?

• No warning for using legacy configuration mode
• Delete ignored elements
• Grouping attribute definitions in separate files: less misleading, smaller files, clearer

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.

New features in version 3

• Property replacement: %{my.property}
  ◦ Move passwords into a dedicated file
  ◦ Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors

New features example

<resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
    generatedAttributeID="persistentID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}"
    queryTimeout="0">
  <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
  <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by University of Zürich
SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
SAML2 Name: urn:oid:1361411181711213
Friendly name: uzhSAPUserId
Format: SAP-<username>

(source: Resource Registry)

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
  <resolver:Dependency ref="uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String"
      name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
  <ad:Template>SAP-${uid}</ad:Template>
  <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://attribute-viewer.aai.switch.ch/shibboleth" />
  <afp:AttributeRule attributeID="uzhSAPUserId">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry too.

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
  <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
  <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
  <ref bean="FileBackedSWITCHaaiAttributeFilter" />
  <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  ◦ output attribute variable already created
  ◦ setValues() removed
  ◦ and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
    sourceAttributeID="objectClass" dependencyOnly="true">
  <resolver:Dependency ref="myLDAP" />
  <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
  <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
  <resolver:Dependency ref="eduPersonEntitlementgroups" />
  <!-- rest of original definition -->
</resolver:AttributeDefinition>
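Added example (not part of the SWITCH handout, and not IdP code): a consistency check over a split set of attribute-resolver-*.xml files of the kind built in the two hands-on exercises. It collects every AttributeDefinition and DataConnector id across all files, reports Dependency refs that point to nothing, and reports ${...} variables in an ad:Template body that have no matching ad:SourceAttribute, following the pattern the solutions above use (treated here as a rule; an assumption about this IdP version). The namespaces are the v2-style resolver namespaces the snippets use; the two sample files are constructed, with one deliberately wrong definition.

```python
import re
import xml.etree.ElementTree as ET

RESOLVER = "urn:mace:shibboleth:2.0:resolver"
AD = "urn:mace:shibboleth:2.0:resolver:ad"

PLUGIN_TAGS = ["{%s}AttributeDefinition" % RESOLVER, "{%s}DataConnector" % RESOLVER]
DEPENDENCY_TAG = "{%s}Dependency" % RESOLVER
TEMPLATE_TAG = "{%s}Template" % AD
SOURCE_TAG = "{%s}SourceAttribute" % AD

# Velocity references inside an ad:Template body: ${uid} or $uid
TEMPLATE_VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def check_resolver(files):
    """files: dict of file name -> XML text (the attribute-resolver-*.xml set).
    Returns a list of human-readable problems; an empty list means consistent."""
    roots = {name: ET.fromstring(text) for name, text in files.items()}

    # Every plugin id across all files; a Dependency may refer to any of them.
    known = set()
    for root in roots.values():
        for tag in PLUGIN_TAGS:
            known.update(el.get("id") for el in root.iter(tag))

    problems = []
    for name, root in roots.items():
        for tag in PLUGIN_TAGS:
            for plugin in root.iter(tag):
                pid = plugin.get("id")
                for dep in plugin.iter(DEPENDENCY_TAG):
                    if dep.get("ref") not in known:
                        problems.append("%s: '%s' depends on unknown plugin '%s'"
                                        % (name, pid, dep.get("ref")))
                # Assumption: every variable used in ad:Template must be
                # declared as an ad:SourceAttribute of the same definition.
                sources = {s.text.strip() for s in plugin.iter(SOURCE_TAG) if s.text}
                for tmpl in plugin.iter(TEMPLATE_TAG):
                    for var in TEMPLATE_VAR_RE.findall(tmpl.text or ""):
                        if var not in sources:
                            problems.append("%s: template of '%s' uses ${%s} without an "
                                            "ad:SourceAttribute for it" % (name, pid, var))
    return problems


XMLNS = ('xmlns:resolver="urn:mace:shibboleth:2.0:resolver" '
         'xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" '
         'xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

# Constructed sample files (connector details trimmed). The second definition
# in the local file misspells its dependency and lacks a SourceAttribute.
SAMPLE_FILES = {
    "attribute-resolver-core.xml": """<resolver:AttributeResolver %s>
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory" />
  <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
    <resolver:Depend\
ency ref="myLDAP" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>""" % XMLNS,
    "attribute-resolver-local.xml": """<resolver:AttributeResolver %s>
  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLdap" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>""" % XMLNS,
}

if __name__ == "__main__":
    for problem in check_resolver(SAMPLE_FILES):
        print(problem)
```

For a real deployment, build the dict from the files listed in the shibboleth.AttributeResolverResources list in services.xml and run the check before reloading shibboleth.AttributeResolverService; a dangling Dependency is one reason an attribute silently never appears.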

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://aai-login.example.org/idp/shibboleth"
          SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
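Added example (not part of the SWITCH handout, and not IdP code): the computed persistent ID scheme described above, written out so the properties the recap lists can be checked. It shows that the Base64 output is always 28 characters (20 SHA-1 bytes), that the same user gets a different value per SP (pair-wise), and that the value is only reproducible with the salt. The "!" separator between the three hash inputs is an assumption about the IdP's algorithm, not stated on the slide; the salt and attribute values are constructed.

```python
import base64
import hashlib


def computed_persistent_id(sp_entity_id, source_value, salt):
    """Persistent ID proper (the <NameID> text content): SHA-1 over the SP
    entity ID, the source attribute value and the salt, Base64 encoded.
    The '!' separator is an assumption about the IdP's ComputedId scheme."""
    digest = hashlib.sha1(
        sp_entity_id.encode("utf-8") + b"!"
        + source_value.encode("utf-8") + b"!"
        + salt.encode("utf-8")
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def sp_rendering(idp_entity_id, sp_entity_id, persistent_id):
    """The string form the Shibboleth SP exposes to applications:
    the two qualifiers and the ID, joined with '!'."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def split_rendering(value):
    """Inverse of sp_rendering. The ID itself never contains '!' (it is
    Base64), so splitting on the last two separators is unambiguous even
    though entity IDs are URLs."""
    idp, sp, pid = value.rsplit("!", 2)
    return idp, sp, pid


IDP = "https://aai-login.example.org/idp/shibboleth"
SALT = "constructed-salt-for-this-example"   # the real one lives in credentials.properties


def demo(source_value="123456@example.org"):
    """Same user, two SPs: two unrelated identifiers."""
    pid_a = computed_persistent_id("https://sp.example.org/shibboleth", source_value, SALT)
    pid_b = computed_persistent_id("https://other.example.org/shibboleth", source_value, SALT)
    return pid_a, pid_b


if __name__ == "__main__":
    a, b = demo()
    print(sp_rendering(IDP, "https://sp.example.org/shibboleth", a))
    print(sp_rendering(IDP, "https://other.example.org/shibboleth", b))
```

The salt is what turns the hash from a mere fingerprint of the user attribute into a pseudonym: without it, anyone who knows the SP entity ID and can guess the source attribute value could recompute the ID, which is why idp.persistentId.salt belongs in credentials.properties and must be carried over unchanged from the v2 deployment.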

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  ◦ preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  ◦ deprecates the StoredId data connector and the SAML2NameID attribute definition type
  ◦ in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  ◦ the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  <property name="profileConfigurations">
    <list>
      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
      <ref bean="SAML1.AttributeQuery" />
      <ref bean="SAML1.ArtifactResolution" />
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
      <ref bean="SAML2.ECP" />
      <ref bean="SAML2.Logout" />
      <ref bean="SAML2.AttributeQuery" />
      <ref bean="SAML2.ArtifactResolution" />
    </list>
  </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP: default mapping using the entityID
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> […]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
  <constructor-arg name="g">
    <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
      <constructor-arg name="map">
        <map>
          <entry key="https://sp.example.org/shibboleth" value="example-terms" />
        </map>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg name="f">
    <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
  </constructor-arg>
</bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

Template beans in conf/relying-party.xml to match SPs by
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant.

Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  ◦ GÉANT Data Protection Code of Conduct (CoCo)
  ◦ REFEDS Research & Scholarship
• New attributes available
  ◦ swissEduPersonHomeOrganization
  ◦ swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
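Added example (not part of the SWITCH handout, and not IdP code): before activating a RelyingPartyByTag override like the one above, it is useful to preview which entities in your metadata it would catch. The script reads the EntityAttributes extension of every EntityDescriptor, models each TagCandidate as an attribute Name with accepted values, and applies the "first match wins" rule over an ordered list of overrides. The metadata is constructed after the example on the previous slide; the second override id is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def entity_attributes(entity):
    """Map attribute Name -> set of values, taken only from the
    <mdattr:EntityAttributes> extension (not from role descriptors)."""
    attrs = {}
    for ea in entity.findall("{%s}Extensions/{%s}EntityAttributes" % (MD, MDATTR)):
        for attr in ea.findall("{%s}Attribute" % SAML):
            values = {v.text.strip() for v in attr.findall("{%s}AttributeValue" % SAML) if v.text}
            attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def tag_candidate_matches(attrs, name, values):
    """A TagCandidate (c:name / p:values) matches when the entity carries
    the attribute with at least one of the listed values."""
    return bool(attrs.get(name, set()) & set(values))


def first_matching_override(entity, overrides):
    """overrides: ordered list of (override_id, [(name, values), ...]).
    Returns the id of the first override with a matching candidate, else None,
    mirroring the 'first match wins' rule of shibboleth.RelyingPartyOverrides."""
    attrs = entity_attributes(entity)
    for override_id, candidates in overrides:
        if any(tag_candidate_matches(attrs, n, v) for n, v in candidates):
            return override_id
    return None


def classify_entities(metadata_xml, overrides):
    """entityID -> override id (or None) for every EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): first_matching_override(e, overrides)
            for e in root.iter("{%s}EntityDescriptor" % MD)}


# Constructed metadata, modelled on the slide's example entity.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain.example.net/shibboleth" />
</md:EntitiesDescriptor>"""

# The override from the slide, plus a hypothetical CoCo override after it.
OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty",
     [("urn:oid:2.16.756.1.2.5.1.1.4", ["example.org"])]),
    ("shibboleth.CoCoRelyingParty",
     [("http://macedir.org/entity-category",
       ["http://www.geant.net/uri/dataprotection-code-of-conduct/v1"])]),
]

if __name__ == "__main__":
    for entity_id, override in classify_entities(SAMPLE_METADATA, OVERRIDES).items():
        print(entity_id, "->", override)
```

Point it at /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml (or any other file the IdP loads) to see which SPs would lose the consent prompt; an override that catches more entities than intended is much easier to spot here than in the consent audit log afterwards.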

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp/
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp/:
  ◦ Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  ◦ Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore, in theory, no metadata/Resource Registry change is needed
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation Description
• Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form)
  1, 2: To review
  3: To adapt

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  – Add new IP ranges and Domain Hints
• 5. Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore
    (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore
  (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66
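The trust relationship just described (the SP signs, the IdP verifies against the key published in metadata), as an added shell example that is not code from the handout or from the Shibboleth project. It is a deliberate simplification: openssl produces a detached RSA signature over the raw query bytes instead of an XML Signature, and the metadata file is a constructed minimal SPSSODescriptor with the certificate embedded the way the Resource Registry publishes it. The key, certificate and query content are all generated or constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): the IdP side only needs the
# certificate from the SP's metadata to verify a query the SP signed.
# Requires openssl; everything else is constructed here.

# make_sp_keys DIR: the SP's private key and a self-signed certificate (constructed).
make_sp_keys() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sp.example.org \
        -keyout "$1/sp.key" -out "$1/sp.crt" >/dev/null 2>&1
}

# make_sp_metadata DIR: minimal constructed metadata with the SP certificate
# embedded (only the elements needed for this check).
make_sp_metadata() {
    {
        echo '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
        echo '  <md:SPSSODescriptor><md:KeyDescriptor use="signing">'
        echo '    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        sed '/CERTIFICATE/d' "$1/sp.crt"
        echo '    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
        echo '  </md:KeyDescriptor></md:SPSSODescriptor>'
        echo '</md:EntityDescriptor>'
    } > "$1/sp-metadata.xml"
}

# sp_sign_query DIR QUERYFILE SIGFILE: the SP signs the attribute query with its private key.
sp_sign_query() {
    openssl dgst -sha256 -sign "$1/sp.key" -out "$3" "$2"
}

# idp_verify_query DIR QUERYFILE SIGFILE -> exit 0 only if the signature matches the
# certificate found in the SP's metadata; the IdP never sees the SP's private key.
idp_verify_query() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        awk '/<ds:X509Certificate>/{f=1; next} /<\/ds:X509Certificate>/{f=0} f' "$1/sp-metadata.xml"
        echo '-----END CERTIFICATE-----'
    } | openssl x509 -pubkey -noout > "$1/sp-from-metadata.pub" 2>/dev/null || return 1
    openssl dgst -sha256 -verify "$1/sp-from-metadata.pub" -signature "$3" "$2" >/dev/null 2>&1
}
```

A verification failure (non-zero exit) is exactly what a replayed or modified query produces, which is why the signing key being bound to the metadata is what replaces the old TLS client-certificate check.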

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.

Page 68
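The grep check above, turned into an added shell script that is not part of the SWITCH handout: for every candidate binding on the previous slide it reports the most recent timestamp and the number of hits across all idp-process logs, so an operator has a single answer before removing an endpoint from the Resource Registry. It assumes the default v3 log layout, where each line begins with "YYYY-MM-DD HH:MM:SS,mmm", and the default file names idp-process.log / idp-process-YYYY-MM-DD.log; the sample log lines written by make_sample_logs are constructed and not real IdP output.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): last use of candidate bindings.

# Candidate bindings from the slide (standard SAML binding URNs).
CANDIDATE_BINDINGS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# last_use LOGDIR BINDING -> timestamp of the newest matching log line, or "never".
last_use() {
    logdir=$1
    binding=$2
    # -h drops file names; ISO timestamps sort lexicographically, so tail gives the newest.
    ts=$(grep -h -F "$binding" "$logdir"/idp-process*.log 2>/dev/null \
        | cut -d' ' -f1,2 | sort | tail -n 1)
    if [ -z "$ts" ]; then
        echo never
    else
        echo "$ts"
    fi
}

# usage_count LOGDIR BINDING -> number of log lines mentioning the binding.
usage_count() {
    grep -h -F "$2" "$1"/idp-process*.log 2>/dev/null | wc -l | tr -d ' '
}

# report LOGDIR -> one summary line per candidate binding.
report() {
    for b in $CANDIDATE_BINDINGS; do
        printf '%-58s last use: %s (%s lines)\n' "$b" "$(last_use "$1" "$b")" "$(usage_count "$1" "$b")"
    done
}

# make_sample_logs DIR: constructed sample logs so the script can be tried offline.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/idp-process-2015-03-02.log" <<'EOF'
2015-03-02 08:15:01,101 - INFO [net.shibboleth.idp.profile:123] - SAML2 SSO via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2015-03-02 09:40:12,222 - INFO [net.shibboleth.idp.profile:123] - SAML1 AttributeQuery via urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp.example.org/shibboleth
EOF
    cat > "$1/idp-process-2015-05-20.log" <<'EOF'
2015-05-20 17:02:44,333 - INFO [net.shibboleth.idp.profile:123] - SAML2 SSO via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
EOF
}

# Usage on a real IdP: sh endpoint-usage.sh /opt/shibboleth-idp/logs
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Because the script only looks at the logs still on disk, the answer is only as old as the log retention; if idp-process logs are rotated away after a few weeks, check the archived copies too before concluding "never".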

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (architecture diagrams, slides 5 and 6)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75
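The rotate-on-one-node-and-copy procedure above, as an added shell example that is neither the handout's nor the Shibboleth wiki's cronjob script. It adds the check a cluster operator wants after every rotation: that all nodes really hold the same keystore and key version, because a node with a stale key silently fails to decrypt the session cookies of users that logged in on another node. Assumptions not stated on the slide: the v3 default paths credentials/sealer.jks and credentials/sealer.kver, the bin/seckeygen.sh tool shipped with the IdP and its --storefile/--storepass/--versionfile/--alias options, the idp.sealer.storePassword property in idp.properties, a "CurrentVersion=N" line in sealer.kver, and SSH/scp access between the nodes. The keystore bytes and version files used in the consistency check are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout or the Shibboleth project):
# rotate the cookie-encryption ("sealer") key on the generating node, copy it
# to the other nodes, and verify that all nodes agree.

IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
SEALER_JKS=$IDP_HOME/credentials/sealer.jks
SEALER_KVER=$IDP_HOME/credentials/sealer.kver

# sealer_password: read the keystore password from idp.properties rather than
# hard-coding it here (assumes the idp.sealer.storePassword property).
sealer_password() {
    sed -n 's/^idp\.sealer\.storePassword *= *//p' "$IDP_HOME/conf/idp.properties"
}

# rotate_key: generate the next key version with the IdP's own tool (assumed options).
rotate_key() {
    "$IDP_HOME/bin/seckeygen.sh" \
        --storefile "$SEALER_JKS" --storepass "$(sealer_password)" \
        --versionfile "$SEALER_KVER" --alias secret
}

# distribute_key NODE...: copy keystore and version file to every other node.
distribute_key() {
    for node in "$@"; do
        scp -q "$SEALER_JKS" "$SEALER_KVER" "$node:$IDP_HOME/credentials/" || return 1
    done
}

# file_digest FILE -> SHA-256 hex digest (sha256sum on Linux, shasum elsewhere).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# key_version DIR -> the CurrentVersion value in DIR/sealer.kver (assumed format).
key_version() {
    sed -n 's/^CurrentVersion=//p' "$1/sealer.kver"
}

# keys_consistent DIR... -> exit 0 if every directory holds the same keystore
# (by digest) and the same version; otherwise name each odd one out and exit 1.
# On a cluster, point the DIRs at copies fetched from each node (e.g. via scp).
keys_consistent() {
    ref_sum=$(file_digest "$1/sealer.jks")
    ref_ver=$(key_version "$1")
    status=0
    for d in "$@"; do
        sum=$(file_digest "$d/sealer.jks")
        ver=$(key_version "$d")
        if [ "$sum" != "$ref_sum" ] || [ "$ver" != "$ref_ver" ]; then
            echo "key mismatch in $d (version $ver, expected $ref_ver)" >&2
            status=1
        fi
    done
    return $status
}

# Typical cron use on the generating node:
#   rotate_key && distribute_key idp2.example.org idp3.example.org
```

Run the rotation before the other nodes expire their copy of the previous key; the IdP keeps old key versions in the keystore so that cookies sealed with the previous version still decrypt during the hand-over.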

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map: Production / Pilot). Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
• Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (slide 14: metadata example, figure)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

(Diagram: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes

Page 87
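Entity categories only help an IdP if its operator can see which SPs actually carry the tag. As an added shell example (not from the handout or the SWITCH Resource Registry), the script below lists the entityIDs in a SAML metadata file that are tagged with R&S or with the DP CoCo, the two categories compared above; it is the same check an IdP admin can run against the interfederation SP metadata file mentioned later in this handout before writing a category-based release rule. It assumes the standard entity-category attribute name http://macedir.org/entity-category, the category URI http://refeds.org/category/research-and-scholarship for R&S and the CoCo URI from the slide, and the md:/mdattr:/saml: prefixes used in the constructed sample metadata (which is not real eduGAIN data).

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): which SPs carry which entity category.

RS_URI=http://refeds.org/category/research-and-scholarship
COCO_URI=http://www.geant.net/uri/dataprotection-code-of-conduct/v1

# entities_in_category FILE URI -> sorted entityIDs of EntityDescriptors whose
# entity-category attribute carries a value equal to URI. Values of the
# separate entity-category-support attribute (IdP side) are ignored.
entities_in_category() {
    awk -v uri="$2" '
        /<md:EntityDescriptor/ {
            match($0, /entityID="[^"]*"/)
            id = substr($0, RSTART + 10, RLENGTH - 11)
            in_cat = 0
        }
        /http:\/\/macedir.org\/entity-category"/ { in_cat = 1 }
        in_cat && index($0, ">" uri "<") { print id }
        /<\/saml:Attribute>/ { in_cat = 0 }
    ' "$1" | sort -u
}

# category_report FILE -> human-readable summary for both categories.
category_report() {
    echo "R&S SPs:";  entities_in_category "$1" "$RS_URI"
    echo "CoCo SPs:"; entities_in_category "$1" "$COCO_URI"
}

# sample_metadata -> constructed aggregate on stdout: sp-a is R&S, sp-b is R&S and
# CoCo, sp-c has no category, and idp-x only *supports* R&S (must not be listed).
sample_metadata() {
    cat <<'EOF'
<md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
    <md:SPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-x.example.org/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
EOF
}

# Usage against a real aggregate: category_report /opt/shibboleth-idp/metadata/<file>.xml
```

The line-oriented awk scan is adequate for aggregates produced by federation tooling, where each element sits on its own line; for arbitrary XML use a real parser, because a value split across lines or an attribute quoted with single quotes would be missed.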

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Page 88

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change them if required, e.g.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note that the SMTPAppender's default evaluator only sends a mail when an ERROR-level event arrives (the preceding events are buffered into that mail), so the DEBUG root level does not mean every debug message is mailed.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   – change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. Edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96
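The curl-based reload recommended above, written out as an added shell example that is not a script from the handout or the Shibboleth project. It rejects bean IDs that are not in the list on the previous slide before any request is made, fails loudly when the IdP does not answer HTTP 200 (a syntax error in the reloaded file leaves the old configuration active and the reason in idp-process.log), and afterwards counts the reload records in idp-audit.log, which is where an operator confirms that the reload really happened. Assumptions: the IdP base URL (a placeholder), that the script runs on the IdP host itself (where access to the reload flows is allowed by default), that curl is installed, that the reload-service flow answers HTTP 200 on success, and that audit records carry the profile URIs exactly as shown on the later hands-on slide; the audit lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): reload a service and confirm it.

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}

# Service bean IDs from the slide; anything else is rejected up front.
KNOWN_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# known_service ID -> exit 0 if ID is one of the reloadable services above.
known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# reload_url KIND ID -> admin flow URL; KIND is "service" or "metadata".
reload_url() {
    echo "$IDP_BASE/profile/admin/reload-$1?id=$2"
}

# reload_service ID -> 0 on HTTP 200, 1 on any other response, 2 on unknown ID.
reload_service() {
    if ! known_service "$1"; then
        echo "unknown service bean id: $1" >&2
        return 2
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url service "$1")")
    if [ "$code" != 200 ]; then
        echo "reload of $1 failed with HTTP $code; see idp-process.log for the cause" >&2
        return 1
    fi
    echo "reload of $1 succeeded"
}

# reload_events AUDITLOG -> number of reload-service and reload-metadata audit records.
reload_events() {
    grep -c -E 'http://shibboleth\.net/ns/profiles/reload-(service-configuration|metadata)' "$1" || true
}

# Usage: reload_service shibboleth.AttributeFilterService
#        reload_events /opt/shibboleth-idp/logs/idp-audit.log
```

Keeping the list of known bean IDs in the script also gives a place to document, per service, which files it covers (see the previous slide), which is the question most often asked when a reload "worked" but the edited file was not the one that service reads.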

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
    • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      – If YES: the SP has to check why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

Page 38

Deprecated items

• Principal connectors
• NameID encoders
• Transient identifier attribute definitions
• Persistent identifier data connectors and attribute definitions

All replaced by NameID generation/consumption, see next presentation.


New features in version 3

• Property replacement: %{my.property}
  • Move passwords into a dedicated file
  • Extract duplicated data like URLs
• Can split configuration into several files
• External Spring configuration for data connectors
• Activation conditions on attribute encoders, attribute definitions and data connectors


New features example:

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>


Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID
  SAP User ID used internally by University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

(source: Resource Registry)


Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>


Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry too.


Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>


ScriptedAttribute differences

• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt


Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlementgroups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlementcommon-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlementgroups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>


References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide


Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch


Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend


Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
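The following is an added example (not code from the handout or from the Shibboleth IdP) that computes a persistent ID from the three inputs named above, checks its shape, and renders and parses the SP's string form. It assumes the '!' separators used by the IdP's ComputedId strategy, which the slide does not spell out; the entity IDs are the slide's example values and the salt and user value are constructed.

```python
import base64
import binascii
import hashlib
import hmac

# Added example, not code from the handout or from the Shibboleth IdP.
# Assumption: the three inputs are joined with '!' separators before hashing,
# as in the IdP's ComputedId strategy; the slide only names the inputs and
# the SHA-1 / Base64 output. Entity IDs are the slide's example values.
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over sp_entity_id!source_value!salt, Base64 encoded (20 bytes -> 28 chars)."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def is_well_formed(persistent_id):
    """True if the value decodes to exactly the 20 bytes of a SHA-1 digest."""
    if len(persistent_id) != 28:
        return False
    try:
        return len(base64.b64decode(persistent_id, validate=True)) == 20
    except (binascii.Error, ValueError):
        return False


def verify_persistent_id(sp_entity_id, source_value, salt, claimed):
    """Constant-time check that a claimed ID matches the (SP, user, salt) triple."""
    expected = computed_persistent_id(sp_entity_id, source_value, salt)
    return hmac.compare_digest(expected, claimed)


def sp_attribute_string(idp_entity_id, sp_entity_id, persistent_id):
    """Render the value as the Shibboleth SP does: NameQualifier!SPNameQualifier!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def parse_sp_attribute_string(rendered):
    """Split the SP string form back into (idp, sp, value); '!' cannot occur in Base64."""
    parts = rendered.split("!")
    if len(parts) != 3 or not is_well_formed(parts[2]):
        raise ValueError("expected NameQualifier!SPNameQualifier!<Base64 SHA-1>")
    return tuple(parts)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"   # constructed for the demo; a real salt stays secret
    user = "u123@example.org"         # constructed source attribute value
    pid = computed_persistent_id(SP_ENTITY_ID, user, salt)
    other = computed_persistent_id("https://other-sp.example.org/shibboleth", user, salt)
    print(sp_attribute_string(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    # targeted: the same user gets an unrelated value at every other SP
    print("differs per SP:", pid != other)
```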


Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes


Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)


Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump


(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table


User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits


User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options: configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration: configured by Java properties in conf/idp.properties

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: configured by Java properties in messages/consent-messages.properties

• Terms for each SP
  • Default mapping using the entityID:
      https://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> [...]
  • Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping: configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
          c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU. We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution

• Add text in messages/consent-messages.properties:
    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes:

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now!

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata!

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs. IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form): sections 1 and 2 to review, section 3 to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: add new IP ranges and Domain Hints
• 5. Contacts: please ensure only non-personal email addresses are listed. Ideally, also add helpdesk phone numbers.
• 7. Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
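As an added example (not code from the handout), the same check done as parsing rather than a bare grep: it reads constructed idp-process-style lines, keeps the latest use of the SAML1 SOAP binding per SP, and flags whether the endpoint is still in use within a chosen window. The log line layout is an assumption for the demo, not real IdP output.

```python
import re
from datetime import datetime, timedelta

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# Constructed sample lines in a simplified, idp-process.log-like layout (not
# real IdP output): timestamp, level, then a message naming binding and SP.
SAMPLE_LOG = """\
2015-01-12 08:03:41,120 - INFO [sample] - SAML1/AttributeQuery via binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relyingParty https://sp-old.example.org/shibboleth
2015-02-20 17:45:02,007 - INFO [sample] - SAML2/SSO via binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relyingParty https://sp-new.example.org/shibboleth
2015-03-02 10:14:05,311 - INFO [sample] - SAML1/AttributeQuery via binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relyingParty https://sp-old.example.org/shibboleth
2015-06-01 09:00:00,000 - INFO [sample] - SAML1/ArtifactResolution via binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relyingParty https://sp-legacy.example.org/shibboleth
"""

# Assumed line layout: "<date> <time>,<millis> - <level> [...] - ... binding <uri> for relyingParty <entityID>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"binding (?P<binding>\S+) for relyingParty (?P<sp>\S+)\s*$"
)


def parse_timestamp(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' prefix used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def last_use_by_sp(log_text, binding):
    """Latest timestamp per SP at which the given binding URI appears."""
    last = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("binding") != binding:
            continue
        ts = parse_timestamp(m.group("ts"))
        sp = m.group("sp")
        if sp not in last or ts > last[sp]:
            last[sp] = ts
    return last


def endpoint_removal_report(log_text, binding, now=None, max_age_days=90):
    """Which SPs used the binding recently, and whether removal looks safe."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=max_age_days)
    last = last_use_by_sp(log_text, binding)
    recent = sorted(sp for sp, ts in last.items() if ts >= cutoff)
    return {"last_use": last, "recent_users": recent, "safe_to_remove": not recent}


if __name__ == "__main__":
    rep = endpoint_removal_report(SAMPLE_LOG, SAML1_SOAP,
                                  now=parse_timestamp("2015-06-11 00:00:00"))
    for sp, ts in sorted(rep["last_use"].items()):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {sp}")
    print("still used within 90 days:", rep["recent_users"])
    print("safe to remove:", rep["safe_to_remove"])
```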

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagram only, two slides)

Options

• Full-featured setup: load balancing hardware vs. DNS round robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options bull  Data storage client-side vs server-side  Server-side database can store any data

bull But Might cause some performance penalty bull Centralizedclustered or replicated database required

  Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers

There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution

8

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team aaiswitchch

Interfederation Option What to consider before enabling an IdP for Interfederation

copy 2015 SWITCH

Why Interfederation bull  Most Federations are of national scope

bull  Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations

bull  Research projects are mostly multi-national

bull  Interconnecting national federations Interfederation

Register the IdP or SP in only one federation and enable it for interfederation bull  Enable the IdP for interfederation

Its users will be able to access services from other federations bull  Enable the SP for interfederation

The service can serve users from other federations


All Academic Identity Federations Globally

(World map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service.

• eduGAIN design principles:
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure

• Status June 2015: IdPs: 1257, SPs: 963

http://www.edugain.org

https://technical.edugain.org/status.php


Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation /        eduPerson    staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

(Screenshot of the Resource Registry; see https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust.

• SPs and IdPs of participating federations should opt in for eduGAIN.

• Some federations decided for opt-out instead.

• The MDS (eduGAIN metadata service) fetches, aggregates and republishes metadata.

Policy framework (diagram): eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile.

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline

• Entity category

• GÉANT Data Protection Code of Conduct (CoCo)

• REFEDS Research & Scholarship (R&S)

• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category.

• Requires a specification for internationally coherent use.

• Criteria: purpose, policies, or other.

• In the interfederation context: filling the gap of missing common policies; supporting or increasing scalable trust.

Metadata (diagram)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives.

• The SP has to provide a Privacy Policy (in English, according to the guideline).

• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale.

Goal: increase the trust in Service Providers (SPs). (Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment.)

Code of Conduct Toolkit:

• Data Protection Code of Conduct for SPs in EU/EEA

• Entity category attribute definition for the Code of Conduct

• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:

• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:

• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1

https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home

Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  – Research & scholarship interaction
  – Collaboration
  – Management

• No SPs from publishers

• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation

• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

(Screenshot)

Attribute Release Settings (1)

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

(Screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

• error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")

• access.log: aai-login.example.org.access.log

• Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat. Default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties: the FileHandler.level entries, INFO by default (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL).

• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)). Default logging location: /var/log/tomcat7/. Config: /etc/tomcat7/server.xml (output dir and name).

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html

• Reloadability: log level change without restarting the IdP. Entry in services.properties: idp.service.logging.checkInterval = PT5M

• Automatic e-mail alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/

• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml. Three main classes: Logger, Appender (output destination) and Layout.

• Default settings are usually OK. Change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…

• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR

• Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

Note that the SMTPAppender only sends a mail when an event of level ERROR arrives (together with the events buffered before it), so the DEBUG level of the root logger does not mean one e-mail per log message.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):

     <Listener className="org.apache.catalina.filter" />

2. Restart Tomcat.

3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.

4. Remove the listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf/

2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)

3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:

     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>

4. Restart Tomcat and log in to the IdP (AAI Demo Service).

5. Look at idp-process.log and find the log entries from [org.ldaptive.auth.Authenticator:284] and [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]

6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)

• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).

• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check.

New reloading options with v3

• Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id

• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml.

• Reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml

• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).

• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward.

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)

• shibboleth.AttributeFilterService: attribute filter reload

• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)

• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file

• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml

• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml

• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages.
  – Edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately.
  – Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2.

Still requiring a restart with v3

• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)

• Changes to global.xml (SQL data source, HTTP client settings)

• Changes to the authentication configuration, such as LDAP parameters etc.

• Changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)

• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely.

(Ideas for) hands-on exercises

• Try reloading a couple of the services listed on the "Available bean IDs for service reloads" slide (slide 4):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…

• Check what happens when specifying invalid bean IDs.

• Insert a syntax error into a configuration file and try reloading the corresponding service.

• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?

• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
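To run the reload exercises from one place, here is an added example (not from the SWITCH handouts) that drives the admin reload flows described above: it builds the reload-service / reload-metadata URLs, rejects bean IDs that are not on the documented list before touching the IdP, and reports the HTTP status and body of each call. The base URL is the slide's example host, and the script must run from a host permitted by access-control.xml (localhost by default); what the IdP writes into the response body is not quoted on the page, so the script only prints it.

```python
"""Added example, not the SWITCH or Shibboleth project's own code: call the IdP v3
admin reload flows and check the result.

Assumptions: IDP_BASE is the example host from the slides; the reload flows are
reachable from where this runs (localhost by default); the response body text
is whatever the IdP returns and is printed, not interpreted.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

IDP_BASE = "https://aai-login.example.org/idp"

# Bean IDs from the "Available bean IDs for service reloads" slide.
SERVICE_IDS = (
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
)


def reload_url(kind: str, bean_id: str, base: str = IDP_BASE) -> str:
    """Build the admin flow URL; kind is 'service' (bean id) or 'metadata' (md-id)."""
    if kind not in ("service", "metadata"):
        raise ValueError("kind must be 'service' or 'metadata', got %r" % kind)
    query = urllib.parse.urlencode({"id": bean_id})
    return "%s/profile/admin/reload-%s?%s" % (base, kind, query)


def check_service_id(bean_id: str) -> bool:
    """True when the id is one of the documented reloadable services.
    Unknown ids (e.g. shibboleth.MessageSourceResources) are rejected up front."""
    return bean_id in SERVICE_IDS


def fetch(url: str, timeout: float = 30.0) -> tuple:
    """GET the URL and return (http_status, body_text), also for 4xx/5xx answers."""
    req = urllib.request.Request(url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload_service(bean_id: str, base: str = IDP_BASE) -> tuple:
    """Reload one service; raises ValueError for an id not on the documented list."""
    if not check_service_id(bean_id):
        raise ValueError("unknown service bean id: %s" % bean_id)
    return fetch(reload_url("service", bean_id, base))


def reload_metadata(md_id: str, base: str = IDP_BASE) -> tuple:
    """Reload one metadata provider; md-ids come from metadata-provider-*.xml."""
    return fetch(reload_url("metadata", md_id, base))


if __name__ == "__main__":
    # Usage: reload.py [bean-id ...]; without arguments every documented service is reloaded.
    for bean in sys.argv[1:] or SERVICE_IDS:
        status, body = reload_service(bean)
        print("%-45s HTTP %s  %s" % (bean, status, body.strip()))
```

After a reload attempt, idp-process.log is where the cause of a failure (for instance a syntax error in the reloaded file) shows up; the audit log only records that a reload event happened.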

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai

• Understand what is different regarding: opt-in vs. opt-out, metadata, Discovery Service, attributes

• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate.
  – Once the configuration is up to date:
    – interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  – Federation announces a flag day for enabling interfederation.
  – IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet.
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.

2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.

3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata.
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  – Opt-out federations integrate all entities into a single metadata file.

• Propagation speed of metadata changes: in SWITCHaai two hours; for interfederation one to a few days.

• Possible issue: the SP does not load interfederation metadata, so the SP does not know the IdP and fails.

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP.

• An SP needs a DS that knows the appropriate set of IdPs.

• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.

• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems.

• Check the SP's attribute requirements in the Resource Registry.

• Verify that attributes were released (in the IdP's audit log):
  – If NO: check your IdP's attribute release policy.
  – If YES: were all required attributes released?
    – If YES: the SP has to check out why it fails.
    – If NO: review your attribute release policy.

• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list".
  – Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – Or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names.

• Additional web pages of interest:
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org/

Troubleshooting interfederated entities

• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch/, pick "Search for resources", then pick "interfederation".

• Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml

• Contact the SWITCHaai Team: aai@switch.ch


New features example:

  <resolver:DataConnector id="myStoredId" xsi:type="dc:StoredId"
      generatedAttributeID="persistentID"
      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
      salt="%{idp.persistentId.salt}"
      queryTimeout="0">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <dc:BeanManagedConnection>shibboleth.PostgreSQLDataSource</dc:BeanManagedConnection>
  </resolver:DataConnector>

Hands-on 1: Add a new local attribute definition and release it to the attribute viewer

UZH SAP user ID: SAP User ID used internally by the University of Zürich
  SAML1 Name: urn:mace:unizh.ch:uzhSapUserId
  SAML2 Name: urn:oid:1361411181711213
  Friendly name: uzhSAPUserId
  Format: SAP-<username>

Source: Resource Registry

Hands-on 1 solution: attribute-resolver-local.xml

New file with:

  <resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

  <afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

Doable in the Resource Registry, too.

Hands-on 1 solution: services.xml

Loads both new files:

  <util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
  </util:list>

  <util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
  </util:list>

ScriptedAttribute differences

• IdP API for scripts has changed:
  – output attribute variable already created
  – setValues() removed
  – and more, see ScriptedAttributeDefinition for details

• Alternatives: mapped or template attribute definitions

• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass>, using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

  <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
      sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
  </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
  </resolver:AttributeDefinition>

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages

• Shibboleth wiki: AttributeFilterConfiguration

• Shibboleth wiki: ScriptedAttributeDefinition

• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• A persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]

• Introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."

• First implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database.

• Configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend.

Persistent IDs in practice

• On the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>

• Attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=

• By default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded).

• When used in a federation, it is always qualified by the IdP and SP entity IDs.
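The computation the third bullet describes, as an added example in Python (not code from the handouts or from the Shibboleth project): it recomputes the Base64-encoded SHA-1 value for a user at one SP, renders and parses the idp!sp!value string the SP exposes, and shows why the salt and the SP entity ID make the value pairwise. The '!' separators between the hash inputs follow the Shibboleth computed-ID implementation as far as I know and are an assumption here; the salt, user value and entity IDs are constructed sample data.

```python
"""Added example, not the SWITCH or Shibboleth project's own code: recompute a
Shibboleth-style persistent ID (SHA-1 over SP entity ID, user attribute value
and salt, Base64 encoded, 20 bytes before encoding).

Assumption: the three inputs are joined with '!' as in the IdP's computed-ID
strategy; sample entity IDs, the user value and the salt are constructed.
"""
import base64
import hashlib

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"   # from the slide
SP_ENTITY_ID = "https://sp.example.org/shibboleth"               # from the slide


def compute_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Return the Base64 SHA-1 persistent ID of one user (source_value) at one SP."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")                       # assumed separator
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")                       # assumed separator
    digest.update(salt.encode("utf-8"))       # the salt goes in last
    # Without the secret salt, anyone knowing the (public) SP entity ID and a
    # username could recompute the pseudonym and link it to the person.
    return base64.b64encode(digest.digest()).decode("ascii")


def decode_persistent_id(persistent_id: str) -> bytes:
    """Undo the Base64 layer; the result is the raw 20-byte SHA-1 digest."""
    return base64.b64decode(persistent_id)


def render_sp_attribute(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """Rendering as the Shibboleth SP exposes it: idp!sp!value (as on the slide)."""
    return "!".join([idp_entity_id, sp_entity_id, persistent_id])


def parse_sp_attribute(rendered: str) -> tuple:
    """Split a rendered value back into (idp, sp, persistent_id).
    Entity IDs and Base64 never contain '!', so a plain split is unambiguous."""
    parts = rendered.split("!")
    if len(parts) != 3:
        raise ValueError("expected idp!sp!value, got %d parts" % len(parts))
    return tuple(parts)


def is_pairwise(source_value: str, salt: str, sp_a: str, sp_b: str) -> bool:
    """True when the same user gets different IDs at two SPs (targeted property):
    two SPs cannot correlate the user by comparing the values they receive."""
    return (compute_persistent_id(sp_a, source_value, salt)
            != compute_persistent_id(sp_b, source_value, salt))


if __name__ == "__main__":
    salt = "constructed-sample-salt"         # constructed; real value is idp.persistentId.salt
    pid = compute_persistent_id(SP_ENTITY_ID, "123456@example.org", salt)
    print(render_sp_attribute(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
```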

Persistent ID changes with the IdP v3

• No disruptive ones, but a couple of things have happened behind the scenes.

• Most importantly, the IdP v3 brings a new dedicated NameID generation service:
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• Configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder

• To enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml.

• To support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml.

• Finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration).

Retaining persistent IDs from your v2 IdP

• The database schema for the shibpid table remains unchanged.

• When setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS).

• "Transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql

• Make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump.

(Some ideas for) hands-on exercises

• Examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;

• Delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP).

• Dump the shibpid table to a file, purge the table with truncate, and reimport the records.

• Log in to your v2 [test] IdP, figure out the current number of shibpid records, and make a dump of that table.

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3

Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in

• Inspired by the uApprove and uApproveJP plugins for v2

• No consent data migration: the storage implementations are not compatible

• May be enabled or disabled per relying party and per profile

• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]

• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]

• No regular expression for SP white/black lists

• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2

• Required by the SWITCHaai Interfederation Access Declaration

• Inform users about what personal data is transmitted, in a more real-time fashion

• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP

• Global consent disabled: users cannot choose "I don't care about my privacy"

• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended

• Outside your organisation: good, fewer clicks

• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:

• Attribute consent [enabled]

• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release]

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration: configured by Java properties in conf/idp.properties

Consent duration options:

• Ask me again if information changes: always available to users

• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]

• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]

• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except black list]

• White list [empty]: when filled, any attribute not mentioned in a list is released without asking

• Black list [transientId, persistentId, eduPersonTargetedID]

• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP: default mapping using the entityID. Note that ':' terminates a key in the Java properties format, so the colon in the entityID must be escaped with a backslash; otherwise the key is read as "https" and the SP silently falls back to the default terms.

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

Other mappings are configurable, but the key is still the entityID (a default value is available).

Page 53

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>
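The following Python script is an added example, not code from the SWITCH slides or from the Shibboleth project. It re-implements the key-parsing rules of java.util.Properties (the format behind messages/consent-messages.properties) for a constructed sample file and resolves an entityID to its terms of use the way the compose/forMap bean above does, default key included. It shows what goes wrong when the colon in the entityID key is left unescaped: the SP silently receives the default terms. The sample file contents, SP names and message keys other than terms-of-use are assumptions for the example; run load_properties() over your own consent-messages.properties to check that every entityID you expect is present as a key.

```python
"""Added example (not from the SWITCH slides or the Shibboleth project):
resolve which terms-of-use text an SP gets, using the key-parsing rules of
java.util.Properties, which Spring applies when it loads
messages/consent-messages.properties.  Only a subset of the Properties
grammar is implemented (comments, continuation lines, key terminators and
backslash escapes); the sample file contents below are constructed."""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s: str) -> str:
    """Resolve backslash escapes the way Properties.load does (\\:, \\=, \\uXXXX, ...)."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _continues(line: str) -> bool:
    """A logical line continues when it ends in an odd number of backslashes."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def _split_key(line: str):
    """The key ends at the first unescaped '=', ':' or whitespace character."""
    i, n = 0, len(line)
    while i < n:
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=: \t":
            break
        i += 1
    key = line[:i]
    while i < n and line[i] in " \t":
        i += 1
    if i < n and line[i] in "=:":  # one separator is optional after the key
        i += 1
        while i < n and line[i] in " \t":
            i += 1
    return key, line[i:]


def load_properties(text: str) -> dict:
    """Parse properties text into {key: value} with Java's key/value rules."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while _continues(line) and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        key, value = _split_key(line)
        props[_unescape(key)] = _unescape(value)
    return props


def resolve_terms(props: dict, entity_id: str, default_key: str = "terms-of-use"):
    """Mirror Functions.compose(Functions.forMap(map, defaultValue), relyingPartyIdLookup):
    entityID -> message key (default when the SP has no entry) -> (title, text)."""
    key = props.get(entity_id, default_key)
    return props.get(key + ".title"), props.get(key + ".text")


# Constructed sample: the colon in the entityID key is not escaped, so
# Properties.load() stops the key at "https" and the SP never gets its own terms.
UNESCAPED = """\
https://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em>
terms-of-use.title = Default Terms of Use
terms-of-use.text = Shown when no SP-specific mapping exists
"""
# Same content with the colon escaped, as the properties format requires.
ESCAPED = UNESCAPED.replace("https://sp", "https\\://sp")

if __name__ == "__main__":
    sp = "https://sp.example.org"
    print("unescaped key:", resolve_terms(load_properties(UNESCAPED), sp))
    print("escaped key:  ", resolve_terms(load_properties(ESCAPED), sp))
```

With the unescaped file the SP gets the default terms and nothing in the IdP logs tells you why; with the escaped key it gets "Example Terms of Use".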

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: relying party overrides

Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant.

Disabling the prompt for particular SPs: entity attributes in metadata

Entity categories:
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship

New attributes available:
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the consent flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4"
                          p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

The profile beans are referenced without a postAuthenticationFlows property, so neither consent flow runs for SPs matched by the tag.
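Before deploying such an override it is worth knowing which SPs in the metadata it will catch, and that the order of overrides decides the outcome for an SP that matches several of them. The Python script below is an added example, not IdP code or SWITCH material: it parses <mdattr:EntityAttributes> from a constructed metadata aggregate and applies the first-match rule of shibboleth.RelyingPartyOverrides. The matching rule encoded here (a TagCandidate matches when the entity carries the named attribute with every listed value; an override applies when any of its candidates matches) is an assumption about the IdP's EntityAttributesPredicate and should be checked against the wiki for your IdP version; the entityIDs and the bean ID shibboleth.RandSRelyingParty are hypothetical.

```python
"""Added example (not from the slides or the IdP code base): check which SPs
in a metadata file a RelyingPartyByTag override would catch, and show that the
order of overrides matters.  Matching rule assumed here: a candidate matches
when the entity carries the named entity attribute with every value the
candidate lists; an override applies when any of its candidates matches.
The metadata and all bean IDs except shibboleth.NoUserConsentRelyingParty
are constructed for the example."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization
DEFAULT_RP = "shibboleth.DefaultRelyingParty"


def entity_attributes(entity) -> dict:
    """<mdattr:EntityAttributes> of one EntityDescriptor as {Name: [values]}."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def candidate_matches(attrs: dict, name: str, values) -> bool:
    """TagCandidate semantics as assumed: attribute present with all listed values."""
    present = attrs.get(name)
    return present is not None and all(v in present for v in values)


def first_matching_override(attrs: dict, overrides) -> str:
    """overrides: ordered [(bean id, [(attribute name, [values]), ...]), ...].
    First match wins, like the order of shibboleth.RelyingPartyOverrides."""
    for bean_id, candidates in overrides:
        if any(candidate_matches(attrs, name, vals) for name, vals in candidates):
            return bean_id
    return DEFAULT_RP


def classify(metadata_xml: str, overrides) -> dict:
    """entityID -> (relying party bean that will handle it, its entity categories)."""
    result = {}
    for entity in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = entity_attributes(entity)
        result[entity.get("entityID")] = (
            first_matching_override(attrs, overrides),
            frozenset(attrs.get(ENTITY_CATEGORY, [])),
        )
    return result


def _entity(entity_id: str, attributes) -> str:
    """Build a constructed EntityDescriptor carrying the given entity attributes."""
    body = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        % (name, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in vals))
        for name, vals in attributes
    )
    ext = ("<md:Extensions><mdattr:EntityAttributes>%s</mdattr:EntityAttributes></md:Extensions>"
           % body) if attributes else ""
    return '<md:EntityDescriptor entityID="%s">%s</md:EntityDescriptor>' % (entity_id, ext)


# Constructed aggregate: a CoCo SP of another home organisation, an R&S SP run
# by example.org itself, and an SP without any entity attributes.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s">'
    % (NS["md"], NS["mdattr"], NS["saml"])
    + _entity("https://coco-sp.example.org/shibboleth",
              [(ENTITY_CATEGORY, [COCO_V1]), (HOME_ORG, ["switch.ch"])])
    + _entity("https://inhouse-sp.example.org/shibboleth",
              [(ENTITY_CATEGORY, [RS]), (HOME_ORG, ["example.org"])])
    + _entity("https://plain-sp.example.org/shibboleth", [])
    + "</md:EntitiesDescriptor>"
)

# The override from the slide: no consent flows for SPs of home organisation example.org.
NO_CONSENT = ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG, ["example.org"])])
# Hypothetical second override keyed on the R&S entity category.
RS_OVERRIDE = ("shibboleth.RandSRelyingParty", [(ENTITY_CATEGORY, [RS])])

if __name__ == "__main__":
    for eid, (rp, cats) in classify(SAMPLE_METADATA, [NO_CONSENT]).items():
        print(eid, "->", rp, sorted(cats))
    inhouse = "https://inhouse-sp.example.org/shibboleth"
    # same SP, different winner once the order of the overrides is swapped
    print(classify(SAMPLE_METADATA, [RS_OVERRIDE, NO_CONSENT])[inhouse][0])
    print(classify(SAMPLE_METADATA, [NO_CONSENT, RS_OVERRIDE])[inhouse][0])
```

Point the script at the aggregate your IdP actually consumes (the file your metadata provider writes to its backup location) rather than at a hand-written file, so that the check covers the entity attributes the IdP will really see.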

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References

Documentation:
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

Its SAML2 metadata.

Page 62

Does the metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata might still cause some minor changes.

Page 63

IdPv2 vs IdPv3 metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2); therefore no metadata/Resource Registry change is needed in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description

[Screenshot of the Resource Registry form: items 1 and 2 are to review, item 3 is to adapt]

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or separate IP for the IdP Attribute Authority (AA)

Page 65

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata. Origin and integrity of the query thus rest on the XML signature, while the server-authenticated TLS connection on port 443 protects the confidentiality of the exchange.

Page 66

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
    https://aai-login.example.org:8443/idp/...   or   https://aai-aa.example.org/idp/...
to
    https://aai-login.example.org/idp/...

3. Remove unnecessary endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove unnecessary endpoints

How to check if a profile and binding can be removed: check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used: check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns information (i.e. time, SP) on when the binding was last used.
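The grep above answers the question for one binding. The Python script below is an added example (not from the slides) that turns it into a report over constructed idp-process.log lines: last use per binding and the list of bindings unused since a cut-off date. It also avoids a pitfall of the plain grep: a search for the HTTP-POST binding URN also hits HTTP-POST-SimpleSign unless the match is anchored. The log lines, logger names and message texts are constructed for the example; only the timestamp prefix (the IdP's default layout) and the binding URN inside the message are relied upon.

```python
"""Added example (not from the slides): decide which SAML bindings can be
dropped from the Resource Registry by looking at when they were last seen in
idp-process.log.  The log lines below are constructed for this example; the
logic only relies on the leading timestamp and on the binding URN occurring
somewhere in the message."""
from datetime import datetime, timedelta
import re

BINDINGS = {
    "SAML1 SOAP":            "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SAML2 SOAP":            "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "SAML2 HTTP-POST":       "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "SAML2 POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML2 HTTP-Redirect":   "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}
# A plain substring search for HTTP-POST would also hit HTTP-POST-SimpleSign,
# so each URN only matches when it is not followed by another URN character.
_PATTERNS = {label: re.compile(re.escape(urn) + r"(?![\w-])") for label, urn in BINDINGS.items()}
_TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def binding_usage(lines):
    """{label: (hits, first seen, last seen)} over an iterable of log lines.
    Lines without a timestamp (stack traces, wrapped messages) are skipped."""
    usage = {}
    for line in lines:
        m = _TIMESTAMP.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for label, pattern in _PATTERNS.items():
            if pattern.search(line):
                hits, first, last = usage.get(label, (0, ts, ts))
                usage[label] = (hits + 1, min(first, ts), max(last, ts))
    return usage


def removable(usage, now, max_age_days=90):
    """Bindings never seen, or last seen before the cut-off, are candidates for removal.
    `now` may be a datetime or an ISO date string such as "2015-06-11"."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    cutoff = now - timedelta(days=max_age_days)
    return sorted(label for label in BINDINGS
                  if label not in usage or usage[label][2] < cutoff)


# Constructed sample in the shape of idp-process.log (timestamp, level, logger,
# message); the logger names and message texts are illustrative only.
SAMPLE_LOG = """\
2015-01-05 08:12:41,003 - INFO [net.shibboleth.idp.profile:120] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://old-sp.example.org/shibboleth
2015-05-20 14:03:09,512 - INFO [net.shibboleth.idp.profile:120] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp.example.org/shibboleth
2015-06-02 09:45:17,088 - INFO [net.shibboleth.idp.profile:120] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth
\tat java.lang.Thread.run(Thread.java:745)
"""

if __name__ == "__main__":
    usage = binding_usage(SAMPLE_LOG.splitlines())
    for label, (hits, first, last) in sorted(usage.items()):
        print("%-22s %3d hits, last seen %s" % (label, hits, last))
    print("candidates for removal:", removable(usage, "2015-06-11"))
```

Run it as `python3 binding_usage.py` against the sample, or feed it `open(path)` for every idp-process-2015-*.log file; the cut-off of 90 days is a parameter, and a binding that is absent from the logs altogether is reported as removable just like a stale one.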

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially: user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example environment

[Figures on slides 5 and 6: example cluster environment]

Page 71

Options

• Full-featured setup: load balancing hardware vs DNS round robin
  • Special load balancing hardware or software is highly recommended:
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably:
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options

• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage entities

• Conversation session (profile request session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP user session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support attribute queries

Storage entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node: a message replayed against another node is not detected (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage recommendations

    Storage entity          Recommended storage   Scope
    Conversation session    Memory                Per node
    IdP user session        Client                Per client
    Persistent ID           Common database       Cluster
    User consents           Common database       Cluster
    SAML artifacts          Common database       Cluster
    Message replay cache    Memory                Per node

Remarks:
• "Common database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP configuration: storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP user session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP configuration: database storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP configuration: secret key management

• The IdP user session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • Copy the key store over an authenticated, encrypted channel only (e.g. scp or rsync over SSH) and keep it readable by the IdP user alone: whoever holds this key can decrypt or forge user session cookies for every node
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References

Documentation:
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of entity categories
• Recognize how entity categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation option: what to consider before enabling an IdP for interfederation

Why interfederation?

• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All academic identity federations globally

[Map: production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN status

• eduGAIN is the GÉANT interfederation service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended interfederation attributes

    Friendly name               Defined in   Example
    displayName                 eduPerson    Peter Sample
    common name (cn)            eduPerson    Peter Sample
    mail                        eduPerson    peter.sample@example.org
    eduPersonAffiliation        eduPerson    staff
    eduPersonScopedAffiliation  eduPerson    staff@example.org
    eduPersonPrincipalName      eduPerson    234cd8z239@example.org
    schacHomeOrganization       SCHAC        example.org
    schacHomeOrganizationType   SCHAC        urn:schac:homeOrganizationType:ch:university
                                             urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /       eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling interfederation (2)

[Screenshot of the Resource Registry: https://www.switch.ch/aai/interfederation]

eduGAIN: what is it and how does it work?

• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in to eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework, consisting of the eduGAIN Constitution, the eduGAIN Declaration, the Code of Conduct, the Attribute Profile, the Metadata Profile and the Web SSO Profile]

Page 82

SWITCHaai Team, aai@switch.ch

Entity categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
• Criteria: purpose, policies, or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata

[Figure only on this slide]

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs):
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

                    REFEDS R&S                  GÉANT DP CoCo
    Scope           Global                      Mainly Europe
    Basis           Common purpose of the SPs   Common data protection standards
    Attributes      Fixed set of attributes     SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: how attributes are released

Attribute release rules
[Screenshot]

Page 88

Attribute release settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute release settings (2)

[Screenshot]

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Log files:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • Default logging location: /var/log/tomcat7/
  • Config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  • Default logging location: /var/log/tomcat7/
  • Config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name)
  • Not to be confused with localhost.YYYY-MM-DD.log, which holds the messages of the web applications deployed in the localhost host and is configured in logging.properties

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS" />
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

Without an explicit evaluator the SMTPAppender sends one mail per ERROR event, with the events buffered before it as context. The root level DEBUG makes idp-process.log very verbose; lower it again once the alerting has been tested.

http://logback.qos.ch/manual/appenders.html

Hands-on 1: why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
    <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands-on 2: find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   • set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   • insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG" />
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

• Reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
    $ grep '<bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

copy 2015 SWITCH

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately. Say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2.

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=...'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98
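The reload URLs from slide 2 and the audit log entries from the exercises above, as an added example that is not part of the SWITCH handout: it builds the admin flow URLs from the bean IDs listed on slide 4 and picks reload events out of constructed idp-audit.log lines. The host name is the one used on the slides; the only assumption about the audit layout is the one visible in the slide's excerpt ('|'-separated fields, profile URI in one of them, timestamp first).

```python
"""Added example (not from the SWITCH handout): IdP v3 reload URLs and a
small reader for reload events in idp-audit.log.  Sample audit lines are
constructed; the profile URI is located by value, not by column number."""
from urllib.parse import urlencode

IDP_BASE = "https://aai-login.example.org/idp"   # host name used on the slides

# Service bean IDs accepted by the reload-service admin flow (slide 4).
RELOADABLE_SERVICES = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})

# Profile URIs written to idp-audit.log by the two admin flows (slide 7).
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}


def is_reloadable_service(bean_id):
    """True if bean_id is one of the service IDs the reload flow knows about."""
    return bean_id in RELOADABLE_SERVICES


def reload_url(flow, bean_id, base=IDP_BASE):
    """Admin flow URL to request with curl.  Unknown service bean IDs are
    rejected up front instead of letting the IdP answer with an error."""
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown reload flow: %s" % flow)
    if flow == "reload-service" and not is_reloadable_service(bean_id):
        raise ValueError("not a reloadable service bean: %s" % bean_id)
    return "%s/profile/admin/%s?%s" % (base, flow, urlencode({"id": bean_id}))


def reload_events(audit_lines):
    """Return (timestamp, flow) for every audit line that records a reload.

    The first field is taken to be the timestamp (assumption); the reload is
    recognised by its profile URI wherever it sits among the '|'-separated
    fields.  The id= argument of the request is not among the recorded
    fields, which is exactly what the exercise on slide 7 asks about."""
    events = []
    for line in audit_lines:
        fields = line.rstrip("\n").split("|")
        for field in fields:
            if field in RELOAD_PROFILES:
                events.append((fields[0], RELOAD_PROFILES[field]))
                break
    return events


# Constructed sample of idp-audit.log content: two reloads around a normal
# SAML2 SSO login, whose profile URI is not a reload and is therefore skipped.
SAMPLE_AUDIT_LINES = [
    "20150611T070102Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T070145Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c0ffee"
    "|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser"
    "|student1|||||||||",
    "20150611T070200Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
]

if __name__ == "__main__":
    print(reload_url("reload-service", "shibboleth.AttributeResolverService"))
    for timestamp, flow in reload_events(SAMPLE_AUDIT_LINES):
        print(timestamp, flow)
```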

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out before
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck/
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org/

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Hands-on 1 solution: attribute-resolver-local.xml

New file with:

<resolver:AttributeDefinition id="uzhSAPUserId" xsi:type="ad:Template">
    <resolver:Dependency ref="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
        name="urn:mace:unizh.ch:uzhSapUserId" encodeType="false" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1361411181711213" friendlyName="uzhSAPUserId" encodeType="false" />
    <ad:Template>SAP-${uid}</ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

Hands-on 1 solution: attribute-filter-local.xml

New file with:

<afp:AttributeFilterPolicy id="uzhSAPUserId">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://attribute-viewer.aai.switch.ch/shibboleth" />
    <afp:AttributeRule attributeID="uzhSAPUserId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Doable in the Resource Registry, too.

Page 38

Hands-on 1 solution: services.xml

Loads both new files:

<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
    <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
</util:list>

<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedSWITCHaaiAttributeFilter" />
    <value>%{idp.home}/conf/attribute-filter-local.xml</value>
</util:list>

ScriptedAttribute differences

• IdP API for scripts has changed
  • output attribute variable already created
  • setValues() removed
  • and more, see ScriptedAttributeDefinition for details
• Alternatives: mapped or template attribute definitions
• JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Page 39

Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2 solution

Create a new template attribute definition (without encoders) to generate the new values:

<resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
        sourceAttributeID="objectClass" dependencyOnly="true">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
    <ad:SourceAttribute>objectClass</ad:SourceAttribute>
</resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
    <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
    <resolver:Dependency ref="eduPersonEntitlement.groups" />
    <!-- rest of original definition -->
</resolver:AttributeDefinition>

Page 40

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice

• on the wire (in a SAML assertion):
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://aai-login.example.org/idp/shibboleth"
      SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
  https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
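The computed persistent ID and its two renderings, as an added example that is not part of the SWITCH handout: SHA-1 over SP entity ID, source attribute value and salt, Base64 encoded, then the NameID on the wire and the idp!sp!value string seen in the SP. Assumptions: the '!' separators between the hashed parts follow the Shibboleth computed-ID connector as I know it; the salt, user value and entity IDs are constructed sample values.

```python
"""Added example (not from the SWITCH handout): default persistent ID
computation and rendering.  The '!' separators in the hash input are an
assumption (Shibboleth computed-ID convention); all sample values are made up."""
import base64
import hashlib
from xml.sax.saxutils import escape, quoteattr

IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample values (never use a salt like this in production).
SAMPLE_SALT = b"constructed-salt-for-the-example"
SAMPLE_USER = "123456@example.org"           # e.g. a swissEduPersonUniqueID value
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://other.example.org/shibboleth"


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1(spEntityID '!' sourceValue '!' salt), Base64: 20 bytes -> 28 chars.

    Keeping the salt secret is what makes the ID unlinkable to the source
    attribute; changing it changes every ID, hence 'carry it over from v2'."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def is_pairwise(source_value, sp_entity_ids, salt):
    """True if the same user gets a distinct ID at each listed SP."""
    ids = {computed_persistent_id(sp, source_value, salt) for sp in sp_entity_ids}
    return len(ids) == len(set(sp_entity_ids))


def name_id_element(sp_entity_id, value, idp_entity_id=IDP_ENTITY_ID):
    """NameID as it appears in the assertion, qualified by both entity IDs."""
    return "<NameID Format=%s NameQualifier=%s SPNameQualifier=%s>%s</NameID>" % (
        quoteattr(PERSISTENT_FORMAT), quoteattr(idp_entity_id),
        quoteattr(sp_entity_id), escape(value))


def sp_attribute_rendering(sp_entity_id, value, idp_entity_id=IDP_ENTITY_ID):
    """String form the Shibboleth SP hands to applications: idp!sp!value."""
    return "!".join((idp_entity_id, sp_entity_id, value))


def parse_sp_rendering(rendered):
    """Split the SP string back into (idp, sp, value); Base64 never contains '!'."""
    idp, sp, value = rendered.split("!", 2)
    return idp, sp, value


if __name__ == "__main__":
    pid = computed_persistent_id(SP_A, SAMPLE_USER, SAMPLE_SALT)
    print(name_id_element(SP_A, pid))
    print(sp_attribute_rendering(SP_A, pid))
    print("pairwise:", is_pairwise(SAMPLE_USER, [SP_A, SP_B], SAMPLE_SALT))
```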

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new, dedicated NameID generation service
  • preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  • deprecates the StoredId data connector and the SAML2NameID attribute definition type
  • in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  • the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible postgres --compact --no-create-info --result-file shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate, and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Page 47

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Page 50

Example: conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO (Shibboleth SSO: only attribute-release):

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Page 52

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP: default mapping using the entityID
  https://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
                c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

Hands-on solution (continued)

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Page 57

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override

Disables the flows for SPs belonging to a home organisation:

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                    c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

Page 58

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch/

Home Organisation Description

1, 2: To review
3: To adapt

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  • Add new IP ranges and Domain Hints
• 5. Contacts
  • Please ensure only non-personal email addresses are listed. Ideally, also add helpdesk phone numbers
• 7. Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.

Page 68

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment

Page 71

Options: Full-featured setup

Load Balancing Hardware vs DNS Round Robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for short-lived conversation sessions)
• DNS Round Robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
• Anycast IP address
  • Fast switching possible, but more complicated setup
• Switching via DNS
  • Switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side

• Server-side database: can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)
•  User consent to attribute release and terms of use
   –  Requires persistent storage (client-side or server-side)
   –  Requires server-side storage to allow the users to use multiple browsers/clients
•  SAML artifacts
   –  Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
   –  Seldom used in SWITCHaai
•  Message replay cache
   –  Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
   –  For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
•  "Common Database" means some central/clustered database or a database replicated between nodes
•  SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
•  Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
•  The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
   –  IdP User Session: idp.session.StorageService
   –  User Consents: idp.consent.StorageService
   –  SAML artifacts: idp.artifact.StorageService
   –  Message replay cache: idp.replayCache.StorageService
•  Exception: Persistent ID
   –  Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
•  The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
•  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
•  The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
•  Setup
   –  Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
   –  Install an appropriate cronjob
   –  The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
•  Memcached
   –  Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
   –  Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
•  Terracotta
   –  No longer an option for IdPv3

Considerations for planning an IdP cluster
•  Which type of setup do you need? Basic setup or full-featured setup?
•  What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
•  Which additional hardware or software is required?
•  Which further considerations are relevant for your institution?

References: Documentation
•  Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
•  Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
•  Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
•  Get an idea of the benefits when participating in interfederation
•  Know what it takes to enable an IdP for Interfederation
•  Understand the concept of Entity Categories
•  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
•  Most federations are of national scope
•  Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
•  Research projects are mostly multi-national
•  Interconnecting national federations: Interfederation
   –  Register the IdP or SP in only one federation and enable it for interfederation
   –  Enable the IdP for interfederation: its users will be able to access services from other federations
   –  Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map: Production / Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
•  eduGAIN is the GÉANT Interfederation Service
•  eduGAIN design principles
   –  Low barrier to entry
   –  No mandate to change local standards/procedures
   –  Minimal central infrastructure
•  Status June 2015
   –  IdPs: 1257
   –  SPs: 963
http://www.edugain.org/
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                          Defined in   Example
displayName                            eduPerson    Peter Sample
common name (cn)                       eduPerson    Peter Sample
mail                                   eduPerson    peter.sample@example.org
eduPersonAffiliation /                 eduPerson    staff / staff@example.org
  eduPersonScopedAffiliation
eduPersonPrincipalName                 eduPerson    234cd8z239@example.org
schacHomeOrganization                  SCHAC        example.org
schacHomeOrganizationType              SCHAC        urn:schac:homeOrganizationType:ch:university
                                                    urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /                  eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2) (screenshot)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
•  eduGAIN provides a policy framework and standards to build trust
•  SPs and IdPs of participating federations should opt in for eduGAIN
   –  Some federations decided for opt-out instead
•  The MDS fetches, aggregates and republishes metadata
(diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline
•  Entity category
•  GÉANT Data Protection Code of Conduct (CoCo)
•  REFEDS Research & Scholarship (R&S)
•  Attribute release in the Resource Registry

Entity categories: A generic method to enrich metadata
•  Tag an entity (SP or IdP) as being part of a category
•  Requires a specification for international, coherent use
   –  Criteria
   –  Purpose
   –  Policies
   –  Or other
In the interfederation context:
•  Filling the gap of missing common policies
•  Support or increase scalable trust

Metadata (screenshot)

GÉANT Data Protection Code of Conduct
•  The method is based on the EU Data Protection directives
•  The SP has to provide a Privacy Policy (in English, according to the guideline)
•  That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
•  Principles
   –  Legal compliance
   –  Purpose limitation
   –  Data minimisation
   –  Deviating purposes
   –  Data retention
   –  Third parties
   –  Security measures
   –  Information duty towards end user
   –  Information duty towards home organization
   –  Security breaches
   –  Liability
   –  Transfer to third countries
   –  Governing law and jurisdiction
   –  Eligibility to execute
   –  Termination of the Code of Conduct
   –  Survival of the clauses
   –  Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request?
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
•  Name of the service
•  Description of the service
•  Data controller and a contact person
•  Jurisdiction
•  Personal data processed
•  Purpose of the processing of personal data
•  Third parties to whom personal data is disclosed
•  How to access, rectify and delete the personal data
•  Data retention
•  Data Protection Code of Conduct

REFEDS Research & Scholarship
•  R&S SPs support
   –  Research & scholarship interaction
   –  Collaboration
   –  Management
•  No SPs from publishers
•  Attributes
   –  Personal identifiers: email, person name, eduPersonPrincipalName
   –  Pseudonymous identifier: eduPersonTargetedID
   –  Affiliation: eduPersonScopedAffiliation
•  Minimal subset: eduPersonPrincipalName, mail, person name
   (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                       GÉANT DP CoCo
Global                           Mainly Europe
Common purpose of the SPs        Common data protection standards
Fixed set of attributes          SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot)

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
•  Logfiles
   –  error.log: /var/log/apache2/aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
   –  access.log: /var/log/apache2/aai-login.example.org.access.log
•  Location: /var/log/apache2/. Configuration defined in the virtual host definition:
   –  dir: /etc/apache2/sites-available/
   –  file: aai-login.example.org.conf

Tomcat log files
•  catalina.out: console output (System.err/out) from Tomcat
   –  default logging location: /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
   –  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
•  localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
   –  default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
•  Logging implementation called Logback, the Log4j successor
   –  Manual: http://logback.qos.ch/manual/index.html
•  Reloadability: log level change without restarting the IdP
   –  services.properties entry: idp.service.logging.checkInterval = PT5M
•  Automatic email alerts on error

Shibboleth log files (2)
•  Location: /opt/shibboleth-idp/logs/
•  Three classes of log files produced by default: diagnostic, general audit and consent audit logs
   –  idp-process.log: detailed description of the IdP processing requests
   –  idp-warn.log: filtered view of idp-process.log
   –  idp-audit.log: general request/response auditing records
   –  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
•  Config: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
•  Default settings usually OK; change them if required, e.g.
   –  LDAP auth module or authentication events
   –  new Logger or Appender…
•  Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
•  Logback handles rollover by default

SMTPAppender in logback.xml

    <!-- send log events of the root logger by e-mail -->
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1.  Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
      <Listener className="org.apache.catalina.filter" />
2.  Restart Tomcat
3.  Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4.  Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear
1.  cd /opt/shibboleth-idp/conf
2.  Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3.  Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
      <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4.  Restart Tomcat and log in to the IdP (AAI Demo Service)
5.  Look at idp-process.log and find the log entries
      [org.ldaptive.auth.Authenticator:284]
      [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6.  Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
•  only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
   –  attribute resolver (attribute-resolver.xml)
   –  attribute filtering engine (attribute-filter.xml)
   –  profile handler manager (handler.xml)
   –  relying party configuration manager (relying-party.xml)
•  potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
•  no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
•  reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
      $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
•  by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
•  shibboleth.LoggingService: logging configuration reload (logback.xml)
•  shibboleth.AttributeFilterService: attribute filter reload
•  shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
•  shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
•  shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
•  shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
•  shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

copy 2015 SWITCH

And restartless login page editing, too
•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   –  edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
   –  say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
•  and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
•  try reloading a couple of the services listed on slide 4:
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
•  check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
•  entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
   How can you determine what id= argument was supplied?
•  what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding
   –  Opt-in vs. opt-out
   –  Metadata
   –  Discovery Service
   –  Attributes
•  Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out
•  Opt-in
   –  IdPs and SPs decide when they are ready to interfederate
   –  Once the configuration is up-to-date:
      •  Interfederation metadata gets loaded
      •  IdP: additional attributes, user consent
      •  SP: Discovery Service, attribute mapping, access rules
   ⊖  Slow process
   ⊕  Entities unlikely to cause interoperability problems
•  Opt-out
   –  Federation announces a flag day for enabling interfederation
   –  IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
   ⊕  Quick adoption
   ⊖  More likely that entities cause problems unless they opted out before the flag day

Three Examples
1)  UK Data Archive: http://www.data-archive.ac.uk/
2)  FUNET FileSender: https://filesender.funet.fi/
3)  Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1)  Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2)  eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3)  eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Metadata
•  Interfederated IdPs and SPs need additional metadata
   –  SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
   –  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes
   –  In SWITCHaai: two hours
   –  For interfederation: one to a few days
•  Possible issue
   –  SP does not load interfederation metadata
   –  SP does not know the IdP and fails

Discovery Service (DS)
•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
   –  An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
   –  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
•  Missing attributes cause interoperation problems
   –  Check the SP's attribute requirements in the Resource Registry
   –  Verify that attributes were released (in the IdP's audit log)
      •  If NO: check your IdP's attribute release policy
      •  If YES: were all required attributes released?
         –  If YES: the SP has to check out why it fails
         –  If NO: review your attribute release policy
•  Another issue
   –  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
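The decision tree of this slide, together with the REFEDS R&S minimal attribute set from the Entity Categories slides, written out as an added example (not part of the SWITCH handout). The audit line, the index of its attribute field and the SP requirements are constructed for the demo; which field of idp-audit.log carries the released attributes depends on the deployment's audit format, so the caller supplies it.

```python
# Added example, not from the SWITCH handout. Encodes the "Attributes" troubleshooting
# steps and the R&S minimal subset; all sample data is constructed for this demo.

# R&S minimal subset from the handout: eduPersonPrincipalName, mail and a person name,
# where person name = givenName + sn OR displayName.
RANDS_REQUIRED = frozenset({"eduPersonPrincipalName", "mail"})
RANDS_PERSON_NAME_ALTERNATIVES = (frozenset({"givenName", "sn"}), frozenset({"displayName"}))


def released_attributes_from_audit(audit_line, attr_field_index):
    """Return the set of attribute IDs recorded in one '|'-separated idp-audit.log line.

    attr_field_index is the position of the released-attributes field in the
    deployment's audit format (assumption: the IDs are comma-separated inside it).
    """
    fields = audit_line.rstrip("\n").split("|")
    if attr_field_index >= len(fields) or not fields[attr_field_index]:
        return set()
    return {attr for attr in fields[attr_field_index].split(",") if attr}


def rands_minimal_missing(released):
    """Which parts of the R&S minimal subset are absent from the released set."""
    released = set(released)
    missing = sorted(RANDS_REQUIRED - released)
    if not any(alternative <= released for alternative in RANDS_PERSON_NAME_ALTERNATIVES):
        missing.append("person name (givenName + sn, or displayName)")
    return missing


def diagnose_attribute_release(required_by_sp, released):
    """Apply the slide's decision tree and name the next step.

    required_by_sp: the SP's required attributes as listed in the Resource Registry.
    released:       the attribute IDs found in the IdP's audit log for that request.
    """
    required_by_sp, released = set(required_by_sp), set(released)
    if not released:
        return {"missing": sorted(required_by_sp),
                "next_step": "nothing released: check your IdP's attribute release policy"}
    missing = sorted(required_by_sp - released)
    if missing:
        return {"missing": missing,
                "next_step": "required attributes missing: review your attribute release policy"}
    return {"missing": [],
            "next_step": "all required attributes released: the SP has to check why it fails"}


# Constructed, simplified audit line: the released attributes sit in field index 4.
SAMPLE_AUDIT_LINE = (
    "2015-06-11T10:15:00Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://sp.example.org/shibboleth|student1|eduPersonPrincipalName,mail,displayName"
)
SAMPLE_ATTR_FIELD_INDEX = 4
# Constructed SP requirement, as it would be read off the Resource Registry.
SAMPLE_SP_REQUIRED = {"eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"}


def main():
    released = released_attributes_from_audit(SAMPLE_AUDIT_LINE, SAMPLE_ATTR_FIELD_INDEX)
    print("released:", sorted(released))
    print("R&S minimal subset missing:", rands_minimal_missing(released))
    print("diagnosis:", diagnose_attribute_release(SAMPLE_SP_REQUIRED, released))


if __name__ == "__main__":
    main()
```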

Exploring interfederated entities
•  Is a university's IdP or an SP already interfederated?
   –  go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
   –  or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
   –  or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
•  Additional web pages of interest
   –  Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
   –  REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org/

Troubleshooting interfederated entities
•  Find an SP in the Resource Registry
   –  go to https://rr.aai.switch.ch/, pick "Search for resources", pick "interfederation"
   –  or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch


Hands-on 1 solution: services.xml

Loads both new files:

    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver-switchaai-core.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-connectors.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-other.xml</value>
        <value>%{idp.home}/conf/attribute-resolver-local.xml</value>
    </util:list>

    <util:list id="shibboleth.AttributeFilterResources">
        <ref bean="FileBackedSWITCHaaiAttributeFilter"/>
        <value>%{idp.home}/conf/attribute-filter-local.xml</value>
    </util:list>

ScriptedAttribute differences
•  IdP API for scripts has changed
   –  output attribute variable already created
   –  setValues() removed
   –  and more, see ScriptedAttributeDefinition for details
•  Alternatives: mapped or template attribute definitions
•  JavaScript engine change between Java 7 (Rhino) and 8 (Nashorn): even more things to adapt

Hands-on 2: Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes

Hands-on 2 solution: Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
                                  sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References
•  Shibboleth wiki: AttributeResolverConfiguration and its child pages
•  Shibboleth wiki: AttributeFilterConfiguration
•  Shibboleth wiki: ScriptedAttributeDefinition
•  Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
•  a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
•  introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
•  first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
•  configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice
•  on the wire (in a SAML assertion):
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="https://aai-login.example.org/idp/shibboleth"
              SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
•  attribute rendering in the Shibboleth SP (string):
      https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
•  by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
•  when used in a federation, always qualified by the IdP and SP entity IDs
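The computed persistent ID and its two renderings from this slide, as an added example that is not part of the SWITCH handout. The handout gives the inputs (SP entity ID, user attribute value, salt; SHA-1; Base64); the "!" separators between the hashed parts are an assumption taken from the IdP's computed-ID strategy, and the entity IDs, source value and salt are constructed for the demo.

```python
# Added example, not from the SWITCH handout: computes a Shibboleth-style persistent ID
# and renders it as the SP string form and as the on-the-wire <NameID> element.
import base64
import hashlib

# Constructed sample values (same shape as the handout's examples, not real data).
IDP_ENTITY_ID = "https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_VALUE = "12345678@example.org"  # constructed swissEduPersonUniqueID-style value
SALT = b"constructed-demo-salt-use-a-long-random-secret-in-production"  # placeholder


def computed_persistent_id(sp_entity_id, source_value, salt):
    """SHA-1 over SP entity ID, source attribute value and salt, Base64-encoded.

    Assumption (not stated on the slide): the parts are separated by '!' before
    hashing, as in the IdP's computed-ID strategy. The output is 20 bytes, so the
    Base64 form is always 28 characters long.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def qualified_persistent_id(idp_entity_id, sp_entity_id, persistent_id):
    """The string form the Shibboleth SP renders: idpEntityID!spEntityID!value."""
    return "!".join((idp_entity_id, sp_entity_id, persistent_id))


def name_id_element(idp_entity_id, sp_entity_id, persistent_id):
    """The on-the-wire <NameID> element, qualified by both entity IDs."""
    return (
        '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        f'NameQualifier="{idp_entity_id}" SPNameQualifier="{sp_entity_id}">'
        f"{persistent_id}</NameID>"
    )


def is_well_formed_persistent_id(persistent_id):
    """Sanity check for a value seen in a log or database: Base64 of exactly 20 bytes."""
    try:
        return len(base64.b64decode(persistent_id, validate=True)) == 20
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return False


def is_pairwise(sp_entity_ids, source_value, salt):
    """The same user must get a different ID at every SP (targeted, pair-wise pseudonym)."""
    ids = {sp: computed_persistent_id(sp, source_value, salt) for sp in sp_entity_ids}
    return len(set(ids.values())) == len(ids)


def main():
    pid = computed_persistent_id(SP_ENTITY_ID, SOURCE_VALUE, SALT)
    print("persistent ID:", pid, "well-formed:", is_well_formed_persistent_id(pid))
    print("SP rendering: ", qualified_persistent_id(IDP_ENTITY_ID, SP_ENTITY_ID, pid))
    print("on the wire:  ", name_id_element(IDP_ENTITY_ID, SP_ENTITY_ID, pid))


if __name__ == "__main__":
    main()
```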

Persistent ID changes with the IdP v3
•  no disruptive ones, but a couple of things have happened behind the scenes
•  most importantly, the IdP v3 brings a new dedicated NameID generation service
   –  preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
   –  deprecates the StoredId data connector and the SAML2NameID attribute definition type
   –  in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
   –  the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service
•  configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
      idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
      idp.persistentId.store = PersistentIdStore
      idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
•  to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
•  to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
•  finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
•  the database schema for the shibpid table remains unchanged
•  when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
•  "transferring" the records from MySQL to PostgreSQL is straightforward:
      me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
      me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
•  make sure to import the records into an empty table, i.e. execute
      sudo -u postgres psql shibboleth -c 'truncate shibpid'
   before importing a newer version of a full dump

(Some ideas for) hands-on exercises
•  examine the current contents of the shibpid table:
      $ sudo -iu postgres psql shibboleth
      shibboleth=# \pset pager off
      shibboleth=# \dS shibpid
      shibboleth=# select * from shibpid;
•  delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
•  dump the shibpid table to a file, purge the table with truncate and reimport the records
•  log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO (by default only attribute-release)

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration: consent duration options

Configured by Java properties in conf/idp.properties (IdP default in brackets).

• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: per-attribute behaviour

• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: white & black lists

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
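How the two slides above fit together, as an added example (not code from the handout or from the IdP's consent module): the block models which attributes the attribute-release intercept prompts for (white list, black list, pattern) and when a stored consent no longer covers a release, i.e. a new attribute appears, or values change while idp.consent.compareValues is true. The property names and default lists are the page's; the decision logic is a model of the described behaviour, not the IdP's own classes, and the sample attributes are constructed.

```python
# Added example; not code from the handout or the Shibboleth IdP's consent module.
# Models the prompting and re-prompting behaviour described on the slides; the
# decision logic is this example's own, not the IdP's classes.
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_BLACKLIST = {"transientId", "persistentId", "eduPersonTargetedID"}


@dataclass
class ConsentConfig:
    whitelist: Set[str] = field(default_factory=set)                     # [empty]
    blacklist: Set[str] = field(default_factory=lambda: set(DEFAULT_BLACKLIST))
    pattern: Optional[str] = None                                         # [not defined]
    compare_values: bool = False                                          # idp.consent.compareValues [false]


def prompt_for(attribute_id: str, cfg: ConsentConfig) -> bool:
    """Black list always wins; with an empty white list and no pattern every other
    attribute is prompted for; otherwise an attribute must be listed or match the pattern."""
    if attribute_id in cfg.blacklist:
        return False
    if not cfg.whitelist and cfg.pattern is None:
        return True
    if attribute_id in cfg.whitelist:
        return True
    return cfg.pattern is not None and re.match(cfg.pattern, attribute_id) is not None


def value_hash(values: List[str]) -> str:
    """Stable digest of an attribute's values (sorted, so order does not matter)."""
    return hashlib.sha256("\n".join(sorted(values)).encode("utf-8")).hexdigest()


def consent_record(attributes: Dict[str, List[str]], cfg: ConsentConfig) -> Dict[str, Optional[str]]:
    """What is stored when the user accepts: attribute id -> value hash, or None when
    only the set of attributes is tracked (compareValues = false)."""
    return {
        aid: (value_hash(vals) if cfg.compare_values else None)
        for aid, vals in attributes.items()
        if prompt_for(aid, cfg)
    }


def needs_prompt(stored: Dict[str, Optional[str]], attributes: Dict[str, List[str]],
                 cfg: ConsentConfig) -> bool:
    """'Ask me again if information changes': re-prompt when an attribute to be released
    has no stored consent, or (compareValues) when its values changed."""
    for aid, digest in consent_record(attributes, cfg).items():
        if aid not in stored:
            return True
        if cfg.compare_values and stored[aid] != digest:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample release for one user at one SP.
    release = {
        "mail": ["peter.sample@example.org"],
        "eduPersonScopedAffiliation": ["staff@example.org"],
        "persistentId": ["2389cdhu3e-sda7323"],
    }
    cfg = ConsentConfig()
    stored = consent_record(release, cfg)  # persistentId is black-listed, so never prompted for
    print(stored)
    changed = dict(release, mail=["p.sample@example.org"])
    print("re-prompt on value change, compareValues=false:", needs_prompt(stored, changed, cfg))
    strict = ConsentConfig(compare_values=True)
    print("re-prompt on value change, compareValues=true:",
          needs_prompt(consent_record(release, strict), changed, strict))
    print("re-prompt on new attribute:",
          needs_prompt(stored, dict(release, displayName=["Peter Sample"]), cfg))
```

With the defaults, a changed e-mail address does not trigger a new prompt; only a new attribute does, which is exactly the "set of attributes changes" wording on the uApprove comparison slide.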

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mappings are configurable, but the key is still the entityID (default value available)

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories:
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
• New attributes available:
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
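The matching behind the two slides above, as an added example (not code from the handout or from the Shibboleth IdP): the block reads the entity attributes out of an SP's metadata and evaluates an ordered list of tag candidates the way the RelyingPartyByTag override is used, first matching override wins, otherwise the default relying party applies. The OIDs, entity category URI and entityID are the page's; the candidate semantics (every listed value must be present; an empty value list only requires the attribute) and the second override bean name are assumptions of the example, and the metadata sample is constructed from the previous slide.

```python
# Added example; not code from the handout or the Shibboleth IdP.
# Parses EntityAttributes from SP metadata and picks the first matching relying-party
# override, as a model of RelyingPartyByTag / TagCandidate (semantics assumed).
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"       # swissEduPersonHomeOrganization
HOME_ORG_TYPE = "urn:oid:2.16.756.1.2.5.1.1.5"  # swissEduPersonHomeOrganizationType

# Constructed sample, modelled on the attribute-viewer metadata on the previous slide.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""

Candidate = Tuple[str, List[str]]        # (attribute Name, required values)
Override = Tuple[str, List[Candidate]]   # (override bean id, candidates)


def entity_attributes(metadata_xml: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (entityID, {attribute Name: [values]}) from an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return root.get("entityID"), attrs


def candidate_matches(candidate: Candidate, attrs: Dict[str, List[str]]) -> bool:
    """Assumed semantics: attribute present and every required value present."""
    name, required = candidate
    present = attrs.get(name)
    if present is None:
        return False
    return all(value in present for value in required)


def select_relying_party(overrides: List[Override], attrs: Dict[str, List[str]]) -> str:
    """First override with a matching candidate wins (order in relying-party.xml matters)."""
    for bean_id, candidates in overrides:
        if any(candidate_matches(c, attrs) for c in candidates):
            return bean_id
    return "shibboleth.DefaultRelyingParty"


if __name__ == "__main__":
    entity_id, attrs = entity_attributes(SAMPLE_METADATA)
    overrides = [
        ("shibboleth.NoUserConsentRelyingParty", [(HOME_ORG, ["example.org"])]),  # as on the slide
        ("shibboleth.CoCoRelyingParty", [(ENTITY_CATEGORY, [COCO_V1])]),          # constructed name
    ]
    print(entity_id, "->", select_relying_party(overrides, attrs))
```

The attribute-viewer SP belongs to switch.ch, so the home-organisation override from the slide does not match it and it falls through to the next override; swapping the two overrides changes the result, which is the "first match wins" point of the previous slide.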

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  - Unlike the upgrade from IdPv1 to IdPv2
  - Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  - Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  - Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  - Add new IP ranges and Domain Hints
• 5 Contacts
  - Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings
  - Default attribute release policies. Consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change the URL for the Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration because:
  - only one Apache VirtualHost
  - one domain name and one certificate
  - no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns the information (i.e. time, SP) when the binding was used the last time.
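The same check for all removal candidates at once, as an added example (not code from the handout): rather than grepping for a single binding URN, the block summarises when each SAML binding was last used and by which SP, then lists which of the candidates from the previous slide were unused in the last few months. The sample log lines are constructed in a simplified pipe-separated layout (time|inbound binding|relying party); the real idp-process.log layout differs, so the split in parse_line() and the 90-day reading of "last few months" are assumptions.

```python
# Added example; not code from the handout. Generalises the grep on the slide above.
# The sample lines use a constructed "time|inbound binding|relying party" layout; the real
# IdP log layout differs, so parse_line() is an assumption to adapt.
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample log lines.
SAMPLE_LOG = """\
2015-01-12T08:02:11|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|https://sp1.example.org/shibboleth
2015-02-03T14:20:45|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|https://legacy.example.org/shibboleth
2015-04-19T09:11:02|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|https://sp1.example.org/shibboleth
2015-05-30T17:45:13|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|https://sp2.example.org/shibboleth
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, binding URN, relying party) or None for lines not in the expected layout."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None
    ts, binding, sp = parts
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), binding, sp


def last_use(log_text: str) -> Dict[str, Tuple[datetime, str]]:
    """binding URN -> (time of last use, relying party that used it)."""
    latest: Dict[str, Tuple[datetime, str]] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, binding, sp = parsed
        if binding not in latest or ts > latest[binding][0]:
            latest[binding] = (ts, sp)
    return latest


def unused_candidates(log_text: str, candidates: List[str], today: str, days: int = 90) -> List[str]:
    """Candidates never seen, or last seen more than `days` before `today` (YYYY-MM-DD);
    90 days is this example's reading of 'the last few months'."""
    latest = last_use(log_text)
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=days)
    return [b for b in candidates if b not in latest or latest[b][0] < cutoff]


if __name__ == "__main__":
    for binding, (ts, sp) in sorted(last_use(SAMPLE_LOG).items()):
        print(ts.isoformat(), binding, sp)
    print("unused in the last 90 days:",
          unused_candidates(SAMPLE_LOG, [SAML1_SOAP, SAML2_SIMPLESIGN, SAML2_REDIRECT], "2015-06-11"))
```

Keep the SP column in the report: an endpoint used once by a single legacy SP is a conversation with that SP's operator, not a silent removal.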

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenances: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment

[Figure: example clustered IdP environment, diagram only]

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  - Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  - Anycast IP address
    • Fast switching possible, but more complicated setup
  - Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs. server-side
  - Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  - Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on the client)
• Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
• Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

    Storage Entity         Recommended Storage   Scope
    Conversation Session   Memory                Per Node
    IdP User Session       Client                Per Client
    Persistent ID          Common Database       Cluster
    User consents          Common Database       Cluster
    SAML artifacts         Common Database       Cluster
    Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database, or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  - No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

[Map of production and pilot federations; source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
• Status June 2015:
  - IdPs: 1257
  - SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                 Defined in   Example
    displayName                   eduPerson    Peter Sample
    common name (cn)              eduPerson    Peter Sample
    mail                          eduPerson    peter.sample@example.org
    eduPersonAffiliation          eduPerson    staff
    eduPersonScopedAffiliation    eduPerson    staff@example.org
    eduPersonPrincipalName        eduPerson    234cd8z239@example.org
    schacHomeOrganization         SCHAC        example.org
    schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                               urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

[Screenshot of the Resource Registry interfederation option; see https://www.switch.ch/aai/interfederation]

eduGAIN: What is it and how does it work?

• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  - Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  - Criteria
  - Purpose
  - Policies
  - Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

[Figure: Metadata]

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
• No SPs from publishers
• Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                     GÉANT DP CoCo
    Global                         Mainly Europe
    Common purpose of the SPs      Common data protection standards
    Fixed set of attributes        SP can require any attributes

Attribute Release Configuration: How attributes are released

Attribute Release Rules

[Screenshot of the attribute release rules in the Resource Registry]

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

[Screenshot: Resource Registry – Attribute Release Settings, continued]

Overview of Log Files

Apache log files

Logfiles:
• error.log / aai-login.example.org.error.log: LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log / aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  - default logging location: /var/log/tomcat7/
  - config in /etc/tomcat7/logging.properties
    - FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  - access information associated with a request (IP address, time, request method (GET or POST))
  - default logging location: /var/log/tomcat7/
  - config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback (Log4j successor)
  - Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  - services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok. Change them if required, i.e.
  - LDAP Auth Module or authentication events
  - new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. restart Tomcat
3. look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. remove the listener from server.xml and restart Tomcat

Hands On 2

Find out why not all of the attributes appear.

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. restart Tomcat and log in to the IdP (AAI Demo Service)
5. look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

    shibboleth.LoggingService                   logging configuration reload (logback.xml)
    shibboleth.AttributeFilterService           attribute filter reload
    shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
    shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
    shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
    shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
    shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course... but under normal operating conditions such reconfigurations relatively rarely occur

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=...
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  – Interfederation metadata gets loaded
  – IdP: additional attributes, user consent
  – SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out beforehand
  – if they do not want to participate
  – if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service opted out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that opted out
  – That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
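The audit-log check above (and the reload events recorded in idp-audit.log from the "Reloading the Configuration" exercises) can be scripted. The following is an added example, not code from the SWITCH slides or the Shibboleth IdP: it parses pipe-separated idp-audit.log records, lists reload events, and walks the released/missing decision tree for one SP. The column layout and the sample lines are constructed for this example; the real layout is defined in conf/audit.xml and may differ, so adapt COLUMNS to your deployment.

```python
"""Check attribute release and reload events in idp-audit.log (constructed sample, assumed layout)."""
from typing import Dict, List

# Assumed column layout for this example; the IdP's real layout lives in conf/audit.xml.
COLUMNS = ["time", "req_binding", "req_id", "relying_party", "profile", "resp_binding",
           "resp_id", "authn_context", "username", "attributes", "nameid_format", "nameid"]

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed sample records (example.org / example.net), not taken from a real IdP.
SAMPLE_LOG = (
    "20150611T101501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1"
    "|https://sp.example.org/shibboleth|" + SSO_PROFILE +
    "|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1"
    "|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|jdoe"
    "|eduPersonPrincipalName,mail,eduPersonAffiliation"
    "|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n1\n"
    "20150611T101622Z||||" + RELOAD_PREFIX + "metadata|||||||\n"
    "20150611T101630Z||||" + RELOAD_PREFIX + "service-configuration|||||||\n"
    "20150611T101700Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2"
    "|https://filesender.example.net/shibboleth|" + SSO_PROFILE +
    "|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2"
    "|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|jdoe"
    "|eduPersonPrincipalName"
    "|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n2\n"
)


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one record on '|' and name the fields; short records are padded with empty strings."""
    fields = line.rstrip("\n").split("|")
    fields += [""] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields))


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    return [parse_audit_line(line) for line in text.splitlines() if line.strip()]


def reload_events(records: List[Dict[str, str]]) -> List[str]:
    """Profile URIs of reload events. Apart from the profile URI every field of such a
    record is empty (as on the slide), so the id= argument is not available from here."""
    return [r["profile"] for r in records if r["profile"].startswith(RELOAD_PREFIX)]


def released_attributes(records: List[Dict[str, str]], relying_party: str) -> List[str]:
    """Union of attribute names released to one SP over all SSO records, sorted."""
    names = set()
    for r in records:
        if r["profile"] == SSO_PROFILE and r["relying_party"] == relying_party and r["attributes"]:
            names.update(r["attributes"].split(","))
    return sorted(names)


def check_release(records: List[Dict[str, str]], relying_party: str, required: List[str]) -> Dict[str, object]:
    """Decision tree from the slide: nothing released -> check the policy; some required
    attributes missing -> review the policy; everything released -> the SP side must investigate."""
    released = released_attributes(records, relying_party)
    missing = sorted(set(required) - set(released))
    if not released:
        verdict = "nothing released: check the IdP attribute release policy"
    elif missing:
        verdict = "required attributes missing: review the attribute release policy"
    else:
        verdict = "all required attributes released: the SP has to check why it fails"
    return {"released": released, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("reload events:", reload_events(recs))
    print(check_release(recs, "https://filesender.example.net/shibboleth",
                        ["eduPersonPrincipalName", "mail"]))
```

To run it against a real file, replace SAMPLE_LOG with the contents of /opt/shibboleth-idp/logs/idp-audit.log and put the field order from conf/audit.xml into COLUMNS.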

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Hands-on 2

Add new eduPersonEntitlement values of the form https://example.org/groups/<objectClass> using the LDAP objectClass attribute, without using script attributes.

Hands-on 2: solution

Create a new template attribute definition (without encoders) to generate the new values:

    <resolver:AttributeDefinition id="eduPersonEntitlement.groups" xsi:type="ad:Template"
                                  sourceAttributeID="objectClass" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
        <ad:Template>https://example.org/groups/${objectClass}</ad:Template>
        <ad:SourceAttribute>objectClass</ad:SourceAttribute>
    </resolver:AttributeDefinition>

Add that new attribute to the definition of eduPersonEntitlement:

    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Simple">
        <resolver:Dependency ref="eduPersonEntitlement.common-lib-terms" />
        <resolver:Dependency ref="eduPersonEntitlement.groups" />
        <!-- rest of original definition -->
    </resolver:AttributeDefinition>

References

• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation: always qualified by the IdP and SP entity IDs
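The computation described on this slide, as an added example (not code from the SWITCH slides or the Shibboleth IdP): it derives the ID from SP entity ID, source attribute value and salt with SHA-1 and Base64, renders the SP-side string form, and checks the two properties that matter operationally, that the same user gets unrelated IDs at different SPs and that the salt decides the value. The "!" separator between the three inputs is an assumption of this example; the slide only says "entity ID plus attribute value plus salt". All entity IDs, user values and the salt are constructed.

```python
"""Computed persistent ID: SHA-1 over SP entity ID, source attribute value and salt,
Base64-encoded (20 bytes -> 28 characters). Added example, not IdP code."""
import base64
import hashlib


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    # Assumption: inputs joined with "!" before hashing (separator chosen for this example).
    data = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    digest = hashlib.sha1(data).digest()              # 20 bytes
    return base64.b64encode(digest).decode("ascii")   # 28 characters, ends in "="


def sp_rendering(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> str:
    """String form the Shibboleth SP exposes: IdP!SP!value, qualified by both entity IDs."""
    return f"{idp_entity_id}!{sp_entity_id}!{persistent_id}"


def is_pairwise(sp_a: str, sp_b: str, source_value: str, salt: str) -> bool:
    """Two SPs receive different IDs for the same user, so the IDs cannot be
    correlated across SPs by comparing them."""
    return (computed_persistent_id(sp_a, source_value, salt)
            != computed_persistent_id(sp_b, source_value, salt))


def salt_decides(sp_entity_id: str, source_value: str, salt: str, other_salt: str) -> bool:
    """Knowing entity ID and source value is not enough to reproduce the ID without the
    salt; this is also why idp.persistentId.salt must be carried over unchanged from v2,
    otherwise every previously issued persistent ID changes."""
    return (computed_persistent_id(sp_entity_id, source_value, salt)
            != computed_persistent_id(sp_entity_id, source_value, other_salt))


if __name__ == "__main__":
    # Constructed sample values (example.org), not real federation data.
    idp = "https://aai-login.example.org/idp/shibboleth"
    sp = "https://sp.example.org/shibboleth"
    pid = computed_persistent_id(sp, "123456@example.org", "constructed-salt-do-not-use")
    print(sp_rendering(idp, sp, pid))
```

The output has the same shape as the slide's on-the-wire value: 28 Base64 characters ending in "=", the IdP and SP qualifiers in front of it only on the SP side.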

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true   [true]
• Do not ask me again: idp.consent.allowGlobal = false   [true]

Attribute consent configuration: per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false   [false]
• Ask again if attribute values change: idp.consent.compareValues = true   [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
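The white list, black list and pattern semantics of the two intercept-flow slides above, written out as an added example (not code from the SWITCH slides or the IdP's consent flow) so the effect of a white list can be tried on a sample attribute set before touching consent-intercept-config.xml. Two points are this example's reading of the slides rather than stated there: the black list always wins, and the pattern is a Java-style regular expression applied to the attribute name.

```python
"""Which released attributes the consent page asks about, and in what order.
Added example modelling the slide's description; not the IdP's own logic."""
import re
from typing import List, Optional, Set

# Default black list from the slide: never prompted for, never shown.
DEFAULT_BLACKLIST: Set[str] = {"transientId", "persistentId", "eduPersonTargetedID"}


def attributes_to_prompt(released: List[str], whitelist: Optional[List[str]] = None,
                         blacklist: Set[str] = DEFAULT_BLACKLIST,
                         pattern: Optional[str] = None) -> List[str]:
    """Subset of `released` the user is asked about, in release order.

    - empty white list and no pattern: everything except the black list
    - white list and/or pattern set: only listed or matching attributes are prompted;
      everything else is released without asking (the slide's warning case)
    - black-listed attributes are never prompted (assumption: black list wins)
    """
    whitelist = whitelist or []
    regex = re.compile(pattern) if pattern else None
    selected = []
    for name in released:
        if name in blacklist:
            continue
        if not whitelist and regex is None:
            selected.append(name)
        elif name in whitelist or (regex is not None and regex.search(name)):
            selected.append(name)
    return selected


def released_silently(released: List[str], whitelist: Optional[List[str]] = None,
                      blacklist: Set[str] = DEFAULT_BLACKLIST,
                      pattern: Optional[str] = None) -> List[str]:
    """Attributes that leave the IdP without a prompt: the part an operator usually wants
    to review after narrowing the white list."""
    prompted = set(attributes_to_prompt(released, whitelist, blacklist, pattern))
    return [name for name in released if name not in prompted and name not in blacklist]


def display_order(prompted: List[str], whitelist: Optional[List[str]] = None) -> List[str]:
    """Display rule from the 3.2.0 slide: white-listed attributes first, in list order,
    then all other prompted attributes alphabetically."""
    whitelist = whitelist or []
    first = [name for name in whitelist if name in prompted]
    rest = sorted(name for name in prompted if name not in whitelist)
    return first + rest


if __name__ == "__main__":
    # Constructed sample attribute set.
    released = ["mail", "eduPersonPrincipalName", "persistentId", "givenName", "surname"]
    prompted = attributes_to_prompt(released, whitelist=["surname", "mail"], pattern="^.*$")
    print(display_order(prompted, ["surname", "mail"]))
    print("released without prompt:", released_silently(released, whitelist=["mail"]))
```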

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

Terms for each SP: default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

Other mapping configurable, but the key is still the entityID (default value available).

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
  – Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description [screenshot]: 1, 2: to review; 3: to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
    https://aai-login.example.org:8443/idp/...  or  https://aai-aa.example.org/idp/...
to
    https://aai-login.example.org/idp/...

3. Remove unnecessary endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was last used.
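The grep above tells you whether the binding appears at all; to decide removal you also want the most recent hit per SP and a recency rule. The following is an added example (not code from the SWITCH slides or the IdP): it scans idp-process.log lines for a binding URN, reports the last use per relying party, and applies the "no use in the last few months" rule as 90 days. The sample lines are constructed, and their layout is only loosely modelled on the IdP's default logback pattern, so LINE_RE must be adapted to your own pattern before running it on real logs.

```python
"""When was a SAML binding last used? Scan of idp-process.log lines.
Added example; sample lines and line layout are constructed, not copied from an IdP."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample lines (example.org), not taken from a real deployment.
SAMPLE_LINES = [
    "2015-01-07 09:12:44,101 - INFO [net.shibboleth.idp.profile:123] - Decoded binding "
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth",
    "2015-03-02 14:03:10,554 - INFO [net.shibboleth.idp.profile:123] - Decoded binding "
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth",
    "2015-04-18 21:47:03,009 - INFO [net.shibboleth.idp.profile:123] - Decoded binding "
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy.example.org/shibboleth",
    "2015-06-10 08:00:00,000 - WARN [net.shibboleth.idp.profile:456] - Unrelated message without a binding",
]

# Timestamp, binding URN and relying party as they appear in the constructed lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ - \w+ \[[^\]]+\] - "
    r".*?binding (?P<binding>\S+) for relying party (?P<sp>\S+)$"
)


def binding_uses(lines: List[str]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, relying party) by binding URN; non-matching lines are skipped."""
    uses: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        uses.setdefault(m.group("binding"), []).append((ts, m.group("sp")))
    return uses


def last_use(lines: List[str], binding: str) -> Optional[Tuple[datetime, str]]:
    """Most recent (time, SP) for the binding: the grep on the slide reduced to its last hit."""
    hits = binding_uses(lines).get(binding, [])
    return max(hits) if hits else None


def last_use_iso(lines: List[str], binding: str) -> Optional[Tuple[str, str]]:
    """Same as last_use, with the time as an ISO string for reporting."""
    hit = last_use(lines, binding)
    return (hit[0].isoformat(), hit[1]) if hit else None


def unused_for(lines: List[str], binding: str, today: str, days: int = 90) -> bool:
    """Rule from the slide: an endpoint may be removed only if its binding saw no use in the
    last few months (here: more than `days` before `today`, given as YYYY-MM-DD)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    hit = last_use(lines, binding)
    return hit is None or now - hit[0] > timedelta(days=days)


if __name__ == "__main__":
    print("last SAML1 SOAP use:", last_use_iso(SAMPLE_LINES, SAML1_SOAP))
    print("safe to remove on 2015-06-11:", unused_for(SAMPLE_LINES, SAML1_SOAP, "2015-06-11"))
```

Feed it the rotated files the slide greps (idp-process-2015-*.log) by reading their lines into the list; the per-SP result tells you whom to contact before the endpoint disappears from the Resource Registry.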

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially: user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

bull  The setup of the IdP and the whole environment is more complex than with a single-server IdP

bull  Special configuration of the IdP is required

bull  Load balancing requires special hardware or software

bull  IdPs in SWITCHaai store some data in a database Therefore clustered IdPs need some kind of clustered database or some replication mechanism

4

Page 70

Example Environment
[Diagrams of the example environment on slides 5 and 6; not reproduced in the handout text]

Page 71

Options: Load Balancing Hardware vs. DNS Round Robin
• Full-featured setup
  – Special load balancing hardware or software is highly recommended
    – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    – Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    – Behavior of clients is not determinable
    – Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    – Fast switching possible, but more complicated setup
  – Switching via DNS
    – Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
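As an added example (not from the SWITCH handout or the Shibboleth distribution), the script below reads the four storage-service properties named above from an idp.properties file and reports, per storage entity, where its data lives and whether that matches the recommendation table for a cluster. Data kept in a node's memory is what silently breaks when a second node is added. The bean IDs it recognises are the standard IdP v3 ones: shibboleth.StorageService (in-memory), shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService (client-side cookies) and shibboleth.JPAStorageService (database, as on the next slide); the idp.properties content is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): cluster-readiness check of
# the storage services configured in idp.properties.

# Constructed sample of the relevant part of an idp.properties file. Here
# consent lives in a client-side cookie and the artifact store and replay
# cache are still node-local memory (the IdP v3 defaults).
SAMPLE_PROPERTIES='
# storage services (constructed sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
'
TMP_PROPS=$(mktemp)
printf '%s\n' "$SAMPLE_PROPERTIES" > "$TMP_PROPS"

# Value of property $2 in file $1 (last definition wins, comments ignored,
# surrounding whitespace stripped); empty if the key is not set.
prop_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Classify a storage service bean ID by where the data lives.
storage_scope() {
    case "$1" in
        shibboleth.StorageService) echo "memory (per node)" ;;
        shibboleth.ClientSessionStorageService|shibboleth.ClientPersistentStorageService)
            echo "client (per browser)" ;;
        shibboleth.JPAStorageService) echo "common database (cluster)" ;;
        "") echo "unset (IdP default applies)" ;;
        *) echo "custom ($1)" ;;
    esac
}

# One line per storage entity: "<entity>: <scope>[ warning]". Warnings
# follow the recommendation table: consents and SAML artifacts belong in a
# common database; the user session must float with the client; the
# replay cache may stay in memory but is then per node.
cluster_report() {
    file="$1"
    for entry in \
        "IdP User Session|idp.session.StorageService|client" \
        "User consents|idp.consent.StorageService|database" \
        "SAML artifacts|idp.artifact.StorageService|database" \
        "Message replay cache|idp.replayCache.StorageService|memory-ok"
    do
        entity=${entry%%|*}
        rest=${entry#*|}
        key=${rest%%|*}
        want=${rest#*|}
        scope=$(storage_scope "$(prop_value "$file" "$key")")
        warn=""
        case "$want:$scope" in
            database:"common database"*) ;;
            database:*) warn=" [WARN: needs a common database in a cluster]" ;;
            client:"client"*) ;;
            client:*) warn=" [WARN: session would be bound to one node]" ;;
            memory-ok:"memory"*) warn=" [note: replay detection is per node only]" ;;
        esac
        echo "$entity: $scope$warn"
    done
}

# Number of WARN lines; 0 means the configuration matches the table.
cluster_warnings() {
    cluster_report "$1" | grep -c 'WARN' || true
}

# Usage on the constructed sample (reports two warnings):
cluster_report "$TMP_PROPS"
```

Run against a real file with `cluster_report /opt/shibboleth-idp/conf/idp.properties`; the persistent ID store is not covered, because (as the slide says) it is configured in global.xml rather than in idp.properties.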

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
[World map of production and pilot federations; source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                            Defined in   Example
displayName                              eduPerson    Peter Sample
common name (cn)                         eduPerson    Peter Sample
mail                                     eduPerson    peter.sample@example.org
eduPersonAffiliation                     eduPerson    staff
eduPersonScopedAffiliation               eduPerson    staff@example.org
eduPersonPrincipalName                   eduPerson    234cd8z239@example.org
schacHomeOrganization                    SCHAC        example.org
schacHomeOrganizationType                SCHAC        urn:schac:homeOrganizationType:ch:university
                                                      urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in to eduGAIN
• Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
[Figure; not reproduced in the handout text]

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Diagram: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
  – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback: the Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties, entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf/
2. Edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
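The script below is an added example, not part of the SWITCH handout or of the IdP's own bin/ reload scripts. It wraps the curl call to the two admin flows from slide 3 (building the reload-service and reload-metadata URLs for a bean ID) and counts the reload events that slide 7 says appear in idp-audit.log. The IdP base URL https://aai-login.example.org/idp is the handout's example host; the audit lines are constructed with the same "|"-separated shape the handout shows, all other fields left empty.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): trigger IdP v3 service and
# metadata reloads with curl and count the reload events in idp-audit.log.

# Example host from the handout; override with IDP_BASE=... in the
# environment for a real deployment.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Build the admin-flow URL for flow $1 ("reload-service" or
# "reload-metadata") and id $2. Bean IDs contain only letters and dots,
# but the id is still percent-encoded so a stray '&' or space cannot
# change the query string.
reload_url() {
    id=$(printf '%s' "$2" | sed -e 's/%/%25/g' -e 's/&/%26/g' \
                                 -e 's/#/%23/g' -e 's/ /%20/g')
    printf '%s/profile/admin/%s?id=%s\n' "$IDP_BASE" "$1" "$id"
}

# Trigger the reloads. The admin flows are restricted to localhost by
# default, so run these on the IdP node itself. curl -f turns a non-2xx
# answer (unknown bean ID, access denied) into a non-zero exit status, so
# a cronjob or deploy script can notice a failed reload.
reload_service() {
    curl -sS -f "$(reload_url reload-service "$1")"
}
reload_metadata() {
    curl -sS -f "$(reload_url reload-metadata "$1")"
}

# Count reload events for profile $1 ("reload-service-configuration" or
# "reload-metadata") in audit lines read from stdin. The profile URI sits
# between '|' separators, which keeps the match exact.
count_reload_events() {
    grep -c -F "|http://shibboleth.net/ns/profiles/$1|" || true
}

# Constructed sample audit lines (shape as in the handout; timestamps and
# the SSO line are made up for the example).
SAMPLE_AUDIT='20150611T081502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T081545Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T082001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|https://sp.example.org/shibboleth||http://shibboleth.net/ns/profiles/saml2/sso/browser||||||||
20150611T083310Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||'

# Usage: print the URLs for the services listed on slide 4 and summarise
# the sample audit log. (reload_service itself needs a running IdP.)
for bean in shibboleth.LoggingService shibboleth.AttributeFilterService \
            shibboleth.AttributeResolverService shibboleth.MetadataResolverService; do
    reload_url reload-service "$bean"
done
echo "service reloads: $(printf '%s\n' "$SAMPLE_AUDIT" | count_reload_events reload-service-configuration)"
echo "metadata reloads: $(printf '%s\n' "$SAMPLE_AUDIT" | count_reload_events reload-metadata)"
```

A reload that fails (for instance after the syntax error from the exercise) is reported by the IdP in idp-process.log, not in the audit entry, so pair the exit status of reload_service with a look at idp-warn.log when scripting it.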

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date, the Interfederation Metadata gets loaded
  – IdP: additional attributes, user consent
  – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


References
• Shibboleth wiki: AttributeResolverConfiguration and its child pages
• Shibboleth wiki: AttributeFilterConfiguration
• Shibboleth wiki: ScriptedAttributeDefinition
• Rhino Migration Guide

Page 41

Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML – short recap
• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Page 42

Persistent IDs in practice
• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
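To make the derivation on this slide concrete, here is an added example (not from the SWITCH handout and not the IdP's own code): a shell function that builds a computed persistent ID the way the slide describes it, SHA-1 over the SP entity ID, the user's source attribute value and the salt, Base64 encoded, plus the qualified "IdP!SP!value" rendering from the slide. The "!" separator between the three hash inputs is an assumption made for this example; the entity IDs are the slide's example values and the attribute value and salt are constructed placeholders. Running it shows the two properties that matter operationally: the same user gets a different ID at every SP (pair-wise), and changing the salt changes every ID, which is why the salt carried over into credentials.properties must never change after go-live.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): how a computed persistent ID
# is derived. SHA-1 of "<SP entity ID>!<source attribute value>!<salt>",
# Base64 encoded: 20 bytes -> 28 characters. The "!" separator is an
# assumption of this example; the IdP's own computed-ID strategy is the
# reference.

# Persistent ID for SP entity ID $1, source attribute value $2, salt $3.
persistent_id() {
    printf '%s!%s!%s' "$1" "$2" "$3" \
        | openssl dgst -sha1 -binary \
        | openssl base64 -A
    echo
}

# The qualified string the Shibboleth SP renders as an attribute value:
# "<IdP entity ID>!<SP entity ID>!<persistent ID>". Arguments: IdP entity
# ID, SP entity ID, source attribute value, salt.
qualified_persistent_id() {
    printf '%s!%s!%s\n' "$1" "$2" "$(persistent_id "$2" "$3" "$4")"
}

# Entity IDs from the handout; attribute value and salt are constructed.
# The real salt lives in /opt/shibboleth-idp/conf/credentials.properties
# (idp.persistentId.salt) and must stay secret: with the salt, anyone who
# knows a user's source attribute value could recompute the pseudonym.
IDP_ENTITY_ID="https://aai-login.example.org/idp/shibboleth"
SP_ENTITY_ID="https://sp.example.org/shibboleth"
OTHER_SP_ENTITY_ID="https://other.example.net/shibboleth"
SOURCE_VALUE="123456@example.org"          # e.g. swissEduPersonUniqueID
SALT="PLACEHOLDER-NOT-A-REAL-SALT"

# Usage: the same user at two SPs yields two unrelated IDs.
echo "at $SP_ENTITY_ID:       $(persistent_id "$SP_ENTITY_ID" "$SOURCE_VALUE" "$SALT")"
echo "at $OTHER_SP_ENTITY_ID: $(persistent_id "$OTHER_SP_ENTITY_ID" "$SOURCE_VALUE" "$SALT")"
qualified_persistent_id "$IDP_ENTITY_ID" "$SP_ENTITY_ID" "$SOURCE_VALUE" "$SALT"
```

The stored (shibpid) generator referred to on the following slides keeps these values in the database once generated, so the hash is only ever computed for a user's first visit to an SP; the formula above is nevertheless what a fresh record starts from.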

copy 2015 SWITCH

bull no disruptive ones but a couple of things have happened behind the scenes

bull most importantly the IdP v3 brings a new dedicated NameID generation service ndash preferred over the previous method available in v2 which treated

name IDs as a sort of ldquospecial-purposerdquo attributes ndash deprecates the StoredId data connector and the SAML2NameID

attribute definition type ndash in a pure v3 configuration and an ideal SAML 2 world the IdP would

only include NameIDs in the ltSubjectgt element of an assertion ndash the configuration in the v3 SWITCH deployment guide has been

updated to the new-style generation as far as possible but still allows encoding of persistent IDs in SAML attributes

Persistent ID changes with the IdP v3

4

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueIDwithoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute sudo -u postgres psql shibboleth -c 'truncate shibpid' before importing a newer version of a full dump

Page 44

copy 2015 SWITCH

bull examine the current contents of the shibpid table $ sudo -iu postgres psql shibboleth shibboleth= pset pager off shibboleth= dS shibpid shibboleth= select from shibpid

bull delete a record from the shibpid table and ldquorecreaterdquo it by logging in again with the respective account (on the proper SP)

bull dump the shibpid table to a file purge the table with truncate and reimport the records

bull  log in to your v2 [test] IdP figure out the current number of shibpid records and make a dump of that table

(Some ideas for) hands-on exercises

7

Page 45
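Why both the shibpid rows and the idp.persistentId.salt must be carried over, as an added example in Python (my reimplementation for illustration, not the IdP's own code): the stored generator consults the shibpid table first and only seeds a new row with the salted computed ID, so a user without a migrated row gets a different SP-facing identifier if the v3 salt differs. Entity IDs, the salt and the source-attribute value are constructed; the shibpid stand-in keeps only the columns the lookup needs.

```python
"""Persistent ID derivation and the stored-ID lookup, reimplemented for
illustration (not the Shibboleth IdP's own code).

Assumption, taken from the IdP's computed-ID strategy: the initial value is
    base64( SHA-1( spEntityID + "!" + sourceAttributeValue + "!" + salt ) )
The stored generator first consults the shibpid table and only computes a
new value (and stores it) when no row exists for this user and SP.
"""
import base64
import hashlib

# Constructed sample values; the real salt lives in
# /opt/shibboleth-idp/conf/credentials.properties (idp.persistentId.salt).
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_VALUE = "123456@example.org"          # e.g. swissEduPersonUniqueID
V2_SALT = b"constructed-v2-salt-that-is-long-enough"
OTHER_SALT = b"constructed-freshly-generated-v3-salt"


def computed_persistent_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Salted SHA-1 over "<SP>!<source>!<salt>", base64-encoded (28 characters)."""
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


class ShibpidTable:
    """Stand-in for the shibpid table (constructed; only the columns used here)."""

    def __init__(self):
        # rows: localEntity, peerEntity, principalName, localId, persistentId
        self.rows = []

    def lookup(self, local_entity, peer_entity, local_id):
        for row in self.rows:
            if (row["localEntity"], row["peerEntity"], row["localId"]) == (local_entity, peer_entity, local_id):
                return row["persistentId"]
        return None

    def reverse_lookup(self, local_entity, peer_entity, persistent_id):
        """The c14n/SAML2Persistent direction: persistent ID back to the principal."""
        for row in self.rows:
            if (row["localEntity"], row["peerEntity"], row["persistentId"]) == (local_entity, peer_entity, persistent_id):
                return row["principalName"]
        return None


def stored_persistent_id(table, idp_entity_id, sp_entity_id, principal, source_value, salt):
    """Return the stored ID for (user, SP); generate, store and return it on first use."""
    existing = table.lookup(idp_entity_id, sp_entity_id, source_value)
    if existing is not None:
        return existing
    new_id = computed_persistent_id(sp_entity_id, source_value, salt)
    table.rows.append({
        "localEntity": idp_entity_id,
        "peerEntity": sp_entity_id,
        "principalName": principal,
        "localId": source_value,
        "persistentId": new_id,
    })
    return new_id


def migrate(src: ShibpidTable) -> ShibpidTable:
    """The mysqldump/psql step above, as a plain row copy into an empty table."""
    dst = ShibpidTable()
    dst.rows = [dict(row) for row in src.rows]
    return dst


def ids_survive_upgrade(migrate_table: bool, carry_over_salt: bool) -> bool:
    """Does a user known to the v2 IdP get the same ID from the v3 IdP?

    Either a migrated shibpid row or the same salt keeps the identifier
    stable; with neither, the SP sees a brand-new user.
    """
    v2_table = ShibpidTable()
    v2_id = stored_persistent_id(v2_table, IDP_ENTITY_ID, SP_ENTITY_ID, "jdoe", SOURCE_VALUE, V2_SALT)
    v3_table = migrate(v2_table) if migrate_table else ShibpidTable()
    v3_salt = V2_SALT if carry_over_salt else OTHER_SALT
    v3_id = stored_persistent_id(v3_table, IDP_ENTITY_ID, SP_ENTITY_ID, "jdoe", SOURCE_VALUE, v3_salt)
    return v2_id == v3_id
```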

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3

Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3?

• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [only attribute-release]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP: default mapping using the entityID:

    https://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: order in conf/relying-party.xml is significant.

Disabling prompt for particular SPs: Entity attributes in metadata

Entity categories:
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship

New attributes available:
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override

Disables the consent flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
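How the override matching above behaves, as an added example in Python (my code, not the IdP's): it reads the mdattr:EntityAttributes extension the way the tag override keys on it and applies the overrides in configuration order, so the in-house SP that also carries the CoCo category lands on the no-consent override only because that bean is listed first. The metadata aggregate and the second and third overrides are constructed, and the TagCandidate semantics (all listed values must be present on the entity) are my reading of the IdP behaviour, not taken from the page.

```python
"""Relying-party override selection over SAML metadata, an added example
(not the Shibboleth IdP's own code). Demonstrates name- and tag-based
overrides and the "first match wins" rule for conf/relying-party.xml.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"      # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed metadata aggregate: an in-house SP that also carries CoCo,
# an external CoCo SP, and an SP with no entity attributes at all.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG}">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.net/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.com/shibboleth"/>
</md:EntitiesDescriptor>"""

# Overrides in the order they would appear in conf/relying-party.xml.
# "flows" stands for postAuthenticationFlows on the SSO profiles; an empty
# list means no consent prompt, as in the NoUserConsent override above.
OVERRIDES = [
    {"id": "shibboleth.NoUserConsentRelyingParty", "kind": "tag",
     "name": HOME_ORG, "values": {"example.org"}, "flows": []},
    {"id": "CoCoRelyingParty", "kind": "tag",             # constructed
     "name": ENTITY_CATEGORY, "values": {COCO_V1}, "flows": ["attribute-release"]},
    {"id": "ByNameRelyingParty", "kind": "name",          # constructed
     "ids": {"https://plain-sp.example.com/shibboleth"},
     "flows": ["terms-of-use", "attribute-release"]},
]
DEFAULT = {"id": "shibboleth.DefaultRelyingParty", "flows": ["attribute-release"]}


def entity_attributes(entity):
    """{Name: set(values)} from the entity's mdattr:EntityAttributes extension."""
    attrs = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def select_override(entity_id, attrs, overrides=OVERRIDES):
    """First override whose candidate matches wins; otherwise the default."""
    for o in overrides:
        if o["kind"] == "name" and entity_id in o["ids"]:
            return o
        # Assumption: a tag candidate matches when every listed value is present.
        if o["kind"] == "tag" and o["values"] <= attrs.get(o["name"], set()):
            return o
    return DEFAULT


def resolve(metadata_xml, entity_id, overrides=OVERRIDES):
    """Return (override id, post-authentication flows) for an SP in the aggregate."""
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.get("entityID") == entity_id:
            chosen = select_override(entity_id, entity_attributes(entity), overrides)
            return chosen["id"], list(chosen["flows"])
    raise KeyError(f"{entity_id} not in metadata")
```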

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now.

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  - Ubuntu: sudo service tomcat7 restart
  - Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?

Fortunately not, but revising metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  - Unlike the upgrade from IdPv1 to IdPv2
  - Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  - Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

1, 2: To review
3: To adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  - Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  - Add new IP ranges and Domain Hints
• 5. Contacts
  - Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7. Attribute Release Settings
  - Default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: Separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration because:
  - only one Apache VirtualHost
  - one domain name and one certificate
  - no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
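The grep above turned into a per-SP "last used" check, as an added example in Python (my code, not SWITCH's or the IdP's): it parses process-log lines, records the most recent use of a binding URI per relying party and reports whether the endpoint has been idle long enough to be removed. The sample lines are constructed in the general shape of idp-process.log entries (timestamp, level, logger, message); the message wording is an assumption, only the binding URI and the SP entityID matter for the check.

```python
"""Endpoint-removal check over idp-process.log lines, an added example
(not SWITCH's or the IdP's own code).
"""
import re
from datetime import datetime, timedelta

SAML1_SOAP_BINDING = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample log lines; logger names and message texts are made up,
# the layout follows the process log (timestamp - LEVEL [logger:line] - message).
SAMPLE_LOG = """\
2015-01-12 09:14:02,117 - INFO [constructed.profile.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://old-sp.example.org/shibboleth
2015-03-30 16:40:55,004 - INFO [constructed.profile.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP from relying party https://sp.example.org/shibboleth
2015-04-02 11:03:19,880 - INFO [constructed.profile.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party https://old-sp.example.org/shibboleth
2015-05-21 08:00:01,500 - WARN [constructed.authn.Logger:2] - Login failed, no binding information in this line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
RP_RE = re.compile(r"relying party (\S+)$")


def parse_line(line):
    """Split one process-log line into timestamp, level and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "level": m.group("level"),
        "msg": m.group("msg"),
    }


def last_use_of_binding(log_text, binding):
    """Like the grep above, reduced to {SP entityID: ISO timestamp of the last use of `binding`}."""
    last = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Substring match, as grep does; the SAML 2.0 SOAP URI is not a
        # substring of the SAML 1.0 one, so the two are told apart.
        if rec is None or binding not in rec["msg"]:
            continue
        rp = RP_RE.search(rec["msg"])
        sp = rp.group(1) if rp else "<unknown SP>"
        if sp not in last or rec["ts"] > last[sp]:
            last[sp] = rec["ts"]
    return {sp: ts.isoformat() for sp, ts in last.items()}


def safe_to_remove(log_text, binding, today, months=3):
    """True when no SP used `binding` within the last `months` (30-day months) before `today` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=30 * months)
    for iso in last_use_of_binding(log_text, binding).values():
        if datetime.fromisoformat(iso) >= cutoff:
            return False
    return True
```

An endpoint that never appears in the log is reported as safe to remove, so run the check over all retained log files, not just the current one.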

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance. A server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram slides 5 and 6)

Options

• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  - Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    · Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    · Behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  - Anycast IP address
    · Fast switching possible, but more complicated setup
  - Switching via DNS
    · Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs server-side
  - Server-side database can store any data
    · But: might cause some performance penalty
    · Centralized/clustered or replicated database required
  - Client-side storage using cookies
    · Doesn't work for large data like user consents
    · Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on client)
• Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  - Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
• Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  - No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

Map of Production and Pilot federations. Source: https://refeds.org/federations/federations-map

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
• Status June 2015:
  - IdPs: 1257
  - SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                                      Defined in   Example
    displayName                                        eduPerson    Peter Sample
    common name (cn)                                   eduPerson    Peter Sample
    mail                                               eduPerson    peter.sample@example.org
    eduPersonAffiliation / eduPersonScopedAffiliation  eduPerson    staff / staff@example.org
    eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
    schacHomeOrganization                              SCHAC        example.org
    schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university,
                                                                    urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  - Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Diagram: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
• No SPs from publishers
• Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
  - Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                   GÉANT DP CoCo
    Global                       Mainly Europe
    Common purpose of the SPs    Common data protection standards
    Fixed set of attributes      SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)

Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings

Attribute Release Settings (2)

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS" />
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

By default the SMTPAppender sends a mail whenever an event of level ERROR arrives, with the preceding buffered events included in it. The root level DEBUG shown here is for testing only and is far too verbose for production.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the <Server> element:
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to (uid=$requestContext.name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achievable through a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified ... requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to the container (Tomcat) restarts which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course ... but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=...
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  ...||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  ...||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
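The following script is an added example for the reload exercises above; it is not part of the SWITCH handouts or of the IdP distribution. It builds the admin flow URLs for the bean IDs listed under "Available bean IDs for service reloads", calls them with curl and treats anything but HTTP 200 as a failed reload, and picks the reload events out of an idp-audit.log read from standard input. It assumes the IdP is reachable as https://aai-login.example.org (override with IDP_BASE) and that it runs on the IdP host itself, because access-control.xml restricts the reload-* flows to localhost. The audit lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not SWITCH or Shibboleth code: trigger IdP v3 service and
# metadata reloads and list reload events recorded in idp-audit.log.
# Assumptions: IDP_BASE points at the IdP (default below), and the script
# runs on the IdP host since the reload-* flows are restricted to localhost.

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}

# Bean IDs of the reloadable services (IdP v3, as listed in the handouts).
RELOADABLE_SERVICES='shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService'

# URL of the admin flow: $1 is "service" or "metadata", $2 the bean ID or
# metadata provider ID.
reload_url() {
    printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# Call the flow; succeed only on HTTP 200 so that a typo in the ID or a
# syntax error in the reloaded file does not go unnoticed (e.g. in cron).
reload_flow() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url "$1" "$2")")
    [ "$status" = "200" ] || { echo "reload-$1 id=$2 failed: HTTP $status" >&2; return 1; }
}

# Reload every service in the list, continuing past failures; the return
# value is the number of failed reloads.
reload_all_services() {
    failed=0
    for id in $RELOADABLE_SERVICES; do
        reload_flow service "$id" || failed=$((failed + 1))
    done
    return "$failed"
}

# Print "<timestamp> <profile URI>" for each reload event in an audit log
# read on stdin. The audit log is pipe-separated and records the admin
# flow's profile URI (http://shibboleth.net/ns/profiles/reload-...); the
# id= argument is not in the audit line but in the request's query string,
# e.g. in the Apache access.log if the call went through the web server.
reload_events() {
    awk -F'|' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-/) print $1, $i
    }'
}

# Usage on the IdP host:
#   reload_flow service shibboleth.AttributeResolverService
#   reload_flow metadata SWITCHaaiMetadata        # ID from metadata-provider*.xml
#   reload_events < /opt/shibboleth-idp/logs/idp-audit.log
```

reload_all_services is deliberately tolerant of single failures so that one broken file does not prevent the other services from being reloaded; check its return value and the messages on stderr afterwards.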

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• understand what is different regarding
  – opt-in vs. opt-out
  – metadata
  – discovery service
  – attributes
• know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – once the configuration is up to date:
    interfederation metadata gets loaded
    IdP: additional attributes, user consent
    SP: discovery service, attribute mapping, access rules
  ⊖ slow process
  ⊕ entities are unlikely to cause interoperability problems
• Opt-out
  – the federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ quick adoption
  ⊖ more likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

• interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – opt-out federations integrate all entities into a single metadata file
• propagation speed of metadata changes
  – in SWITCHaai: two hours
  – for interfederation: one to a few days
• possible issue: the SP does not load the interfederation metadata
  – the SP does not know the IdP and fails

Discovery Service (DS)

• within SWITCHaai, users easily find their IdP
• an SP needs a DS that knows the appropriate set of IdPs
• an interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• e.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – that can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
  – the IdP has no metadata for an SP that opted out, so the request falls through to the default configuration for unknown relying parties, which has no SSO profile enabled

Attributes

• missing attributes cause interoperation problems
  – check the SP's attribute requirements in the Resource Registry
  – verify that the attributes were released (in the IdP's audit log)
    if NO: check your IdP's attribute release policy
    if YES: were all required attributes released?
      if YES: the SP has to check out why it fails
      if NO: review your attribute release policy
• another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so the problem was not discovered earlier.

Exploring interfederated entities

• is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN list of entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide e-mail addresses or domain names
• additional web pages of interest
  – which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org/

Troubleshooting interfederated entities

• find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search for it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• contact the SWITCHaai Team: aai@switch.ch


Persistent IDs: Configuration changes and database migration

SWITCHaai Team, aai@switch.ch

Persistent IDs in SAML: short recap

• a persistent, revocable, non-reassignable, opaque, targeted, non-global identifier for identifying the subject in a SAML assertion [https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers]
• introduced in 2005 with the SAML V2.0 specification: "Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities."
• first implemented in the Shibboleth IdP 2; full-featured persistent ID support requires a database
• configuration instructions included in the SWITCH IdP deployment guide since 2008, with MySQL as the suggested backend

Persistent IDs in practice

• on the wire (in a SAML assertion):
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://aai-login.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string, the three parts joined with "!"):
    https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
  – the salt is what keeps the pseudonym non-public: whoever knows the salt and the source attribute value can recompute the ID for any SP, so treat idp.persistentId.salt like a key
• when used in a federation, always qualified by the IdP and SP entity IDs
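As an added illustration of the computation described on this slide (not SWITCH or Shibboleth code), the following script recomputes a persistent ID with openssl so that a record in the shibpid table can be cross-checked, and shows why a changed salt or source attribute yields a different ID. It assumes the IdP's computed-ID strategy hashes the string "<SP entityID>!<source attribute value>!<salt>" with SHA-1 and Base64-encodes the 20-byte digest; the "!" separators follow the reference implementation and are an assumption here, as are the entityIDs, the source value and the salt used below.

```shell
#!/bin/sh
# Added example, not SWITCH or Shibboleth code: recompute a Shibboleth-style
# persistent ID outside the IdP.
# Assumption: the computed-ID strategy hashes "<SP entityID>!<source>!<salt>"
# with SHA-1 and Base64-encodes the raw 20-byte digest (28 characters,
# one "=" of padding). All identifiers and the salt below are constructed.

# SHA-1 based persistent ID, as generated the first time a user visits an SP.
computed_persistent_id() {
    sp_entity_id=$1; source_value=$2; salt=$3
    printf '%s!%s!%s' "$sp_entity_id" "$source_value" "$salt" \
        | openssl dgst -sha1 -binary | base64      # -binary: raw digest, not hex
}

# String the Shibboleth SP builds from NameQualifier, SPNameQualifier and
# the NameID value: "<IdP entityID>!<SP entityID>!<persistent ID>".
sp_rendering() {
    printf '%s!%s!%s\n' "$1" "$2" "$3"
}

# Show that a different salt changes the ID for the same user and SP:
# salt and source attribute must be carried over unchanged from v2.
demo() {
    idp=https://aai-login.example.org/idp/shibboleth
    sp=https://sp.example.org/shibboleth
    pid=$(computed_persistent_id "$sp" "123456@example.org" "constructed-salt")
    echo "NameID value:           $pid"
    echo "SP attribute rendering: $(sp_rendering "$idp" "$sp" "$pid")"
    echo "same user, other salt:  $(computed_persistent_id "$sp" "123456@example.org" "other-salt")"
}
demo
```

The value is deterministic for a given (SP, source attribute, salt) triple, which is exactly why the stored variant only computes it once and then looks it up in the shibpid table: revoking or re-issuing an ID is a database operation, not a change of the formula.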

Persistent ID changes with the IdP v3

• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
    idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
    idp.persistentId.store = PersistentIdStore
    idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)
  – keep the salt and the source attribute identical to v2: records already in the shibpid table are looked up, not recomputed, but IDs for user/SP pairs without a record are computed from these two values and would differ from what the v2 IdP would have generated

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
    me@idpv2:~$ sudo mysqldump --compatible=postgresql --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
    me@idpv3:~$ sudo -iu postgres psql shibboleth --file /path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
    sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when the attributes or the terms change.

What's in version 3

• attribute release and terms of use consent now built in
• inspired by the uApprove and uApproveJP plugins for v2
• no consent data migration: the storage implementations are not compatible
• may be enabled or disabled per relying party and per profile
• decisions are logged

Differences with uApprove

• user can select attributes to release [disabled]
• consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• no regular expressions for SP white/black lists
• no translations provided

Why enable user consent?

• easier to have now with v3 than with v2
• required by the SWITCHaai Interfederation Access Declaration
• informs users about what personal data is transmitted, in a more real-time fashion
• recommended to comply with data protection laws

Why (not) enable user consent?

• one more page to read and click through upon login, but only the first time for each SP
• global consent disabled: users cannot choose "I don't care about my privacy"
• decide for all your users, or let them decide

When should consent be sought?

• all SPs: the best option ← recommended
• outside your organisation: good, fewer clicks
• outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• attribute consent [enabled]
• terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

The flows run in the order listed, so with this configuration the terms of use are shown before the attribute release page.

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

(values in brackets are the IdP defaults; the value given is the SWITCH recommendation)

Attribute consent configuration: per attribute behaviour

• allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except the black list]
• white list [empty]: when filled, any attribute not mentioned in a list is released without asking
• black list [transientId, persistentId, eduPersonTargetedID]
• pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

• alphabetical order by default
• except attributes in the white list, which show up first
• set the pattern to ^.*$ to catch all other attributes
• fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP: default mapping using the entityID
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
(the colon in the entityID has to be escaped in a properties file key, otherwise "https" alone would be taken as the key)

Other mappings are configurable, but the key is still the entityID (a default value is available).

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml. Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution (1)

• enable the terms-of-use flow in conf/relying-party.xml
• change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution (2)

• add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

• template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• first match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

• entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• new attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with entity attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux), and verify the PGP signature (.asc file published next to the archive) before unpacking
• unpack it at any convenient location (it won't be needed afterwards)
• change into the newly created distribution directory
• run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• restart Tomcat to activate the new version
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• there are two distinct areas below /opt/shibboleth-idp:
  – unmanaged directories: managed by you, not touched by upgrades, e.g. conf, views, edit-webapp
  – managed directories: system directories managed by the IdP software, updated during upgrades, e.g. system, webapp
• never touch the system directories system and webapp
• upgrades may introduce new features that require adaptations to the configuration in order to make use of them, but the existing configuration should still work without these changes

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata might still cause some minor changes.

IdPv2 vs. IdPv3 Metadata

• endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• therefore no metadata/Resource Registry change is needed, in theory
• however, some changes are still recommended:
  1. review the Home Organisation Description
  2. change the URL for the Attribute Authority
  3. remove unnecessary endpoints
• to change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description

1, 2: to review
3: to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information: add new IP ranges and domain hints
• 5. Contacts: please ensure only non-personal e-mail addresses are listed; ideally also add helpdesk phone numbers
• 7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry: in "3. Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/... to https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) about when the binding was used the last time. Rotated log files may be gzipped depending on the rollover policy in logback.xml; use zgrep on idp-process-*.log.gz to include them, and remember that attribute queries over the SAML1 SOAP binding are not logins but still count as uses of the endpoint.
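The grep above answers the question for one binding and one year at a time, and leaves the per-SP bookkeeping to the reader. The following script is an added example (not part of the SWITCH handouts) that reads all plain and gzipped idp-process logs, and prints for every SP the most recent use of a given binding, so that the decision to drop an endpoint can be made per relying party. It assumes that each log line starts with an ISO8601 date and time and that the SP's entityID appears on the same line as the binding URN as the first https:// URL; the log message text and the entityIDs in the embedded sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SWITC handouts: before removing an
# endpoint from the Resource Registry, report for every SP when it last
# used a given SAML binding, across plain and gzipped idp-process logs.
# Assumptions: each log line starts with an ISO8601 date and time, and the
# SP's entityID is the first https:// URL on the line with the binding URN.
# The sample log lines below are constructed.

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'

# Read log lines on stdin; print "<SP entityID> <date> <time>" of the most
# recent use of binding $1 per SP, sorted by entityID.
last_use_per_sp() {
    grep -F -- "$1" | awk -v sq="'" '
        BEGIN { re = "https?://[^ " sq "\"<>),]+" }
        {
            if (match($0, re) == 0) next         # no entityID on this line
            sp = substr($0, RSTART, RLENGTH)
            ts = $1 " " $2
            if (ts > last[sp]) last[sp] = ts     # ISO8601 timestamps sort lexically
        }
        END { for (sp in last) print sp, last[sp] }' | sort
}

# Concatenate the idp-process logs of a year plus the current one,
# transparently decompressing rotated .gz files.
process_logs() {
    year=$1; dir=${2:-/opt/shibboleth-idp/logs}
    for f in "$dir"/idp-process-"$year"-*.log "$dir"/idp-process-"$year"-*.log.gz "$dir"/idp-process.log; do
        [ -f "$f" ] || continue
        case "$f" in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done
}

# Constructed sample: two SPs using SAML1 SOAP, one using SAML2 HTTP-POST.
sample_log_lines() {
    cat <<'EOF'
2015-03-02 10:15:02,123 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party 'https://sp1.example.org/shibboleth'
2015-04-10 17:45:10,555 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party 'https://sp2.example.org/shibboleth'
2015-05-30 08:00:00,000 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from relying party 'https://sp1.example.org/shibboleth'
2015-06-01 09:30:00,000 - INFO [constructed.logger:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from relying party 'https://sp3.example.org/shibboleth'
EOF
}

# On a real IdP:   process_logs 2015 | last_use_per_sp "$SAML1_SOAP"
# With the sample: sample_log_lines | last_use_per_sp "$SAML1_SOAP"
```

An SP that does not show up in the output has not used the binding in the period covered by the logs; one that shows up with a recent timestamp is the reason to keep the endpoint, and its operator is the one to contact before removing it.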

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• operate the IdP on multiple servers to get high availability and/or load balancing
  – load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – a further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – especially, user login sessions are stored on the client instead of on the server in memory
  – allows flexible configuration of various storage services (memory, server-side, client-side)
• in theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – full support for attribute queries requires persistent storage of the persistent ID
  – storing user consents per browser is not convenient for users
• documentation on the Shibboleth wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• the setup of the IdP and the whole environment is more complex than with a single-server IdP
• special configuration of the IdP is required
• load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment [two diagrams, not reproduced in the handout text]

Options bull  Full-featured setup

Load Balancing Hardware vs DNS Round Robin  Special load balancing hardware or software is highly recommended

bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored

bull Supports sticky sessions (required for short-lived conversation sessions)

  DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions

bull  Basic setup (ActiveStandby system)  Anycast IP address

bull Fast switching possible but more complicated setup

 Switching via DNS bull Switching takes some time (TTL) but setup is easy

7

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
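To turn the recommendations table into something you can run against a node, here is an added shell check that is not part of the SWITCH handout: it reads the four storage-service properties named on this slide from an idp.properties file and flags settings that would break in a multi-node cluster. The bean IDs shibboleth.ClientSessionStorageService (client-side session store) and shibboleth.StorageService (in-memory store) are the IdP v3 defaults as I know them and are assumptions here; the sample properties file is constructed.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: check idp.properties against the
# clustering storage recommendations. Property names are the ones named on
# the slide; the bean IDs for the client-side session store and the in-memory
# store are the IdP v3 defaults as I know them (assumption).

# Read the last assignment of KEY from a Java-properties style FILE.
idp_prop() {                      # usage: idp_prop FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report how each storage entity is configured; return 1 if a setting would
# break in a multi-node cluster (session bound to one node, consent per client).
check_cluster_storage() {         # usage: check_cluster_storage FILE
    f=$1; rc=0
    session=$(idp_prop "$f" idp.session.StorageService)
    consent=$(idp_prop "$f" idp.consent.StorageService)
    artifact=$(idp_prop "$f" idp.artifact.StorageService)
    replay=$(idp_prop "$f" idp.replayCache.StorageService)

    case $session in
        shibboleth.ClientSessionStorageService) echo "OK   session: client-side, floats between nodes" ;;
        shibboleth.JPAStorageService)           echo "OK   session: common database" ;;
        *) echo "FAIL session: '$session' is bound to one node; a failover forces users to log in again"; rc=1 ;;
    esac
    case $consent in
        shibboleth.JPAStorageService) echo "OK   consent: common database" ;;
        *) echo "FAIL consent: '$consent' is not the common database; users with several browsers are asked again"; rc=1 ;;
    esac
    case $artifact in
        shibboleth.JPAStorageService) echo "OK   artifacts: common database" ;;
        *) echo "WARN artifacts: '$artifact' is acceptable only if SAML 2.0 artifacts are not used" ;;
    esac
    case $replay in
        shibboleth.JPAStorageService) echo "OK   replay cache: common database (cluster-wide replay detection)" ;;
        *) echo "NOTE replay cache: '$replay' detects replays per node only (the default)" ;;
    esac
    return $rc
}

# Constructed sample in the recommended configuration (not a real deployment).
write_sample_properties() {       # usage: write_sample_properties FILE
    cat > "$1" <<'EOF'
# storage services, one per storage entity
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}
```

Run check_cluster_storage /opt/shibboleth-idp/conf/idp.properties on every node; the exit status is meant for a deployment check, the messages for the operator. Because Java properties take the last assignment of a key, the helper deliberately reads the last match.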

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
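As a concrete shape for the cronjob described above, here is an added shell script that is neither the handout's nor the wiki's example: the designated node generates a new key version and copies the key store to its peers, and a small helper compares the version counters so you can verify that all nodes really share the same key generation. It assumes the IdP's seckeygen.sh under /opt/shibboleth-idp/bin with the --storefile/--storepass/--versionfile/--alias options as documented on the wiki page above, the key store credentials/sealer.jks with its version counter in credentials/sealer.kver (a CurrentVersion=N line), and ssh/scp access from the generating node to the others; host names and the store password are placeholders.

```shell
#!/bin/sh
# Added example, not the handout's or the Shibboleth wiki's script: rotate the
# cookie-sealing key on the designated node and push it to the other nodes.
# ASSUMPTIONS: /opt/shibboleth-idp/bin/seckeygen.sh with the options
# --storefile/--storepass/--versionfile/--alias as documented on the wiki page
# above; key store credentials/sealer.jks with its version counter in
# credentials/sealer.kver (a "CurrentVersion=N" line); scp/ssh access from
# this node to the peers. Host names and the store password are placeholders.

IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
PEER_NODES=${PEER_NODES:-"idp2.example.org idp3.example.org"}   # placeholders
STOREPASS=${STOREPASS:-changeit}                                 # placeholder

# Print the CurrentVersion counter of a sealer.kver file (empty if absent).
kver_version() {                  # usage: kver_version FILE
    sed -n 's/^CurrentVersion=\([0-9][0-9]*\).*/\1/p' "$1"
}

# Return 0 only if every given kver file has the same version as the first.
kver_in_sync() {                  # usage: kver_in_sync FILE...
    ref=$(kver_version "$1"); shift
    [ -n "$ref" ] || return 1
    for f in "$@"; do
        [ "$(kver_version "$f")" = "$ref" ] || return 1
    done
    return 0
}

# Generate the next key version, copy store + version file to every peer,
# then fetch each peer's version file back and confirm the cluster is in sync.
rotate_and_distribute() {
    cred=$IDP_HOME/credentials
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$cred/sealer.jks" \
        --storepass "$STOREPASS" --versionfile "$cred/sealer.kver" --alias secret || return 1
    tmp=$(mktemp -d) || return 1
    for node in $PEER_NODES; do
        scp -q "$cred/sealer.jks" "$cred/sealer.kver" "$node:$cred/" || return 1
        scp -q "$node:$cred/sealer.kver" "$tmp/$node.kver" || return 1
    done
    set -- "$cred/sealer.kver" "$tmp"/*.kver
    if kver_in_sync "$@"; then
        echo "cluster at key version $(kver_version "$cred/sealer.kver")"
        rm -rf "$tmp"
    else
        echo "key version mismatch between nodes; fix before the next rotation" >&2
        rm -rf "$tmp"; return 1
    fi
}
```

Install rotate_and_distribute in a cron job on the generating node only. The other nodes must not run seckeygen.sh themselves, otherwise their version counters diverge and a cookie sealed on one node cannot be unsealed on another, which shows up as users being asked to log in again after a failover; kver_in_sync is the check that catches exactly that.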

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation          eduPerson    staff
eduPersonScopedAffiliation    eduPerson    staff@example.org
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (screenshot of the Resource Registry)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata (diagram slide)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Diagram: "Increase the trust in Service Providers (SPs)". SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, r2ectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot slide)

Page 88

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log
  – LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    · …FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value
   – change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
         <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
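The following is an added shell wrapper, not one of the two reload scripts shipped under /opt/shibboleth-idp/bin and not a SWITCH script, around the reload-service admin flow from the previous slide: it accepts only the bean IDs listed above, builds the flow URL for the handout's placeholder host aai-login.example.org, and requests it with curl unless DRY_RUN=1 is set. Because the flow is restricted to localhost by default, run it on the IdP node itself.

```shell
#!/bin/sh
# Added example (not part of the SWITCH handout and not the IdP's own reload
# scripts): a guarded wrapper around the v3 "reload-service" admin flow.
# IDP_BASE uses the handout's placeholder host.

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}

# Bean IDs accepted by reload-service, as listed on the slide above.
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Return 0 if ID is one of the reloadable services, 1 otherwise.
is_reloadable_service() {            # usage: is_reloadable_service ID
    for s in $RELOADABLE_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Print the admin flow URL: KIND is "service" (bean ID) or "metadata"
# (metadata provider ID).
reload_url() {                       # usage: reload_url KIND ID
    printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# Trigger a service reload. Unknown IDs are refused before any request is
# made (exit 2). With DRY_RUN=1 only the URL is printed. curl -f turns an
# HTTP error status into a non-zero exit so a deploy script can react; the
# reason (e.g. a file that failed to parse) is in idp-process.log.
reload_service() {                   # usage: reload_service BEAN_ID
    if ! is_reloadable_service "$1"; then
        echo "refusing unknown service id '$1'" >&2
        return 2
    fi
    url=$(reload_url service "$1")
    if [ "${DRY_RUN:-}" = 1 ]; then
        echo "would GET $url"
        return 0
    fi
    curl -sSf "$url"
}
```

Validating the ID before the request is the point of the wrapper: a typo then fails locally and loudly instead of producing an error page from the IdP, and the same list documents which files each ID covers.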

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
  – check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
  – entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
    How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
    · SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    · If YES: the SP has to check out why it fails
    · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
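The "verify that attributes were released" step above can be automated against idp-audit.log. The following shell script is an added example, not from the handout: it lists the attribute IDs the IdP released to a given SP and checks the latest release against the SP's requirements from the Resource Registry, reporting along the decision tree of the slide. The record layout is an assumption: the v3 default audit format as I recall it, with the relying-party entity ID in field 4, the user name in field 9 and the comma-separated attribute list in field 11 (the reload event shown in the previous slide set, with the profile URI in field 5, fits this layout); check conf/audit.xml and adjust the column numbers. The log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): which attributes did the IdP
# release to an SP, according to idp-audit.log?
# ASSUMPTION: pipe-separated records in the v3 default audit layout as I
# recall it: field 4 = relying party entity ID, field 5 = profile URI,
# field 9 = user name, field 11 = comma-separated released attribute IDs.
# Check conf/audit.xml and adjust these column numbers for your deployment.
SP_COL=4; USER_COL=9; ATTR_COL=11

# Constructed sample log (not real data): a login with three attributes,
# a reload event, and a login to another SP where nothing was released.
write_sample_audit_log() {        # usage: write_sample_audit_log FILE
    cat > "$1" <<'EOF'
20150611T081501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|_n1|_s1|urn:oasis:names:tc:SAML:2.0:status:Success
20150611T081733Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T082010Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://sp-other.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_n2|_s2|urn:oasis:names:tc:SAML:2.0:status:Success
EOF
}

# Print the released attribute list of every record addressed to SP_ENTITY_ID
# (one line per record; empty line if the IdP released nothing).
released_attributes() {           # usage: released_attributes LOGFILE SP_ENTITY_ID
    awk -F'|' -v sp="$2" -v spc="$SP_COL" -v ac="$ATTR_COL" \
        '$spc == sp { print $ac }' "$1"
}

# Compare the latest release to SP_ENTITY_ID with the attributes the SP
# requires (from the Resource Registry). 0 = all released; 1 = no release
# found or something missing, with a hint matching the decision tree above.
check_required() {                # usage: check_required LOGFILE SP_ENTITY_ID ATTR...
    log=$1; sp=$2; shift 2
    last=$(released_attributes "$log" "$sp" | tail -n 1)
    if [ -z "$last" ]; then
        echo "NO release to $sp found: check your IdP's attribute release policy"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$last," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "INCOMPLETE release to $sp, missing:$missing (review your release policy)"
        return 1
    fi
    echo "COMPLETE release to $sp: $last (if the SP still fails, the SP has to investigate)"
    return 0
}
```

Typical use on the IdP: check_required /opt/shibboleth-idp/logs/idp-audit.log https://sp.example.org/shibboleth eduPersonPrincipalName mail, with the attribute IDs taken from the SP's entry in the Resource Registry. The audit log only tells you what left the IdP; the decryption failure described in the last bullet is invisible here and needs the SP's own log.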

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    · go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    · go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Persistent IDs in practice
• on the wire (in a SAML assertion):
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="https://aai-login.example.org/idp/shibboleth"
              SPNameQualifier="https://sp.example.org/shibboleth">jQ+KQZR4OHyNi9702kW5KIQFhk=</NameID>
• attribute rendering in the Shibboleth SP (string):
      https://aai-login.example.org/idp/shibboleth!https://sp.example.org/shibboleth!jQ+KQZR4OHyNi9702kW5KIQFhk=
• by default, the Shibboleth IdP creates the persistent ID proper by calculating the SHA-1 hash of the SP's entity ID plus a user attribute value plus an admin-specified salt (i.e. the output is 20 bytes, Base64 encoded)
• when used in a federation, always qualified by the IdP and SP entity IDs
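To make the hashing described in the third bullet tangible, here is an added shell example (not the IdP's code) that recomputes a persistent ID from the SP entity ID, the user's source attribute value and the salt, and renders it in the qualified form the Shibboleth SP produces. The '!' separators between the three hash inputs are an assumption based on how I know the Shibboleth ComputedId data connector concatenates them; verify before comparing with IDs from your own IdP. The salt and user value are constructed, the entity IDs are the handout's placeholders, and openssl is required.

```shell
#!/bin/sh
# Added example, not the IdP's code: recompute a persistent ID as the slide
# describes it (SHA-1 over SP entity ID, source attribute value and salt,
# Base64-encoded) and render the qualified string form the Shibboleth SP
# exposes. ASSUMPTION: the three inputs are joined with '!' as in the
# Shibboleth ComputedId data connector as I know it; verify against your IdP.
# Requires openssl. Salt and user value below are constructed.

# Base64(SHA-1(sp_entity_id ! source_value ! salt)): 20 bytes -> 28 characters.
persistent_id() {                 # usage: persistent_id SP_ENTITY_ID SOURCE_VALUE SALT
    printf '%s!%s!%s' "$1" "$2" "$3" | openssl dgst -sha1 -binary | openssl base64
}

# Qualified form: <IdP entityID>!<SP entityID>!<persistent ID>
qualified_id() {                  # usage: qualified_id IDP_ENTITY_ID SP_ENTITY_ID SOURCE_VALUE SALT
    printf '%s!%s!%s\n' "$1" "$2" "$(persistent_id "$2" "$3" "$4")"
}

# Show the property that makes the identifier useful: the same user gets a
# different, unlinkable value at every SP, and the value is stable only while
# the salt is unchanged (hence "carry over the salt from v2").
demo() {
    idp=https://aai-login.example.org/idp/shibboleth
    user=12345@example.org              # constructed source attribute value
    salt=constructed-salt-do-not-use    # constructed
    echo "SP 1:           $(qualified_id "$idp" https://sp.example.org/shibboleth "$user" "$salt")"
    echo "SP 2:           $(qualified_id "$idp" https://sp2.example.org/shibboleth "$user" "$salt")"
    echo "SP 1, new salt: $(qualified_id "$idp" https://sp.example.org/shibboleth "$user" other-salt)"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to see the three lines. Losing or changing the salt silently gives every user a new identity at every SP, which is why the handout insists on carrying the v2 salt value over, and why a consistent salt across all nodes matters in a cluster just as much as the database behind the stored variant.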

Persistent ID changes with the IdP v3
• no disruptive ones, but a couple of things have happened behind the scenes
• most importantly, the IdP v3 brings a new dedicated NameID generation service
  – preferred over the previous method available in v2, which treated name IDs as a sort of "special-purpose" attributes
  – deprecates the StoredId data connector and the SAML2NameID attribute definition type
  – in a pure v3 configuration and an ideal SAML 2 world, the IdP would only include NameIDs in the <Subject> element of an assertion
  – the configuration in the v3 SWITCH deployment guide has been updated to the new-style generation as far as possible, but still allows encoding of persistent IDs in SAML attributes

Page 43

Configuring the NameID generation service
• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
      idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
      idp.persistentId.store = PersistentIdStore
      idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry it over from your v2 configuration)

Retaining persistent IDs from your v2 IdP
• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
      me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
      me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
      sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

Page 44

(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
      $ sudo -iu postgres psql shibboleth
      shibboleth=# \pset pager off
      shibboleth=# \dS shibpid
      shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

Page 45

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

Page 46

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3?
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Page 47

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties (the IdP's shipped default is given in brackets)

Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per-attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists: which attributes to prompt for [all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except: attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties

Terms for each SP: default mapping using the entityID (the colon in the key has to be escaped in a properties file):

https\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mappings are configurable, but the key is still the entityID (a default value is available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add the text in messages/consent-messages.properties:

my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories:
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available:
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override
Disables the consent flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <!-- plain refs without p:postAuthenticationFlows: no consent prompt for these SPs -->
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

Upgrades within Version 3: It's easy now

SWITCHaai Team, aai@switch.ch

IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
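The procedure above as one non-interactive run, added here as an example (it is not a script from the slides or from the Shibboleth project). It adds two checks the list leaves to the operator: the detached PGP signature of the tarball is verified against a pinned keyring before anything is unpacked, and Tomcat is only restarted when install.sh and build.sh both returned success. Assumptions not stated on the slides: the layout of the download URLs, the keyring path, and that install.sh/build.sh accept -Didp.target.dir and -Didp.noprompt (as documented for IdP 3.1; check the Upgrading page for your version).

```shell
#!/bin/bash
# Added example, not a SWITCH or Shibboleth script: scripted in-place IdP v3 upgrade.
# Assumptions: release files under $DOWNLOAD_BASE/<version>/, signatures made with
# the Shibboleth release keys imported into $KEYRING, and the install/build flags below.
set -u

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
DOWNLOAD_BASE="${DOWNLOAD_BASE:-https://shibboleth.net/downloads/identity-provider}"
KEYRING="${KEYRING:-/etc/shibboleth-release-keys.gpg}"      # assumption: pinned release keys only
TOMCAT_RESTART="${TOMCAT_RESTART:-sudo service tomcat7 restart}"

# fetch_dist VERSION WORKDIR: download the tarball and its detached signature
fetch_dist() {
    local name="shibboleth-identity-provider-$1"
    curl -fsSL -o "$2/$name.tar.gz"     "$DOWNLOAD_BASE/$1/$name.tar.gz" &&
    curl -fsSL -o "$2/$name.tar.gz.asc" "$DOWNLOAD_BASE/$1/$name.tar.gz.asc"
}

# verify_dist TARBALL: verify against the pinned keyring, never the user's default one
verify_dist() {
    gpg --no-default-keyring --keyring "$KEYRING" --verify "$1.asc" "$1"
}

# upgrade_idp VERSION: returns non-zero, without touching $IDP_HOME, when the
# download or the signature check fails; returns 0 once the new version is running
upgrade_idp() {
    local version=$1 workdir tarball dist
    workdir=$(mktemp -d) || return 1
    tarball="$workdir/shibboleth-identity-provider-$version.tar.gz"
    fetch_dist "$version" "$workdir" || { echo "download failed" >&2; return 1; }
    verify_dist "$tarball" || { echo "bad or missing signature on $tarball, not installing" >&2; return 1; }
    tar -C "$workdir" -xzf "$tarball" || return 1
    dist="$workdir/shibboleth-identity-provider-$version"
    # install.sh upgrades in place and leaves conf/, views/, edit-webapp/ alone
    (cd "$dist" && ./bin/install.sh -Didp.target.dir="$IDP_HOME" -Didp.noprompt=true) || return 1
    "$IDP_HOME/bin/build.sh" -Didp.target.dir="$IDP_HOME" || return 1
    $TOMCAT_RESTART
}

# usage: upgrade_idp 3.1.2   (run as the user that owns /opt/shibboleth-idp)
```

Review the release notes between verify_dist and the install step if you prefer to look before the war file is rebuilt; the order of the remaining steps is the one from the slide.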

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata might still cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation description
• Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Home Organisation Description form: items 1 and 2 to review, item 3 to adapt]

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.

2. Change the URL for the Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/... or https://aai-aa.example.org/idp/...
to
  https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

How to check if a profile and binding can be removed: check whether it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used: check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns the information (i.e. time, SP) when the binding was used the last time.
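The log check above as an added example (shell; not from the slides), generalised to the removal candidates listed and to a profile keyword, because SAML1 artifact resolution and SAML1 attribute queries share the same SOAP binding URN and a bare grep cannot tell them apart. It assumes the process log lines start with the default logback timestamp and mention the binding URN and the relying party's entityID on the same line; the sample lines it writes are constructed for the demonstration, not real IdP output.

```shell
#!/bin/bash
# Added example, not from the slides: before deleting an endpoint from the
# Resource Registry, report when and by whom its binding was last used.
# Assumption: lines begin with "YYYY-MM-DD HH:MM:SS,mmm" and carry the binding URN
# and the relying party entityID on the same line.
set -u
LOGDIR="${LOGDIR:-/opt/shibboleth-idp/logs}"

# binding_usage BINDING [PROFILE]: prints "count first-date last-date" for lines
# with the binding URN (and the profile keyword, if given, e.g. AttributeQuery).
# Returns 1 when the binding was never seen, so it can drive an "if".
binding_usage() {
    local binding=$1 profile=${2:-} dates
    dates=$(grep -h -F -- "$binding" "$LOGDIR"/idp-process-*.log 2>/dev/null \
            | { if [ -n "$profile" ]; then grep -F -- "$profile"; else cat; fi; } \
            | cut -c1-10 | sort)
    if [ -z "$dates" ]; then echo "0 - -"; return 1; fi
    printf '%s %s %s\n' "$(printf '%s\n' "$dates" | wc -l | tr -d ' ')" \
        "$(printf '%s\n' "$dates" | head -n 1)" "$(printf '%s\n' "$dates" | tail -n 1)"
}

# relying_parties BINDING: distinct https URLs on matching lines (the SPs, plus the
# IdP's own entityID if the layout logs it; compare against metadata before acting)
relying_parties() {
    grep -h -F -- "$1" "$LOGDIR"/idp-process-*.log 2>/dev/null \
        | grep -o 'https://[^ ,]*' | sort -u
}

# report: the removal candidates from the slide, one line each
report() {
    local b
    for b in 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign' \
             'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'; do
        printf '%-58s %s\n' "$b" "$(binding_usage "$b" || true)"
    done
}

# write_sample_logs DIR: constructed lines in the layout assumed above
write_sample_logs() {
    mkdir -p "$1"
    cat > "$1/idp-process-2015-03-02.log" <<'EOF'
2015-03-02 09:15:01,123 - INFO [net.shibboleth.idp.example:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, profile AttributeQuery, relying party https://sp-old.example.org/shibboleth
2015-03-02 09:16:44,001 - INFO [net.shibboleth.idp.example:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, profile SSO, relying party https://sp.example.org/shibboleth
EOF
    cat > "$1/idp-process-2015-05-20.log" <<'EOF'
2015-05-20 17:02:10,555 - INFO [net.shibboleth.idp.example:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, profile ArtifactResolution, relying party https://sp-old.example.org/shibboleth
EOF
}

if [ "${1:-}" = "--demo" ]; then      # ./check-bindings.sh --demo  runs against constructed logs
    LOGDIR=$(mktemp -d); write_sample_logs "$LOGDIR"; report
fi
```

Note that the search string must be the full URN: grepping for HTTP-POST alone also matches the SimpleSign variant, and the plain SAML2 HTTP-POST endpoint is one you want to keep.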

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially: user login sessions are stored on the client instead of in server memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment [figure]

Options: Load Balancing Hardware vs DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side

• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
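An added example of the cronjob the slide asks for (shell; it is not the script from the Shibboleth wiki, and the file locations, node list, password file and the seckeygen.sh options at the top are assumptions to adapt). The point it makes beyond the slide: the keystore is copied to every node before the version file, so no node ever reads a CurrentVersion whose key it does not hold yet.

```shell
#!/bin/bash
# Added example, not the wiki's script: rotate the cookie-sealing key on one node
# and push it to the others. Assumptions: paths, node list, password file and the
# seckeygen.sh option names below (check bin/seckeygen.sh --help on your version).
set -u

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
SECKEYGEN="${SECKEYGEN:-$IDP_HOME/bin/seckeygen.sh}"
STOREFILE="${STOREFILE:-$IDP_HOME/credentials/sealer.jks}"
VERSIONFILE="${VERSIONFILE:-$IDP_HOME/credentials/sealer.kver}"
PASSFILE="${PASSFILE:-$IDP_HOME/credentials/sealer.password}"   # assumption: root-only file with the keystore password
NODES="${NODES:-idp2.example.org idp3.example.org}"              # every node except the one running this script
KEEP="${KEEP:-30}"     # key versions kept; must cover the longest session lifetime times the rotation interval

# current_version: the key version the IdP is using right now (0 if no version file yet)
current_version() {
    [ -r "$VERSIONFILE" ] || { echo 0; return; }
    sed -n 's/^CurrentVersion=//p' "$VERSIONFILE"
}

# rotate_key: add the next key to the keystore (keeping the last $KEEP) and bump the version file
rotate_key() {
    "$SECKEYGEN" --storefile "$STOREFILE" --storepass "$(cat "$PASSFILE")" \
                 --versionfile "$VERSIONFILE" --alias secret --count "$KEEP"
}

# distribute: keystore first, version pointer last, per node
distribute() {
    local node
    for node in $NODES; do
        scp -q "$STOREFILE"   "root@$node:$STOREFILE"   || return 1
        scp -q "$VERSIONFILE" "root@$node:$VERSIONFILE" || return 1
    done
}

# rotate_and_distribute: refuses to ship anything if the version did not advance
rotate_and_distribute() {
    local before after
    before=$(current_version)
    rotate_key || { echo "key generation failed" >&2; return 1; }
    after=$(current_version)
    [ "$after" -gt "$before" ] || { echo "version file not advanced" >&2; return 1; }
    distribute
}

# cron entry on the generating node, e.g.:  0 3 * * * /usr/local/sbin/rotate-sealer-key.sh
```

The IdP re-reads the keystore on its own, so no restart is needed on any node; a node whose scp failed keeps using the previous version and still decrypts cookies sealed with it, which is why the script stops at the first failed copy rather than continuing.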

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[Figure: world map of production and pilot federations; source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
[Screenshot of the Resource Registry interfederation option]
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in to eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN document hierarchy: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata [figure]

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Figure: increase the trust in Service Providers (SPs): SPs commit to the GÉANT Data Protection Code of Conduct, Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules [figure]

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) [screenshot]

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt (the AccessLogValve; localhost.YYYY-MM-DD.log is the application log written via logging.properties): access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok
• Change it if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<!-- SMTPAppender sends only on ERROR events by default (OnErrorEvaluator), so the
     DEBUG root level below does not produce one mail per log line -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
• say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed under "Available bean IDs for service reloads" (slide 4):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
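Two small helpers for the exercises above, added here as an example in Python (not SWITCH or Shibboleth code): building the reload URL for a service bean while catching bean IDs that are not reloadable, and picking the reload events out of idp-audit.log lines. The audit lines and the IdP host name are constructed; only the profile URIs quoted on the slide are relied on.

```python
"""Helpers for the IdP v3 admin reload flows: build the reload URL for a
service bean and pick reload events out of idp-audit.log.
Added example in Python; not code from SWITCH or the Shibboleth project."""
from urllib.parse import urlencode

# Service bean IDs that the handout lists as reloadable.
RELOADABLE_SERVICES = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}

# Profile URIs the audit log records for the two admin flows (quoted above).
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}


def is_reloadable(bean_id):
    """True if the bean ID names a service the admin reload flow accepts."""
    return bean_id in RELOADABLE_SERVICES


def reload_url(idp_base, bean_id, flow="reload-service"):
    """Build https://<idp>/idp/profile/admin/<flow>?id=<id>.

    For reload-service, a bean ID that is not reloadable is rejected here so
    that a typo is caught before a request is sent (the exercise above asks
    what the IdP itself does with an invalid ID). For reload-metadata the id
    is a metadata provider ID and is passed through unchecked."""
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown admin flow: %s" % flow)
    if flow == "reload-service" and not is_reloadable(bean_id):
        raise ValueError("not a reloadable service bean: %s" % bean_id)
    return "%s/idp/profile/admin/%s?%s" % (
        idp_base.rstrip("/"), flow, urlencode({"id": bean_id}))


def reload_events(audit_lines):
    """Return [(timestamp, flow)] for every reload recorded in idp-audit.log.

    Audit lines are '|'-separated; the first field is the timestamp and one
    field carries the profile URI. Only the URI is matched, so the field
    order configured in audit.xml does not matter for this check."""
    events = []
    for line in audit_lines:
        fields = line.rstrip("\n").split("|")
        for field in fields[1:]:
            if field in RELOAD_PROFILES:
                events.append((fields[0], RELOAD_PROFILES[field]))
                break
    return events


# Constructed idp-audit.log lines shaped like the entries quoted above;
# the third is an ordinary SAML2 SSO login for contrast.
SAMPLE_AUDIT = [
    "20150611T091502Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    "20150611T091530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T092001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c0ffee|"
    "https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "https://aai-login.example.org/idp/shibboleth||||user1||||",
]

if __name__ == "__main__":
    for bean in sorted(RELOADABLE_SERVICES):
        print(reload_url("https://aai-login.example.org", bean))
    for when, flow in reload_events(SAMPLE_AUDIT):
        print(when, flow)
```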

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Configuring the NameID generation service

• configure the parameters for the service in /opt/shibboleth-idp/conf/saml-nameid.properties:
  idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
  idp.persistentId.store = PersistentIdStore
  idp.persistentId.sourceAttribute = swissEduPersonUniqueID.withoutAttributeEncoder
• to enable the generating side of the service, remove the comments around the shibboleth.SAML2PersistentGenerator bean reference in /opt/shibboleth-idp/conf/saml-nameid.xml
• to support the reverse mapping (from a persistent ID back to a user), remove the comments around the c14n/SAML2Persistent bean reference in /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
• finally, add the proper idp.persistentId.salt value to /opt/shibboleth-idp/conf/credentials.properties (carry over from your v2 configuration)

Retaining persistent IDs from your v2 IdP

• the database schema for the shibpid table remains unchanged
• when setting up a new IdP v3 from scratch, SWITCH recommends PostgreSQL as the database backend (unless relying on an existing, separately hosted RDBMS)
• "transferring" the records from MySQL to PostgreSQL is straightforward:
  me@idpv2:~$ sudo mysqldump --compatible=postgres --compact --no-create-info --result-file=shibpid.sql shibboleth shibpid
  me@idpv3:~$ sudo -iu postgres psql shibboleth --file=/path/to/shibpid.sql
• make sure to import the records into an empty table, i.e. execute
  sudo -u postgres psql shibboleth -c 'truncate shibpid'
  before importing a newer version of a full dump

(Some ideas for) hands-on exercises

• examine the current contents of the shibpid table:
  $ sudo -iu postgres psql shibboleth
  shibboleth=# \pset pager off
  shibboleth=# \dS shibpid
  shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release

SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces

1. Attribute release consent [enabled]
2. Terms of use consent [disabled]

Both prompt the user on first access to every SP and again when attributes or terms change.

What's in version 3

• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove

• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?

• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?

• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users or let them decide

When should consent be sought?

• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.

• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour

• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

• White & black lists: which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.

• Terms for each SP
  • Default mapping using the entityID (the colon in the key must be escaped in a properties file):
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
  • Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
</bean>

• Add text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want
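The three key beans shown above (entityID as key, Functions.forMap with a default, Functions.constant) and the properties lookup that follows them, modelled in Python as an added example (not Shibboleth or SWITCH code). The properties content is constructed from the slides; the extra alias step, where a ToU key such as my-terms maps once more to bogus-tou before .title/.text are read, is my reading of the hands-on and is marked as an assumption in the code.

```python
"""How a terms-of-use text is found for an SP: the key bean turns the relying
party's entityID into a ToU key, and messages/consent-messages.properties
supplies title and text for that key. Added example in Python, not
Shibboleth or SWITCH code."""

# Constructed consent-messages.properties in the layout shown above.
# In a Java properties file a ':' inside a key must be escaped as '\:'.
CONSENT_MESSAGES = r"""
# entityID -> ToU key (default key bean: the entityID itself)
https\://sp.example.org/shibboleth = example-terms
example-terms.title = Example Terms of Use
example-terms.text = <em>This is an example ToU</em>
# hands-on: one ToU for every SP
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key = value',
    'key: value' or 'key value', and backslash escapes inside the key."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, escaped, i = "", False, 0
        while i < len(line):
            ch = line[i]
            if escaped:
                key += ch
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch in "=: \t":
                break
            else:
                key += ch
            i += 1
        # Skip whitespace and at most one separator before the value.
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = rest
    return props


def key_identity(entity_id):
    """Default key bean: the entityID is the lookup key."""
    return entity_id


def key_for_map(mapping, default):
    """Functions.compose(Functions.forMap(map, default), RelyingPartyIdLookup):
    known entityIDs map to their ToU key, all others to the default."""
    return lambda entity_id: mapping.get(entity_id, default)


def key_constant(key):
    """Functions.constant(key): the same ToU for every SP (the hands-on)."""
    return lambda entity_id: key


def resolve_terms(entity_id, props, key_fn):
    """Return {'key', 'title', 'text'} for the SP, or None when the chain ends
    at a key that has no title/text, which is the misconfiguration to check for."""
    tou_key = key_fn(entity_id)
    # Assumption: a plain 'key = other-key' line is followed once more,
    # as 'my-terms = bogus-tou' in the hands-on suggests.
    target = props.get(tou_key, tou_key)
    title = props.get(target + ".title")
    text = props.get(target + ".text")
    if title is None or text is None:
        return None
    return {"key": target, "title": title, "text": text}


if __name__ == "__main__":
    props = parse_properties(CONSENT_MESSAGES)
    print(resolve_terms("https://sp.example.org/shibboleth", props, key_identity))
    print(resolve_terms("https://other.example.org/sp", props, key_constant("my-terms")))
```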

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category">
                <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                <saml:AttributeValue>switch.ch</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                <saml:AttributeValue>others</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="ShibbolethSSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form, annotated: 1, 2 to review; 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
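The grep above answers one binding at a time; the following added Python example (not Shibboleth or SWITCH code) generalises it: it scans idp-process.log lines for any SAML 1.x/2.0 binding URI, records the last use and the SP named on the same line, and reports which of the candidate endpoints above have not been used within the last few months. The log lines are constructed and their message wording is an assumption; only the timestamp prefix and the binding URIs are relied on.

```python
"""Find out whether an endpoint binding is still used before removing it from
the Resource Registry: scan idp-process.log lines for SAML binding URIs and
report the last use per binding. Added example in Python, not Shibboleth or
SWITCH code; the sample log lines are constructed."""
import re
from datetime import datetime, timedelta

# idp-process.log lines start with 'YYYY-MM-DD HH:MM:SS,mmm'.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+")
# An SP identifier mentioned on the same line, if any (wording assumed).
RELYING_PARTY_RE = re.compile(r"relying party[ :]+(\S+)")

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed log excerpt; logger names and message wording are illustrative.
SAMPLE_LOG = """\
2015-01-20 10:12:03,114 - INFO [example.SsoProfile:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://old-sp.example.org/shibboleth
2015-06-10 08:30:41,987 - INFO [example.SsoProfile:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
2015-06-10 08:31:02,003 - DEBUG [example.Authn:1] - Login for user1 succeeded
2015-06-11 09:15:27,420 - INFO [example.SsoProfile:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp2.example.org/shibboleth
"""


def last_use_by_binding(lines):
    """Return {binding URI: (datetime of last use, relying party or None)}."""
    last = {}
    for line in lines:
        m_ts = TIMESTAMP_RE.match(line)
        m_b = BINDING_RE.search(line)
        if not (m_ts and m_b):
            continue
        when = datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S")
        m_rp = RELYING_PARTY_RE.search(line)
        rp = m_rp.group(1) if m_rp else None
        binding = m_b.group(0)
        if binding not in last or when > last[binding][0]:
            last[binding] = (when, rp)
    return last


def removal_candidates(candidates, usage, today, months=3):
    """Split `candidates` into bindings not seen within the last `months`
    months (30-day months; these may be removed from the Resource Registry)
    and bindings still in use, reported with their last use.
    `today` is a 'YYYY-MM-DD' string."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=30 * months)
    removable, keep = [], {}
    for binding in candidates:
        seen = usage.get(binding)
        if seen is None or seen[0] < cutoff:
            removable.append(binding)
        else:
            keep[binding] = seen
    return removable, keep


if __name__ == "__main__":
    usage = last_use_by_binding(SAMPLE_LOG.splitlines())
    removable, keep = removal_candidates(
        [SAML1_SOAP, SAML2_POST_SIMPLESIGN, SAML2_POST], usage, "2015-06-11")
    print("not used recently:", removable)
    print("still in use:", keep)
```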

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (two diagram slides)

Options

• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
(map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry

Recommended Interfederation Attributes

Friendly name                                      | Defined in | Example
displayName                                        | eduPerson  | Peter Sample
common name (cn)                                   | eduPerson  | Peter Sample
mail                                               | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                             | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                              | SCHAC      | example.org
schacHomeOrganizationType                          | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
(screenshot of the Resource Registry; https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(figure: the eduGAIN policy framework, made up of the Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution and eduGAIN Declaration)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata
(screenshot)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes; attribute release will scale
Increase the trust in Service Providers (SPs)
(figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
(screenshot)

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(screenshot)

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback, the Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually ok; change them if required, i.e.
    o LDAP Auth Module or authentication events
    o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   – change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml:
   – set log level to DEBUG for logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   – [org.ldaptive.auth.Authenticator:284]
   – [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=<bean-id>
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=<md-id>
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties)

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date, Interfederation Metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out beforehand
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to check out why it fails
      · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
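The two audit-log checks from these slides, the reload events from the hands-on exercise and the "were all required attributes released?" decision above, as an added Python example that is not part of the SWITCH handouts or of the IdP software. It splits idp-audit.log lines on the | separator; the position of the profile URI follows the sample lines on the reload slide, while the other column positions and the log lines themselves are constructed assumptions for this example.

```python
"""Inspect constructed idp-audit.log lines: list reload events and check
which attributes were released to a relying party."""
from collections import defaultdict

# Column positions in the '|'-separated audit line. The profile URI position
# follows the slide's sample lines (four separators before the URI); the other
# positions are assumptions for this constructed deployment.
COL_TIMESTAMP = 0
COL_RELYING_PARTY = 3
COL_PROFILE = 4
COL_ATTRIBUTES = 10

RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}

# Constructed sample log: two reload events and two SSO responses to
# hypothetical SPs, one of which received no attributes at all.
SAMPLE_LOG = """\
20150611T081500Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T081530Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T082000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1b2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|||jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,eduPersonScopedAffiliation|
20150611T082100Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_c3d4|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|||jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||
"""


def audit_records(text):
    """Yield each non-empty audit line split into its fields."""
    for line in text.splitlines():
        if line.strip():
            yield line.split("|")


def reload_events(text):
    """Return (timestamp, short profile name) for every reload event.

    As the slide notes, the audit line records only the profile URI, not the
    id= argument of the request, so the bean ID cannot be recovered here."""
    events = []
    for fields in audit_records(text):
        if len(fields) > COL_PROFILE and fields[COL_PROFILE] in RELOAD_PROFILES:
            events.append((fields[COL_TIMESTAMP],
                           fields[COL_PROFILE].rsplit("/", 1)[1]))
    return events


def released_attributes(text):
    """Map relying party entityID -> set of attribute IDs released to it."""
    released = defaultdict(set)
    for fields in audit_records(text):
        if len(fields) <= COL_ATTRIBUTES or fields[COL_PROFILE] in RELOAD_PROFILES:
            continue
        attrs = {a for a in fields[COL_ATTRIBUTES].split(",") if a}
        released[fields[COL_RELYING_PARTY]].update(attrs)
    return dict(released)


def check_release(text, relying_party, required):
    """Troubleshooting decision from the slide.

    Returns ("no-response", required) if the IdP never answered this SP,
    ("missing", names) if some required attributes were withheld (review the
    attribute release policy), or ("ok", empty set) if the SP got everything
    it needs (then the SP side has to find out why access still fails)."""
    got = released_attributes(text).get(relying_party)
    if got is None:
        return "no-response", set(required)
    missing = set(required) - got
    return ("missing", missing) if missing else ("ok", set())
```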

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    · pick the country where the entity might be registered
    · under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities
    · go to https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker
    · go to https://wiki.edugain.org/isFederatedCheck
    · provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    · go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    · go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


(Some ideas for) hands-on exercises
• examine the current contents of the shibpid table:
    $ sudo -iu postgres psql shibboleth
    shibboleth=# \pset pager off
    shibboleth=# \dS shibpid
    shibboleth=# select * from shibpid;
• delete a record from the shibpid table and "recreate" it by logging in again with the respective account (on the proper SP)
• dump the shibpid table to a file, purge the table with truncate and reimport the records
• log in to your v2 [test] IdP, figure out the current number of shibpid records and make a dump of that table

User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides
• Post-authentication flows
  – Attribute consent [enabled]
  – Terms of use consent [disabled]

Example conf/relying-party.xml: Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  – Ask me again if information changes: always available to users
  – Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  – Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists: which attributes to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

• Add text in messages/consent-messages.properties

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>
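To see what the tag-based override above actually matches on, here is an added Python example (not part of the SWITCH handouts or of the IdP software) that reads the EntityAttributes extension of an SP's metadata, as in the metadata example above, lists the entity categories, and applies the TagCandidate match. The metadata is constructed for a hypothetical SP, and the match semantics (attribute Name present with at least one of the configured values) are an assumption about the bean's behaviour.

```python
"""Read the EntityAttributes of an SP's metadata and apply the tag match that
the relying-party override above configures."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SWISS_EDU_PERSON_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"

# Constructed metadata for a hypothetical SP, shaped like the slide's example.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                      Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
"""


def entity_attributes(metadata_xml):
    """Return {attribute Name: set of values} from <mdattr:EntityAttributes>.
    Values are stripped because they are often wrapped in whitespace."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = {(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def entity_categories(attrs):
    """Entity categories (CoCo, R&S, ...) the SP is tagged with."""
    return attrs.get(ENTITY_CATEGORY, set())


def tag_candidate_matches(attrs, name, values):
    """Assumed semantics of the TagCandidate bean: the entity carries an
    attribute with this Name and at least one of the configured values."""
    return bool(attrs.get(name, set()) & set(values))


def consent_prompt_required(metadata_xml, own_home_organizations):
    """True unless the override for the home organisation's own SPs applies,
    i.e. the SP is tagged with one of own_home_organizations."""
    attrs = entity_attributes(metadata_xml)
    return not tag_candidate_matches(attrs, SWISS_EDU_PERSON_HOME_ORG,
                                     own_home_organizations)
```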

Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service
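The procedure above as one script, added here as an example (it is not part of the SWITCH handouts or of the Shibboleth distribution). Two checks are placed in front of the installer that the slide leaves implicit: the downloaded tarball is compared against its published SHA-256 checksum before anything is unpacked, and the unmanaged directories are copied aside so a bad upgrade can be rolled back. Assumptions: IDP_HOME is /opt/shibboleth-idp, the checksum file is the "<hex>  <filename>" line published next to the tarball, backups go under /var/backups, and Tomcat is restarted with the command shown on the slide.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts or the Shibboleth distribution:
# the upgrade steps from the slide as one script, with two checks in front.
# Assumptions (adjust to your site): IDP_HOME is /opt/shibboleth-idp, the
# checksum file is the "<hex>  <filename>" line published next to the tarball,
# backups go to /var/backups, and Tomcat is restarted as on the slide.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups}"

# sha256_of <file>: hex digest, using whichever tool the platform has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum <tarball> <checksum-file>: succeed only if the first word of
# the checksum file equals the tarball's digest; anything else is a corrupt or
# tampered download and must not reach install.sh
verify_checksum() {
    expected=$(awk 'NR == 1 { print tolower($1) }' "$2" 2>/dev/null || true)
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# backup_unmanaged <idp-home> <backup-dir>: copy the directories the installer
# never touches (your configuration), so a bad upgrade can be rolled back
backup_unmanaged() {
    mkdir -p "$2"
    for d in conf views edit-webapp credentials metadata messages; do
        if [ -d "$1/$d" ]; then cp -a "$1/$d" "$2/"; fi
    done
}

restart_tomcat() {
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl restart tomcat.service      # Red Hat / CentOS 7
    else
        sudo service tomcat7 restart               # Ubuntu 14.04
    fi
}

# upgrade_idp <tarball> <checksum-file>
upgrade_idp() {
    verify_checksum "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    backup_unmanaged "$IDP_HOME" "$BACKUP_ROOT/shibboleth-idp-$(date +%Y%m%d-%H%M%S)"
    workdir=$(mktemp -d)
    tar -xzf "$1" -C "$workdir"
    distdir=$(find "$workdir" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    # install.sh finds the existing deployment in IDP_HOME and upgrades it in
    # place (it is interactive and leaves conf/, views/ etc. alone)
    ( cd "$distdir" && ./bin/install.sh )
    "$IDP_HOME/bin/build.sh"        # rebuild idp.war with your edit-webapp overlay
    rm -rf "$workdir"
    restart_tomcat
    echo "now review the release notes for configuration changes the new version expects"
}

# usage: sh upgrade-idp.sh shibboleth-identity-provider-3.1.1.tar.gz shibboleth-identity-provider-3.1.1.tar.gz.sha256
if [ "$#" -eq 2 ]; then upgrade_idp "$1" "$2"; fi
```

The backup is the cheap part of the script and the one you will be glad of: the installer really does leave the unmanaged directories alone, but a release that changes a default (see the "Good to know" slide) can still leave you wanting the previous conf/ to diff against.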


Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp: anything you change there is silently overwritten by the next upgrade. Customizations belong in edit-webapp, conf and views.
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.


References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes


Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 metadata.


Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.


IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore no metadata/Resource Registry change is needed, in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch/


Home Organisation Description (screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)


1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.


2. Change URL for Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)


2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)


But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata. Authentication of the requester therefore moves from the TLS layer to the SAML message itself, which is why the metadata (and its signing key) must be trusted and current.


2. Change URL for Attribute Authority
What to adapt in the Resource Registry, then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/


3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.


3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs/
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns the information (i.e. time, SP) when the binding was used the last time.
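The grep above answers "was it ever used"; for the Resource Registry decision you usually want "by whom, and when last". The script below is an added example, not part of the SWITCH handouts: it reads the structured idp-audit.log instead of idp-process.log and prints, per relying party, the last time each SAML binding was served. Assumption: the audit lines use the IdP v3 default layout whose first seven pipe-separated fields are time, inbound binding, inbound message id, relying party, profile, IdP id and outbound binding (check conf/audit.xml; the field numbers are the only thing to adjust if yours differs). The sample log lines are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: summarise per relying party
# which SAML bindings the IdP has really served, from idp-audit.log, so that
# endpoints are removed from the Resource Registry with evidence.
# Assumption: IdP v3 default audit layout, first seven fields being
#   time|inbound binding|inbound message id|relying party|profile|IdP id|outbound binding
# (see conf/audit.xml; adjust $2/$4/$7 below if your layout differs).
set -eu

# binding_usage <audit-log>...: one line per (binding, relying party) as
#   <last seen>|<count>|<binding>|<relying party>
# Both the inbound and the outbound binding are counted: a SAML 1 attribute
# query arrives over SOAP, a browser login is answered over HTTP-POST.
binding_usage() {
    awk -F'|' '
        $2 != "" { k = $2 "|" $4; n[k]++; if ($1 > last[k]) last[k] = $1 }
        $7 != "" { k = $7 "|" $4; n[k]++; if ($1 > last[k]) last[k] = $1 }
        END { for (k in n) print last[k] "|" n[k] "|" k }
    ' "$@" | sort
}

# last_use_of <binding-uri> <audit-log>...: newest timestamp for that binding,
# empty output if it never occurs (then the endpoint is a removal candidate)
last_use_of() {
    b=$1; shift
    binding_usage "$@" | awk -F'|' -v b="$b" '$3 == b && $1 > m { m = $1 } END { if (m != "") print m }'
}

# Constructed sample log (not real traffic) in the assumed layout: two browser
# logins from sp1 and one SAML 1 attribute query from a legacy SP.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
20150601T081500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp1.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|jdoe
20150602T093000Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a2|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r2|jdoe
20150610T174500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a3|https://sp1.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r3|asmith
EOF

# On a real IdP: binding_usage /opt/shibboleth-idp/logs/idp-audit*.log
binding_usage "$SAMPLE_LOG"
echo "SAML1 SOAP last used: $(last_use_of urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding "$SAMPLE_LOG")"
echo "SimpleSign last used: $(last_use_of urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign "$SAMPLE_LOG")"
```

Run it over all rolled audit files for the retention period you care about; an empty "last used" for HTTP-POST-SimpleSign or the SAML1 SOAP binding is the evidence the slide asks for before deleting the endpoint.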


SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster


Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering


Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism


Example Environment (diagram)


Options
• Full-featured setup: load balancing hardware vs. DNS round robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS round robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy


Options
• Data storage: client-side vs. server-side
  • A server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.


Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries


Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node: a message replayed against a different node is not detected (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used


Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)


IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)


IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
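The recommendation table and the property names above combine into a check that can be run identically on every node; the script below is an added example and not part of the SWITCH handouts. It reads a node's idp.properties, fills in the IdP v3 defaults for unset properties, and warns about every setting under which a session, consent or artifact would be visible to one node only. Assumptions: the property names are the ones listed on the storage slide, and "common database" means the shibboleth.JPAStorageService bean of the SWITCH deployment (override SHARED_STORAGE if your bean is named differently). The two property files are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: audit a node's idp.properties
# against the clustering recommendation table and report every deviation.
# Assumptions: IdP v3 property names as on the slide, "common database" is the
# shibboleth.JPAStorageService bean (override SHARED_STORAGE if needed),
# unset properties fall back to the IdP v3 defaults.
set -eu

SHARED_STORAGE="${SHARED_STORAGE:-shibboleth.JPAStorageService}"

# prop <properties-file> <key>: value of the first uncommented "key = value"
# line, empty if the key is absent
prop() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        {
            key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == k) {
                v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# shared_or_warn <entity> <value>: 0 only if the value is the common database
shared_or_warn() {
    if [ "$2" = "$SHARED_STORAGE" ]; then
        echo "OK   $1 $2"
    else
        echo "WARN $1 $2 (not shared across the cluster)"; return 1
    fi
}

# check_storage <properties-file>: one line per storage entity; returns the
# number of settings that would break session/consent/artifact sharing
check_storage() {
    f=$1; warnings=0
    session=$(prop "$f" idp.session.StorageService)
    session=${session:-shibboleth.ClientSessionStorageService}
    consent=$(prop "$f" idp.consent.StorageService)
    consent=${consent:-shibboleth.ClientPersistentStorageService}
    artifact=$(prop "$f" idp.artifact.StorageService)
    artifact=${artifact:-shibboleth.StorageService}
    replay=$(prop "$f" idp.replayCache.StorageService)
    replay=${replay:-shibboleth.StorageService}

    # user session: client-side cookie, so it survives a node failure
    if [ "$session" = "shibboleth.ClientSessionStorageService" ]; then
        echo "OK   session  $session"
    else
        echo "WARN session  $session (not client-side: users lose their session when the node goes)"
        warnings=$((warnings + 1))
    fi
    # consents and artifacts: every node must see the same data
    shared_or_warn consent "$consent" || warnings=$((warnings + 1))
    shared_or_warn artifact "$artifact" || warnings=$((warnings + 1))
    # replay cache: per-node memory is the default; a message replayed against
    # another node is then not detected, so shared storage is the stricter choice
    if [ "$replay" = "$SHARED_STORAGE" ]; then
        echo "OK   replay   $replay"
    else
        echo "INFO replay   $replay (per node; use $SHARED_STORAGE or memcached for cross-node replay detection)"
    fi
    return $warnings
}

# Constructed samples: the single-node defaults, and a node configured as the
# recommendation table suggests.
SINGLE_NODE=$(mktemp); cat > "$SINGLE_NODE" <<'EOF'
# idp.properties excerpt (constructed): defaults of a single-node IdP
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
CLUSTER_NODE=$(mktemp); cat > "$CLUSTER_NODE" <<'EOF'
# idp.properties excerpt (constructed): cluster node, common PostgreSQL database
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF

for f in "$SINGLE_NODE" "$CLUSTER_NODE"; do
    echo "== $f"
    check_storage "$f" || echo "-> $? setting(s) to fix before joining the cluster"
done
# On a real node: check_storage /opt/shibboleth-idp/conf/idp.properties
```

The Persistent ID store is deliberately not covered: it lives in global.xml as the PersistentIdStore bean, not in idp.properties, so it needs a look at the data source definition rather than a property value.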


IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
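The cronjob for the key-generating node, written out as an added example (it is neither the wiki's script nor part of the SWITCH handouts). Besides generating and copying the key it verifies afterwards that every peer reports the same key version, which is the failure you otherwise only notice when users on one node are logged out. Assumptions: the default key store credentials/sealer.jks and version file credentials/sealer.kver, the store password in idp.properties under idp.sealer.storePassword, peers reachable over ssh/scp as the user running the IdP, and seckeygen.sh taking the --storefile, --storepass, --versionfile and --alias options shown on the wiki page referenced above.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts and not the wiki's own
# script: cronjob for the one node that generates the cookie-sealing key and
# distributes it. Assumptions: default store credentials/sealer.jks and
# version file credentials/sealer.kver, the store password in idp.properties
# (idp.sealer.storePassword), peers reachable over ssh/scp as the IdP user,
# seckeygen.sh accepting --storefile/--storepass/--versionfile/--alias.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PEERS="${PEERS:-}"              # e.g. PEERS="idp2.example.org idp3.example.org"
KVER="$IDP_HOME/credentials/sealer.kver"
JKS="$IDP_HOME/credentials/sealer.jks"

# key_version: reads a sealer.kver (a Java properties file with a
# "CurrentVersion=N" line) on stdin and prints N, or 0 if there is none
key_version() {
    awk -F= '$1 == "CurrentVersion" { v = $2 } END { print (v == "" ? 0 : v) }'
}

local_kver()  { cat "$KVER"; }
remote_kver() { ssh "$1" cat "$KVER"; }

# rotate_key: add the next key version to the local store (older versions are
# kept, so cookies sealed before the rotation still decrypt)
rotate_key() {
    pass=$(awk -F= '$1 ~ /^idp\.sealer\.storePassword[[:space:]]*$/ { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }' "$IDP_HOME/conf/idp.properties")
    [ -n "$pass" ] || { echo "idp.sealer.storePassword not set" >&2; return 1; }
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$JKS" --storepass "$pass" \
        --versionfile "$KVER" --alias secret
}

# push_to_peers: copy store and version file; the IdP watches the version
# file, so the peers pick the new key up without a restart
push_to_peers() {
    for host in $PEERS; do
        scp -q "$JKS" "$KVER" "$host:$IDP_HOME/credentials/"
    done
}

# peers_in_sync: 0 only if every peer reports the same CurrentVersion as this node
peers_in_sync() {
    mine=$(local_kver | key_version)
    for host in $PEERS; do
        theirs=$(remote_kver "$host" | key_version)
        if [ "$theirs" != "$mine" ]; then
            echo "$host has key version $theirs, this node has $mine" >&2
            return 1
        fi
    done
    return 0
}

main() {
    rotate_key
    push_to_peers
    peers_in_sync
}

# cron entry on the key-generating node only, e.g. weekly:
#   15 3 * * 1  idp  /opt/shibboleth-idp/bin/rotate-sealer-key.sh rotate
if [ "${1:-}" = "rotate" ]; then main; fi
```

Install the cron entry on exactly one node; two nodes both generating keys produce two diverging stores, and the last scp wins on each peer.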


Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3


Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?


References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage


SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales


SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations


All Academic Identity Federations Globally (map: production and pilot federations)
Source: https://refeds.org/federations/federations-map


eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963
http://www.edugain.org/
https://technical.edugain.org/status.php


Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.


Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases


Enabling Interfederation (2) (screenshot of the Resource Registry)
https://www.switch.ch/aai/interfederation/


eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram of the eduGAIN policy set: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry


Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
• Criteria: purpose, policies, or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram of an entity category in metadata)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs).
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct


GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence


Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook


Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct


REFEDS Research & Scholarship
• R&S SPs support research & scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)


Comparison

                  REFEDS R&S                   GÉANT DP CoCo
Scope             Global                       Mainly Europe
Basis             Common purpose of the SPs    Common data protection standards
Attributes        Fixed set of attributes      SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (diagram)


Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf


Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)


Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; in services.properties, entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error


Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance


Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml; three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g. for the LDAP auth module or authentication events, a new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default


SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html


Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat


Hands On 2: Find out why not all of the attributes appear (screenshot of the attribute viewer)


Hands On 2 (continued)
1. cd /opt/shibboleth-idp/conf/
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat


Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check


New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward


Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
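The curl call from the previous slide and the bean list above combine into a small wrapper, added here as an example that is not part of the SWITCH handouts: give it the file you edited, it derives the owning service, refuses to reload a file that is not well-formed XML (the service would keep its old configuration and log an error, but you would find that out later than you want), and reports the HTTP status of the admin flow. Assumptions: the IdP answers at https://aai-login.example.org (variable IDP_BASE), the script runs on the IdP host itself so the localhost rule in access-control.xml admits it, and xmllint is installed (the syntax check is skipped with a warning otherwise).

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: reload the service owning an
# edited configuration file, refusing if the file is not well-formed XML.
# Assumptions: IdP at IDP_BASE, script run on the IdP host (localhost is
# allowed by access-control.xml), xmllint available for the syntax check.
set -eu

IDP_BASE="${IDP_BASE:-https://aai-login.example.org}"

# service_for <conf-file>: the reloadable bean ID owning that file, or failure
service_for() {
    case "$(basename "$1")" in
        logback.xml)                        echo shibboleth.LoggingService ;;
        attribute-filter.xml)               echo shibboleth.AttributeFilterService ;;
        attribute-resolver*.xml)            echo shibboleth.AttributeResolverService ;;
        saml-nameid.xml)                    echo shibboleth.NameIdentifierGenerationService ;;
        relying-party.xml|credentials.xml)  echo shibboleth.RelyingPartyResolverService ;;
        metadata-providers.xml)             echo shibboleth.MetadataResolverService ;;
        access-control.xml)                 echo shibboleth.ReloadableAccessControlService ;;
        *)                                  return 1 ;;
    esac
}

# well_formed <xml-file>: non-zero if xmllint rejects the file; a service asked
# to reload a broken file keeps its old configuration but logs an error
well_formed() {
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1"
    else
        echo "xmllint not found, skipping syntax check of $1" >&2
    fi
}

reload_url() { echo "$IDP_BASE/idp/profile/admin/reload-service?id=$1"; }

# reload <conf-file>: validate, call the admin flow, succeed only on HTTP 200
reload() {
    id=$(service_for "$1") || { echo "no reloadable service owns $1" >&2; return 2; }
    well_formed "$1" || { echo "$1 is not well-formed XML, not reloading" >&2; return 3; }
    code=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url "$id")")
    echo "$id -> HTTP $code"
    [ "$code" = "200" ]
}

# usage: sh reload-conf.sh /opt/shibboleth-idp/conf/attribute-filter.xml
if [ "$#" -eq 1 ]; then reload "$1"; fi
```

Well-formedness is a cheap filter, not a full check: a file that parses but violates the schema, or references a bean that does not exist, still fails at reload time, and the reason then lives in idp-process.log.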


And restartless login page editing too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2


Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely


(Ideas for) hands-on exercises
• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

copy 2015 SWITCH

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate, i.e. once the configuration is up to date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: discovery service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day


Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.


Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load interfederation metadata, so the SP does not know the IdP and fails


Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
    • That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp


Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.


Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under Metadata URL, click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org/

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file: /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


User Consent: Transparency for attribute release
SWITCHaai Team, aai@switch.ch

Part 1: Overview of user consent in IdP version 3
Part 2: Technical bits

User consent: Two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when attributes or terms change.

What's in version 3
• Attribute release and terms of use consent now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release for Shibboleth SSO]:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use,attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties.
Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
• Do not ask me again: idp.consent.allowGlobal = false [true]

Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]

Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
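To see how the key bean and the properties file fit together, here is an added example (not code from the SWITCH handout or the IdP): a minimal Java .properties parser plus the two key functions from the slides, forMap-with-default composed with the relying party ID lookup and constant, resolved against a constructed consent-messages.properties.

```python
import re

# Constructed sample of messages/consent-messages.properties (the key with the
# escaped colon and the line continuation are the two parsing pitfalls).
SAMPLE_PROPERTIES = """\
# terms of use, keyed by entityID
https\\://sp.example.org = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em> \\
    that continues on a second line
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want
"""


def _continues(line):
    # Java semantics: an odd number of trailing backslashes continues the line.
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def _split_entry(entry):
    # The key ends at the first unescaped '=', ':' or whitespace; escaped
    # characters (e.g. "\:" in "https\://") become part of the key.
    key, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry):
            key.append(entry[i + 1])
            i += 2
            continue
        if ch in "=: \t":
            break
        key.append(ch)
        i += 1
    rest = entry[i:].lstrip()
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip()
    # Minimal unescape: drops the backslash before any character (no \uXXXX).
    return "".join(key), re.sub(r"\\(.)", r"\1", rest)


def parse_java_properties(text):
    """Minimal Java .properties parser: comments, escapes, continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if _continues(line):
            pending += line[:-1]
            continue
        key, value = _split_entry(pending + line)
        pending = ""
        props[key] = value
    return props


# The three key functions the slides describe. Each maps an entityID to a key.
def relying_party_id_lookup(entity_id):
    return entity_id                       # shibboleth.RelyingPartyIdLookup.Simple


def for_map_key(mapping, default):
    # Functions.compose(Functions.forMap(map, defaultValue), RelyingPartyIdLookup)
    return lambda entity_id: mapping.get(relying_party_id_lookup(entity_id), default)


def constant_key(value):
    return lambda entity_id: value         # Functions.constant(value)


def terms_for(entity_id, key_fn, props):
    """Resolve the ToU shown to an SP: key -> ToU id (via the properties, as in
    'my-terms = bogus-tou') -> (title, text); None if the texts are missing."""
    tou_id = props.get(key_fn(entity_id), key_fn(entity_id))
    title, text = props.get(tou_id + ".title"), props.get(tou_id + ".text")
    return None if title is None or text is None else (title, text)
```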

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides
Template beans in conf/relying-party.xml to match SPs by:
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension
First match wins: the order in conf/relying-party.xml is significant.

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
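The two slides above (entity attributes in metadata, and the override that matches on them) can be checked offline. This added example, not code from SWITCH or the Shibboleth project, parses the EntityAttributes extension out of a constructed metadata aggregate, lists which SPs carry the CoCo entity category, and evaluates an ordered list of name/group/tag overrides with first-match-wins semantics; the second override bean id is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

# Constructed aggregate: one EntitiesDescriptor (the "group") holding the SP
# from the slide plus an SP tagged with home organisation example.org.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="urn:mace:example.org:federation"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>example.org</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _walk(nodes, group, out):
    md = "{%s}" % NS["md"]
    for node in nodes:
        if node.tag == md + "EntitiesDescriptor":
            _walk(list(node), node.get("Name", group), out)   # nested groups inherit
        elif node.tag == md + "EntityDescriptor":
            tags = {}
            for attr in node.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
                tags[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            out[node.get("entityID")] = {"group": group, "tags": tags}


def load_entities(xml_text):
    """{entityID: {"group": enclosing EntitiesDescriptor Name, "tags": {Name: [values]}}}"""
    out = {}
    _walk([ET.fromstring(xml_text)], None, out)
    return out


def coco_committed(entities):
    """EntityIDs carrying the CoCo entity category (what monitor.edugain.org/coco lists)."""
    return sorted(e for e, info in entities.items() if COCO_V1 in info["tags"].get(ENTITY_CATEGORY, []))


# Predicates mirroring RelyingPartyByName / ByGroup / ByTag (a TagCandidate is a
# (Name, values) pair; the rule matches if any candidate matches).
def by_name(*entity_ids):
    return lambda entity_id, info: entity_id in entity_ids


def by_group(group_name):
    return lambda entity_id, info: info["group"] == group_name


def by_tag(*candidates):
    return lambda entity_id, info: any(
        set(values) & set(info["tags"].get(name, [])) for name, values in candidates)


def resolve_relying_party(entity_id, entities, overrides, default="shibboleth.DefaultRelyingParty"):
    """Walk shibboleth.RelyingPartyOverrides in order; the first match wins."""
    info = entities.get(entity_id, {"group": None, "tags": {}})
    for bean_id, predicate in overrides:
        if predicate(entity_id, info):
            return bean_id
    return default


OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", by_tag((HOME_ORG_OID, ["example.org"]))),
    ("shibboleth.CoCoRelyingParty", by_tag((ENTITY_CATEGORY, [COCO_V1]))),   # hypothetical bean id
]
```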

Upgrades within Version 3
It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
    Ubuntu: sudo service tomcat7 restart
    Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata / Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[screenshot of the Resource Registry form]
1, 2: To review
3: To adapt

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.

Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment
[architecture diagrams]

Options
• Full-featured setup: load balancing hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  • A server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally
[world map: Production / Pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                    Defined in   Example
displayName                      eduPerson    Peter Sample
common name (cn)                 eduPerson    Peter Sample
mail                             eduPerson    peter.sample@example.org
eduPersonAffiliation             eduPerson    staff
eduPersonScopedAffiliation       eduPerson    staff@example.org
eduPersonPrincipalName           eduPerson    234cd8z239@example.org
schacHomeOrganization            SCHAC        example.org
schacHomeOrganizationType        SCHAC        urn:schac:homeOrganizationType:ch:university
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /            eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
[screenshot] https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
• Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[figure: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories
A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use:
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[figure]

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
[figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[figure]

Attribute Release Settings (1)
[screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[screenshot]

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles:
  • error.log / aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log / aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition:
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    • .FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

copy 2015 SWITCH

Shibboleth log files (1)

• Logging implementation: Logback (the Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP; the check interval is the services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error (via an SMTPAppender, see the logback.xml example further down)


Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log (warnings and errors only)
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance


Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml, built from three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually fine; change them if required, e.g. to debug the LDAP authentication module or authentication events, or to add a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles log rollover by default

SMTPAppender in logbackxml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

Note that the SMTPAppender only sends a mail when an ERROR-level event arrives (its default trigger); the mail then contains the buffered preceding events. The DEBUG root level above is a testing setting and makes all appenders, not just EMAIL, receive debug output.

See http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Hands On 2

• Find out why not all of the attributes appear.

Hands On 2 (continued)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat.

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); keep it that way, since anyone who can call them can make your IdP re-read its configuration at will
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed above under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?


New Challenges with Interfederation SPs

Interfederation unites various cultures


Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – opt-in vs opt-out
  – metadata
  – Discovery Service
  – attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up to date, the interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so that one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so the SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to find out why it fails
      · If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker: https://wiki.edugain.org/isFederatedCheck (provide e-mail addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


User consent: two pieces
1. Attribute release consent [enabled]
2. Terms of use consent [disabled]
Both prompt the user on first access to every SP, and again when the attributes or the terms change.

What's in version 3
• Attribute release and terms of use consent are now built in
• Inspired by the uApprove and uApproveJP plugins for v2
• No consent data migration: the storage implementations are not compatible
• May be enabled or disabled per relying party and per profile
• Decisions are logged

Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices:
  1. Ask me again if information changes (= if the set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expressions for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by the SWITCHaai Interfederation Access Declaration
• Informs users about what personal data is transmitted, in a more real-time fashion
• Recommended to comply with data protection laws

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]

Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO (only attribute-release for Shibboleth SSO)

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="ShibbolethSSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties. Consent duration options:
• Ask me again if information changes: always available to users
• Ask me again at next login: idp.consent.allowDoNotRemember = true [default: true]
• Do not ask me again: idp.consent.allowGlobal = false [default: true]

Attribute consent configuration: per-attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [default: false]
• Ask again if attribute values change: idp.consent.compareValues = true [default: false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists: which attributes to prompt for [default: all except the black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking, so a white list narrows what the user sees, not what the SP receives
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]
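The white list, black list and pattern decide which attributes the user is asked about and, just as importantly, which ones leave the IdP without ever being shown. The following is an added example, not Shibboleth or SWITCH code, that models those rules together with the compareValues behaviour, so that a planned configuration can be checked against a sample attribute set before it is deployed. The attribute IDs are the ones used in this handout; the stored-consent fingerprint format is constructed for illustration, and treating the pattern as a full match of the attribute ID is an assumption.

```python
"""Model of the consent intercept's prompt rules (added example, not Shibboleth code).

Rules as described on the slide:
  * no white list and no pattern -> prompt for every attribute except the black list
  * white list and/or pattern set -> prompt only for white-listed or pattern-matched
                                     attributes; everything else is released silently
  * black-listed attributes are never prompted for
  * with compareValues, a stored consent only holds while the attribute values are unchanged
"""
import hashlib
import re

# Black list shipped with the IdP configuration discussed on the slide.
DEFAULT_BLACKLIST = frozenset({"transientId", "persistentId", "eduPersonTargetedID"})


def attributes_to_prompt(released, whitelist=(), blacklist=DEFAULT_BLACKLIST, pattern=None):
    """Return the sorted attribute IDs the user will be asked about."""
    whitelist = set(whitelist)
    if whitelist or pattern:
        # Assumption: the pattern is applied to the attribute ID as a full match.
        candidates = {a for a in released
                      if a in whitelist or (pattern and re.fullmatch(pattern, a))}
    else:
        candidates = set(released)
    return sorted(candidates - set(blacklist))


def released_without_prompt(released, **cfg):
    """Attributes that leave the IdP without appearing on the consent page."""
    return sorted(set(released) - set(attributes_to_prompt(released, **cfg)))


def consent_fingerprint(attributes, compare_values=False):
    """What a stored consent is keyed on: the attribute IDs and, with compareValues,
    also a hash of their values (constructed format, not the IdP's storage layout).
    `attributes` maps attribute ID -> list of values."""
    parts = []
    for attr_id in sorted(attributes):
        if compare_values:
            joined = "\n".join(sorted(attributes[attr_id])).encode()
            parts.append(f"{attr_id}={hashlib.sha256(joined).hexdigest()[:16]}")
        else:
            parts.append(attr_id)
    return "|".join(parts)


def consent_still_valid(stored, current, compare_values=False):
    """True when the stored consent for this SP still covers the current release."""
    return consent_fingerprint(stored, compare_values) == consent_fingerprint(current, compare_values)


if __name__ == "__main__":
    released = ["eduPersonPrincipalName", "mail", "eduPersonTargetedID", "eduPersonScopedAffiliation"]
    print("default prompt:", attributes_to_prompt(released))
    # A filled white list silently releases everything that is not listed:
    print("white list [mail], released silently:", released_without_prompt(released, whitelist=["mail"]))
```

Run it on the attribute set of one of your SPs before filling the white list: the second line of output is the set that a user would never get to see.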

Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list, which show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
Terms for each SP; default mapping using the entityID:
  https\://sp.example.org = example-tou-1
  example-tou-1.title = Example Terms of Use
  example-tou-1.text = <em>This is an example ToU</em> [...]
Other mappings are configurable, but the key is still the entityID (a default value is available).

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml. Provided bean mapping entityIDs to values [disabled]:

<bean id="shibboleth.consent.terms-of-use.Key"
      class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
            <constructor-arg name="map">
                <map>
                    <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                </map>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
</bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:
  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
  </bean>

Hands-on solution (continued)
• Add the text in messages/consent-messages.properties:
  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want.

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables the flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                <!-- more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="ShibbolethSSO" />
                <ref bean="SAML2.SSO" />
                <!-- other profiles -->
            </list>
        </property>
    </bean>
</util:list>
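Before reloading the relying-party configuration with such an override, it is worth checking offline which SPs it will actually match. The following is an added example, not Shibboleth or SWITCH code: it parses the <mdattr:EntityAttributes> block of an entity descriptor and applies the TagCandidate rule (attribute Name plus at least one matching value or regular expression). The sample metadata is constructed after the example on the previous slide, and combining several candidates with OR is an assumption that does not affect the single-candidate override shown above.

```python
"""Does an SP's metadata carry the tag a RelyingPartyByTag override matches on?
Added example, not Shibboleth or SWITCH code.  The sample metadata is constructed
after the slide's example; the entity attribute names and OIDs are the real ones."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"        # swissEduPersonHomeOrganization
HOME_ORG_TYPE_OID = "urn:oid:2.16.756.1.2.5.1.1.5"   # swissEduPersonHomeOrganizationType

# Constructed sample (mirrors the slide; not the published metadata of that entity).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""


def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} from the mdattr:EntityAttributes extension."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def tag_candidate_matches(attrs, name, values=(), regexps=()):
    """One TagCandidate (c:name, p:values, p:regexps): the entity must carry an
    attribute `name` with at least one value equal to one of `values` or fully
    matching one of `regexps`."""
    present = attrs.get(name, [])
    if any(v in values for v in present):
        return True
    return any(re.fullmatch(rx, v) for rx in regexps for v in present)


def relying_party_by_tag(metadata_xml, candidates):
    """True when the override applies, i.e. at least one candidate matches
    (assumption for multi-candidate lists; the slide's override has a single one)."""
    attrs = entity_attributes(metadata_xml)
    return any(tag_candidate_matches(attrs, **c) for c in candidates)


if __name__ == "__main__":
    # The slide's candidate (home organisation example.org) does not match switch.ch ...
    print(relying_party_by_tag(SAMPLE_METADATA, [{"name": HOME_ORG_OID, "values": ("example.org",)}]))
    # ... while a CoCo entity-category candidate does.
    print(relying_party_by_tag(SAMPLE_METADATA, [{"name": ENTITY_CATEGORY, "values": (COCO_V1,)}]))
```

Point `entity_attributes()` at the <EntityDescriptor> elements of your interfederation metadata file to list which SPs would lose the consent prompt under a given candidate; a value mismatch (for instance a different home organisation string) leaves the prompt enabled, which is the safe direction.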

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest (tar.gz package recommended for Linux) and verify its signature against the Shibboleth project's signing key before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf/, views/, edit-webapp/
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system/, webapp/
• Never touch the system directories system/ and webapp/
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes

References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2); therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (Resource Registry screenshot: sections 1 and 2 to review, section 3 to adapt)

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and domain hints
• 5 Contacts: please ensure only non-personal e-mail addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or a separate IP address for the IdP Attribute Authority (AA).

2. Change the URL for the Attribute Authority (continued)
New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)
Without client authentication at the TLS layer the AA endpoint can be reached by anyone, so the proof of who is asking moves entirely to the SAML message itself, as explained next.

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata. TLS on port 443 still protects the confidentiality and integrity of the exchange; what changes is only how the SP proves its identity.

2. Change the URL for the Attribute Authority (continued)
What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying that they are not used!

3. Remove Unnecessary Endpoints (continued)
How to check if a profile and binding can be removed? Check if it has been used within the last few months; if not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time, SP) when the binding was used the last time.
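The grep above shows whether the binding string appears at all; to see which SP last used it and when, the audit log is the better source, since it records each request as one pipe-separated line carrying the inbound binding and the relying party. The following is an added example, not code from SWITCH or the Shibboleth project: it parses idp-audit.log lines and reports the last use of a binding per SP, answering the "has it been used in the last few months" question before an endpoint is removed. The field positions (timestamp, inbound binding, SP entityID, profile) are assumed from the IdP's default audit format and must be checked against idp.audit.format in idp.properties; the sample lines are constructed, not taken from a real IdP.

```python
"""Last use of a SAML binding per SP, read from idp-audit.log lines.
Added example, not Shibboleth or SWITCH code.

Assumed field layout (verify against idp.audit.format in idp.properties):
  field 0: timestamp yyyyMMdd'T'HHmmss'Z'    field 1: inbound binding
  field 3: SP entityID                        field 4: profile URI
The sample lines below are constructed, not copied from a real IdP."""
from datetime import datetime

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_AUDIT_LINES = [
    "20141103T101500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_q1"
    "|https://legacy-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute"
    "|https://aai-login.example.org/idp/shibboleth",
    "20150309T071223Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1"
    "|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser"
    "|https://aai-login.example.org/idp/shibboleth",
    "20150610T160001Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2"
    "|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser"
    "|https://aai-login.example.org/idp/shibboleth",
    # an admin reload event: no binding and no SP, the ||||profile|||| shape quoted earlier on this page
    "20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "a malformed line without separators",
]


def parse_line(line, ts_field=0, binding_field=1, sp_field=3, profile_field=4):
    """Return (timestamp, binding, sp, profile), or None for lines that cannot be used."""
    fields = line.rstrip("\n").split("|")
    if len(fields) <= max(ts_field, binding_field, sp_field, profile_field):
        return None
    try:
        ts = datetime.strptime(fields[ts_field], "%Y%m%dT%H%M%SZ")
    except ValueError:
        return None
    return ts, fields[binding_field], fields[sp_field], fields[profile_field]


def last_use_by_sp(lines, binding, **layout):
    """Map SP entityID -> (last timestamp, profile) for requests that arrived over `binding`.
    Lines without an SP (admin flows) or with another binding are skipped."""
    last = {}
    for line in lines:
        parsed = parse_line(line, **layout)
        if parsed is None or parsed[1] != binding or not parsed[2]:
            continue
        ts, _, sp, profile = parsed
        if sp not in last or ts > last[sp][0]:
            last[sp] = (ts, profile)
    return last


def unused_since(lines, binding, since_date, **layout):
    """True when no SP used `binding` on or after `since_date` (YYYY-MM-DD):
    the check the slide asks for before removing an endpoint from the Resource Registry."""
    since = datetime.strptime(since_date, "%Y-%m-%d")
    return all(ts < since for ts, _ in last_use_by_sp(lines, binding, **layout).values())


if __name__ == "__main__":
    for sp, (ts, profile) in last_use_by_sp(SAMPLE_AUDIT_LINES, SAML1_SOAP).items():
        print(f"{SAML1_SOAP} last used {ts:%Y-%m-%d %H:%M} by {sp} ({profile})")
    print("SAML1 SOAP binding unused since 2015-01-01:",
          unused_since(SAMPLE_AUDIT_LINES, SAML1_SOAP, "2015-01-01"))
```

To run it against a real IdP, pass `open("/opt/shibboleth-idp/logs/idp-audit.log")` (and the rolled-over files for the months you care about) in place of SAMPLE_AUDIT_LINES. The per-SP result tells you whom to contact before the endpoint disappears from your metadata.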

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to re-login

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially: user login sessions are stored on the client instead of in memory on the server
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (figure)

Options: Load Balancing Hardware vs DNS Round Robin
• Full-featured setup
  – Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    · Supports sticky sessions (required for the short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    · The behaviour of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (active/standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs server-side
• A server-side database can store any data
  – But: it might cause some performance penalty
  – A centralized/clustered or replicated database is required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client; not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdP nodes access a common storage to fully support Attribute Queries

Storage Entities (continued)
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Require a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message already seen by one node is not recognised as a replay by another
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------+---------------------+-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration Database Storage bull  The storage service shibbolethJPAStorageService stores

data in a database This service and a corresponding database backend are configured in optshibboleth-idpconfglobalxml

bull  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibbolethPostgreSQLDataSource) The configuration in globalxml must be adapted suitably for the database backend that is to be used

13

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
[Figure: world map of academic identity federations, marked as Production or Pilot. Source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                 Defined in  Example
displayName                   eduPerson   Peter Sample
common name (cn)              eduPerson   Peter Sample
mail                          eduPerson   peter.sample@example.org
eduPersonAffiliation /        eduPerson   staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName        eduPerson   234cd8z239@example.org
schacHomeOrganization         SCHAC       example.org
schacHomeOrganizationType     SCHAC       urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson   https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
[Screenshot: Resource Registry, https://www.switch.ch/aai/interfederation]

eduGAIN: What is it and how does it work?
• eduGAIN provides policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework, consisting of the eduGAIN Constitution, the eduGAIN Declaration, the Code of Conduct, the Attribute Profile, the Metadata Profile and the Web SSO Profile]

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In interfederation context
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Figure: metadata diagram]

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
[Figure]

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot]

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/. Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/logging.properties
  • .FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/. Config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP. In services.properties, entry idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml. 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2
• Find out why not all of the attributes appear
[Screenshot]

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml: set log level to DEBUG for logger org.ldaptive.auth.Authenticator; insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default, the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions, such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 (Available bean IDs for service reloads):
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98
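A scripted equivalent of the curl call above, added here as an example (not part of the handout): it rejects bean IDs that are not on the "Available bean IDs for service reloads" list before any request is sent, and reports the HTTP status per service. The admin flow paths and the id= parameter are taken from the handout; that a successful reload answers with HTTP 200 is an assumption, as is the base URL.

```python
"""Trigger the IdP v3 admin reload flows from a script (added example, not
part of the handout, which suggests curl for the same purpose).

Assumptions: the '/idp/profile/admin/reload-service' and 'reload-metadata'
paths with their id= parameter are as shown on the handout; success is
signalled by HTTP 200; metadata provider IDs are deployment-specific and are
therefore not validated here."""
import urllib.error
import urllib.parse
import urllib.request

# service bean IDs from the handout; anything else is rejected locally
SERVICE_BEAN_IDS = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})


def reload_url(base_url, kind, ident):
    """Build the admin flow URL, e.g.
    https://aai-login.example.org/idp/profile/admin/reload-service?id=shibboleth.LoggingService"""
    if kind == "service":
        if ident not in SERVICE_BEAN_IDS:
            raise ValueError(f"unknown service bean ID: {ident}")
        flow = "reload-service"
    elif kind == "metadata":
        if not ident:
            raise ValueError("metadata provider ID must not be empty")
        flow = "reload-metadata"
    else:
        raise ValueError(f"kind must be 'service' or 'metadata', not {kind!r}")
    query = urllib.parse.urlencode({"id": ident})
    return f"{base_url.rstrip('/')}/idp/profile/admin/{flow}?{query}"


def http_get(url, timeout=30):
    """Default transport: returns (HTTP status, response body). Access to the
    reload-* URLs is restricted to localhost by default, so run this on the
    IdP node itself (or from a host allowed in access-control.xml)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload_services(base_url, service_ids, fetch=http_get):
    """Reload each service in turn; returns {bean ID: (HTTP status, ok)}.
    'fetch' is injectable so the logic can be exercised without a live IdP."""
    results = {}
    for ident in service_ids:
        status, _body = fetch(reload_url(base_url, "service", ident))
        results[ident] = (status, status == 200)  # assumption: 200 means reloaded
    return results


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://aai-login.example.org"
    wanted = ["shibboleth.LoggingService", "shibboleth.AttributeFilterService"]
    for ident, (status, ok) in reload_services(base, wanted).items():
        print(f"{ident:45} HTTP {status} {'ok' if ok else 'FAILED'}")
```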

SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Differences with uApprove
• User can select attributes to release [disabled]
• Consent duration choices
  1. Ask me again if information changes (= if set of attributes changes)
  2. Ask me again at next login [enabled]
  3. Do not ask me again, ever, for any SP [enabled]
• No regular expression for SP white/black lists
• No translations provided

Why enable user consent?
• Easier to have now with v3 than with v2
• Required by SWITCHaai Interfederation Access Declaration
• Inform users about what personal data is transmitted in a more real-time fashion
• Recommended to comply with data protection laws

Page 48

Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide

When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, less clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland

Page 49

Part 2: Technical bits

Global configuration options
Configured by Spring beans in conf/relying-party.xml; see comments inside for overrides
• Post-authentication flows
  • Attribute consent [enabled]
  • Terms of use consent [disabled]

Page 50

Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO [only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
      <property name="profileConfigurations">
        <list>
          <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
          <ref bean="SAML1.AttributeQuery" />
          <ref bean="SAML1.ArtifactResolution" />
          <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
          <ref bean="SAML2.ECP" />
          <ref bean="SAML2.Logout" />
          <ref bean="SAML2.AttributeQuery" />
          <ref bean="SAML2.ArtifactResolution" />
        </list>
      </property>
    </bean>

Attribute consent configuration
Configured by Java properties in conf/idp.properties
• Consent duration options
  • Ask me again if information changes: always available to users
  • Ask me again at next login: idp.consent.allowDoNotRemember = true [true]
  • Do not ask me again: idp.consent.allowGlobal = false [true]

Page 51

Attribute consent configuration
Per attribute behaviour
• Allow selection of attributes to release; may break applications if required attributes are withheld: idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  • Which attributes to prompt for [all except black list]
  • White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  • Black list [transientId, persistentId, eduPersonTargetedID]
  • Pattern match [not defined]

Page 52

Intercept flow configuration
Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
      <constructor-arg name="g">
        <bean class="com.google.common.base.Functions" factory-method="forMap"
              c:defaultValue="terms-of-use">
          <constructor-arg name="map">
            <map>
              <entry key="https://sp.example.org/shibboleth" value="example-terms" />
            </map>
          </constructor-arg>
        </bean>
      </constructor-arg>
      <constructor-arg name="f">
        <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
      </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
      <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
• Add the text in messages/consent-messages.properties

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs
Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs
Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

Page 58
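An added example (not part of the handout) that reads an SP's <mdattr:EntityAttributes> like the ones above, extracts the entity categories from the Entity Categories section, and evaluates the same attribute-name/value match that the RelyingPartyByTag override performs. The CoCo URI and the swissEduPersonHomeOrganization OID come from the handout; the R&S category URI is the one REFEDS publishes and is an assumption, and the sample metadata is constructed.

```python
"""Derive entity categories and relying-party tag matches from SP metadata
(added example, not part of the handout).

Assumptions: standard SAML metadata/assertion namespace URIs; the R&S category
URI below is the one REFEDS publishes (it is not on the handout); the CoCo URI
and the swissEduPersonHomeOrganization OID are taken from the handout."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RANDS = "http://refeds.org/category/research-and-scholarship"  # REFEDS URI (assumption)
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # swissEduPersonHomeOrganization

# R&S minimal subset as listed on the handout (person name = displayName,
# or given name + surname, which is not modelled here)
RANDS_MINIMAL = ("eduPersonPrincipalName", "mail", "displayName")


def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} for every <saml:Attribute> inside
    <mdattr:EntityAttributes>; an entity without the extension yields {}."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def entity_categories(attrs):
    """The set of entity-category URIs the SP carries (possibly empty)."""
    return set(attrs.get(ENTITY_CATEGORY, []))


def matches_tag(attrs, name, values):
    """Mimics a TagCandidate in relying-party.xml: the entity carries an
    attribute with this Name and at least one of the given values."""
    return bool(set(attrs.get(name, [])) & set(values))


def release_plan(attrs, no_consent_home_orgs=()):
    """Summarise which handout rules apply to this SP, from metadata alone:
    - R&S category present -> the R&S minimal subset applies
    - CoCo category present -> SP may request attributes per its privacy policy
    - home organisation tag matches -> consent prompt disabled by the override"""
    cats = entity_categories(attrs)
    return {
        "coco": COCO_V1 in cats,
        "rands": RANDS in cats,
        "rands_minimal": RANDS_MINIMAL if RANDS in cats else (),
        "consent_prompt": not matches_tag(attrs, HOME_ORG_OID, no_consent_home_orgs),
    }


# constructed SP metadata, modelled on the handout's example entity
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>
          {COCO_V1}
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG_OID}">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>
"""

if __name__ == "__main__":
    attrs = entity_attributes(SAMPLE_SP_METADATA)
    print(entity_categories(attrs))
    print(release_plan(attrs, no_consent_home_orgs=("example.org",)))
```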

SWITCHaai Team aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: managed by you and not touched by upgrades, e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software and updated during upgrades, e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes
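The procedure above as one script, added here as an example (it is not part of the SWITCH handout nor of the Shibboleth distribution). It adds two checks the slides leave implicit: the downloaded package is verified against a SHA-256 digest before anything is unpacked, and the unmanaged directories (conf, views, edit-webapp, credentials) are archived beforehand, so a mistaken edit during the post-upgrade review can be rolled back. Assumptions: the IdP is installed in /opt/shibboleth-idp, the digest is taken from the checksum file published next to the package on shibboleth.net (verifying the detached PGP signature with the project's key is the stronger check), and sha256sum or shasum is available. Directory and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout or the Shibboleth project): wraps the
# upgrade procedure in a script that verifies the downloaded package and backs up the
# unmanaged directories before bin/install.sh runs.
# Assumptions: IdP home is /opt/shibboleth-idp; the expected digest comes from the
# checksum file published next to the package; sha256sum or shasum is installed.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/shibboleth-idp}"

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE's digest equals EXPECTED (case-insensitive).
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# backup_unmanaged IDP_HOME DEST: archive the directories the upgrade never touches, so a
# bad edit after the upgrade can still be rolled back. Prints the archive path.
backup_unmanaged() {
  home="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/idp-unmanaged-$(date +%Y%m%d-%H%M%S).tar.gz"
  dirs=""
  for d in conf views edit-webapp credentials messages; do
    [ -d "$home/$d" ] && dirs="$dirs $d"
  done
  [ -n "$dirs" ] || { echo "no unmanaged directories under $home" >&2; return 1; }
  # credentials/ holds private keys and the sealer keystore: keep the archive private.
  (umask 077; cd "$home" && tar czf "$archive" $dirs)
  printf '%s\n' "$archive"
}

# upgrade_idp PACKAGE EXPECTED_SHA256: verify, back up, run the installer, rebuild the war.
# Tomcat is restarted by the operator afterwards, after reviewing the release notes.
upgrade_idp() {
  pkg="$1"; sum="$2"
  verify_sha256 "$pkg" "$sum" || { echo "checksum mismatch for $pkg, aborting" >&2; return 1; }
  echo "backup written to $(backup_unmanaged "$IDP_HOME" "$BACKUP_DIR")"
  work=$(mktemp -d)
  tar xzf "$pkg" -C "$work"
  dist=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
  (cd "$dist" && ./bin/install.sh)   # upgrades the deployment in $IDP_HOME (interactive)
  "$IDP_HOME/bin/build.sh"           # re-build the war file
  rm -rf "$work"
  echo "done: review the release notes, then restart Tomcat"
}

# Usage (placeholder version):
#   upgrade_idp shibboleth-identity-provider-X.Y.Z.tar.gz \
#     "$(awk '{print $1}' shibboleth-identity-provider-X.Y.Z.tar.gz.sha256)"
```

The checksum is passed in rather than fetched, so the script never trusts a file it downloaded over the same channel as the package; the backup is written with umask 077 because credentials/ contains the IdP's private keys.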

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description
Changes in the Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata might still cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description

(Resource Registry screenshot: sections 1 and 2 to review, section 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information: add new IP ranges and domain hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or separate IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because: only one Apache VirtualHost, one domain name and one certificate, and no X.509 client authentication needed anymore (the SP still checks the IdP's web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from the metadata.

What to adapt in the Resource Registry then? In 3 Technical Information, change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/… or https://aai-aa.example.org/idp/… to https://aai-login.example.org/idp/…

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in the metadata what is needed and used. So in 3 Technical Information, consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was last used.
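Added example for the log check above (not from the handout): instead of a single grep, the functions below report, per binding, how often and when an endpoint was last used across all rotated idp-process logs, and list the removal candidates that have not been used since a cutoff date. Assumptions: the logs live under /opt/shibboleth-idp/logs as idp-process-*.log, each line starts with the date and time, and the binding URN appears verbatim somewhere in the line. The lines returned by sample_log are constructed for this example and do not reproduce the exact wording of real IdP log messages.

```shell
#!/bin/sh
# Added example (not from the handout): evidence for removing unused endpoints, taken
# from the IdP's process logs. Assumptions: logs are /opt/shibboleth-idp/logs/idp-process*.log,
# each line starts with "YYYY-MM-DD HH:MM:SS,mmm", and the binding URN appears verbatim.
set -eu

LOG_DIR="${LOG_DIR:-/opt/shibboleth-idp/logs}"

# Binding URNs of the endpoints listed as removal candidates.
BINDINGS='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# binding_last_use BINDING [LOGFILE...]: print "count<TAB>last-timestamp" for BINDING,
# or "0<TAB>never" if no log line mentions it. Defaults to all process logs in LOG_DIR.
binding_last_use() {
  binding="$1"; shift
  [ $# -gt 0 ] || set -- "$LOG_DIR"/idp-process*.log
  grep -h -F -- "$binding" "$@" 2>/dev/null | awk '
    { n++; ts = $1 " " $2; if (ts > last) last = ts }   # ISO timestamps sort lexically
    END { printf "%d\t%s\n", n, (n ? last : "never") }'
}

# unused_bindings CUTOFF [LOGFILE...]: list the candidate bindings that were never used,
# or last used before CUTOFF (YYYY-MM-DD). Only these are safe to drop from the Registry.
unused_bindings() {
  cutoff="$1"; shift
  printf '%s\n' "$BINDINGS" | while IFS= read -r b; do
    last=$(binding_last_use "$b" "$@" | cut -f2)
    case "$last" in
      never) printf '%s\tnever used\n' "$b" ;;
      *)
        last_day=${last%% *}
        if [ "$last_day" != "$cutoff" ] && expr "$last_day" '<' "$cutoff" >/dev/null; then
          printf '%s\tlast used %s\n' "$b" "$last"
        fi ;;
    esac
  done
}

# Constructed sample log lines (not real IdP output) for trying the functions offline.
sample_log() {
  cat <<'EOF'
2015-01-12 09:14:02,311 - INFO [constructed.sample] - inbound message, binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, peer https://sp.example.org/shibboleth
2015-03-03 17:40:55,020 - INFO [constructed.sample] - inbound message, binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, peer https://legacy.example.org/shibboleth
2015-06-10 08:01:13,702 - INFO [constructed.sample] - inbound message, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, peer https://sp.example.org/shibboleth
EOF
}

# Usage on a real node:  unused_bindings 2015-03-01
# Usage on the sample:   sample_log > /tmp/idp-process-sample.log; unused_bindings 2015-03-01 /tmp/idp-process-sample.log
```

Run it over the whole retention window, not just the current log file: an Attribute Service that is only queried by one SP a few times per semester is exactly the kind of endpoint the single grep in the slide would miss.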

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken out without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails: users should not need to re-login

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• In particular, user login sessions are stored on the client instead of in server memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment

(Diagram of the example cluster environment)

Options: Load Balancing Hardware vs. DNS Round Robin

• Full-featured setup
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for the short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behaviour of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side

• A server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdP nodes access a common storage to fully support Attribute Queries

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message already seen by one node is not recognised as a replay by another node
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: the Persistent ID store is configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
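Added example of a rotation cronjob for the sealer key (it is not the wiki's script and not part of the handout): it runs seckeygen.sh on the designated node, checks that the key version actually advanced, and copies the keystore and version file to the peer nodes with an atomic rename, keystore first, so a peer never sees a version number for which it does not yet have the key. Assumptions: the IdP home is /opt/shibboleth-idp, the sealer files are credentials/sealer.jks and credentials/sealer.kver (the IdPv3 defaults), the keystore password is the idp.sealer.storePassword property in conf/idp.properties, the version file is a Java properties file with a CurrentVersion entry, and the cron user can scp/ssh to the peers with key-based authentication. The host names are placeholders.

```shell
#!/bin/sh
# Added example (not the wiki's script, not from the handout): rotate the data sealer
# key on the designated node and push keystore + version file to the other nodes.
# Assumptions: IdP home /opt/shibboleth-idp; sealer files credentials/sealer.jks and
# credentials/sealer.kver; password in idp.properties as idp.sealer.storePassword;
# key-based SSH to the peers. Host names are placeholders.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PEER_NODES="${PEER_NODES:-idp2.example.org idp3.example.org}"
KEYSTORE="$IDP_HOME/credentials/sealer.jks"
VERSION_FILE="$IDP_HOME/credentials/sealer.kver"

# property_value FILE KEY: value of a Java-properties style "KEY = value" line.
property_value() {
  awk -v key="$2" -F= '$1 ~ ("^[ \t]*" key "[ \t]*$") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }' "$1"
}

# sealer_version VERSION_FILE: current key version (0 if the file does not exist yet).
sealer_version() {
  v=""
  [ -f "$1" ] && v=$(property_value "$1" CurrentVersion)
  printf '%s\n' "${v:-0}"
}

# version_advanced BEFORE AFTER: true if the version number increased.
version_advanced() { [ "$2" -gt "$1" ]; }

# rotate_sealer_key: add a new key version with the IdP's own seckeygen tool.
# Note: the password is visible in the process list while seckeygen runs.
rotate_sealer_key() {
  storepass=$(property_value "$IDP_HOME/conf/idp.properties" idp.sealer.storePassword)
  [ -n "$storepass" ] || { echo "idp.sealer.storePassword not found in idp.properties" >&2; return 1; }
  "$IDP_HOME/bin/seckeygen.sh" --storefile "$KEYSTORE" --storepass "$storepass" \
    --versionfile "$VERSION_FILE" --alias secret
}

# distrib_sealer NODE...: copy both files to each node. Upload under a temporary name,
# then rename, so a node never reads a half-written keystore; the keystore goes first so
# a node that sees the new version number already has the matching key.
distribute_sealer() {
  for node in "$@"; do
    for f in "$KEYSTORE" "$VERSION_FILE"; do
      scp -q "$f" "$node:$f.tmp"
      ssh "$node" "chmod 600 '$f.tmp' && mv -f '$f.tmp' '$f'"
    done
  done
}

# rotate_and_distribute: cronjob entry point. Refuses to distribute if the version did
# not advance, which would mean seckeygen failed without a useful exit status.
rotate_and_distribute() {
  before=$(sealer_version "$VERSION_FILE")
  rotate_sealer_key
  after=$(sealer_version "$VERSION_FILE")
  version_advanced "$before" "$after" || { echo "sealer version did not advance ($before -> $after)" >&2; return 1; }
  distribute_sealer $PEER_NODES
  echo "sealer key rotated to version $after and distributed to: $PEER_NODES"
}

# crontab entry on the generating node, e.g. daily at 03:15:
#   15 3 * * * /usr/local/sbin/rotate-sealer.sh rotate_and_distribute
```

Keep the number of retained versions in idp.properties larger than the number of rotations that fit into the longest session lifetime, otherwise a still-valid session cookie can no longer be decrypted after a rotation.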

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option
What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles: low barrier to entry, no mandate to change local standards/procedures, minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name               Defined in   Example
displayName                 eduPerson    Peter Sample
common name (cn)            eduPerson    Peter Sample
mail                        eduPerson    peter.sample@example.org
eduPersonAffiliation        eduPerson    staff
eduPersonScopedAffiliation  eduPerson    staff@example.org
eduPersonPrincipalName      eduPerson    234cd8z239@example.org
schacHomeOrganization       SCHAC        example.org
schacHomeOrganizationType   SCHAC        urn:schac:homeOrganizationType:ch:university
                                         urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
(Persistent Name ID)

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

(Resource Registry screenshot; see https://www.switch.ch/aai/interfederation)

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN; some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram: the eduGAIN Constitution and the eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria: purpose, policies, or other
• In the interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

(Diagram: entity category tags carried in the metadata)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Goal: increase the trust in Service Providers (SPs). (Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

Entity category value: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support research & scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes:
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
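Added example (not from the handout): before keying an attribute release policy on an entity category, it is worth checking which entities in the interfederation metadata actually carry the CoCo or R&S tag, because a release rule that matches the tag trusts whatever the federation published. The functions below extract the http://macedir.org/entity-category values per entity from a metadata aggregate and filter by category. Assumptions: the aggregate is pretty-printed one element per line, as in the metadata example at the top of this section (an EntityDescriptor start tag with its entityID on one line, each AttributeValue either on one line or with its text on the line between the tags); the md:/saml: prefixes may be present or absent. The metadata returned by sample_metadata is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the handout): list entity categories per entity in a SAML
# metadata aggregate and select the entities carrying a given category.
# Assumption: one XML element per line, entityID on the EntityDescriptor start line.
set -eu

COCO='http://www.geant.net/uri/dataprotection-code-of-conduct/v1'
RS='http://refeds.org/category/research-and-scholarship'

# entity_categories FILE: print "entityID<TAB>cat1,cat2" per entity ("-" when none).
entity_categories() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function add(v) { if (v != "") cats = cats (cats == "" ? "" : ",") v }
    /<(md:)?EntityDescriptor[ \t>]/ {
      eid = ""; cats = ""; incat = 0; inval = 0
      if (match($0, /entityID="[^"]*"/)) eid = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /<\/(md:)?EntityDescriptor>/ { if (eid != "") print eid "\t" (cats == "" ? "-" : cats); eid = "" }
    # an Attribute start tag: remember whether it is the entity-category attribute
    /<(saml:)?Attribute[ \t]/ { incat = (index($0, "Name=\"http://macedir.org/entity-category\"") > 0); inval = 0 }
    /<\/(saml:)?Attribute>/   { incat = 0; inval = 0 }
    # continuation of a value whose start tag was on an earlier line
    incat && inval {
      s = $0
      if (sub(/<\/(saml:)?AttributeValue>.*/, "", s)) { add(buf trim(s)); inval = 0 } else { buf = buf trim(s) }
      next
    }
    # an AttributeValue start tag inside the entity-category attribute
    incat && /<(saml:)?AttributeValue[^>]*>/ {
      s = $0; sub(/.*<(saml:)?AttributeValue[^>]*>/, "", s)
      if (sub(/<\/(saml:)?AttributeValue>.*/, "", s)) { add(trim(s)) } else { inval = 1; buf = trim(s) }
    }
  ' "$1"
}

# entities_with_category FILE CATEGORY: entityIDs whose metadata carries CATEGORY.
entities_with_category() {
  entity_categories "$1" | awk -F'\t' -v cat="$2" '
    { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == cat) { print $1; break } }'
}

# Constructed sample aggregate (three SPs: CoCo only, R&S + CoCo, no category).
sample_metadata() {
  cat <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
}

# Usage on a real node:
#   entities_with_category /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml "$COCO"
```

Only the category attribute is checked here, not the metadata signature; run this on a file the IdP has already validated (its own metadata directory), not on a freshly downloaded aggregate.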

Attribute Release Configuration
How attributes are released

Attribute Release Rules

Attribute Release Settings (1)

(Screenshot: Resource Registry, Edit Home Organization Description, Attribute Release Settings)

Attribute Release Settings (2)

(Screenshot, continued)

Overview of Log Files

Apache log files

Location: /var/log/apache2. The configuration is defined in the virtual host definition (directory /etc/apache2/sites-available, file aai-login.example.org.conf).
• error.log: aai-login.example.org.error.log; LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – Default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  – FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  – Default logging location: /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation: Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml; three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g. for the LDAP auth module or authentication events, or to add a new Logger or Appender
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS" />
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration
New options with IdPv3

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under:
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – Edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• Try reloading a couple of the services listed above:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• Check what happens when specifying invalid bean IDs
• Insert a syntax error into a configuration file and try reloading the corresponding service
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding: opt-in vs. opt-out, metadata, Discovery Service, attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate, once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  – Minus: slow process. Plus: entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  – Plus: quick adoption. Minus: more likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so the SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released? If YES, the SP has to check out why it fails; if NO, review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

copy 2015 SWITCH

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org


Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Why (not) enable user consent?
• One more page to read and click through upon login, but only the first time for each SP
• Global consent disabled: users cannot choose "I don't care about my privacy"
• Decide for all your users, or let them decide


When should consent be sought?
• All SPs: the best option ← recommended
• Outside your organisation: good, fewer clicks
• Outside CH: currently no technical means to distinguish Swiss SPs, and the data might not even be stored in Switzerland


Part 2: Technical bits


Global configuration options
Configured by Spring beans in conf/relying-party.xml (see the comments inside for overrides).
Post-authentication flows:
• Attribute consent [enabled]
• Terms of use consent [disabled]


Example conf/relying-party.xml
Both post-authentication flows enabled for SAML2 SSO, only attribute-release for Shibboleth SSO:

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>


Attribute consent configuration
Configured by Java properties in conf/idp.properties (default value in brackets).
Consent duration options:
• "Ask me again if information changes": always available to users
• "Ask me again at next login": idp.consent.allowDoNotRemember = true [true]
• "Do not ask me again": idp.consent.allowGlobal = false [true]


Attribute consent configuration: per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]


Intercept flow configuration
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
White & black lists:
• Which attributes to prompt for [all except black list]
• White list [empty]: when filled, any attribute not mentioned in a list is released without asking
• Black list [transientId, persistentId, eduPersonTargetedID]
• Pattern match [not defined]


Intercept flow configuration: attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in the white list show up first
• Set the pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>
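The white list, black list and pattern rules of the two slides above, plus the 3.2.0 display order, as an added example (not Shibboleth code). It models the semantics described on the slides; the real IdP's tie-breaking between pattern matches and the remaining attributes may differ, and the attribute set RESOLVED is constructed. The point a practitioner should take from it: as soon as the white list is filled, every attribute in neither list is released without ever appearing on the consent page.

```python
"""Which attributes the consent page asks about, and in which order.

Added example (not Shibboleth code).  It mirrors the white list / black list /
pattern rules from the consent-intercept-config slide; ordering follows the
3.2.0 description (white list first, then pattern matches, alphabetical
otherwise).  Exact tie-breaking in the real IdP may differ.
"""
import re

DEFAULT_BLACKLIST = {"transientId", "persistentId", "eduPersonTargetedID"}


def attributes_to_prompt(resolved, whitelist=(), blacklist=DEFAULT_BLACKLIST, pattern=None):
    """Return the subset of `resolved` the user is asked to consent to.

    - black-listed attributes are never prompted (they are released silently)
    - with an empty white list and no pattern, everything else is prompted
    - otherwise only white-listed attributes and pattern matches are prompted;
      anything not mentioned in a list is released without asking
    """
    regex = re.compile(pattern) if pattern else None
    selected = set()
    for attr in resolved:
        if attr in blacklist:
            continue
        if not whitelist and regex is None:
            selected.add(attr)
        elif attr in whitelist or (regex and regex.search(attr)):
            selected.add(attr)
    return selected


def display_order(prompted, whitelist=(), pattern=None):
    """Order for the consent page: white list (in its own order) first, then
    pattern matches alphabetically, then the rest alphabetically."""
    regex = re.compile(pattern) if pattern else None
    rank = {}
    for i, attr in enumerate(whitelist):
        rank[attr] = (0, i, attr)
    for attr in prompted:
        if attr in rank:
            continue
        group = 1 if (regex and regex.search(attr)) else 2
        rank[attr] = (group, 0, attr)
    return sorted(prompted, key=lambda a: rank[a])


def released_silently(resolved, prompted):
    """Attributes sent to the SP without appearing on the consent page."""
    return set(resolved) - set(prompted)


# Constructed set of resolved attributes for one login.
RESOLVED = ["transientId", "eduPersonPrincipalName", "mail", "displayName",
            "eduPersonScopedAffiliation", "swissEduPersonUniqueID", "eduPersonTargetedID"]

if __name__ == "__main__":
    # Default configuration: everything except the black list is prompted.
    p = attributes_to_prompt(RESOLVED)
    print(display_order(p))
    # White list only: everything else leaves the IdP without a prompt.
    p = attributes_to_prompt(RESOLVED, whitelist=["mail", "displayName"])
    print(sorted(released_silently(RESOLVED, p)))
    # White list + catch-all pattern: white-listed attributes shown first.
    p = attributes_to_prompt(RESOLVED, whitelist=["mail", "displayName"], pattern="^.*$")
    print(display_order(p, whitelist=["mail", "displayName"], pattern="^.*$"))
```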


Terms of use consent configuration
Configured by Java properties in messages/consent-messages.properties.
• Terms for each SP
• Default mapping using the entityID (the colon in the key has to be escaped in a properties file):

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

• Other mapping configurable, but the key is still the entityID (default value available)


Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml.
Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>


Hands-on solution (continued)
• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want


References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc


Appendix: Disabling the attribute consent prompt for particular SPs


Disabling the prompt for particular SPs: relying party overrides
• Template beans in conf/relying-party.xml to match SPs by:
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant


Disabling the prompt for particular SPs: entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType


Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>


Example relying party override: disables the flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
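How the override above is matched against metadata, as an added example (not IdP code): it parses a constructed metadata snippet carrying the mdattr:EntityAttributes extension, derives group membership from the EntitiesDescriptor nesting, and evaluates an ordered list of overrides by name, group and tag the way relying-party.xml does, first match wins. The override names besides shibboleth.NoUserConsentRelyingParty and the group name are assumptions for the example. Reversing the override order changes the result for an SP that matches more than one candidate, which is exactly why the order in relying-party.xml is significant.

```python
"""Relying-party override resolution: first match wins.

Added example, not IdP code.  It parses a constructed metadata snippet with
the mdattr:EntityAttributes extension and evaluates override candidates in
the order they appear, the way relying-party.xml overrides are matched by
name, group and tag.  Group membership (EntitiesDescriptor nesting) is
derived from the snippet's own structure.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"          # swissEduPersonHomeOrganization
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
GROUP = "urn:mace:switch.ch:SWITCHaai:interfederation"  # assumed group name

# Constructed metadata: one EntitiesDescriptor (group) with two SPs.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:saml="{SAML}" xmlns:mdattr="{MDATTR}"
    Name="{GROUP}">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG_OID}">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="{HOME_ORG_OID}">
          <saml:AttributeValue>example.org</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_entities(xml_text):
    """Map entityID -> {"groups": [EntitiesDescriptor names], "tags": {name: {values}}}."""
    root = ET.fromstring(xml_text)
    entities = {}

    def walk(node, groups):
        if node.tag == f"{{{MD}}}EntitiesDescriptor":
            if node.get("Name"):
                groups = groups + [node.get("Name")]
            for child in node:
                walk(child, groups)
        elif node.tag == f"{{{MD}}}EntityDescriptor":
            tags = {}
            for attr in node.iter(f"{{{SAML}}}Attribute"):
                vals = {v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text}
                tags.setdefault(attr.get("Name"), set()).update(vals)
            entities[node.get("entityID")] = {"groups": groups, "tags": tags}

    walk(root, [])
    return entities


def by_name(*ids):                      # RelyingPartyByName
    return lambda eid, ent: eid in ids


def by_group(name):                     # RelyingPartyByGroup
    return lambda eid, ent: name in ent["groups"]


def by_tag(name, *values):              # TagCandidate: attribute `name` has one of `values`
    return lambda eid, ent: bool(ent["tags"].get(name, set()) & set(values))


def resolve_override(entity_id, entities, overrides):
    """`overrides` is an ordered list of (override_id, [candidate predicates]).
    Returns the id of the first override with a matching candidate, else the
    default relying party.  Order in the list is significant."""
    ent = entities.get(entity_id)
    if ent is None:
        return "unknown-entity"          # the IdP would reject an SP not in metadata
    for override_id, candidates in overrides:
        if any(c(entity_id, ent) for c in candidates):
            return override_id
    return "shibboleth.DefaultRelyingParty"


OVERRIDES = [
    ("shibboleth.NoUserConsentRelyingParty", [by_tag(HOME_ORG_OID, "example.org")]),
    ("shibboleth.CoCoRelyingParty", [by_tag(ENTITY_CATEGORY, COCO)]),          # assumed name
    ("shibboleth.InterfederationRelyingParty", [by_group(GROUP)]),             # assumed name
]

if __name__ == "__main__":
    ents = load_entities(METADATA)
    for eid in ents:
        print(eid, "->", resolve_override(eid, ents, OVERRIDES))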


SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now

IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.


Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux). Verify the package's PGP signature (the .asc file published alongside the download) before unpacking.
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service


Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.


References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes


Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata.


Does the metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.


IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description. Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch


Home Organisation Description (screenshot of the Resource Registry form)
• Sections 1, 2: to review
• Section 3: to adapt


1. Review the Home Organisation Description
In particular review, and adapt if necessary:
• 1 General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  • Add new IP ranges and Domain Hints
• 5 Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes


2. Change the URL for the Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)


2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)


But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature against the SP's public key in metadata. Without client TLS that XML signature is the only thing authenticating the querying SP, so check that your IdP rejects unsigned attribute queries rather than answering them.


2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp


3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.


3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time. Make sure the rotated log files still cover the whole period you are judging; an empty grep over two weeks of logs proves nothing.
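The same check as the grep above, carried further, as an added example (not SWITCH or Shibboleth code): it scans idp-process.log style lines for the binding URIs, records the last use and the requesting SPs per binding, and reports which of the candidate endpoints have been idle for longer than the chosen window. The log lines in SAMPLE_LOG are constructed and simplified; real idp-process.log lines differ in wording, but the binding URIs, which are what the regex keys on, are the standard ones. The "relying party" phrase and the line layout are assumptions of the example.

```python
"""Find out whether a SAML profile/binding endpoint was used before removing it.

Added example, not SWITCH or Shibboleth code.  It scans idp-process.log
style lines for binding URIs and reports, per binding, the last use and the
requesting SPs; the line layout below is constructed and simplified, real
lines differ in detail, but the binding URIs are what matters.
"""
import re
from datetime import datetime

BINDINGS = {
    "SAML1 SOAP": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SAML2 SOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "SAML2 POST-SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "SAML2 POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "SAML2 Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed log lines (timestamp, level, logger, message).
SAMPLE_LOG = """\
2015-01-14 08:12:03,118 - INFO [net.shibboleth.idp.profile:203] - Profile Action DecodeMessage: binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party https://legacy.example.org/shibboleth
2015-03-02 17:45:41,002 - INFO [net.shibboleth.idp.profile:203] - Profile Action DecodeMessage: binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party https://sp.example.org/shibboleth
2015-05-30 09:01:27,555 - INFO [net.shibboleth.idp.profile:203] - Profile Action DecodeMessage: binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party https://sp.example.org/shibboleth
2015-06-10 12:00:00,000 - INFO [net.shibboleth.idp.profile:203] - Profile Action DecodeMessage: binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party https://other.example.net/shibboleth
"""

# Date the constructed log is judged against (the day of the training).
REFERENCE_DATE = datetime(2015, 6, 11)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z0-9-]+)"
    r"(?:.*?relying party (?P<rp>\S+))?")


def binding_usage(log_text):
    """Return {binding_uri: {"last": datetime, "count": int, "sps": set()}}."""
    usage = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        rec = usage.setdefault(m.group("binding"), {"last": ts, "count": 0, "sps": set()})
        rec["count"] += 1
        rec["last"] = max(rec["last"], ts)
        if m.group("rp"):
            rec["sps"].add(m.group("rp"))
    return usage


def removable(log_text, now, months=3):
    """Bindings with no use in the last `months` months (30-day months).
    A binding never seen in the log is also reported; confirm the log really
    covers the whole period before acting on "never seen"."""
    usage = binding_usage(log_text)
    cutoff_days = 30 * months
    result = {}
    for label, uri in BINDINGS.items():
        rec = usage.get(uri)
        if rec is None:
            result[label] = "never seen"
        elif (now - rec["last"]).days > cutoff_days:
            result[label] = "last used %s by %s" % (
                rec["last"].date(), ", ".join(sorted(rec["sps"])))
    return result


if __name__ == "__main__":
    for label, why in removable(SAMPLE_LOG, REFERENCE_DATE).items():
        print("%-22s %s" % (label, why))
```

Feed it the concatenation of all rotated idp-process-*.log files for the period, not just the current one; the binding URIs are also present in idp-audit.log, which is usually kept longer.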


SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster


Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially: user login sessions are stored on the client instead of in memory on the server
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering


Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (diagram, shown on two slides)


Options
• Full-featured setup
  • Load balancing hardware vs DNS round robin
    • Special load balancing hardware or software is highly recommended
      • Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored.
      • Supports sticky sessions (required for short-lived conversation sessions)
    • DNS round robin doesn't work reliably
      • The behavior of clients is not determinable
      • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but a more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but the setup is easy


Options
• Data storage: client-side vs server-side
  • A server-side database can store any data
    • But: might cause some performance penalty
    • A centralized/clustered or replicated database is required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.


Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries


Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message replayed against a different node is not detected
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used


Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node


Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)


IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)


IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.


IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • Copy the key material over an authenticated, encrypted channel (e.g. scp or rsync over SSH) and keep the keystore readable only by the IdP's service account: whoever holds this key can decrypt and forge user session cookies
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement


Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3


Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?


References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage


SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales


SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations


All Academic Identity Federations Globally (map: production and pilot federations)
Source: https://refeds.org/federations/federations-map


eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php


Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.


Recommended Interfederation Attributes

    Friendly name                Defined in   Example
    displayName                  eduPerson    Peter Sample
    common name (cn)             eduPerson    Peter Sample
    mail                         eduPerson    peter.sample@example.org
    eduPersonAffiliation         eduPerson    staff
    eduPersonScopedAffiliation   eduPerson    staff@example.org
    eduPersonPrincipalName       eduPerson    234cd8z239@example.org
    schacHomeOrganization        SCHAC        example.org
    schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                              urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases


Enabling Interfederation (2) (screenshot of the Resource Registry form)
https://www.switch.ch/aai/interfederation


eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS (Metadata Distribution Service) fetches, aggregates and republishes metadata
Policy framework (diagram): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile


SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry


Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (diagram)

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs). Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit


GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence


Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook


Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct


REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)


Comparison

                 REFEDS R&S                   GÉANT DP CoCo
    Scope        Global                       Mainly Europe
    Basis        Common purpose of the SPs    Common data protection standards
    Attributes   Fixed set of attributes      SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released


Attribute Release Rules (screenshot)


Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)


Attribute Release Settings (2) (screenshot)


Overview of Log Files

SWITCHaai Team, aai@switch.ch


Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2. Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf


Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt (the access log; localhost.YYYY-MM-DD.log is the per-host application log)
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7; config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name)


Shibboleth log files (1)
• The logging implementation is called Logback (Log4j successor). Manual:
  • http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP. Entry in services.properties:
  • idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error


Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance


Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml; three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default


SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

By default the SMTPAppender sends a mail only when an ERROR-level event arrives, with the events buffered before it included, so attaching it to the DEBUG root does not produce a mail per debug line. Log lines can contain user identifiers; send them only to a mailbox that is handled like the log files themselves.
http://logback.qos.ch/manual/appenders.html


Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

Find out why not all of the attributes appear.

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
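To work with the entries from this exercise without reading the whole file by hand, here is an added Python example (not part of the SWITCH handouts) that parses idp-process.log into entries and filters them by level and logger, the way idp-warn.log is a filtered view of idp-process.log. It assumes the IdP v3 default process-log pattern (%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n); the log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed line layout of idp-process.log. The IdP v3 default pattern is taken to be
#   %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n
# (an assumption: adapt LINE_RE if your logback.xml uses another pattern, e.g. the
# slide's EMAIL appender layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<addr>\S*) - "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR) "
    r"\[(?P<logger>[^:\]]+):(?P<line>\d+)\] - (?P<msg>.*)$"
)
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR"]  # Logback's five levels, low to high


@dataclass
class Entry:
    ts: str
    addr: str
    level: str
    logger: str
    line: int
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Parse process-log text; lines that do not start an entry (stack traces)
    are appended to the message of the preceding entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], m["addr"], m["level"], m["logger"],
                                 int(m["line"]), m["msg"]))
        elif entries:
            entries[-1].msg += "\n" + raw
    return entries


def filtered_view(entries: List[Entry], min_level: str = "WARN",
                  logger_prefix: Optional[str] = None) -> List[Entry]:
    """What idp-warn.log is to idp-process.log: entries at or above min_level,
    optionally limited to one logger subtree (e.g. "org.ldaptive.auth" or
    "net.shibboleth.idp.attribute.resolver", the two loggers raised to DEBUG above)."""
    threshold = LEVELS.index(min_level)
    return [e for e in entries
            if LEVELS.index(e.level) >= threshold
            and (logger_prefix is None or e.logger.startswith(logger_prefix))]


def unrendered_search_filters(entries: List[Entry]) -> List[str]:
    """Messages in which a Velocity reference reached the LDAP search filter unexpanded.
    In the constructed sample the hands-on typo (uid=$requestContext.Name) is logged
    literally, which is why the LDAP search returns nothing and attributes go missing."""
    return [e.msg for e in entries if "$requestContext" in e.msg]


# Constructed sample lines (not taken from a real IdP) in the assumed layout.
SAMPLE_LOG = """\
2015-06-11 10:02:17,412 - 192.0.2.10 - DEBUG [org.ldaptive.auth.Authenticator:284] - authentication of student1 succeeded
2015-06-11 10:02:17,455 - 192.0.2.10 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:203] - Search filter: (uid=$requestContext.Name)
2015-06-11 10:02:17,470 - 192.0.2.10 - WARN [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:145] - Data Connector myLDAP: search returned no results
2015-06-11 10:02:17,480 - 192.0.2.10 - ERROR [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:101] - uncaught exception
java.lang.IllegalStateException: constructed stack trace line
2015-06-11 10:02:18,001 - 192.0.2.11 - INFO [net.shibboleth.idp.session.impl.StorageBackedSessionManager:350] - session created for student1
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in filtered_view(parsed):
        print(entry.ts, entry.level, entry.logger, entry.msg.splitlines()[0])
    print(unrendered_search_filters(parsed))
```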

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

- only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
- potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
- no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

- reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
- available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
- reloading metadata: find the IDs with
      $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
- by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
- two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

- shibboleth.LoggingService: logging configuration reload (logback.xml)
- shibboleth.AttributeFilterService: attribute filter reload
- shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
- shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
- shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
- shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
- shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

- the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  - say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

- changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
- changes to global.xml (SQL data source, HTTP client settings)
- changes to the authentication configuration, such as LDAP parameters etc.
- changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
- and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

- try reloading a couple of the services listed under "Available bean IDs for service reloads":
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
- check what happens when specifying invalid bean IDs
- insert a syntax error into a configuration file and try reloading the corresponding service
- entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
- what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

Goals

- Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
- Understand what is different regarding
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
- Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

- Opt-in
  - IdPs and SPs decide when they are ready to interfederate
  - Once the configuration is up-to-date:
    - Interfederation Metadata gets loaded
    - IdP: additional attributes, user consent
    - SP: Discovery Service, attribute mapping, access rules
  - ⊖ Slow process
  - ⊕ Entities unlikely to cause interoperability problems
- Opt-out
  - Federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before
    - if they do not want to participate
    - if they are not ready yet
  - ⊕ Quick adoption
  - ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP, so one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

- Interfederated IdPs and SPs need additional metadata
- SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
- Opt-out federations integrate all entities into a single metadata file
- Propagation speed of metadata changes:
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
- Possible issue:
  - SP does not load interfederation metadata
  - SP does not know the IdP and fails

Discovery Service (DS)

- Within SWITCHaai, users easily find their IdP
- An SP needs a DS that knows the appropriate set of IdPs
- An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
- E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  - That can result in this error message at your IdP:
        Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

- Missing attributes cause interoperation problems
- Check the SP's attribute requirements in the Resource Registry
- Verify that attributes were released (in the IdP's audit log)
  - If NO: check your IdP's attribute release policy
  - If YES: were all required attributes released?
    - If YES: the SP has to check out why it fails
    - If NO: review your attribute release policy
- Another issue:
  - An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

- Is a university's IdP or an SP already interfederated?
  - go to https://technical.edugain.org/status.php
  - pick the country where the entity might be registered
  - under "Metadata URL" click on "validate this metadata set", then on "show entities list"
- or search it in the eduGAIN List of Entities
  - go to https://technical.edugain.org/entities.php
- or try the "Is Federated Checker"
  - go to https://wiki.edugain.org/isFederatedCheck
  - provide email addresses or domain names
- Additional web pages of interest:
  - Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    - go to http://monitor.edugain.org/coco
  - REFEDS Metadata Explorer Tool (MET)
    - go to https://met.refeds.org

Troubleshooting interfederated entities

- Find an SP in the Resource Registry
  - go to https://rr.aai.switch.ch
  - pick "Search for resources"
  - pick "interfederation"
- or search it in the metadata file
  - /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
- Contact the SWITCHaai Team: aai@switch.ch


Part 2: Technical bits

Global configuration options

Configured by Spring beans in conf/relying-party.xml; see the comments inside for overrides.

Post-authentication flows:
- Attribute consent [enabled]
- Terms of use consent [disabled]

Example conf/relying-party.xml

Both post-authentication flows enabled for SAML2 SSO [Shibboleth SSO: only attribute-release]

    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

Attribute consent configuration

Configured by Java properties in conf/idp.properties.

Consent duration options (default in brackets):
- "Ask me again if information changes": always available to users
- "Ask me again at next login": idp.consent.allowDoNotRemember = true [true]
- "Do not ask me again": idp.consent.allowGlobal = false [true]

Attribute consent configuration: per attribute behaviour

- Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
- Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

White & black lists: which attributes to prompt for [all except black list]
- White list [empty]: when filled, any attribute not mentioned in a list is released without asking
- Black list [transientId, persistentId, eduPersonTargetedID]
- Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)

- Alphabetical order by default
- Except attributes in the white list, which show up first
- Set the pattern to ^$ to catch all other attributes
- Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

Configured by Java properties in messages/consent-messages.properties.

Terms for each SP:
- Default mapping using the entityID:
      https://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> [...]
- Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping

Configured by Spring beans in conf/intercept/consent-intercept-config.xml.

Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Hands-on solution

- Enable the terms-of-use flow in conf/relying-party.xml
- Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution

- Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want
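The three key functions from these slides (the entityID default mapping, the compose/forMap custom mapping and the constant key from the hands-on) all produce a terms-of-use key that consent-messages.properties then maps to a ToU ID and its .title/.text. The following Python model is an added example, not SWITCH's or the IdP's code: the properties fragment is constructed from the slides' entries, and the profile request context is a plain dict.

```python
from typing import Callable, Dict, Optional

# A key function takes the profile request context (a plain dict here, standing in
# for the IdP's ProfileRequestContext) and returns the terms-of-use key.
KeyFunction = Callable[[dict], str]


def relying_party_id_lookup(profile_ctx: dict) -> str:
    """Stand-in for shibboleth.RelyingPartyIdLookup.Simple: the SP's entityID."""
    return profile_ctx["relyingPartyId"]


def for_map(mapping: Dict[str, str], default: str) -> Callable[[str], str]:
    """Like Guava Functions.forMap(map, defaultValue)."""
    return lambda key: mapping.get(key, default)


def compose(g: Callable[[str], str], f: KeyFunction) -> KeyFunction:
    """Like Guava Functions.compose(g, f): ctx -> g(f(ctx))."""
    return lambda ctx: g(f(ctx))


def constant(value: str) -> KeyFunction:
    """Like Guava Functions.constant(value): the hands-on 'one ToU for every SP' key."""
    return lambda _ctx: value


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: '#' comments and 'key = value' lines, split at the
    first '='. A real Java properties file also treats ':' as a separator, so an
    entityID key must be written with backslash-escaped colons there; that escape
    is undone here."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip().replace("\\:", ":")] = value.strip()
    return props


def resolve_terms(key_fn: KeyFunction, profile_ctx: dict,
                  props: Dict[str, str]) -> Optional[dict]:
    """Two-step lookup as in consent-messages.properties: key -> ToU id, then
    id.title and id.text. None means the SP would get no terms to accept."""
    key = key_fn(profile_ctx)
    tou_id = props.get(key)
    if tou_id is None:
        return None
    return {"key": key, "id": tou_id,
            "title": props.get(tou_id + ".title", ""),
            "text": props.get(tou_id + ".text", "")}


# Constructed consent-messages.properties fragment with the slides' entries: the
# entityID default mapping, the custom mapping's keys ("example-terms" and the
# defaultValue "terms-of-use") and the hands-on "my-terms".
SAMPLE_PROPERTIES = r"""
# entityID keys: colons escaped as in a Java properties file
https\://sp.example.org/shibboleth = example-tou-1
example-tou-1.title = Example Terms of Use
example-tou-1.text = <em>This is an example ToU</em>
example-terms = example-tou-1
terms-of-use = generic-tou
generic-tou.title = Generic Terms of Use
generic-tou.text = Applies to every other SP.
my-terms = bogus-tou
bogus-tou.title = Bogus Terms of Use
bogus-tou.text = You can do anything you want.
"""

# The three key functions from the slides.
DEFAULT_KEY: KeyFunction = relying_party_id_lookup
CUSTOM_KEY: KeyFunction = compose(
    for_map({"https://sp.example.org/shibboleth": "example-terms"}, "terms-of-use"),
    relying_party_id_lookup)
SINGLE_KEY: KeyFunction = constant("my-terms")

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for sp in ("https://sp.example.org/shibboleth", "https://other.example.org/shibboleth"):
        ctx = {"relyingPartyId": sp}
        for name, fn in (("default", DEFAULT_KEY), ("custom", CUSTOM_KEY), ("single", SINGLE_KEY)):
            print(sp, name, resolve_terms(fn, ctx, props))
```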

References

- Shibboleth wiki: ConsentConfiguration
- Shibboleth wiki: RelyingPartyConfiguration
- Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Disabling the prompt for particular SPs: relying party overrides

- Template beans in conf/relying-party.xml to match SPs by:
  - name: entityID
  - group: <EntitiesDescriptor> in metadata
  - tag: <EntityAttributes> metadata extension
- First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: entity attributes in metadata

- Entity categories:
  - GÉANT Data Protection Code of Conduct (CoCo)
  - REFEDS Research & Scholarship
- New attributes available:
  - swissEduPersonHomeOrganization
  - swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
        <Extensions>
            <mdattr:EntityAttributes>
                <saml:Attribute Name="http://macedir.org/entity-category">
                    <saml:AttributeValue>
                        http://www.geant.net/uri/dataprotection-code-of-conduct/v1
                    </saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                                Name="urn:oid:2.16.756.1.2.5.1.1.4">
                    <saml:AttributeValue>switch.ch</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                                Name="urn:oid:2.16.756.1.2.5.1.1.5">
                    <saml:AttributeValue>others</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override

Disables the flows for SPs belonging to a home organisation:

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- more beans -->
        <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
            <constructor-arg name="candidates">
                <list>
                    <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                          c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
                    <!-- more beans -->
                </list>
            </constructor-arg>
            <property name="profileConfigurations">
                <list>
                    <ref bean="Shibboleth.SSO" />
                    <ref bean="SAML2.SSO" />
                    <!-- other profiles -->
                </list>
            </property>
        </bean>
    </util:list>
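To see which override the bean above would select for the attribute-viewer entity from the metadata slide, here is an added Python example (not SWITCH's or the IdP's code) that extracts the <mdattr:EntityAttributes> from an EntityDescriptor and models TagCandidate matching with first-match-wins override selection. The metadata is the slide's example with the namespace declarations added so it parses stand-alone; matching any one candidate is treated as a match, which assumes the IdP's matchAll=false default.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Tuple

# SAML metadata namespaces used by the <mdattr:EntityAttributes> extension.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the slide's attribute-viewer entity, with the namespace
# declarations the slide omits added so that it parses stand-alone.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://www.geant.net/uri/dataprotection-code-of-conduct/v1
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>
"""

# An override is (bean id, list of TagCandidates); a candidate is (Name, values).
Candidate = Tuple[str, Sequence[str]]
Override = Tuple[str, Sequence[Candidate]]


def entity_attributes(metadata_xml: str) -> Dict[str, List[str]]:
    """Collect Name -> values from <mdattr:EntityAttributes>. Values are whitespace-
    trimmed because pretty-printed metadata (as on the slide) puts the CoCo URI on
    its own line; an untrimmed value would never match a category candidate."""
    root = ET.fromstring(metadata_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def tag_candidate_matches(attrs: Dict[str, List[str]], name: str,
                          values: Sequence[str] = ()) -> bool:
    """Model of a TagCandidate: the entity must carry an attribute with that Name and,
    if candidate values are given, at least one of them."""
    present = attrs.get(name)
    if present is None:
        return False
    return not values or any(v in present for v in values)


def select_override(overrides: Sequence[Override], attrs: Dict[str, List[str]],
                    default: str = "shibboleth.DefaultRelyingParty") -> str:
    """First match wins, as with shibboleth.RelyingPartyOverrides. An override
    matches when any of its candidates matches (assumes the IdP's matchAll=false default)."""
    for bean_id, candidates in overrides:
        if any(tag_candidate_matches(attrs, n, vals) for n, vals in candidates):
            return bean_id
    return default


# The override from the slide: disable consent for SPs of the home organisation example.org.
SLIDE_OVERRIDES: List[Override] = [
    ("shibboleth.NoUserConsentRelyingParty", [("urn:oid:2.16.756.1.2.5.1.1.4", ["example.org"])]),
]

if __name__ == "__main__":
    found = entity_attributes(SAMPLE_METADATA)
    print(found)
    print(select_override(SLIDE_OVERRIDES, found))
```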

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

- Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
- Unpack it at any convenient location (it won't be needed afterwards)
- Change into the newly created distribution directory
- Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
- Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
- Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
- Restart Tomcat to activate the new version:
      Ubuntu:         sudo service tomcat7 restart
      Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

- There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
- Never touch the system directories system and webapp
- Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation

- Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
- Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

- Endpoint URLs stay the same
  - Unlike the upgrade from IdPv1 to IdPv2
  - Therefore no metadata/Resource Registry change needed, in theory
- However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
- To change metadata, change the Home Organisation description
  - Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

(screenshot of the Resource Registry form: 1, 2 to review; 3 to adapt)

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
- 1. General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
- 2. Descriptive Information: add new IP ranges and Domain Hints
- 5. Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
- 7. Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
- Easier configuration, because:
  - only one Apache VirtualHost
  - one domain name and one certificate
  - no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
- Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for:
- Attribute Service
- Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
- Single Sign On Service with SAML2 HTTP POST SimpleSign binding
- Artifact Resolution Service with SAML1 SOAP binding
- Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) on when the binding was used the last time.
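The grep above answers the question for one binding; the added Python example below (not SWITCH's code) runs the same check for all three removal candidates at once, reporting count and last use per binding URN and matching the URN as a whole token so that HTTP-POST is not mistaken for HTTP-POST-SimpleSign. The log lines are constructed and assumed to be in chronological order; scan_log_files assumes the idp-process-2015-*.log naming from the slide.

```python
import glob
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The bindings whose endpoints the slide lists as removal candidates, plus plain
# HTTP-POST to show that a naive substring match would count it as HTTP-POST-SimpleSign.
CANDIDATE_BINDINGS = [
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
]

# Leading timestamp of an idp-process.log line (assumed ISO8601 date layout).
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

Usage = Tuple[int, Optional[str], Optional[str]]  # (count, last timestamp, last line)


def binding_usage(lines: Iterable[str],
                  bindings: List[str] = CANDIDATE_BINDINGS) -> Dict[str, Usage]:
    """Count lines mentioning each binding URN and remember the last one seen.
    Lines are assumed to be in chronological order (as in the rotated daily logs,
    read in file-name order). A URN only matches as a whole token, i.e. not when it
    is followed by '-' or a word character, so HTTP-POST does not also hit
    HTTP-POST-SimpleSign."""
    patterns = {b: re.compile(re.escape(b) + r"(?![\w-])") for b in bindings}
    usage: Dict[str, Usage] = {b: (0, None, None) for b in bindings}
    for line in lines:
        ts = TIMESTAMP_RE.match(line)
        for binding, pattern in patterns.items():
            if pattern.search(line):
                count = usage[binding][0]
                usage[binding] = (count + 1, ts.group(1) if ts else None, line.rstrip("\n"))
    return usage


def unused_bindings(usage: Dict[str, Usage]) -> List[str]:
    """Bindings never seen in the scanned period: the ones whose endpoints
    can be removed from the Resource Registry."""
    return sorted(b for b, (count, _, _) in usage.items() if count == 0)


def scan_log_files(pattern: str = "/opt/shibboleth-idp/logs/idp-process-2015-*.log") -> Dict[str, Usage]:
    """Run the check over the rotated process logs named as on the slide."""
    def all_lines() -> Iterable[str]:
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield from fh
    return binding_usage(all_lines())


# Constructed sample lines (not from a real IdP); the logger name is a placeholder.
SAMPLE_LOG = """\
2015-01-15 08:30:11,205 - 192.0.2.20 - INFO [constructed.Logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
2015-03-02 09:11:05,101 - 192.0.2.21 - INFO [constructed.Logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy-sp.example.org/shibboleth
2015-04-20 14:02:44,900 - 192.0.2.22 - INFO [constructed.Logger:1] - outbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST to https://sp.example.org/shibboleth
2015-05-05 16:45:00,012 - 192.0.2.23 - INFO [constructed.Logger:1] - outbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST to https://sp.example.org/shibboleth
"""

if __name__ == "__main__":
    usage = binding_usage(SAMPLE_LOG.splitlines())
    for binding, (count, last_ts, _) in usage.items():
        print(f"{binding}: {count} use(s), last {last_ts}")
    print("never used:", unused_bindings(usage))
```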

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals

- Operate the IdP on multiple servers to get high availability and/or load balancing
  - Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  - A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
- Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  - Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

- IdPv3 provides better support for clustering than IdPv2
  - Especially, user login sessions are stored on the client instead of in memory on the server
  - Allows flexible configuration of various storage services (memory, server-side, client-side)
- In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
- Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

- The setup of the IdP and the whole environment is more complex than with a single-server IdP
- Special configuration of the IdP is required
- Load balancing requires special hardware or software
- IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment

(diagram not reproduced in the text extraction)

Example Environment

(diagram not reproduced in the text extraction)

Options

- Full-featured setup: load balancing hardware vs DNS Round Robin
  - Special load balancing hardware or software is highly recommended
    - Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    - Supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably
    - Behavior of clients is not determinable
    - Does not guarantee sticky sessions
- Basic setup (Active/Standby system)
  - Anycast IP address
    - Fast switching possible, but more complicated setup
  - Switching via DNS
    - Switching takes some time (TTL), but the setup is easy

Options

- Data storage: client-side vs server-side
  - A server-side database can store any data
    - But: might cause some performance penalty
    - Centralized/clustered or replicated database required
  - Client-side storage using cookies
    - Doesn't work for large data like user consents
    - Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

- Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
- IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on the client)
- Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

- User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
- SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
- Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

| Storage Entity       | Recommended Storage | Scope      |
|----------------------|---------------------|------------|
| Conversation Session | Memory              | Per Node   |
| IdP User Session     | Client              | Per Client |
| Persistent ID        | Common Database     | Cluster    |
| User consents        | Common Database     | Cluster    |
| SAML artifacts       | Common Database     | Cluster    |
| Message replay cache | Memory              | Per Node   |

Remarks:
- "Common Database" means some central/clustered database or a database replicated between nodes
- SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
- Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

- The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
- Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

- The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
- The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

- The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
- Setup:
  - Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

- Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
- Terracotta
  - No longer an option for IdPv3

Considerations for planning an IdP cluster

- Which type of setup do you need? Basic setup or full-featured setup?
- What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
- Which additional hardware or software is required?
- Which further considerations are relevant for your institution?

References / Documentation

- Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
- Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
- Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

- Get an idea of the benefits when participating in interfederation
- Know what it takes to enable an IdP for Interfederation
- Understand the concept of Entity Categories
- Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

- Most federations are of national scope
- Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
- Research projects are mostly multi-national
- Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

(map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status bull  eduGAIN is the GEacuteANT

Interfederation Service

bull  eduGAIN design principles bull  Low barrier to entry bull  No mandate to change local

standardsprocedures bull  Minimal central infrastructure

bull  Status June 2015 bull  IdPs 1257 bull  SPs 963

httpwwwedugainorg

httpstechnicaledugainorgstatusphp

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                            | Defined in | Example
displayName                              | eduPerson  | Peter Sample
common name (cn)                         | eduPerson  | Peter Sample
mail                                     | eduPerson  | peter.sample@example.org
eduPersonAffiliation                     | eduPerson  | staff
eduPersonScopedAffiliation               | eduPerson  | staff@example.org
eduPersonPrincipalName                   | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                    | SCHAC      | example.org
schacHomeOrganizationType                | SCHAC      | urn:schac:homeOrganizationType:ch:university
                                         |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
•  eduGAIN provides a policy framework and standards to build trust
•  SPs and IdPs of participating federations should opt-in for eduGAIN
   –  Some federations decided for opt-out instead
•  The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
•  Entity category
•  GÉANT Data Protection Code of Conduct (CoCo)
•  REFEDS Research & Scholarship (R&S)
•  Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
•  Tag an entity (SP or IdP) as being part of a category
•  Requires a specification for internationally coherent use
•  Criteria: purpose, policies, or other
•  In the interfederation context:
   –  Filling the gap of missing common policies
   –  Support or increase scalable trust

[Figure: Metadata]

GÉANT Data Protection Code of Conduct
•  The method is based on the EU Data Protection directives
•  The SP has to provide a Privacy Policy (in English, according to the guideline)
•  That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

[Figure: Increase the trust in Service Providers (SPs): SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment]

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
•  Legal compliance
•  Purpose limitation
•  Data minimisation
•  Deviating purposes
•  Data retention
•  Third parties
•  Security measures
•  Information duty towards end user
•  Information duty towards home organization
•  Security breaches
•  Liability
•  Transfer to third countries
•  Governing law and jurisdiction
•  Eligibility to execute
•  Termination of the Code of Conduct
•  Survival of the clauses
•  Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request?
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
•  Name of the service
•  Description of the service
•  Data controller and a contact person
•  Jurisdiction
•  Personal data processed
•  Purpose of the processing of personal data
•  Third parties to whom personal data is disclosed
•  How to access, rectify and delete the personal data
•  Data retention
•  Data Protection Code of Conduct

REFEDS Research & Scholarship
•  R&S SPs support:
   –  Research & scholarship interaction
   –  Collaboration
   –  Management
•  No SPs from publishers
•  Attributes:
   –  Personal identifiers: email, person name, eduPersonPrincipalName
   –  Pseudonymous identifier: eduPersonTargetedID
   –  Affiliation: eduPersonScopedAffiliation
   –  Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
[Figure]

Attribute Release Settings (1)
[Figure: Resource Registry, Edit Home Organization Description, Attribute Release Settings]

Attribute Release Settings (2)
[Figure]

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
•  Logfiles:
   –  error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
   –  access.log: aai-login.example.org.access.log
•  Location: /var/log/apache2
•  Configuration: defined in the virtual host definition
   –  dir: /etc/apache2/sites-available
   –  file: aai-login.example.org.conf

Tomcat log files
•  catalina.out: console output (System.err/out) from Tomcat
   –  default logging location: /var/log/tomcat7
   –  config in /etc/tomcat7/logging.properties
      FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
•  localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
   –  default logging location: /var/log/tomcat7
   –  config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
•  Logging implementation called Logback (Log4j successor)
   –  Manual: http://logback.qos.ch/manual/index.html
•  Reloadability: log level change without restarting the IdP
   –  services.properties entry: idp.service.logging.checkInterval = PT5M
•  Automatic email alerts on error

Shibboleth log files (2)
•  Location: /opt/shibboleth-idp/logs
•  Three classes of log files produced by default: diagnostic, general audit and consent audit logs
   –  idp-process.log: detailed description of the IdP processing requests
   –  idp-warn.log: filtered view of idp-process.log
   –  idp-audit.log: general request/response auditing records
   –  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
•  Config: /opt/shibboleth-idp/conf/logback.xml
•  3 main classes: Logger, Appender (output destination) and Layout
•  Default settings usually OK; change them if required, i.e.
   –  LDAP Auth Module or authentication events
   –  new Logger or Appender…
•  Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
•  Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1.  Edit /etc/tomcat7/server.xml and insert a listener with a wrong class in the Server element:
      <Listener className="org.apache.catalina.filter" />
2.  Restart Tomcat
3.  Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4.  Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

Hands On II
1.  cd /opt/shibboleth-idp/conf
2.  Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3.  Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
      <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4.  Restart Tomcat and log in to the IdP (AAI Demo Service)
5.  Look at idp-process.log and find the log entries
      [org.ldaptive.auth.Authenticator:284]
      [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6.  Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
•  only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
   –  attribute resolver (attribute-resolver.xml)
   –  attribute filtering engine (attribute-filter.xml)
   –  profile handler manager (handler.xml)
   –  relying party configuration manager (relying-party.xml)
•  potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
•  no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
•  reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
      $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
•  by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose (they depend on JAVA_HOME being set and a proper -u argument being specified…); requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)
•  shibboleth.LoggingService: logging configuration reload (logback.xml)
•  shibboleth.AttributeFilterService: attribute filter reload
•  shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
•  shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
•  shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
•  shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
•  shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
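The two steps above (find the reloadable bean IDs in services-system.xml, then request the reload-service admin flow with the right id= argument) can be scripted so that a typo in the bean ID is caught before any request is sent. The Python script below is an added example, not code from the slides or the Shibboleth project: its services XML is constructed after the shape of /opt/shibboleth-idp/system/conf/services-system.xml, the selection by a class name ending in ReloadableSpringService is an assumption, and the host name is the slide's example host.

```python
"""List reloadable IdP services and build the admin reload-service URL.

Added example, not code from the slides or the Shibboleth project. The
services XML below is constructed after the shape of
/opt/shibboleth-idp/system/conf/services-system.xml; the bean IDs are the
ones listed on the slide, the host name is the slide's example host.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SPRING_NS = {"b": "http://www.springframework.org/schema/beans"}
RELOADABLE_CLASS_SUFFIX = "ReloadableSpringService"  # assumed class name, see lead-in

# Constructed sample: four reloadable services and one unrelated bean.
SAMPLE_SERVICES_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="shibboleth.LoggingService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeFilterService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.MetadataResolverService"
        class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.VelocityEngine" class="org.apache.velocity.app.VelocityEngine"/>
</beans>
"""


def reloadable_service_ids(services_xml):
    """Bean IDs whose class is a reloadable service: the valid id= values."""
    root = ET.fromstring(services_xml)
    return sorted(
        bean.get("id")
        for bean in root.findall("b:bean", SPRING_NS)
        if bean.get("id") and bean.get("class", "").endswith(RELOADABLE_CLASS_SUFFIX)
    )


def reload_url(idp_base, bean_id, known_ids):
    """URL of the reload-service admin flow; rejects IDs not in known_ids.

    The check happens locally, before any request is sent to the IdP.
    """
    if bean_id not in known_ids:
        raise ValueError("unknown service bean id: %s" % bean_id)
    query = urllib.parse.urlencode({"id": bean_id})
    return "%s/profile/admin/reload-service?%s" % (idp_base.rstrip("/"), query)


def reload_service(idp_base, bean_id, known_ids, timeout=10):
    """Perform the GET the slide does with curl; returns the HTTP status.

    Must run from a host allowed by access-control.xml (localhost by default).
    """
    with urllib.request.urlopen(reload_url(idp_base, bean_id, known_ids),
                                timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    ids = reloadable_service_ids(SAMPLE_SERVICES_XML)
    for bean_id in ids:
        print(reload_url("https://aai-login.example.org/idp", bean_id, ids))
```

In production, pass the real file contents to reloadable_service_ids() instead of the constructed sample, and call reload_service() from the IdP host itself, since the admin flows are restricted to localhost unless access-control.xml says otherwise.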

And restartless login page editing, too
•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   –  edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
   –  say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
•  and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
•  try reloading a couple of the services listed on slide 4:
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
•  check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
•  entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
   How can you determine what id= argument was supplied?
•  what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding:
   –  Opt-in vs opt-out
   –  Metadata
   –  Discovery Service
   –  Attributes
•  Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out
•  Opt-in
   –  IdPs and SPs decide when they are ready to interfederate
   –  Once the configuration is up-to-date:
      •  Interfederation metadata gets loaded
      •  IdP: additional attributes, user consent
      •  SP: Discovery Service, attribute mapping, access rules
   ⊖  Slow process
   ⊕  Entities unlikely to cause interoperability problems
•  Opt-out
   –  Federation announces a flag day for enabling interfederation
   –  IdPs and SPs need to opt out before that day
      •  if they do not want to participate
      •  if they are not ready yet
   ⊕  Quick adoption
   ⊖  More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1)  UK Data Archive: http://www.data-archive.ac.uk
2)  FUNET FileSender: https://filesender.funet.fi
3)  Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1)  Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2)  eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3)  eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata
•  Interfederated IdPs and SPs need additional metadata
   –  SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
   –  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes:
   –  In SWITCHaai: two hours
   –  For interfederation: one to a few days
•  Possible issue:
   –  SP does not load interfederation metadata
   –  SP does not know the IdP and fails

Discovery Service (DS)
•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
•  An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
•  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
•  Missing attributes cause interoperation problems
•  Check the SP's attribute requirements in the Resource Registry
•  Verify that attributes were released (in the IdP's audit log)
   –  If NO: check your IdP's attribute release policy
   –  If YES: were all required attributes released?
      •  If YES: the SP has to check out why it fails
      •  If NO: review your attribute release policy
•  Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
•  Is a university's IdP or an SP already interfederated?
   –  go to https://technical.edugain.org/status.php
   –  pick the country where the entity might be registered
   –  under "Metadata URL" click on "validate this metadata set", then on "show entities list"
•  or search it in the eduGAIN List of Entities
   –  go to https://technical.edugain.org/entities.php
•  or try the "Is Federated Checker"
   –  go to https://wiki.edugain.org/isFederatedCheck
   –  provide email addresses or domain names
•  Additional web pages of interest:
   –  Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
   –  REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities
•  Find an SP in the Resource Registry
   –  go to https://rr.aai.switch.ch
   –  pick "Search for resources"
   –  pick "interfederation"
•  or search it in the metadata file
   –  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch


Example conf/relying-party.xml: both post-authentication flows enabled for SAML2 SSO, only attribute-release for Shibboleth SSO

  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
      <list>
        <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
        <ref bean="SAML1.AttributeQuery" />
        <ref bean="SAML1.ArtifactResolution" />
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />
        <ref bean="SAML2.ECP" />
        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

Attribute consent configuration: configured by Java properties in conf/idp.properties

Consent duration options:
•  "Ask me again if information changes": always available to users
•  "Ask me again at next login": idp.consent.allowDoNotRemember = true [true]
•  "Do not ask me again": idp.consent.allowGlobal = false [true]

Attribute consent configuration: per attribute behaviour
•  Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
•  Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: configured by Spring beans in conf/intercept/consent-intercept-config.xml

White & black lists
•  Which attributes to prompt for: [all except black list]
•  White list [empty]: when filled, any attribute not mentioned in a list is released without asking
•  Black list [transientId, persistentId, eduPersonTargetedID]
•  Pattern match [not defined]

Intercept flow configuration: attribute display order (coming in version 3.2.0)
•  Alphabetical order by default
•  Except attributes in the white list, which show up first
•  Set pattern to ^.*$ to catch all other attributes
•  Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: configured by Java properties in messages/consent-messages.properties

Terms for each SP
•  Default mapping using the entityID:
      https\://sp.example.org = example-tou-1
      example-tou-1.title = Example Terms of Use
      example-tou-1.text = <em>This is an example ToU</em> [...]
•  Other mapping configurable, but the key is still the entityID (default value available)

Custom terms of use mapping: configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Hands-on solution
•  Enable the terms-of-use flow in conf/relying-party.xml
•  Change the key bean in conf/intercept/consent-intercept-config.xml to

      <bean id="shibboleth.consent.terms-of-use.Key"
            class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
      </bean>

Hands-on solution (continued)
•  Add text in messages/consent-messages.properties:

      my-terms = bogus-tou
      bogus-tou.title = Bogus Terms of Use
      bogus-tou.text = You can do anything you want

References
•  Shibboleth wiki: ConsentConfiguration
•  Shibboleth wiki: RelyingPartyConfiguration
•  Google Guava: Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: relying party overrides
•  Template beans in conf/relying-party.xml to match SPs by
   –  name: entityID
   –  group: <EntitiesDescriptor> in metadata
   –  tag: <EntityAttributes> metadata extension
•  First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: entity attributes in metadata
•  Entity categories
   –  GÉANT Data Protection Code of Conduct (CoCo)
   –  REFEDS Research & Scholarship
•  New attributes available
   –  swissEduPersonHomeOrganization
   –  swissEduPersonHomeOrganizationType

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                        Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>
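The same tag test the override above performs (attribute Name plus one of the listed values) can be reproduced outside the IdP, for example to audit which interfederation SPs carry the CoCo entity category and which ones would have their consent prompt disabled before such an override goes live. The Python script below is an added example, not code from the slides or the Shibboleth project: its metadata sample is constructed after the example metadata above, and the REFEDS R&S category URI it checks for (http://refeds.org/category/research-and-scholarship) is assumed from the REFEDS specification rather than taken from the slides.

```python
"""Read EntityAttributes from SAML metadata and evaluate tag-based overrides.

Added example, not code from the slides or the Shibboleth project. The
metadata sample is constructed after the slide's example; the R&S category
URI is assumed from the REFEDS specification (not on the slides).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"  # assumed, see lead-in
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"               # swissEduPersonHomeOrganization

# Constructed sample: one CoCo-tagged SP with a home organisation, one untagged SP.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(metadata_xml):
    """Map entityID -> {attribute Name: [values]} for every EntityDescriptor.

    Whitespace around values is stripped, so a value split over several
    lines (as in the slide's example) still compares equal to the URI.
    """
    root = ET.fromstring(metadata_xml)
    result = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = {}
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            values = [(v.text or "").strip()
                      for v in attr.findall("saml:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        result[ed.get("entityID")] = attrs
    return result


def entity_categories(attrs):
    """Entity category values carried by one entity (empty set if none)."""
    return set(attrs.get(ENTITY_CATEGORY, []))


def tag_matches(attrs, name, values):
    """Same test as a TagCandidate: attribute `name` carries any of `values`."""
    return bool(set(attrs.get(name, [])) & set(values))


def consent_skipped(attrs, home_org):
    """Mirror the slide's override: no consent for SPs of the given home organisation."""
    return tag_matches(attrs, HOME_ORG_OID, [home_org])


def report(metadata_xml, home_org):
    """One line per entity: categories asserted and whether consent is skipped."""
    lines = []
    for entity_id, attrs in entity_attributes(metadata_xml).items():
        cats = sorted(entity_categories(attrs))
        lines.append("%s categories=%s consent_skipped=%s"
                     % (entity_id, cats, consent_skipped(attrs, home_org)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_METADATA, "switch.ch"):
        print(line)
```

Run it against the interfederation metadata file named on the troubleshooting slide to see, per SP, which categories the federation operator has asserted; the IdP only trusts these tags because the metadata is signed by the same trust anchor as the federation metadata, so the script should read a verified copy, not an unsigned download.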

Upgrades within Version 3: It's easy now
SWITCHaai Team, aai@switch.ch

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure
•  Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
•  Unpack it at any convenient location (it won't be needed afterwards)
•  Change into the newly created distribution directory
•  Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
•  Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
•  Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
•  Restart Tomcat to activate the new version
      Ubuntu: sudo service tomcat7 restart
      Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
•  There are two distinct areas below /opt/shibboleth-idp:
   –  Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
   –  Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
•  Never touch the system directories system and webapp
•  Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References / Documentation
•  Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
•  Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata
•  Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed.
•  However, some changes are still recommended:
   1.  Review the Home Organisation Description
   2.  Change URL for Attribute Authority
   3.  Remove Unnecessary Endpoints
•  To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description
[Figure: Resource Registry form; sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
•  1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
•  2 Descriptive Information: add new IP ranges and Domain Hints
•  5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
•  7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
•  Easier configuration, because:
   –  only one Apache VirtualHost
   –  one domain name and one certificate
   –  no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
•  Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for
•  Attribute Service
•  Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
•  Single Sign On Service with SAML2 HTTP POST SimpleSign binding
•  Artifact Resolution Service with SAML1 SOAP binding
•  Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
      $ cd /opt/shibboleth-idp/logs
      $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
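Three checks in these handouts read the same file, idp-audit.log: verifying that the required attributes were released to an interfederated SP (New Challenges, slide 7), recognising the reload events recorded by the admin flows (Reloading the Configuration, hands-on slide), and finding the last use of a binding before removing its endpoint (this slide). The Python script below is an added example, not code from the slides or the Shibboleth project; its log lines are constructed, and its 13-field layout with the profile in the fifth field is an assumption chosen to match the reload-event lines shown on the hands-on slide (…||||<profile>||||||||).

```python
"""Answer three audit-log questions from the handouts with one parser.

Added example, not code from the slides or the Shibboleth project. The log
lines are constructed. The field layout is an assumption: 13 pipe-separated
fields, profile in the 5th, which matches the reload-event lines shown in the
reloading hands-on slide (...||||<profile>||||||||).
"""
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Assumed layout (see lead-in); the last three fields are not used here.
FIELDS = ["time", "binding", "message_id", "sp", "profile", "user",
          "authn_context", "attributes", "nameid_format", "nameid",
          "unused11", "unused12", "unused13"]

# Constructed sample: a 2015 SAML1 attribute query, two SAML2 logins, two reloads.
SAMPLE_AUDIT_LOG = """\
20150211T101500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r1|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|jdoe||mail,eduPersonAffiliation|||||
20150611T081500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_a1|||
20150611T081700Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|asmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_a2|||
20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T090100Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""


def parse_audit_line(line):
    """One record as a dict, or None when the line does not have 13 fields."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    record["attributes"] = [a for a in record["attributes"].split(",") if a]
    return record


def parse_audit_log(text):
    """All well-formed records; malformed lines are skipped, not fatal."""
    return [r for r in (parse_audit_line(l) for l in text.splitlines())
            if r is not None]


def attributes_released(records, sp):
    """Union of attribute names ever released to the given SP."""
    released = set()
    for r in records:
        if r["sp"] == sp:
            released.update(r["attributes"])
    return released


def missing_attributes(records, sp, required):
    """Required attributes (e.g. from the Resource Registry) never released to the SP."""
    return sorted(set(required) - attributes_released(records, sp))


def last_use(records, binding):
    """Timestamp of the most recent request on a binding, or None if never used."""
    times = [r["time"] for r in records if r["binding"] == binding]
    return max(times) if times else None


def reload_events(records):
    """(time, flow) for reload events; the id= argument is not in the audit log."""
    return [(r["time"], r["profile"][len(RELOAD_PREFIX):])
            for r in records if r["profile"].startswith(RELOAD_PREFIX)]


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    sp = "https://sp.example.org/shibboleth"
    print("released to", sp, sorted(attributes_released(records, sp)))
    print("SAML1 SOAP last used:", last_use(records, SAML1_SOAP))
    print("reloads:", reload_events(records))
```

Before relying on the field positions, compare them with the audit format configured in your own IdP (conf/audit.xml): the parser rejects lines whose field count differs, so a mismatched format shows up as an empty result rather than as wrong answers. Timestamps are compared as strings, which is sufficient because the format is fixed-width.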

Page 68

SWITCHaai Team aaiswitchch

Clustering IdPs High Availability and Load Balancing

copy 2015 SWITCH

Goals bull  Operate the IdP on multiple servers to get high availability

andor load balancing bull  Load balancing is especially desirable for IdPs with a lot of user logins

and a high load ie for large organizations bull  A further usage is to avoid outages during maintenances A server

can be taken away without breaking the operation

bull  Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails bull  Users should not need to re-login if a server fails or is manually

removed from the cluster

2

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram)

Example Environment (diagram, continued)

Page 71

Options: Load Balancing Hardware vs. DNS Round Robin
• Full-featured setup
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifact
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

  Storage Entity        Recommended Storage   Scope
  Conversation Session  Memory                Per Node
  IdP User Session      Client                Per Client
  Persistent ID         Common Database       Cluster
  User consents         Common Database       Cluster
  SAML artifacts        Common Database       Cluster
  Message replay cache  Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map of production and pilot federations)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry (screenshot)
https://www.switch.ch/aai/interfederation/

Prerequisite: Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

  Friendly name                  Defined in  Example
  displayName                    eduPerson   Peter Sample
  common name (cn)               eduPerson   Peter Sample
  mail                           eduPerson   peter.sample@example.org
  eduPersonAffiliation,          eduPerson   staff, staff@example.org
  eduPersonScopedAffiliation
  eduPersonPrincipalName         eduPerson   234cd8z239@example.org
  schacHomeOrganization          SCHAC       example.org
  schacHomeOrganizationType      SCHAC       urn:schac:homeOrganizationType:ch:university,
                                             urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /          eduPerson   https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (screenshot)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
• Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata (diagram)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; this increases the trust in Service Providers (SPs))

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                   GÉANT DP CoCo
  Global                       Mainly Europe
  Common purpose of the SPs    Common data protection standards
  Fixed set of attributes      SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Page 88

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok. Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96
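Since the slides recommend plain curl over the installed reload scripts, and since idp-audit.log records each reload as an event, the following is an added example (not from the SWITCH handouts or the Shibboleth project) that puts both together: two one-line wrappers for the admin flows, and a parser that pulls the reload events back out of the audit log. It assumes the IdP is reachable as https://aai-login.example.org/idp from the host running the script (the reload flows only accept localhost by default), and it assumes a pipe-delimited audit record whose first field is the timestamp; the profile URI is located by value rather than by column number, so the exact audit format does not matter. The audit lines at the bottom are constructed for trying the parser offline.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts or the Shibboleth project:
# trigger a reload over the IdP v3 admin flows and extract the resulting
# reload events from idp-audit.log. Assumptions: the IdP answers under
# IDP_BASE for requests from this host, and the audit log is pipe-delimited
# with the timestamp in the first field.

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}
AUDIT_LOG=${AUDIT_LOG:-/opt/shibboleth-idp/logs/idp-audit.log}

# reload_service BEAN_ID: request the reload-service flow and print the
# response body followed by the HTTP status code, so a failed reload (unknown
# bean id, syntax error in the reloaded file) is visible to the caller.
reload_service() {
    curl -s -w '\n%{http_code}\n' "$IDP_BASE/profile/admin/reload-service?id=$1"
}

# reload_metadata PROVIDER_ID: the same for the reload-metadata flow.
reload_metadata() {
    curl -s -w '\n%{http_code}\n' "$IDP_BASE/profile/admin/reload-metadata?id=$1"
}

# reload_events [AUDIT_LOG]: print "timestamp profile-uri" for every
# reload-service-configuration or reload-metadata event in the audit log.
reload_events() {
    awk -F'|' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /\/ns\/profiles\/reload-(service-configuration|metadata)$/)
                print $1, $i
    }' "${1:-$AUDIT_LOG}"
}

# reload_count [AUDIT_LOG]: number of reload events in the audit log.
reload_count() {
    reload_events "$@" | wc -l | tr -d ' '
}

# Constructed sample audit records (not real IdP output) for trying the parser
# offline; the empty fields stand in for the columns that a reload event
# leaves blank, as in the handout excerpt.
SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1b2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|...
20150611T081930Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T082011Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
EOF

reload_events "$SAMPLE_AUDIT"
```

Note what the audit record does and does not tell you: the profile URI shows that a reload happened and when, but not which id= argument was supplied, which is exactly the question the hands-on exercise on the next page asks. The web server's access log (Apache or Tomcat, see the log file overview above) is where the query string of the request is recorded.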

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations relatively rarely occur

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 ("Available bean IDs for service reloads"):
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted-out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  – That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Attribute consent configuration: Per attribute behaviour
• Allow selection of attributes to release (may break applications if required attributes are withheld): idp.consent.allowPerAttribute = false [false]
• Ask again if attribute values change: idp.consent.compareValues = true [false]

Intercept flow configuration: Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• White & black lists
  – Which attribute to prompt for [all except black list]
  – White list [empty]: when filled, any attribute not mentioned in a list is released without asking
  – Black list [transientId, persistentId, eduPersonTargetedID]
  – Pattern match [not defined]

Page 52

Intercept flow configuration: Attribute display order (coming in version 3.2.0)
• Alphabetical order by default
• Except attributes in white list show up first
• Set pattern to ^.*$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration: Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
• Default mapping using the entityID:
    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]
• Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping: Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU. We want to always display the same terms of use regardless of the SP.

Page 54

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms" />
  </bean>

Hands-on solution
• Add text in messages/consent-messages.properties:

  my-terms = bogus-tou
  bogus-tou.title = Bogus Terms of Use
  bogus-tou.text = You can do anything you want

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override: Disables flows for SPs belonging to a home organisation

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package from https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version:

    Ubuntu:          sudo service tomcat7 restart
    Red Hat/CentOS:  sudo systemctl restart tomcat.service
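The procedure above collected into one script, as an added example that is not part of the SWITCH handout or of the Shibboleth distribution. Assumed here: the package file name shibboleth-identity-provider-<version>.tar.gz as published on shibboleth.net, a SHA-256 digest copied from the download page for a verification step the slide does not mention, and that /opt/shibboleth-idp/bin/version.sh prints the installed version. The install step stays interactive, as on the slide.

```bash
#!/usr/bin/env bash
# Added example: IdP v3 upgrade wrapper (assumptions listed in the lead-in).
set -euo pipefail

IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
DOWNLOAD_BASE=${DOWNLOAD_BASE:-https://shibboleth.net/downloads/identity-provider}

# version_gt A B: prints "yes" if dotted version A is newer than B, else "no".
version_gt() {
    [ "$1" = "$2" ] && { echo no; return; }
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ] \
        && echo yes || echo no
}

# installed_version: e.g. "3.1.1" (assumed: bin/version.sh prints it; empty if unknown,
# which version_gt then treats as older than anything).
installed_version() {
    "$IDP_HOME/bin/version.sh" 2>/dev/null | grep -o -m1 '[0-9]\+\.[0-9]\+\.[0-9]\+' || true
}

# tarball_name VERSION: package file name as published on shibboleth.net.
tarball_name() { echo "shibboleth-identity-provider-$1.tar.gz"; }

# verify_checksum FILE SHA256: fails unless FILE has the expected digest.
verify_checksum() { echo "$2  $1" | sha256sum -c --status; }

# upgrade VERSION SHA256: download, verify, unpack, install, rebuild the war.
upgrade() {
    local ver=$1 sum=$2 tb tmp
    tb=$(tarball_name "$ver")
    if [ "$(version_gt "$ver" "$(installed_version)")" != yes ]; then
        echo "already at $ver or newer"; return 0
    fi
    tmp=$(mktemp -d)                                  # scratch dir, removed at the end
    curl -fsSL -o "$tmp/$tb" "$DOWNLOAD_BASE/$tb"
    verify_checksum "$tmp/$tb" "$sum"                 # never unpack an unverified archive
    tar -xzf "$tmp/$tb" -C "$tmp"
    ( cd "$tmp/shibboleth-identity-provider-$ver" && ./bin/install.sh )   # prompts; target /opt/shibboleth-idp
    "$IDP_HOME/bin/build.sh"                          # re-build idp.war
    rm -rf "$tmp"
    echo "now restart Tomcat (Ubuntu: sudo service tomcat7 restart; RHEL/CentOS: sudo systemctl restart tomcat.service)"
}

# usage: ./idp-upgrade.sh --run 3.1.1 <sha256 from the download page>
if [ "${1:-}" = "--run" ]; then upgrade "$2" "$3"; fi
```

Review the release notes before running it; the script only automates the mechanical steps, not the configuration review the slide asks for.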

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  - Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  - Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp.
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

References: Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
It's SAML2 Metadata.

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2).
• Therefore no metadata/Resource Registry change is needed in theory.
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form): sections 1 and 2 are to review, section 3 is to adapt.

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because:
  - only one Apache VirtualHost
  - one domain name and one certificate
  - no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata. The protection is therefore only as good as the metadata trust: the IdP must load only metadata whose signature it verifies, and a query whose signature cannot be verified against trusted metadata must not be answered.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.

    https://aai-login.example.org:8443/idp/...   or   https://aai-aa.example.org/idp/...

to

    https://aai-login.example.org/idp/...

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used.

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) about when the binding was last used.
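As an added example (not part of the handout), the same check done over the audit log instead of the process log, which gives one row per request and a clean "last used by which SP" answer. It assumes the default v3 idp-audit.log field order, timestamp|inbound binding|message ID|relying party|profile ID|..., which is an assumption to confirm against idp.audit.format in your own configuration. The four audit lines are constructed for the example, with made-up host and SP names.

```bash
#!/usr/bin/env bash
# Added example: per-SP last-use report for a SAML binding, read from idp-audit.log.
set -eu

SAML1_SOAP='SAML:1.0:bindings:SOAP-binding'

# last_use BINDING_PATTERN FILE...: for audit rows whose inbound binding (field 2)
# matches the pattern, print "<last seen> <count> <relying party>" per SP, newest first.
last_use() {
    local pat=$1; shift
    awk -F'|' -v pat="$pat" '
        $2 ~ pat { n[$4]++; if ($1 > last[$4]) last[$4] = $1 }
        END { for (sp in n) printf "%s %d %s\n", last[sp], n[sp], sp }
    ' "$@" | sort -r
}

# used_since FILE BINDING_PATTERN YYYYMMDD: number of uses on or after the date
# (audit timestamps are YYYYMMDDThhmmssZ, so the first 8 characters compare as a date).
used_since() {
    awk -F'|' -v pat="$2" -v since="$3" '
        $2 ~ pat && substr($1, 1, 8) >= since { c++ }
        END { print c + 0 }
    ' "$1"
}

# Constructed sample audit log (not real data); only the first five fields matter here.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
20150112T101500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_e5f1|https://old-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|||||||||
20150303T143012Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a7c2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|||||||||
20150421T090001Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_b9d3|https://old-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|||||||||
20150502T120000Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_c1e4|https://legacy.example.com/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|||||||||
EOF

# On the IdP itself: the grep from the slide over the process logs, then the audit summary.
if [ "${1:-}" = "--run" ]; then
    grep -l "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log || true
    last_use "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-audit*.log
    echo "uses since 2015-01-01: $(cat /opt/shibboleth-idp/logs/idp-audit*.log | used_since /dev/stdin "$SAML1_SOAP" 20150101)"
fi
```

A binding with zero rows over the retention window of your audit logs is the only one that is safe to drop from the Resource Registry; a single row still names the SP to talk to first.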

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  - Full support for Attribute Query requires persistent storage of the Persistent ID
  - Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Example Environment (diagram)

Options

• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  - Special load balancing hardware or software is highly recommended:
    · guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    · supports sticky sessions (required for short-lived conversation sessions)
  - DNS Round Robin doesn't work reliably:
    · the behaviour of clients is not determinable
    · it does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  - Anycast IP address: fast switching possible, but more complicated setup
  - Switching via DNS: switching takes some time (TTL), but the setup is easy

Options

• Data storage: client-side vs server-side
  - A server-side database can store any data
    · but: might cause some performance penalty
    · a centralized/clustered or replicated database is required
  - Client-side storage using cookies
    · doesn't work for large data like user consents
    · stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  - Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  - Bound to a single node (session state stored in memory)
  - Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  - After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  - Floatable between nodes (stored on the client)
• Persistent ID
  - Unique opaque identifier for a user per service provider
  - In a typical SWITCHaai deployment the Persistent ID is stored in a database
  - Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  - Requires persistent storage (client-side or server-side)
  - Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  - Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  - Seldom used in SWITCHaai
• Message replay cache
  - Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration); a message replayed against a node other than the one that first saw it is then not detected
  - For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

    Storage Entity          Recommended Storage   Scope
    Conversation Session    Memory                Per Node
    IdP User Session        Client                Per Client
    Persistent ID           Common Database       Cluster
    User consents           Common Database       Cluster
    SAML artifacts          Common Database       Cluster
    Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  - IdP User Session: idp.session.StorageService
  - User Consents: idp.consent.StorageService
  - SAML artifacts: idp.artifact.StorageService
  - Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  - Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  - Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  - Install an appropriate cronjob
  - The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
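One way to implement the rotate-on-one-node-and-copy setup described above, as an added example (not the wiki's cronjob script and not part of the handout). Assumptions: seckeygen.sh takes the arguments documented on the SecretKeyManagement wiki page the slide references, the keystore password is idp.sealer.storePassword in idp.properties, sealer.kver is a Java properties file with a CurrentVersion=N line, and the peer host names are reachable via rsync over ssh as the IdP user; the host names are made up.

```bash
#!/usr/bin/env bash
# Added example: generate a new sealer key on the primary node and push keystore +
# version file to the other cluster nodes (assumptions in the lead-in).
set -eu
IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
PEERS=${PEERS:-"idp2.example.org idp3.example.org"}   # assumed peer host names

# property FILE KEY: value of KEY in a Java properties file (first match; values
# containing '=' are truncated at that character, good enough for these keys).
property() {
    awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { sub(/^[ \t]+/, "", $2); print $2; exit }
    ' "$1"
}

# key_version KVERFILE: CurrentVersion from sealer.kver, i.e. the key alias in use.
key_version() { property "$1" CurrentVersion; }

rotate_and_distribute() {
    local pass before after h
    pass=$(property "$IDP_HOME/conf/idp.properties" idp.sealer.storePassword)
    before=$(key_version "$IDP_HOME/credentials/sealer.kver")
    # Adds key number N+1 and keeps the 30 most recent so cookies sealed with older
    # keys still decrypt during the session lifetime.
    "$IDP_HOME/bin/seckeygen.sh" --storefile "$IDP_HOME/credentials/sealer.jks" \
        --storepass "$pass" --versionfile "$IDP_HOME/credentials/sealer.kver" \
        --alias secret --count 30
    after=$(key_version "$IDP_HOME/credentials/sealer.kver")
    [ "$after" -gt "$before" ] || { echo "key version did not advance ($before -> $after)" >&2; return 1; }
    # Keystore and version file must always travel together: a node with a newer
    # .kver but the old .jks cannot unseal cookies it issued itself.
    for h in $PEERS; do
        rsync -a --chmod=F600 "$IDP_HOME/credentials/sealer.jks" "$IDP_HOME/credentials/sealer.kver" \
            "$h:$IDP_HOME/credentials/"
    done
    echo "rotated sealer key to version $after on $(hostname) and ${PEERS}"
}

# crontab entry on the primary node only, e.g.:  17 3 * * *  /usr/local/sbin/idp-rotate-sealer.sh --run
if [ "${1:-}" = "--run" ]; then rotate_and_distribute; fi
```

Two caveats a practitioner should keep in mind: the password passed on the seckeygen.sh command line is visible in the process list for the duration of the run, and if a peer is unreachable the loop aborts, so run the job with monitoring that reports the failure rather than silently leaving nodes on different keys.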

Further Notes

• Memcached
  - Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  - Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  - No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References: Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  - Enable the IdP for interfederation: its users will be able to access services from other federations
  - Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  - Low barrier to entry
  - No mandate to change local standards/procedures
  - Minimal central infrastructure
• Status June 2015: IdPs: 1257, SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

    Friendly name                 Defined in   Example
    displayName                   eduPerson    Peter Sample
    common name (cn)              eduPerson    Peter Sample
    mail                          eduPerson    peter.sample@example.org
    eduPersonAffiliation          eduPerson    staff
    eduPersonScopedAffiliation    eduPerson    staff@example.org
    eduPersonPrincipalName        eduPerson    234cd8z239@example.org
    schacHomeOrganization         SCHAC        example.org
    schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                               urn:schac:homeOrganizationType:eu:higherEducationInstitution
    eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
    Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  - Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

eduGAIN policy documents (figure): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use:
  - Criteria
  - Purpose
  - Policies
  - Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (figure)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs) (figure): SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support:
  - Research & scholarship interaction
  - Collaboration
  - Management
• No SPs from publishers
• Attributes:
  - Personal identifiers: email, person name, eduPersonPrincipalName
  - Pseudonymous identifier: eduPersonTargetedID
  - Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

    REFEDS R&S                   GÉANT DP CoCo
    Global                       Mainly Europe
    Common purpose of the SPs    Common data protection standards
    Fixed set of attributes      SP can require any attributes

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1) and (2) (screenshots: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Overview of Log Files

Apache log files

• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition:
  - dir: /etc/apache2/sites-available/
  - file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  - default logging location: /var/log/tomcat7/
  - config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  - access information associated with a request (IP address, time, request method (GET or POST))
  - default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
  - Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  - services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  - idp-process.log: detailed description of the IdP processing requests
  - idp-warn.log: filtered view of idp-process.log
  - idp-audit.log: general request/response auditing records
  - idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Note that the SMTPAppender sends a mail on each ERROR event and includes the preceding events from its buffer; with the root logger at DEBUG those buffered events can contain request details, so treat the alert mails as sensitive and keep the mail path internal.

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   - set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   - insert an additional logger for the attribute resolver:
         <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  - attribute resolver (attribute-resolver.xml)
  - attribute filtering engine (attribute-filter.xml)
  - profile handler manager (handler.xml)
  - relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource l	lists in services.xml
• reloading metadata: find the IDs with
      $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
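A small wrapper around the curl approach, as an added example that is neither the handout's nor the IdP's own bin/reload-*.sh scripts. The service bean IDs are the ones listed above; the host name, the metadata provider ID used in the usage line and the assumption that you run this on the IdP host itself (because access-control.xml only admits localhost by default) are the example's own.

```bash
#!/usr/bin/env bash
# Added example: trigger IdP v3 service/metadata reloads via the admin flows.
set -eu
IDP_URL=${IDP_URL:-https://aai-login.example.org/idp}     # assumed host name

# The reloadable service beans from system/conf/services-system.xml.
SERVICE_IDS="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# known_service_id ID: "yes" if ID is one of the reloadable service beans, else "no".
known_service_id() {
    local s
    for s in $SERVICE_IDS; do
        if [ "$s" = "$1" ]; then echo yes; return; fi
    done
    echo no
}

# reload_url KIND ID: URL of the admin flow; KIND is "service" or "metadata".
reload_url() {
    case $1 in
        service|metadata) echo "$IDP_URL/profile/admin/reload-$1?id=$2" ;;
        *) echo "unknown reload kind: $1" >&2; return 1 ;;
    esac
}

# reload KIND ID: call the flow. Unknown service IDs are refused before any request
# goes out; --fail turns an HTTP error status into a non-zero exit for cron/scripts.
reload() {
    if [ "$1" = service ] && [ "$(known_service_id "$2")" = no ]; then
        echo "refusing unknown service id: $2" >&2; return 1
    fi
    curl --silent --show-error --fail "$(reload_url "$1" "$2")"
    echo    # the flow answers with a one-line status text without a trailing newline
}

# reload_attribute_config: the usual pair after editing resolver and filter files.
reload_attribute_config() {
    reload service shibboleth.AttributeResolverService
    reload service shibboleth.AttributeFilterService
}

# usage: ./idp-reload.sh --run service shibboleth.AttributeFilterService
#        ./idp-reload.sh --run metadata SWITCHaaiMetadata      (provider ID assumed)
if [ "${1:-}" = "--run" ]; then shift; reload "$@"; fi
```

A reload that fails because of a syntax error leaves the previously loaded configuration active, so check the curl exit status and idp-process.log after every reload rather than assuming the edit took effect.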

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  - edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  - say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed above:
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  - Opt-in vs opt-out
  - Metadata
  - Discovery Service
  - Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  - IdPs and SPs decide when they are ready to interfederate, once the configuration is up to date:
    · Interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  - The federation announces a flag day for enabling interfederation
  - IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Metadata
• Interfederated IdPs and SPs need additional metadata
  - SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  - Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  - In SWITCHaai: two hours
  - For interfederation: one to a few days
• Possible issue
  - SP does not load interfederation metadata: the SP does not know the IdP and fails

copy 2015 SWITCH

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:

    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that the attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
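The decision tree above ("were all required attributes released?") can be answered from idp-audit.log. The following script is an added example and not part of the SWITCH slides or the Shibboleth distribution. It assumes (and this is an assumption to verify against idp.audit.format in your own conf/idp.properties) that the audit log is pipe-separated with the SP entityID in field 4 and the comma-separated list of released attribute IDs in field 8; the log lines in AUDIT_SAMPLE are constructed for the example, and AUDIT_LOG is a variable introduced here to point the functions at a real file instead.

```shell
#!/bin/sh
# Added example: compare the attributes actually released to an SP (from the
# IdP audit log) with the attribute list the SP declares in the Resource
# Registry. Not SWITCH's or Shibboleth's code.
#
# Assumed audit log layout (verify against idp.audit.format in idp.properties):
# pipe-separated, field 4 = SP entityID, field 8 = released attribute IDs.

# Constructed sample lines standing in for /opt/shibboleth-idp/logs/idp-audit.log.
AUDIT_SAMPLE='20150611T100102Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|givenName,sn,mail,eduPersonScopedAffiliation
20150611T100545Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|eduPersonTargetedID
20150611T101200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|givenName,sn'

# audit_lines: the real log if AUDIT_LOG (assumed variable) names a readable
# file, otherwise the constructed sample.
audit_lines() {
    if [ -n "$AUDIT_LOG" ] && [ -r "$AUDIT_LOG" ]; then
        cat "$AUDIT_LOG"
    else
        printf '%s\n' "$AUDIT_SAMPLE"
    fi
}

# released_to SP: sorted, unique attribute IDs released to SP at least once.
released_to() {
    audit_lines |
        awk -F'|' -v sp="$1" '$4 == sp {
            n = split($8, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }' |
        sort -u
}

# missing_for SP REQUIRED: REQUIRED is the comma-separated attribute list from
# the Resource Registry. Prints the attributes never released to SP. Exit
# status 0 when nothing is missing (then the SP side has to investigate),
# 1 otherwise (then review conf/attribute-filter.xml).
missing_for() {
    sp=$1
    released=$(released_to "$sp")
    missing=""
    for attr in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$released" | grep -qx -- "$attr" || missing="$missing $attr"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demo on the constructed sample: "mail" was never released to other.example.net.
missing_for https://other.example.net/shibboleth eduPersonTargetedID,mail ||
    echo 'not all required attributes were released; review the attribute release policy'
```

For a real check, run it with AUDIT_LOG=/opt/shibboleth-idp/logs/idp-audit.log and the SP's entityID and attribute list as arguments to missing_for; an empty result with exit status 0 means the IdP did its part and the SP side has to look further.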

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Intercept flow configuration: Attribute display order (coming in version 3.2.0)

• Alphabetical order by default
• Except attributes in the whitelist show up first
• Set the pattern to ^$ to catch all other attributes
• Fully customised order: implement java.util.Comparator<String>

Terms of use consent configuration

• Configured by Java properties in messages/consent-messages.properties
• Terms for each SP
  – Default mapping using the entityID:

    https\://sp.example.org = example-tou-1
    example-tou-1.title = Example Terms of Use
    example-tou-1.text = <em>This is an example ToU</em> [...]

  – Other mapping configurable, but the key is still the entityID (default value available)

Page 53

Custom terms of use mapping

• Configured by Spring beans in conf/intercept/consent-intercept-config.xml
• Provided bean mapping entityIDs to values [disabled]:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg name="g">
            <bean class="com.google.common.base.Functions" factory-method="forMap"
                  c:defaultValue="terms-of-use">
                <constructor-arg name="map">
                    <map>
                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
                    </map>
                </constructor-arg>
            </bean>
        </constructor-arg>
        <constructor-arg name="f">
            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
        </constructor-arg>
    </bean>

Hands-on: use only one ToU

We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want.

Page 55

References

• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling the prompt for particular SPs: Relying party overrides

• Template beans in conf/relying-party.xml to match SPs by:
  – name: entityID
  – group: <EntitiesDescriptor> in metadata
  – tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling the prompt for particular SPs: Entity attributes in metadata

• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>
              http://www.geant.net/uri/dataprotection-code-of-conduct/v1
            </saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                          Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                          Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

• There are two distinct areas below /opt/shibboleth-idp:
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References / Documentation

• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata / Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

[Screenshot of the Home Organisation Description form; annotations: 1, 2: to review; 3: to adapt]

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA). Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

    $ cd /opt/shibboleth-idp/logs
    $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns the information (i.e. time, SP) when the binding was used the last time.
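The grep above tells you whether a binding was used; the script below, an added example that is not part of the SWITCH slides, goes one step further and reports how often and when last each binding URN appears, so several endpoint candidates can be judged in one go. It assumes that the log lines start with Logback's default %date stamp ("YYYY-MM-DD HH:MM:SS,mmm") and that the binding URN appears as a whitespace-delimited token; the message texts in PROCESS_SAMPLE and the logger name "example.Logger" are constructed for this example and are not real IdP log output, and PROCESS_LOG is a variable introduced here to point at the real files.

```shell
#!/bin/sh
# Added example (not SWITCH's or Shibboleth's code): summarise usage of SAML
# binding URNs in idp-process.log to decide whether an endpoint can be removed
# from the Resource Registry.
#
# Assumptions: each line starts with "YYYY-MM-DD HH:MM:SS,mmm" (Logback %date)
# and the binding URN is a whitespace-delimited token on the line.

# Constructed sample lines; the logger name and message text are made up.
PROCESS_SAMPLE='2015-01-14 09:12:03,117 - INFO [example.Logger:1] - endpoint binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST selected for https://sp.example.org/shibboleth
2015-01-20 16:40:51,002 - INFO [example.Logger:1] - endpoint binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding selected for https://legacy-sp.example.org/shibboleth
2015-02-03 11:22:33,456 - INFO [example.Logger:1] - endpoint binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding selected for https://legacy-sp.example.org/shibboleth
2015-05-07 08:05:19,900 - INFO [example.Logger:1] - endpoint binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect selected for https://sp.example.org/shibboleth'

# process_lines: the real log(s) if PROCESS_LOG (assumed variable) is set,
# otherwise the constructed sample. PROCESS_LOG is expanded unquoted on
# purpose so that a glob such as idp-process-2015-*.log covers all rotated files.
process_lines() {
    if [ -n "$PROCESS_LOG" ]; then
        cat $PROCESS_LOG
    else
        printf '%s\n' "$PROCESS_SAMPLE"
    fi
}

# binding_usage URN: prints "<count> <date> <time>" of the last use, or
# "0 never". The URN is compared token by token, so a search for
# ...:HTTP-POST does not also count ...:HTTP-POST-SimpleSign lines.
binding_usage() {
    process_lines | awk -v urn="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == urn) { n++; last = $1 " " $2; break }
        }
        END { if (n > 0) print n, last; else print "0 never" }'
}

# removable URN: exit 0 if the binding never appears (endpoint is a removal
# candidate), 1 if it is still in use.
removable() {
    [ "$(binding_usage "$1")" = "0 never" ]
}

# Demo on the constructed sample: SAML1 SOAP is still used, SimpleSign is not.
for b in urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding \
         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign; do
    printf '%-62s %s\n' "$b" "$(binding_usage "$b")"
done
```

Run it with PROCESS_LOG='/opt/shibboleth-idp/logs/idp-process-2015-*.log' against the real files; because idp-process.log is rotated, make sure the glob covers the whole period you want to judge, otherwise an endpoint may look unused only because the older files were not searched.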

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70

Example Environment

[Diagrams of the example clustered IdP environment (two slides)]

Page 71

Options

• Full-featured setup: load balancing hardware vs. DNS round robin
  – Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  – Anycast IP address
    • Fast switching possible, but more complicated setup
  – Switching via DNS
    • Switching takes some time (TTL), but the setup is easy

Options

• Data storage: client-side vs. server-side
  – Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  – Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

[Map of production and pilot federations. Source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN building blocks: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context:
  – Filling the gap of missing common policies
  – Support or increase scalable trust

[Figure (slide 14): Metadata with entity category tags]

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment, which increases the trust in Service Providers (SPs)]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles
• error.log: aai-login.example.org.error.log
  – LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback
  – Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  – log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK
• Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2

Find out why not all of the attributes appear.

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   – change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName again and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

  • only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
    – attribute resolver (attribute-resolver.xml)
    – attribute filtering engine (attribute-filter.xml)
    – profile handler manager (handler.xml)
    – relying party configuration manager (relying-party.xml)
  • potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
  • no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

  • reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
      https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
      https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
  • available bean IDs for service reloads: see
      $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
    and the corresponding resource lists in services.xml
  • reloading metadata: find the IDs with
      $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
  • by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
  • two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

  shibboleth.LoggingService                   logging configuration reload (logback.xml)
  shibboleth.AttributeFilterService           attribute filter reload
  shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver*.xml files)
  shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
  shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
  shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
  shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
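The two admin flows described above, wrapped in a small POSIX shell script as an added example (this is not part of the SWITCH handout or of the IdP distribution). It builds the reload URL for a service or a metadata provider, refuses service bean IDs that are not in the list above before any request is sent (so a typo does not end in a puzzling HTTP error), and reports the HTTP status of the reload. The hostname aai-login.example.org is the handout's example and can be overridden through IDP_BASE.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): trigger an IdP v3 reload through
# the admin flows and check the result. Assumes the script runs on the IdP host
# itself, because access to the reload-* URLs is restricted to localhost by default.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"   # handout's example hostname

# Service bean IDs from the handout's list; anything else is rejected locally.
KNOWN_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

is_known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Print the admin URL for flow "service" (bean ID) or "metadata" (provider ID).
reload_url() {
    case "$1" in
        service)  printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$2" ;;
        metadata) printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE" "$2" ;;
        *)        echo "unknown flow: $1 (use service or metadata)" >&2; return 1 ;;
    esac
}

# Request the reload; prints "<flow> <id> -> HTTP <status>" and succeeds only on 200.
reload() {
    if [ "$1" = service ] && ! is_known_service "$2"; then
        echo "unknown service bean ID: $2" >&2
        return 2
    fi
    url=$(reload_url "$1" "$2") || return 2
    status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    echo "$1 $2 -> HTTP $status"
    [ "$status" = 200 ]
}

# Usage: ./idp-reload.sh service shibboleth.AttributeFilterService
#        ./idp-reload.sh metadata <metadata-provider-id>
if [ $# -eq 2 ]; then
    reload "$1" "$2"
fi
```

Metadata provider IDs are not validated, because they come from your own metadata-provider configuration (the grep above lists them); a non-200 status for a service reload is exactly the "syntax error in a configuration file" case the hands-on exercises ask you to provoke, and the details are then in idp-process.log.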

Page 96

And restartless login page editing, too

  • the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
    – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
    – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

  • changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
  • changes to global.xml (SQL data source, HTTP client settings)
  • changes to the authentication configuration, such as LDAP parameters etc.
  • changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
  • and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

  • try reloading a couple of the services listed on slide 4:
      curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
  • check what happens when specifying invalid bean IDs
  • insert a syntax error into a configuration file and try reloading the corresponding service
  • entries in idp-audit.log just record reload events with
      …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
      …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
    How can you determine what id= argument was supplied?
  • what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

Goals
  • Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
  • Understand what is different regarding
    • Opt-in vs opt-out
    • Metadata
    • Discovery Service
    • Attributes
  • Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

  • Opt-in
    • IdPs and SPs decide when they are ready to interfederate
    • Once the configuration is up-to-date:
      • Interfederation metadata gets loaded
      • IdP: additional attributes, user consent
      • SP: Discovery Service, attribute mapping, access rules
    ⊖ Slow process
    ⊕ Entities unlikely to cause interoperability problems

  • Opt-out
    • Federation announces a flag day for enabling interfederation
    • IdPs and SPs need to opt out before
      • if they do not want to participate
      • if they are not ready yet
    ⊕ Quick adoption
    ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
  1) UK Data Archive: http://www.data-archive.ac.uk
  2) FUNET FileSender: https://filesender.funet.fi
  3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
  1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
  2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
  3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata
  • Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
  • Propagation speed of metadata changes
    • In SWITCHaai: two hours
    • For interfederation: one to a few days
  • Possible issue
    • SP does not load interfederation metadata
    • SP does not know the IdP and fails

Discovery Service (DS)
  • Within SWITCHaai, users easily find their IdP
  • An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
    • That can result in this error message at your IdP:
        Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
  • Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES:
      • Were all required attributes released?
        • If YES: the SP has to check out why it fails
        • If NO: review your attribute release policy
  • Another issue
    • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
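The "verify that attributes were released" step above, and the hands-on question about reload events in idp-audit.log, as an added example (not part of the SWITCH handout). It assumes the IdP v3 default pipe-separated audit line layout, in which the 4th field is the SP entityID, the 5th the profile URI and the 11th the released attributes; the audit lines are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): read idp-audit.log to answer
# "were the attributes released to this SP?". Assumes the IdP v3 default audit
# line layout, pipe-separated: 1 time, 2 inbound binding, 3 inbound message id,
# 4 SP entityID, 5 profile URI, 6 IdP entityID, 7 outbound binding, 8 outbound
# message id, 9 user, 10 authn context, 11 released attributes, 12 name id,
# 13 assertion id. Adjust the field numbers if idp.audit.format was changed.

# Constructed sample: two browser SSO logins and one reload event.
SAMPLE_AUDIT='20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|_n1|_a3|
20150611T081733Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a4|https://filesender.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a5|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_n2|_a6|
20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||'

# Attributes released to the SP given as $1, one line per SSO login on stdin;
# "(none)" marks a login where the attribute field was empty.
released_to() {
    awk -F'|' -v sp="$1" '$4 == sp && $5 ~ /\/sso\// { print ($11 == "" ? "(none)" : $11) }'
}

# Succeed if attribute $2 was released to SP $1 in at least one login.
was_released() {
    released_to "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Count reload events. As the handout notes, the audit line only carries the
# profile URI, not the id= argument; that has to be found in idp-process.log.
reload_events() {
    awk -F'|' '$5 ~ /\/profiles\/reload-/ { n++ } END { print n + 0 }'
}

# Stand-alone: "audit-attrs.sh <idp-audit.log> <SP entityID>", or show the sample.
if [ -n "$1" ]; then
    released_to "$2" < "$1"
else
    printf '%s\n' "$SAMPLE_AUDIT" | released_to https://sp.example.org/shibboleth
fi
```

An empty attribute field for an SP (the second constructed login) is the "If NO" branch of the decision tree above: the release policy for that SP has to be reviewed before anybody looks at the SP side.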

Exploring interfederated entities
  • Is a university's IdP or an SP already interfederated?
    • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
  • Additional web pages of interest
    • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
      • go to http://monitor.edugain.org/coco
    • REFEDS Metadata Explorer Tool (MET)
      • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
  • Find an SP in the Resource Registry
    • go to https://rr.aai.switch.ch
    • pick "Search for resources"
    • pick "interfederation"
  • or search it in the metadata file
    • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
  • Contact the SWITCHaai Team: aai@switch.ch

Page 103


Custom terms of use mapping
Configured by Spring beans in conf/intercept/consent-intercept-config.xml

Provided bean mapping entityIDs to values [disabled]:

  <bean id="shibboleth.consent.terms-of-use.Key"
        class="com.google.common.base.Functions" factory-method="compose">
    <constructor-arg name="g">
      <bean class="com.google.common.base.Functions" factory-method="forMap"
            c:defaultValue="terms-of-use">
        <constructor-arg name="map">
          <map>
            <entry key="https://sp.example.org/shibboleth" value="example-terms" />
          </map>
        </constructor-arg>
      </bean>
    </constructor-arg>
    <constructor-arg name="f">
      <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
    </constructor-arg>
  </bean>

Hands-on: use only one ToU
We want to always display the same terms of use, regardless of the SP.

Page 54

Hands-on solution

  • Enable the terms-of-use flow in conf/relying-party.xml
  • Change the key bean in conf/intercept/consent-intercept-config.xml to

      <bean id="shibboleth.consent.terms-of-use.Key"
            class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
      </bean>

Hands-on solution

  • Add text in messages/consent-messages.properties:

      my-terms = bogus-tou
      bogus-tou.title = Bogus Terms of Use
      bogus-tou.text = You can do anything you want

Page 55

References

  • Shibboleth wiki: ConsentConfiguration
  • Shibboleth wiki: RelyingPartyConfiguration
  • Google Guava: Functions class Javadoc

Appendix: Disabling the attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs: Relying party overrides

  • Template beans in conf/relying-party.xml to match SPs by
    • name: entityID
    • group: <EntitiesDescriptor> in metadata
    • tag: <EntityAttributes> metadata extension
  • First match wins: order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

  • Entity categories
    • GÉANT Data Protection Code of Conduct (CoCo)
    • REFEDS Research & Scholarship
  • New attributes available
    • swissEduPersonHomeOrganization
    • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

  <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganization"
                        Name="urn:oid:2.16.756.1.2.5.1.1.4">
          <saml:AttributeValue>switch.ch</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType"
                        Name="urn:oid:2.16.756.1.2.5.1.1.5">
          <saml:AttributeValue>others</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <!-- rest of metadata for entity -->
  </EntityDescriptor>

Example relying party override
Disables flows for SPs belonging to a home organisation:

  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
      <constructor-arg name="candidates">
        <list>
          <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
          <!-- more beans -->
        </list>
      </constructor-arg>
      <property name="profileConfigurations">
        <list>
          <ref bean="Shibboleth.SSO" />
          <ref bean="SAML2.SSO" />
          <!-- other profiles -->
        </list>
      </property>
    </bean>
  </util:list>

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3

It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties, etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure

  • Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
  • Unpack it at any convenient location (it won't be needed afterwards)
  • Change into the newly created distribution directory
  • Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
  • Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
  • Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
  • Restart Tomcat to activate the new version
      Ubuntu:         sudo service tomcat7 restart
      Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
  • There are two distinct areas below /opt/shibboleth-idp:
    • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
    • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
  • Never touch the system directories system and webapp
  • Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References: Documentation
  • Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
  • Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

It's SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

  • Endpoint URLs stay the same
    • Unlike the upgrade from IdPv1 to IdPv2
    • Therefore no metadata/Resource Registry change needed, in theory
  • However, some changes are still recommended:
    1. Review the Home Organisation Description
    2. Change URL for Attribute Authority
    3. Remove Unnecessary Endpoints
  • To change metadata, change the Home Organisation description
    • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
  1 General Information
    • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
  2 Descriptive Information
    • Add new IP ranges and Domain Hints
  5 Contacts
    • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
  7 Attribute Release Settings
    • Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
  • Easier configuration, because
    • only one Apache VirtualHost
    • one domain name and one certificate
    • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
  • Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for
  • Attribute Service
  • Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
  • Single Sign On Service with SAML2 HTTP POST SimpleSign binding
  • Artifact Resolution Service with SAML1 SOAP binding
  • Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
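The log check above, carried a little further as an added example (not part of the SWITCH handout): besides the raw grep it reports the last use of a binding and the relying parties that still use it, which is the information needed before an endpoint is removed. The grep pattern is the handout's; the log lines are constructed in the idp-process.log layout (date, level, [logger:line], message), and the logger name and message wording in them are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): before removing an endpoint from
# the Resource Registry, find out whether and when its binding was last used.
# The grep is the one from the handout; the log lines below are constructed in
# the idp-process.log layout (date, level, [logger:line], message) and the
# logger name and message wording are assumptions for the example.
LOG_DIR="${LOG_DIR:-/opt/shibboleth-idp/logs}"
SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'

SAMPLE_LOG='2015-02-03 10:01:12,004 - INFO [net.shibboleth.idp.example.Logger:101] - Inbound message binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp1.example.org/shibboleth
2015-02-17 08:45:59,731 - INFO [net.shibboleth.idp.example.Logger:101] - Inbound message binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
2015-04-02 16:20:05,220 - INFO [net.shibboleth.idp.example.Logger:101] - Inbound message binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://legacy.example.net/shibboleth
2015-05-21 11:03:44,519 - INFO [net.shibboleth.idp.example.Logger:101] - Inbound message binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://sp2.example.org/shibboleth'

# Number of log lines on stdin mentioning binding $1 (0 when never used).
count_uses() {
    grep -c -F -- "$1" || true
}

# "<date> <time> <relying party>" of the most recent use of binding $1; empty if unused.
last_use() {
    grep -F -- "$1" | tail -n 1 |
        awk '{ rp = "-"; for (i = 1; i <= NF; i++) if ($i ~ /^https?:\/\//) rp = $i; print $1, $2, rp }'
}

# Uses of binding $1 per relying party, most frequent first.
uses_by_sp() {
    grep -F -- "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^https?:\/\//) n[$i]++ } END { for (s in n) print n[s], s }' |
        sort -rn
}

# "remove" if the binding never appears, otherwise "keep" (and talk to those SPs first).
verdict() {
    if [ "$(count_uses "$1")" -eq 0 ]; then echo remove; else echo keep; fi
}

# Stand-alone: run against this year's process logs if they exist, else the sample.
if ls "$LOG_DIR"/idp-process-2015-*.log >/dev/null 2>&1; then
    cat "$LOG_DIR"/idp-process-2015-*.log | last_use "$SAML1_SOAP"
else
    printf '%s\n' "$SAMPLE_LOG" | uses_by_sp "$SAML1_SOAP"
fi
```

Run it with LOG_DIR pointing at the log directory of each cluster node, since process logs are per node; an endpoint is only a removal candidate when every node's verdict is "remove".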

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
  • Operate the IdP on multiple servers to get high availability and/or load balancing
    • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
    • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
  • Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
    • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

  • IdPv3 provides better support for clustering than IdPv2
    • Especially, user login sessions are stored on the client instead of on the server in memory
    • Allows flexible configuration of various storage services (memory, server-side, client-side)
  • In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
    • Full support for Attribute Query requires persistent storage of the Persistent ID
    • Storing user consents per browser is not convenient for users
  • Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

  • The setup of the IdP and the whole environment is more complex than with a single-server IdP
  • Special configuration of the IdP is required
  • Load balancing requires special hardware or software
  • IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70

Example Environment

[Two diagrams of an example clustered IdP environment]

Page 71

Options
  • Full-featured setup: Load Balancing Hardware vs DNS Round Robin
    • Special load balancing hardware or software is highly recommended
      • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
      • Supports sticky sessions (required for short-lived conversation sessions)
    • DNS Round Robin doesn't work reliably
      • Behavior of clients is not determinable
      • Does not guarantee sticky sessions
  • Basic setup (Active/Standby system)
    • Anycast IP address
      • Fast switching possible, but more complicated setup
    • Switching via DNS
      • Switching takes some time (TTL), but setup is easy

Options
  • Data storage: client-side vs server-side
    • Server-side database can store any data
      • But: might cause some performance penalty
      • Centralized/clustered or replicated database required
    • Client-side storage using cookies
      • Doesn't work for large data like user consents
      • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
  • Conversation Session (Profile Request Session)
    • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
    • Bound to a single node (session state stored in memory)
    • Requires session stickiness on the load balancer (short-time only)
  • IdP User Session
    • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
    • Floatable between nodes (stored on client)
  • Persistent ID
    • Unique opaque identifier for a user per service provider
    • In a typical SWITCHaai deployment the Persistent ID is stored in a database
    • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
  • User consent to attribute release and terms of use
    • Requires persistent storage (client-side or server-side)
    • Requires server-side storage to allow the users to use multiple browsers/clients
  • SAML artifacts
    • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
    • Seldom used in SWITCHaai
  • Message replay cache
    • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
    • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

  Storage Entity         Recommended Storage   Scope
  Conversation Session   Memory                Per Node
  IdP User Session       Client                Per Client
  Persistent ID          Common Database       Cluster
  User consents          Common Database       Cluster
  SAML artifacts         Common Database       Cluster
  Message replay cache   Memory                Per Node

Remarks
  • "Common Database" means some central/clustered database or a database replicated between nodes
  • SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
  • Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
  • The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
    • IdP User Session: idp.session.StorageService
    • User Consents: idp.consent.StorageService
    • SAML artifacts: idp.artifact.StorageService
    • Message replay cache: idp.replayCache.StorageService
  • Exception: Persistent ID
    • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
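The recommendations table and the four idp.properties keys above, turned into a configuration check as an added example (not part of the SWITCH handout): it reads an idp.properties file and flags every storage entity whose configured service has a scope the table does not accept for a cluster, which catches a node that still runs single-node defaults (consents in a cookie, artifacts in memory). The property names and shibboleth.JPAStorageService come from the handout; shibboleth.StorageService (in-memory), shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService (cookie-based) are the IdP v3 default bean IDs and are not mentioned in the handout. Both sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): audit the four storage-service
# properties named above against the Storage Recommendations table, to catch a
# cluster node that still runs single-node defaults. The property names are
# those from the handout; shibboleth.JPAStorageService is named there too, while
# shibboleth.StorageService (in-memory), shibboleth.ClientSessionStorageService
# and shibboleth.ClientPersistentStorageService (cookie-based) are the IdP v3
# default bean IDs, not mentioned in the handout. Sample files are constructed.

SINGLE_NODE_PROPS='# constructed excerpt of /opt/shibboleth-idp/conf/idp.properties (single-node defaults)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService'

CLUSTER_PROPS='# constructed excerpt adapted for a cluster with a common database
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService'

# Scope of a storage service bean, in the table's terms.
scope_of() {
    case "$1" in
        shibboleth.StorageService) echo per-node ;;
        shibboleth.ClientSessionStorageService|shibboleth.ClientPersistentStorageService) echo per-client ;;
        shibboleth.JPAStorageService) echo common ;;
        *) echo unknown ;;
    esac
}

# Value of property $1 in the properties file $2 (last assignment wins).
prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Audit one property of file $1: "<property> <bean> <scope> OK|WARN", WARN when
# the scope is not among the acceptable ones ($3, space-separated).
audit_one() {
    bean=$(prop "$2" "$1")
    [ -n "$bean" ] || bean="(unset)"
    scope=$(scope_of "$bean")
    case " $3 " in
        *" $scope "*) echo "$2 $bean $scope OK" ;;
        *)            echo "$2 $bean $scope WARN" ;;
    esac
}

# Audit all four entities of file $1 against the recommendations: sessions on the
# client, consents and artifacts in the common database, replay cache per node
# (or in the common database for higher security requirements).
audit_cluster() {
    while read -r property acceptable; do
        audit_one "$1" "$property" "$acceptable"
    done <<EOF
idp.session.StorageService per-client
idp.consent.StorageService common
idp.artifact.StorageService common
idp.replayCache.StorageService per-node common
EOF
}

# Number of WARN lines for file $1.
warning_count() {
    audit_cluster "$1" | grep -c 'WARN$' || true
}

# Stand-alone: "storage-audit.sh /opt/shibboleth-idp/conf/idp.properties", or the sample.
if [ -n "$1" ]; then
    audit_cluster "$1"
else
    t=$(mktemp); printf '%s\n' "$SINGLE_NODE_PROPS" > "$t"; audit_cluster "$t"; rm -f "$t"
fi
```

The Persistent ID is deliberately not covered, because, as the slide says, it is configured in global.xml rather than in idp.properties; a "(unset)" bean in the output means the property is commented out and the IdP's built-in default applies.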

Page 74

IdP Configuration: Database Storage
  • The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
  • The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
  • The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
  • Setup
    • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
    • Install an appropriate cronjob
    • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
  • Memcached
    • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
    • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
  • Terracotta
    • No longer an option for IdPv3

Considerations for planning an IdP cluster
  • Which type of setup do you need? Basic setup or full-featured setup?
  • What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
  • Which additional hardware or software is required?
  • Which further considerations are relevant for your institution?

Page 76

References: Documentation
  • Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
  • Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
  • Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
  • Get an idea of the benefits when participating in interfederation
  • Know what it takes to enable an IdP for Interfederation
  • Understand the concept of Entity Categories
  • Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
  • Most federations are of national scope
    • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
    • Research projects are mostly multi-national
  • Interconnecting national federations: Interfederation
    Register the IdP or SP in only one federation and enable it for interfederation
    • Enable the IdP for interfederation: its users will be able to access services from other federations
    • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

[World map of production and pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status
  • eduGAIN is the GÉANT Interfederation Service
  • eduGAIN design principles
    • Low barrier to entry
    • No mandate to change local standards/procedures
    • Minimal central infrastructure
  • Status June 2015
    • IdPs: 1257
    • SPs: 963
  http://www.edugain.org
  https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

  Friendly name                  | Defined in | Example
  displayName                    | eduPerson  | Peter Sample
  common name (cn)               | eduPerson  | Peter Sample
  mail                           | eduPerson  | peter.sample@example.org
  eduPersonAffiliation,          | eduPerson  | staff,
  eduPersonScopedAffiliation     |            | staff@example.org
  eduPersonPrincipalName         | eduPerson  | 234cd8z239@example.org
  schacHomeOrganization          | SCHAC      | example.org
  schacHomeOrganizationType      | SCHAC      | urn:schac:homeOrganizationType:ch:university
                                 |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID            | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  (Persistent Name ID)           |            |

  eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
  SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

[Screenshot of the Resource Registry interfederation option] https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
  • eduGAIN provides a policy framework and standards to build trust
  • SPs and IdPs of participating federations should opt in for eduGAIN
    • Some federations decided for opt-out instead
  • The MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
  • Entity category
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship (R&S)
  • Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
  • Tag an entity (SP or IdP) as being part of a category
  • Requires a specification for international coherent use
    • Criteria
    • Purpose
    • Policies
    • Or other
  In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

[Diagram: Metadata]

Page 84

GÉANT Data Protection Code of Conduct

  • The method is based on the EU Data Protection directives
  • The SP has to provide a Privacy Policy (in English, according to the guideline)
  • That will encourage the Home Organisation IdP to release attributes: attribute release will scale

[Diagram: Increase the trust in Service Providers (SPs). SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
  • Data Protection Code of Conduct for SPs in EU/EEA
  • Entity category attribute definition for the Code of Conduct
  • SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
  • Principles
    • Legal compliance
    • Purpose limitation
    • Data minimisation
    • Deviating purposes
    • Data retention
    • Third parties
    • Security measures
    • Information duty towards end user
    • Information duty towards home organization
    • Security breaches
    • Liability
    • Transfer to third countries
    • Governing law and jurisdiction
    • Eligibility to execute
    • Termination of the Code of Conduct
    • Survival of the clauses
    • Precedence

Page 85

copy 2015 SWITCH

Data Protection Code of Conduct (DP CoCo)

Normative documents bull  Data Protection Code of

Conduct for SPs in EUEEAbull  Entity category specification

for the DP CoCobull  SAML2 profile for the DP CoCo

Non-normative informational documents bull  Introductionbull  Introduction to the DP directivebull  Managing DP risks using CoCobull  Privacy policy guidelines for SPsbull  What attributes can an SP requestbull  DP good practice for Home Organisations bull  Federation operator guidelinesbull  Handling non-compliancebull  IdP informconsent GUI guidelines

17

httpwwwgeantneturidataprotection-code-of-conductv1

httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home

httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook

Cookbook for DP CoCo

copy 2015 SWITCH

Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship (R&S)
• R&S SPs support
  • research & scholarship interaction
  • collaboration
  • management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

Comparison

                 REFEDS R&S                    GÉANT DP CoCo
Scope            Global                        Mainly Europe
Basis            Common purpose of the SPs     Common data protection standards
Attributes       Fixed set of attributes       SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
(screenshot of the Resource Registry)

Page 88

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(screenshot)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
Location: /var/log/apache2/
• error.log: aai-login.example.org.error.log
  LogLevel is set in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/System.out) from Tomcat
  Default logging location: /var/log/tomcat7/
  Config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO   (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST), …)
  Default logging location: /var/log/tomcat7/
  Config: the AccessLogValve in /etc/tomcat7/server.xml (output dir and file name)

Shibboleth log files (1)
• Logging implementation: Logback (Log4j successor)
  Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log (WARN and above)
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
  Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS" />
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

Note: with no evaluator configured, the SMTPAppender sends a mail only when an event of level ERROR arrives; the mail then contains that event plus the buffered events preceding it (up to the default cyclic buffer size of 256). A root level of DEBUG therefore fills that buffer with debug output and is not needed for the alerts themselves.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG" />
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) again and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are reachable under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep '<bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
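What "restricted to localhost" looks like in the IdP v3 configuration, as an added example (not the file shipped with the IdP and not the SWITCH installation guide's version): conf/access-control.xml defines named policies, and the admin flows reload-service and reload-metadata consult the policy named AccessByIPAddress. The address 192.0.2.10 stands in for the AAI Resource Registry host and is a placeholder:

```xml
<!-- Added example for conf/access-control.xml. The surrounding <beans> element
     with the util: and p: namespaces is the one shipped with the IdP and stays as is. -->
<util:map id="shibboleth.AccessControlPolicies">

    <!-- Consulted by the admin flows (reload-service, reload-metadata).
         Loopback only by default; 192.0.2.10/32 is a placeholder for the
         AAI Resource Registry host that is allowed to trigger reloads. -->
    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.0.2.10/32'} }" />
    </entry>

</util:map>
```

The range check uses the client address as seen by the servlet container. With Apache in front of Tomcat over AJP, Tomcat sees the real client address and the rule works as intended; if the IdP is ever proxied over plain HTTP instead, every request arrives from the proxy's address, and a loopback-only rule then either admits everyone (proxy on the same host) or nobody. Verify after each change by requesting a reload URL from a host not in the list: it must be refused, and the refusal shows up in idp-process.log. Since this file is managed by shibboleth.ReloadableAccessControlService, the edit itself can be activated with reload-service?id=shibboleth.ReloadableAccessControlService from an address that is still allowed.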

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4 (quote the URL, otherwise the shell treats the ? as a glob character):
  $ curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • opt-in vs. opt-out
  • metadata
  • Discovery Service
  • attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • in SWITCHaai: two hours
  • for interfederation: one to a few days
• Possible issue
  • the SP does not load interfederation metadata
  • the SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org/

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

User Consent (continued)

Hands-on solution
• Enable the terms-of-use flow in conf/relying-party.xml
• Change the key bean in conf/intercept/consent-intercept-config.xml to:

    <bean id="shibboleth.consent.terms-of-use.Key"
          class="com.google.common.base.Functions" factory-method="constant">
        <constructor-arg value="my-terms" />
    </bean>

Hands-on solution
• Add the text in messages/consent-messages.properties:

    my-terms = bogus-tou
    bogus-tou.title = Bogus Terms of Use
    bogus-tou.text = You can do anything you want

Page 55

References
• Shibboleth wiki: ConsentConfiguration
• Shibboleth wiki: RelyingPartyConfiguration
• Google Guava: Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Page 56

Disabling prompt for particular SPs: Relying party overrides
• Template beans in conf/relying-party.xml to match SPs by
  • name: entityID
  • group: <EntitiesDescriptor> in metadata
  • tag: <EntityAttributes> metadata extension
• First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  • GÉANT Data Protection Code of Conduct (CoCo)
  • REFEDS Research & Scholarship
• New attributes available
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType

Page 57

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables the consent flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <!-- matches SPs whose metadata carries swissEduPersonHomeOrganization = example.org -->
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <!-- the plain profile beans referenced here carry no consent intercept,
             so no attribute release or terms-of-use prompt is shown -->
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

Because the override keys on a tag in the SP's metadata, it only makes sense for metadata sources whose signature the IdP verifies; otherwise any SP could carry the tag and silently bypass consent.

Page 58

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package:
  https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Verify the downloaded archive against the published PGP signature (.asc file) before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp/
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp/
  • Unmanaged directories: managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.

Page 60

References: Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 metadata.

Page 62

Does the metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
  Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation description
  Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
(screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information
  Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  Add new IP ranges and Domain Hints
• 5 Contacts
  Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change the URL for the Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore
    (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore
  (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
  https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns the matching entries (with time and SP); the last one shows when the binding was used the last time.

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment
(diagram, two slides)

Page 71

Options: Load Balancing Hardware vs. DNS Round Robin
• Full-featured setup
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behaviour of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration). With per-node caches a message that one node has already seen is still accepted by another node, so replay protection only holds per node.
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity           Recommended Storage    Scope
Conversation Session     Memory                 Per Node
IdP User Session         Client                 Per Client
Persistent ID            Common Database        Cluster
User consents            Common Database        Cluster
SAML artifacts           Common Database        Cluster
Message replay cache     Memory                 Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • Copy the keystore together with its key version file, and keep the previous key versions in the keystore for at least the configured session lifetime; otherwise cookies issued under the previous key can no longer be decrypted after rotation and users are logged out
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

•  Get an idea of the benefits when participating in interfederation
•  Know what it takes to enable an IdP for interfederation
•  Understand the concept of Entity Categories
•  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

•  Most federations are of national scope.
•  Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
•  Research projects are mostly multi-national.
•  Interconnecting national federations: Interfederation
   Register the IdP or SP in only one federation and enable it for interfederation.
   •  Enable the IdP for interfederation: its users will be able to access services from other federations.
   •  Enable the SP for interfederation: the service can serve users from other federations.

All Academic Identity Federations Globally

[Map of production and pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status

•  eduGAIN is the GÉANT Interfederation Service
•  eduGAIN design principles
   •  Low barrier to entry
   •  No mandate to change local standards/procedures
   •  Minimal central infrastructure
•  Status June 2015
   •  IdPs: 1257
   •  SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                      Defined in   Example
displayName                                        eduPerson    Peter Sample
common name (cn)                                   eduPerson    Peter Sample
mail                                               eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  eduPerson    staff / staff@example.org
eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
schacHomeOrganization                              SCHAC        example.org
schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

[Screenshot of the Resource Registry] https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

•  eduGAIN provides a policy framework and standards to build trust.
•  SPs and IdPs of participating federations should opt in for eduGAIN.
   •  Some federations decided for opt-out instead.
•  The MDS (Metadata Distribution Service) fetches, aggregates and republishes metadata.

[Diagram: eduGAIN Constitution and eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile]

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
•  Entity category
•  GÉANT Data Protection Code of Conduct (CoCo)
•  REFEDS Research & Scholarship (R&S)
•  Attribute release in the Resource Registry

Entity categories

A generic method to enrich metadata:
•  Tag an entity (SP or IdP) as being part of a category
•  Requires a specification for internationally coherent use
•  Criteria
   •  Purpose
   •  Policies
   •  Or other

In the interfederation context:
•  Filling the gap of missing common policies
•  Support or increase scalable trust

[Diagram: entity categories as tags in metadata]

GÉANT Data Protection Code of Conduct

•  The method is based on the EU Data Protection directives.
•  The SP has to provide a Privacy Policy (in English, according to the guideline).
•  That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale.

Increase the trust in Service Providers (SPs):
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

•  Legal compliance
•  Purpose limitation
•  Data minimisation
•  Deviating purposes
•  Data retention
•  Third parties
•  Security measures
•  Information duty towards end user
•  Information duty towards home organization
•  Security breaches
•  Liability
•  Transfer to third countries
•  Governing law and jurisdiction
•  Eligibility to execute
•  Termination of the Code of Conduct
•  Survival of the clauses
•  Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative, informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request?
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

•  Name of the service
•  Description of the service
•  Data controller and a contact person
•  Jurisdiction
•  Personal data processed
•  Purpose of the processing of personal data
•  Third parties to whom personal data is disclosed
•  How to access, rectify and delete the personal data
•  Data retention
•  Data Protection Code of Conduct

REFEDS Research & Scholarship

•  R&S SPs support
   •  Research & scholarship interaction
   •  Collaboration
   •  Management
•  No SPs from publishers
•  Attributes
   •  Personal identifiers: email, person name, eduPersonPrincipalName
   •  Pseudonymous identifier: eduPersonTargetedID
   •  Affiliation: eduPersonScopedAffiliation
   •  Minimal subset: eduPersonPrincipalName, mail, person name
      (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Overview of Log Files

Apache log files

•  error.log: aai-login.example.org.error.log
   LogLevel in /etc/apache2/apache2.conf (default "warn")
•  access.log: aai-login.example.org.access.log

Location: /var/log/apache2
Configuration: defined in the virtual host definition
•  dir: /etc/apache2/sites-available
•  file: aai-login.example.org.conf

Tomcat log files

•  catalina.out: console output (System.err/out) from Tomcat
   default logging location: /var/log/tomcat7
   config in /etc/tomcat7/logging.properties
   •  FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
•  localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
   default logging location: /var/log/tomcat7
   config: the AccessLogValve in /etc/tomcat7/server.xml (output dir and name)
   Not to be confused with localhost.YYYY-MM-DD.log, which is written via logging.properties and receives host-level messages such as servlet exceptions.

Shibboleth log files (1)

•  Logging implementation: Logback (Log4j successor)
   Manual: http://logback.qos.ch/manual/index.html
•  Reloadability: log level changes without restarting the IdP
   services.properties entry: idp.service.logging.checkInterval = PT5M
•  Automatic email alerts on error

Shibboleth log files (2)

•  Location: /opt/shibboleth-idp/logs
•  Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
   •  idp-process.log: detailed description of the IdP processing requests
   •  idp-warn.log: filtered view of idp-process.log
   •  idp-audit.log: general request/response auditing records
   •  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

•  Configuration: /opt/shibboleth-idp/conf/logback.xml
   Three main classes: Logger, Appender (output destination) and Layout
•  Default settings are usually OK; change them if required, e.g.
   •  LDAP auth module or authentication events
   •  new Logger or Appender…
•  Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
•  Logback handles rollover by default

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

Note that the SMTPAppender only sends a mail when an event of level ERROR arrives (its default triggering evaluator); the root level DEBUG shown here decides which events reach the appenders at all and makes idp-process.log very verbose, so use it only while testing.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1.  Edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a wrong class):
      <Listener className="org.apache.catalina.filter" />
2.  Restart Tomcat.
3.  Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4.  Remove the listener from server.xml and restart Tomcat.

Hands On 2: Find out why not all of the attributes appear

1.  cd /opt/shibboleth-idp/conf
2.  Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.name)
3.  Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
      <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4.  Restart Tomcat and log in to the IdP (AAI Demo Service).
5.  Look at idp-process.log and find the log entries of
      [org.ldaptive.auth.Authenticator:284]
      [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6.  Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2

•  only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
   –  attribute resolver (attribute-resolver.xml)
   –  attribute filtering engine (attribute-filter.xml)
   –  profile handler manager (handler.xml)
   –  relying party configuration manager (relying-party.xml)
•  potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
•  no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

•  a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
   https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
   https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
   $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
   $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
•  by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService                    logging configuration reload (logback.xml)
shibboleth.AttributeFilterService            attribute filter reload
shibboleth.AttributeResolverService          reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService   reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService       reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService           reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService    reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
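The reload procedure of the two preceding slides in one place, as an added example for this handout (not a script from the IdP distribution or from SWITCH): it pulls the service bean IDs out of services-system.xml and the provider IDs out of metadata-provider*.xml with the same grep patterns as above, then calls the two admin flows with curl. Assumed and not stated on the slides: the IdP answers at https://aai-login.example.org/idp, the script runs on the IdP host itself (the admin flows are restricted to localhost), and curl is installed.

```shell
#!/bin/sh
# Added example: enumerate the reloadable services and metadata providers of an IdP v3
# deployment and trigger their reload flows. Assumed (not from the handout): IDP_HOME and
# IDP_URL below, curl available, run locally on the IdP node.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
IDP_URL="${IDP_URL:-https://aai-login.example.org/idp}"

# reloadable_services SERVICES_SYSTEM_XML: bean IDs of the form shibboleth.*Service, sorted
reloadable_services() {
  sed -n 's/.*<bean id="\(shibboleth\.[A-Za-z]*Service\)".*/\1/p' "$1" | sort -u
}

# metadata_provider_ids FILE...: the id attributes of all <MetadataProvider> elements, in file order
metadata_provider_ids() {
  sed -n 's/.*<MetadataProvider[^>]* id="\([^"]*\)".*/\1/p' "$@"
}

# reload_service BEAN_ID / reload_metadata PROVIDER_ID: print the HTTP status of the admin flow.
# Anything other than 200 means the flow did not succeed; idp-process.log has the details, and
# after a failed reload (e.g. a syntax error in the file) the previously loaded configuration
# stays active.
reload_service() {
  curl -sS -o /dev/null -w '%{http_code}' "$IDP_URL/profile/admin/reload-service?id=$1"
}
reload_metadata() {
  curl -sS -o /dev/null -w '%{http_code}' "$IDP_URL/profile/admin/reload-metadata?id=$1"
}

# reload_all: reload every service and every metadata provider, one status line each
reload_all() {
  for id in $(reloadable_services "$IDP_HOME/system/conf/services-system.xml"); do
    printf 'reload-service  %-45s HTTP %s\n' "$id" "$(reload_service "$id")"
  done
  for id in $(metadata_provider_ids "$IDP_HOME"/conf/metadata-provider*.xml); do
    printf 'reload-metadata %-45s HTTP %s\n' "$id" "$(reload_metadata "$id")"
  done
}

case "${1:-}" in
  all)      reload_all ;;
  service)  reload_service "${2:-}"; echo ;;
  metadata) reload_metadata "${2:-}"; echo ;;
esac
```

Usage: `./reload.sh service shibboleth.AttributeFilterService` after editing attribute-filter.xml, or `./reload.sh all` after a larger change. Because the flows are reachable only from localhost (or from the addresses allowed in access-control.xml), the script is meant to run on the node itself; in a cluster it has to be run on every node, since each node loads its own configuration.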

And restartless login page editing too

•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   –  edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
   –  say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
•  and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

•  try reloading a couple of the services listed under "Available bean IDs for service reloads":
   curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
•  check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
•  entries in idp-audit.log just record reload events with
   …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
   …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
   How can you determine what id= argument was supplied?
•  what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals

•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding
   •  Opt-in vs opt-out
   •  Metadata
   •  Discovery Service
   •  Attributes
•  Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

•  Opt-in
   •  IdPs and SPs decide when they are ready to interfederate
   •  Once the configuration is up-to-date:
      •  Interfederation metadata gets loaded
      •  IdP: additional attributes, user consent
      •  SP: Discovery Service, attribute mapping, access rules
   ⊖  Slow process
   ⊕  Entities unlikely to cause interoperability problems
•  Opt-out
   •  Federation announces a flag day for enabling interfederation
   •  IdPs and SPs need to opt out before the flag day
      •  if they do not want to participate
      •  if they are not ready yet
   ⊕  Quick adoption
   ⊖  More likely that entities cause problems unless they opted out before the flag day

Three Examples

1)  UK Data Archive: http://www.data-archive.ac.uk
2)  FUNET FileSender: https://filesender.funet.fi
3)  Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1)  Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2)  eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3)  eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Metadata

•  Interfederated IdPs and SPs need additional metadata
   •  SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
   •  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes
   •  In SWITCHaai: two hours
   •  For interfederation: one to a few days
•  Possible issue
   •  SP does not load interfederation metadata
   •  SP does not know the IdP and fails

Discovery Service (DS)

•  Within SWITCHaai users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
•  An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
•  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
   •  That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

•  Missing attributes cause interoperation problems
   •  Check the SP's attribute requirements in the Resource Registry
   •  Verify that attributes were released (in the IdP's idp-audit.log)
      •  If NO: check your IdP's attribute release policy
      •  If YES: were all required attributes released?
         •  If YES: the SP has to check out why it fails
         •  If NO: review your attribute release policy
•  Another issue
   •  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

•  Is a university's IdP or an SP already interfederated?
   •  go to https://technical.edugain.org/status.php
   •  pick the country where the entity might be registered
   •  under Metadata URL click on "validate this metadata set", then on "show entities list"
•  or search it in the eduGAIN List of Entities
   •  go to https://technical.edugain.org/entities.php
•  or try the "Is Federated" Checker
   •  go to https://wiki.edugain.org/isFederatedCheck
   •  provide email addresses or domain names
•  Additional web pages of interest
   •  Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
      go to http://monitor.edugain.org/coco
   •  REFEDS Metadata Explorer Tool (MET)
      go to https://met.refeds.org

Troubleshooting interfederated entities

•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"
•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch


References

•  Shibboleth wiki: ConsentConfiguration
•  Shibboleth wiki: RelyingPartyConfiguration
•  Google Guava Functions class Javadoc

Appendix: Disabling attribute consent prompt for particular SPs

Disabling prompt for particular SPs: Relying party overrides

•  Template beans in conf/relying-party.xml to match SPs by
   •  name: entityID
   •  group: <EntitiesDescriptor> in metadata
   •  tag: <EntityAttributes> metadata extension
•  First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata

•  Entity categories
   •  GÉANT Data Protection Code of Conduct (CoCo)
   •  REFEDS Research & Scholarship
•  New attributes available
   •  swissEduPersonHomeOrganization
   •  swissEduPersonHomeOrganizationType

Example metadata with attributes

    <EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
      <Extensions>
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category">
            <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
            <saml:AttributeValue>switch.ch</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
            <saml:AttributeValue>others</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <!-- rest of metadata for entity -->
    </EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

    <util:list id="shibboleth.RelyingPartyOverrides">
      <!-- more beans -->
      <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
          <list>
            <!-- matches SPs whose metadata carries swissEduPersonHomeOrganization = example.org -->
            <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
                  c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
            <!-- more beans -->
          </list>
        </constructor-arg>
        <!-- the plain profile beans, without the attribute-release post-authentication flow: no consent prompt -->
        <property name="profileConfigurations">
          <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML2.SSO" />
            <!-- other profiles -->
          </list>
        </property>
      </bean>
    </util:list>

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

•  Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
•  Unpack it at any convenient location (it won't be needed afterwards)
•  Change into the newly created distribution directory
•  Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
•  Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
•  Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
•  Restart Tomcat to activate the new version
   Ubuntu: sudo service tomcat7 restart
   Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know

•  There are two distinct areas below /opt/shibboleth-idp:
   •  Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
   •  Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
•  Never touch the system directories system and webapp
•  Upgrades may introduce new features that require adaptations to the configuration to make use of them. But the existing configuration should still work without these changes.

References: Documentation

•  Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
•  Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs IdPv3 Metadata

•  Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
   •  Therefore no metadata/Resource Registry change is needed, in theory
•  However, some changes are still recommended:
   1.  Review the Home Organisation Description
   2.  Change the URL for the Attribute Authority
   3.  Remove unnecessary endpoints
•  To change the metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry https://rr.aai.switch.ch

Home Organisation Description

[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

1. Review the Home Organisation Description

In particular review and adapt if necessary:
•  1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
•  2 Descriptive Information: add new IP ranges and Domain Hints
•  5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
•  7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes.

2. Change the URL for the Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
•  Easier configuration, because
   •  only one Apache VirtualHost
   •  one domain name and one certificate
   •  no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
•  Attribute Queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

What to adapt in the Resource Registry then? In 3 Technical Information change the URLs for
•  Attribute Service
•  Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
   https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
   https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it is better to only have published in metadata what is needed and used. So in 3 Technical Information consider removing endpoints that are hardly used.

Candidates to remove:
•  Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
•  Artifact Resolution Service with SAML1 SOAP binding
•  Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry. How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
   $ cd /opt/shibboleth-idp/logs
   $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
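The grep above answers the question from idp-process.log. The following added example (written for this handout, not SWITCH's or the IdP's own tooling) answers it from idp-audit.log instead, where one line per request also tells which SP was involved, and it covers the second log question of this handout as well, namely which attributes were actually released to a given SP when troubleshooting an interfederated SP (see "Attributes" under "New Challenges with Interfederation SPs"). Assumed and not stated on the slides: the default IdP v3 audit line layout, pipe-separated with the time in field 1, the inbound binding in field 2, the SP entityID in field 4, the profile in field 5 and the comma-separated released attributes in field 11; log files under /opt/shibboleth-idp/logs.

```shell
#!/bin/sh
# Added example: endpoint-usage and attribute-release checks over idp-audit.log.
# Assumed (not from the handout): default IdP v3 audit layout, pipe-separated, with
# time|inbound binding|msg id|SP entityID|profile|...|released attributes (field 11).

LOGDIR="${LOGDIR:-/opt/shibboleth-idp/logs}"

# binding_uses URN FILE...: "time sp" for every audit line mentioning URN (a binding or a profile)
binding_uses() {
  urn="$1"; shift
  awk -F'|' -v urn="$urn" 'index($0, urn) { print $1, $4 }' "$@"
}

# binding_count URN FILE...: number of such lines
binding_count() {
  binding_uses "$@" | wc -l | tr -d ' '
}

# binding_last_used URN FILE...: the most recent use (timestamps sort chronologically), empty if never
binding_last_used() {
  binding_uses "$@" | sort | tail -n 1
}

# attributes_released_to SP_ENTITYID FILE...: union of attribute names ever released to that SP, sorted
attributes_released_to() {
  sp="$1"; shift
  awk -F'|' -v sp="$sp" '$4 == sp && $11 != "" { print $11 }' "$@" \
    | tr ',' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# report_endpoint_candidates: usage of the bindings the handout suggests removing. The SAML1
# SOAP binding serves both the SAML1 artifact resolution and the SAML1 attribute service.
report_endpoint_candidates() {
  for urn in urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding \
             urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign; do
    n="$(binding_count "$urn" "$LOGDIR"/idp-audit*.log)"
    printf '%-55s %5s uses, last: %s\n' "$urn" "$n" \
        "$(binding_last_used "$urn" "$LOGDIR"/idp-audit*.log)"
  done
}

case "${1:-}" in
  endpoints) report_endpoint_candidates ;;
  attrs)     attributes_released_to "${2:-}" "$LOGDIR"/idp-audit*.log; echo ;;
esac
```

Usage: `./audit-check.sh endpoints` before removing endpoints in the Resource Registry, `./audit-check.sh attrs https://sp.example.org/shibboleth` when an interfederated SP reports missing attributes. An empty result for the second call means the IdP never released anything to that entityID, which points at the attribute release policy rather than at the SP.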

Clustering IdPs: High Availability and Load Balancing

Goals

•  Operate the IdP on multiple servers to get high availability and/or load balancing
   •  Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
   •  A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
•  Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
   •  Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

•  IdPv3 provides better support for clustering than IdPv2
   •  In particular, user login sessions are stored on the client instead of in memory on the server
   •  Allows flexible configuration of various storage services (memory, server-side, client-side)
•  In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
   •  Full support for Attribute Query requires persistent storage of the Persistent ID
   •  Storing user consents per browser is not convenient for users
•  Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

•  The setup of the IdP and the whole environment is more complex than with a single-server IdP
•  Special configuration of the IdP is required
•  Load balancing requires special hardware or software
•  IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment

[Two diagram slides of an example clustered IdP environment]

Options

•  Full-featured setup: Load Balancing Hardware vs DNS Round Robin
   •  Special load balancing hardware or software is highly recommended
      •  Guaranteed and flexible high-availability, load-balancing and failover characteristics. The status of IdP nodes can be monitored.
      •  Supports sticky sessions (required for short-lived conversation sessions)
   •  DNS Round Robin doesn't work reliably
      •  Behavior of clients is not determinable
      •  Does not guarantee sticky sessions
•  Basic setup (Active/Standby system)
   •  Anycast IP address
      •  Fast switching possible, but more complicated setup
   •  Switching via DNS
      •  Switching takes some time (TTL), but setup is easy

Options

•  Data storage: client-side vs server-side
   •  Server-side database can store any data
      •  But: might cause some performance penalty
      •  Centralized/clustered or replicated database required
   •  Client-side storage using cookies
      •  Doesn't work for large data like user consents
      •  Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

copy 2015 SWITCH

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
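As an added check that is not part of the IdP software or of SWITCH's material: the script below reads the four storage keys from an idp.properties file and compares the configured storage service with the recommendation table above for a clustered deployment. Which bean provides which scope (per node, per client, cluster-wide) and the sample properties file are this example's own assumptions; adapt BEAN_SCOPE to the beans defined in your global.xml.

```python
"""Added check, not part of the IdP: compare the storage services set in
idp.properties with the clustering recommendations from the slides."""
import re

# Storage entity -> idp.properties key (as listed on the slide).
STORAGE_KEYS = {
    "IdP User Session": "idp.session.StorageService",
    "User consents": "idp.consent.StorageService",
    "SAML artifacts": "idp.artifact.StorageService",
    "Message replay cache": "idp.replayCache.StorageService",
}

# Recommended scope per entity for a cluster (recommendation table).
RECOMMENDED_SCOPE = {
    "IdP User Session": "client",
    "User consents": "cluster",
    "SAML artifacts": "cluster",
    "Message replay cache": "node",
}

# Assumed scope of the storage service beans: which bean provides which
# scope is this check's assumption, to be adapted to your global.xml.
BEAN_SCOPE = {
    "shibboleth.StorageService": "node",                  # in-memory, per node
    "shibboleth.ClientSessionStorageService": "client",   # cookie in the browser
    "shibboleth.ClientPersistentStorageService": "client",
    "shibboleth.JPAStorageService": "cluster",            # common database
}

# Constructed sample, not a real deployment's idp.properties.
SAMPLE_PROPERTIES = """\
# storage configuration (sample)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def classify(entity, bean):
    """'ok', 'warn' or 'error' for one entity/bean pair in a clustered IdP."""
    scope = BEAN_SCOPE.get(bean)
    want = RECOMMENDED_SCOPE[entity]
    if scope is None:
        return "warn"          # unknown or custom bean: review manually
    if scope == want:
        return "ok"
    if want == "cluster":
        # Client-side storage works but is bound to one browser; per-node
        # memory is lost on failover and invisible to the other nodes.
        return "warn" if scope == "client" else "error"
    if want == "node" and scope == "cluster":
        return "ok"            # common database is an accepted alternative
    return "warn"


def check_storage(properties_text):
    """Map each storage entity to (configured bean, verdict)."""
    props = parse_properties(properties_text)
    result = {}
    for entity, key in STORAGE_KEYS.items():
        bean = props.get(key, "<not set>")
        result[entity] = (bean, classify(entity, bean))
    return result


if __name__ == "__main__":
    for entity, (bean, verdict) in check_storage(SAMPLE_PROPERTIES).items():
        print(f"{verdict:5} {entity}: {bean}")
```

Run it against a copy of the real idp.properties to get a per-entity verdict; an "error" means the entity's data lives only in one node's memory and will not survive a failover to another node.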

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should regularly be rotated. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide for a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
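An added consistency check for the clustered setup described above; it is not taken from the Shibboleth wiki or the example cronjob script. After the generating node has rotated the key and copied the files, the check confirms that every node holds the same current key version and the same keystore. It assumes the version file uses the sealer.kver layout (a properties file with a CurrentVersion=N entry) and compares keystores by the SHA-256 of their bytes; the node names and file contents are constructed.

```python
"""Added consistency check for a clustered IdP, not from the Shibboleth wiki:
confirm that every node holds the same current cookie-encryption key version
and the same keystore after the rotation cronjob has copied the files."""
import hashlib
import re


def current_version(kver_text):
    """CurrentVersion from a sealer.kver file, or None if the entry is missing."""
    m = re.search(r"^\s*CurrentVersion\s*=\s*(\d+)\s*$", kver_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def keystore_digest(keystore_bytes):
    """Compare keystores by content digest rather than by file name or size."""
    return hashlib.sha256(keystore_bytes).hexdigest()


def cluster_key_status(nodes):
    """nodes: {node_name: (sealer.kver text, sealer.jks bytes)}.
    Returns (reference_version, out_of_sync): the reference is the highest
    version seen (held by the generating node); every node with another
    version or another keystore is listed as out of sync."""
    states = {name: (current_version(kver), keystore_digest(jks))
              for name, (kver, jks) in nodes.items()}
    versions = [v for v, _ in states.values() if v is not None]
    if not versions:
        return None, sorted(states)
    ref_version = max(versions)
    # Reference keystore: the alphabetically first node at the newest version.
    ref_node = min(n for n, (v, _) in states.items() if v == ref_version)
    reference = states[ref_node]
    return ref_version, sorted(n for n, s in states.items() if s != reference)


# Constructed sample: node-c has not yet received the rotated key.
NEW_KEYSTORE = b"JCEKS-bytes-after-rotation"
OLD_KEYSTORE = b"JCEKS-bytes-before-rotation"
SAMPLE_NODES = {
    "node-a": ("CurrentVersion=12\n", NEW_KEYSTORE),
    "node-b": ("#Fri Jun 05 02:00:01 CEST 2015\nCurrentVersion=12\n", NEW_KEYSTORE),
    "node-c": ("CurrentVersion=11\n", OLD_KEYSTORE),
}

if __name__ == "__main__":
    version, stale = cluster_key_status(SAMPLE_NODES)
    print(f"current key version {version}; out of sync: {stale or 'none'}")
```

A node reported as out of sync cannot decrypt session cookies issued by the others (or issues cookies they cannot read), which shows up to users as unexpected re-authentication when the load balancer moves them between nodes; a short lag directly after the cronjob runs is expected, a persistent one is not.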

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                      Defined in   Example
displayName                                        eduPerson    Peter Sample
common name (cn)                                   eduPerson    Peter Sample
mail                                               eduPerson    peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  eduPerson    staff / staff@example.org
eduPersonPrincipalName                             eduPerson    234cd8z239@example.org
schacHomeOrganization                              SCHAC        example.org
schacHomeOrganizationType                          SCHAC        urn:schac:homeOrganizationType:ch:university
                                                                urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2): https://www.switch.ch/aai/interfederation (screenshot)

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
• Framework documents (diagram): eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata (slide with example metadata)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation / IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs) (diagram): SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/. Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings are usually OK; change them if required, e.g. for
    – the LDAP auth module or authentication events
    – a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3
• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate, once the configuration is up to date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
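An added helper, not part of the IdP software, that serves two passages of these handouts: the "verify that attributes were released" step of the troubleshooting checklist above, and the earlier hands-on note that idp-audit.log entries record reload events. It parses audit log lines into named fields and answers both questions from them. The field layout is an assumption derived from the sample reload entries on the hands-on slide (the profile URI sits in the fifth of 13 pipe-separated fields); adapt FIELDS to the formatting map in conf/audit.xml of your IdP. The log lines are constructed.

```python
"""Added helper, not part of the IdP: parse idp-audit.log lines to list reload
events and to check which attributes were released to a given SP.
FIELDS is an assumed layout (profile URI in field 5 of 13); adapt it to the
audit formatting map of your deployment."""

FIELDS = ["time", "inbound_binding", "inbound_message_id", "sp", "profile",
          "idp", "outbound_binding", "outbound_message_id", "user",
          "authn_context", "attributes", "nameid_format", "nameid"]

RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"

# Constructed sample lines (13 fields each, separated by '|').
SAMPLE_AUDIT = """\
20150611T091500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,eduPersonScopedAffiliation|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid1
20150611T091700Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T091800Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://filesender.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_nid2
"""


def parse_audit_line(line, fields=FIELDS):
    """Split one audit line into a dict; None if it does not match the layout."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(fields):
        return None
    return dict(zip(fields, parts))


def reload_events(lines):
    """(time, reload flow name) for every admin reload recorded in the log.
    As the slide notes, only the event is recorded, not the id= argument."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["profile"].startswith(RELOAD_PREFIX):
            events.append((rec["time"], rec["profile"].rsplit("/", 1)[1]))
    return events


def released_attributes(lines, sp_entity_id):
    """Attribute IDs released in the most recent entry for the SP, or None if
    the SP never appears in the log (the request never reached the IdP)."""
    result = None
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["sp"] != sp_entity_id:
            continue
        result = set(filter(None, rec["attributes"].split(",")))
    return result


def missing_attributes(lines, sp_entity_id, required):
    """Required attributes the IdP did not release to the SP (sorted), or
    None when there is no audit entry for that SP at all."""
    released = released_attributes(lines, sp_entity_id)
    if released is None:
        return None
    return sorted(set(required) - released)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("reload events:", reload_events(lines))
    # Check an interfederated SP against the R&S minimal subset from the handouts.
    print(missing_attributes(lines, "https://filesender.example.net/shibboleth",
                             ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"]))
```

A None result distinguishes "the login never reached the IdP" (a metadata or discovery problem from the slides before) from "the IdP answered but withheld attributes" (an attribute release policy problem), which is exactly the branch the checklist above asks you to take.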

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    – pick the country where the entity might be registered
    – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Disabling prompt for particular SPs: Relying party overrides

Template beans in conf/relying-party.xml to match SPs by
• name: entityID
• group: <EntitiesDescriptor> in metadata
• tag: <EntityAttributes> metadata extension

First match wins: the order in conf/relying-party.xml is significant

Disabling prompt for particular SPs: Entity attributes in metadata
• Entity categories
  – GÉANT Data Protection Code of Conduct (CoCo)
  – REFEDS Research & Scholarship
• New attributes available
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType

Example metadata with attributes

<EntityDescriptor entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganizationType" Name="urn:oid:2.16.756.1.2.5.1.1.5">
        <saml:AttributeValue>others</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <!-- rest of metadata for entity -->
</EntityDescriptor>

Example relying party override: disables flows for SPs belonging to a home organisation

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty" parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean id="disableForSingleHomeOrganization" parent="TagCandidate"
              c:name="urn:oid:2.16.756.1.2.5.1.1.4" p:values="example.org" />
        <!-- more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- other profiles -->
      </list>
    </property>
  </bean>
</util:list>
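To make the two slides above concrete, here is an added example that is neither SWITCH's nor the Shibboleth project's code: it reads the entity attributes out of an SP's metadata (the slide's example, with the standard SAML namespace declarations added) and walks an ordered list of tag candidates the way the relying-party overrides are described, first match wins. The candidate list and the bean names other than shibboleth.NoUserConsentRelyingParty are hypothetical, and the matching rule used here (a candidate matches when every value it lists is present on the entity) is this example's assumption, to be verified against the IdP documentation for RelyingPartyByTag.

```python
"""Added example, not IdP code: extract entity attributes from SP metadata and
evaluate relying-party override candidates in order (first match wins)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"
SWISS_HOME_ORG = "urn:oid:2.16.756.1.2.5.1.1.4"   # swissEduPersonHomeOrganization

# The slide's example entity, with namespace declarations added.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth">
  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="swissEduPersonHomeOrganization" Name="urn:oid:2.16.756.1.2.5.1.1.4">
        <saml:AttributeValue>switch.ch</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""


def entity_attributes(metadata_xml):
    """Return (entityID, {attribute Name: [values]}) from an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return root.get("entityID"), attrs


def first_matching_override(attrs, candidates):
    """candidates: ordered list of (override bean id, attribute Name, values).
    Assumed rule: a candidate matches when the entity carries the attribute
    with every listed value; the first match wins, so list order matters."""
    for override, name, required_values in candidates:
        present = set(attrs.get(name, []))
        if required_values and set(required_values) <= present:
            return override
    return None


# Hypothetical override list in relying-party.xml order. Only the first bean
# id comes from the slide; the other two names are made up for the example.
CANDIDATES = [
    ("shibboleth.NoUserConsentRelyingParty", SWISS_HOME_ORG, ["example.org"]),
    ("shibboleth.CoCoRelyingParty", ENTITY_CATEGORY, [COCO]),
    ("shibboleth.RSRelyingParty", ENTITY_CATEGORY, [RS]),
]


def decide(metadata_xml, candidates=CANDIDATES):
    """Which override applies to the entity described by metadata_xml."""
    entity_id, attrs = entity_attributes(metadata_xml)
    return entity_id, first_matching_override(attrs, candidates)


if __name__ == "__main__":
    print(decide(SAMPLE_METADATA))
```

Swapping the order of the first two candidates changes the outcome for an entity that carries both tags, which is the point of the "order is significant" remark on the slide.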

SWITCHaai Team, aai@switch.ch

Upgrades within Version 3: It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date!

Upgrading Procedure

• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes
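An added helper for the upgrade procedure, not part of the IdP distribution: take a checksum snapshot of the unmanaged directories before running bin/install.sh and compare it afterwards, to confirm that the upgrade left your own files alone and to see what changed under the managed directories. The directory names are the ones from the slide; the IdP root is a parameter, and the demo builds a throwaway directory tree of its own instead of touching /opt/shibboleth-idp.

```python
"""Added helper, not part of the IdP distribution: checksum snapshots of the
unmanaged and managed directories around an upgrade."""
import hashlib
import pathlib
import tempfile

UNMANAGED = ("conf", "views", "edit-webapp")   # yours; an upgrade must not touch them
MANAGED = ("system", "webapp")                  # the IdP's; an upgrade replaces them


def snapshot(root, subdirs):
    """Map relative file path -> SHA-256 for every regular file under root/subdirs."""
    root = pathlib.Path(root)
    digests = {}
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Sorted lists of added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def upgrade_touched_unmanaged(before, after):
    """True if a file you manage yourself was changed or removed.
    New files appearing in an unmanaged directory are not treated as damage."""
    d = diff_snapshots(before, after)
    return bool(d["removed"] or d["modified"])


def demo():
    """Simulate an upgrade in a temporary tree: only a managed file changes.
    Returns (diff of unmanaged dirs, diff of managed dirs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "conf").mkdir()
        (root / "system" / "conf").mkdir(parents=True)
        (root / "conf" / "idp.properties").write_text("idp.entityID = https://idp.example.org/idp/shibboleth\n")
        (root / "system" / "conf" / "services-system.xml").write_text("<beans/>\n")
        before_unmanaged = snapshot(root, UNMANAGED)
        before_managed = snapshot(root, MANAGED)
        # The simulated install.sh run rewrites a system file and nothing else.
        (root / "system" / "conf" / "services-system.xml").write_text("<beans><!-- new version --></beans>\n")
        after_unmanaged = snapshot(root, UNMANAGED)
        after_managed = snapshot(root, MANAGED)
        return (diff_snapshots(before_unmanaged, after_unmanaged),
                diff_snapshots(before_managed, after_managed))


if __name__ == "__main__":
    unmanaged_diff, managed_diff = demo()
    print("unmanaged:", unmanaged_diff)
    print("managed:", managed_diff)
```

In practice, call snapshot("/opt/shibboleth-idp", UNMANAGED) before the upgrade, store the result, and compare after bin/install.sh has run; the managed-directory diff doubles as a list of what the release changed, which helps when reviewing the release notes.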

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 Metadata.

Does metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2). Therefore, in theory, no metadata/Resource Registry change is needed
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot): 1, 2 to review; 3 to adapt

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies. Consider releasing all R&S attributes

2 Change URL for Attribute Authority

Recommendation so far Separate port (ie 8443) or IP for IdP Attribute Authority (AA)

8

Page 65

2. Change URL for Attribute Authority

New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).

Why?
• Easier configuration because:
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information", change the URLs for:
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/  or  https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally, it's better to only have published in metadata what is needed and used. So in "3. Technical Information", consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:

$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

This returns information (i.e. time, SP) on when the binding was last used.
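As an added example (not part of the SWITCH handouts), a small shell helper that generalises the grep above: it reports, per relying party, when a given binding was last seen in the process log, so the decision to drop an endpoint is backed by a date rather than a raw grep hit. The log line layout is constructed for the example (timestamp first, relying-party entityID as the first https:// token on the line); adjust the awk extraction to your idp-process.log format.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: report when a SAML binding
# was last seen per relying party in the IdP process log, as evidence before
# removing the corresponding endpoint from the Resource Registry.
#
# Assumed (constructed) line layout, adjust to your idp-process.log:
#   "YYYY-MM-DD HH:MM:SS,mmm - LEVEL [logger:line] - message ... https://<sp entityID>"
# The binding URN is expected verbatim somewhere in the message.

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# last_binding_use BINDING LOGFILE...
# Prints "YYYY-MM-DD HH:MM:SS ENTITYID", one line per relying party that used
# BINDING, each with its most recent timestamp, sorted by entityID.
# Prints nothing when the binding does not occur in the logs at all.
last_binding_use() {
    binding=$1
    shift
    awk -v b="$binding" '
        index($0, b) > 0 {
            # the first https:// token on the line is taken as the relying party
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 8) == "https://") {
                    sp = $i
                    ts = $1 " " substr($2, 1, 8)     # drop the milliseconds
                    # ISO timestamps sort lexically, so keep the greater one
                    if (ts > last[sp]) last[sp] = ts
                    break
                }
            }
        }
        END { for (sp in last) print last[sp], sp }' "$@" | sort -k3
}

# binding_in_use BINDING LOGFILE: exit status 0 if BINDING occurs at all
binding_in_use() {
    grep -qF -- "$1" "$2"
}

# Constructed sample log (not real IdP output) for trying the functions out
write_sample_log() {
    cat > "$1" <<'EOF'
2015-01-14 08:02:11,301 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
2015-03-20 16:40:03,552 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for relying party https://sp.example.org/shibboleth
2015-04-02 09:15:44,009 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://legacy-sp.example.org/shibboleth
2015-04-11 11:30:59,777 - INFO [example.logger:1] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding for relying party https://archive.example.net/shibboleth
EOF
}

# Typical use on a real IdP:
#   last_binding_use "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-process-2015-*.log
```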

Page 68

SWITCHaai Team aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • In particular, user login sessions are stored on the client instead of in memory on the server
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram slides)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
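Added example (not from the handouts): a POSIX shell check that compares the four idp.properties storage assignments against the recommendation table above, flagging a node that still uses the single-node defaults for consents or artifacts. The bean IDs shibboleth.StorageService, shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService are the IdPv3 defaults and are assumed here; only shibboleth.JPAStorageService is named in the handout.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: check the storage-service
# assignments in idp.properties against the cluster recommendations
# (session on the client, consents and artifacts in the common database,
# replay cache in per-node memory).
#
# Assumed bean IDs (IdPv3 defaults; the handout names only
# shibboleth.JPAStorageService): shibboleth.StorageService is the in-memory
# service, shibboleth.ClientSessionStorageService the encrypted session cookie,
# shibboleth.ClientPersistentStorageService the per-browser consent cookie.

# expected_storage KEY: the recommended value of KEY in a clustered deployment
expected_storage() {
    case $1 in
        idp.session.StorageService)     echo shibboleth.ClientSessionStorageService ;;
        idp.consent.StorageService)     echo shibboleth.JPAStorageService ;;
        idp.artifact.StorageService)    echo shibboleth.JPAStorageService ;;
        idp.replayCache.StorageService) echo shibboleth.StorageService ;;
        *) return 1 ;;
    esac
}

# property_value FILE KEY: value of KEY in a Java properties file, ignoring
# commented-out lines; the last assignment wins. Prints nothing if unset.
property_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_cluster_storage FILE: prints one "KEY: got X, expected Y" line per
# mismatch (an unset key counts as a mismatch); returns the number of mismatches
check_cluster_storage() {
    file=$1
    n=0
    for key in idp.session.StorageService idp.consent.StorageService \
               idp.artifact.StorageService idp.replayCache.StorageService; do
        want=$(expected_storage "$key")
        got=$(property_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: got '${got:-<unset>}', expected '$want'"
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed sample: a node that still keeps consents per browser and
# artifacts in local memory, plus a commented-out line that must be ignored
write_sample_properties() {
    cat > "$1" <<'EOF'
# idp.properties excerpt (constructed for this example)
idp.session.StorageService = shibboleth.ClientSessionStorageService
#idp.consent.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

# Typical use on a real node:
#   check_cluster_storage /opt/shibboleth-idp/conf/idp.properties
```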

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation /         eduPerson    staff / staff@example.org
  eduPersonScopedAffiliation
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration)

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context:
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (figure slide)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

Apache log files

Logfiles:
• error.log
  • aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log
  • aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP (services.properties)
  • entry idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   • find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   • change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   • set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   • insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
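Added example (not the IdP's own reload scripts and not from the handouts): a shell wrapper for the admin reload flows that validates the bean ID against the list above before calling curl, and builds the reload-metadata URL the same way. The host name aai-login.example.org is the handout's placeholder; set IDP_BASE for your deployment, and run it on the IdP host itself since the flows are restricted to localhost by default.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: wrapper around the IdPv3
# admin reload flows. A typo in the bean ID is caught locally instead of
# producing an HTTP error from the IdP.
#
# Assumptions: the IdP answers under IDP_BASE on the host this runs on
# (reload URLs are restricted to localhost by default) and curl is installed.

IDP_BASE=${IDP_BASE:-https://aai-login.example.org/idp}   # placeholder host

# Service bean IDs that the reload-service flow accepts (list from the handout)
RELOADABLE_SERVICES='shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService'

# is_reloadable_service ID: exit status 0 if ID is a known reloadable service bean
is_reloadable_service() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -qx -- "$1"
}

# reload_url KIND ID: prints the admin flow URL for KIND "service" or
# "metadata" and the given bean ID or metadata provider ID
reload_url() {
    case $1 in
        service|metadata) printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2" ;;
        *) echo "reload_url: unknown kind '$1'" >&2; return 2 ;;
    esac
}

# reload_service ID: trigger a service reload; refuses unknown IDs with
# status 1. Otherwise prints whatever the IdP returns and passes on curl's
# status (-f turns an HTTP error into a non-zero exit status).
reload_service() {
    if ! is_reloadable_service "$1"; then
        echo "reload_service: '$1' is not a reloadable service bean ID" >&2
        return 1
    fi
    curl -sS -f "$(reload_url service "$1")"
}

# reload_metadata ID: trigger a reload of one metadata provider by its ID
# (the IDs come from the Provider id= attributes in metadata-providers.xml)
reload_metadata() {
    curl -sS -f "$(reload_url metadata "$1")"
}

# Typical use after editing attribute-filter.xml:
#   reload_service shibboleth.AttributeFilterService
```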

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out beforehand
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • The SP does not load the interfederation metadata
    • The SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
    • That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
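Added example (not from the handouts) for the "were all required attributes released?" step: two shell functions that read idp-audit.log and list what the last record for an SP contained and what is missing from a required set. The field positions (SP entityID in field 4, attribute list in field 11) assume the IdPv3 default audit format and should be checked against conf/audit.xml in your deployment; the audit records below are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: check from idp-audit.log
# which attributes were released to an SP and which required ones are missing.
#
# Assumption: audit lines use the IdPv3 default idp.audit.format, where the
# fields are '|'-separated, the SP entityID is field 4 and the released
# attribute IDs are a comma-separated list in field 11. Verify the format in
# /opt/shibboleth-idp/conf/audit.xml and adjust SP_FIELD / ATTR_FIELD.
SP_FIELD=4
ATTR_FIELD=11

# released_attributes LOGFILE SP_ENTITYID
# Prints the attribute IDs (one per line) from the most recent audit record
# for that SP; prints nothing if no record for the SP exists.
released_attributes() {
    awk -F'|' -v sp="$2" -v spf="$SP_FIELD" -v af="$ATTR_FIELD" '
        $spf == sp { attrs = $af }          # later records overwrite earlier ones
        END {
            n = split(attrs, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }' "$1"
}

# missing_attributes LOGFILE SP_ENTITYID REQUIRED...
# Prints each required attribute that the last record for the SP did not
# contain; returns 0 if nothing is missing, 1 otherwise.
missing_attributes() {
    logfile=$1; sp=$2; shift 2
    released=$(released_attributes "$logfile" "$sp")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$released" | grep -qx -- "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample audit records (not real data): the interfederated SP
# https://sp.example.net/shibboleth received only part of the R&S attributes.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
20150611T081502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|demouser|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,givenName,surname,eduPersonScopedAffiliation|_a1|_i1||
20150611T083311Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c2|https://sp.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|demouser|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID|_a2|_i2||
EOF
}

# Typical use on a real IdP, checking the R&S minimal subset:
#   missing_attributes /opt/shibboleth-idp/logs/idp-audit.log \
#       https://sp.example.net/shibboleth eduPersonPrincipalName mail displayName
```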

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
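Added example (not from the handouts) that serves both the entity category slides and the two slides above on exploring and troubleshooting interfederated entities: a shell/awk scan of a metadata file, such as the interfederation SP metadata loaded by the IdP, that lists every entity tagged with a given entity category. The REFEDS R&S category URI and the sample metadata are assumptions made for the example; the CoCo URI is the one from the handout.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handouts: list the entities in a SAML
# metadata file that carry a given entity category, e.g. which SPs in the
# interfederation metadata the IdP has loaded are committed to the GEANT
# Data Protection Code of Conduct, without consulting the eduGAIN web tools.
#
# Assumptions: line-oriented metadata as aggregators usually emit it (each
# EntityDescriptor start tag on one line, each AttributeValue either on one
# line with its value or on its own lines, as in the handout's example).
COCO='http://www.geant.net/uri/dataprotection-code-of-conduct/v1'
RS='http://refeds.org/category/research-and-scholarship'   # REFEDS R&S URI (assumed)

# entities_in_category CATEGORY_URI METADATA_FILE
# Prints the entityID of every EntityDescriptor whose
# http://macedir.org/entity-category attribute contains CATEGORY_URI.
entities_in_category() {
    awk -v target="$1" '
        /<(md:)?EntityDescriptor[ >]/ {          # new entity: remember its entityID
            eid = $0; sub(/.*entityID="/, "", eid); sub(/".*/, "", eid)
            incat = 0; cats = ""
        }
        /<(saml:)?Attribute [^>]*Name="http:\/\/macedir\.org\/entity-category"/ { incat = 1 }
        incat && /<\/(saml:)?Attribute>/ { incat = 0 }
        incat {                                   # collect the category values
            v = $0; gsub(/<[^>]*>/, " ", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v != "") cats = cats " " v
        }
        /<\/(md:)?EntityDescriptor>/ {            # exact match against each value
            n = split(cats, c, " ")
            for (i = 1; i <= n; i++) if (c[i] == target) { print eid; break }
        }' "$2"
}

# Constructed sample metadata (not real entities): one CoCo SP, one SP with
# both R&S and CoCo, and one SP without any entity category.
write_sample_metadata() {
    cat > "$1" <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="constructed-sample">
  <EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>
            http://www.geant.net/uri/dataprotection-code-of-conduct/v1
          </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://rs-sp.example.net/shibboleth">
    <Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://plain-sp.example.com/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
}

# Typical use on a real IdP:
#   entities_in_category "$COCO" /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
```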

Page 103


Example metadata with attributesltEntityDescriptor entityID=httpsattribute-vieweraaiswitchchinterfederation-testshibboleth ltExtensionsgt ltmdattrEntityAttributesgt ltsamlAttribute Name=httpmacedirorgentity-categorygt ltsamlAttributeValuegt httpwwwgeantneturidataprotection-code-of-conductv1 ltsamlAttributeValuegt ltsamlAttributegt ltsamlAttribute FriendlyName=swissEduPersonHomeOrganization Name=urnoid216756125114gt ltsamlAttributeValuegtswitchchltsamlAttributeValuegt ltsamlAttributegt ltsamlAttribute FriendlyName=swissEduPersonHomeOrganizationType Name=urnoid216756125115gt ltsamlAttributeValuegtothersltsamlAttributeValuegt ltsamlAttributegt ltmdattrEntityAttributesgt ltExtensionsgt lt-- rest of metadata for entity --gtltEntityDescriptorgt

copy 2015 SWITCH 25

Example relying party overrideDisables flows for SPs belonging to a home organisation

ltutillist id=shibbolethRelyingPartyOverridesgt lt-- more beans --gt ltbean id=shibbolethNoUserConsentRelyingParty parent=RelyingPartyByTaggt ltconstructor-arg name=candidatesgt ltlistgt ltbean id=disableForSingleHomeOrganization parent=TagCandidate cname=urnoid216756125114 pvalues=exampleorg gt lt-- more beans --gt ltlistgt ltconstructor-arggt ltproperty name=profileConfigurationsgt ltlistgt ltref bean=ShibbolethSSO gt ltref bean=SAML2SSO gt lt-- other profiles --gt ltlistgt ltpropertygt ltbeangtltutillistgt


Page 58

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp:
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. The existing configuration should still work without these changes.

Page 60

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN? It's SAML2 Metadata.

Page 62

Does metadata change when the IdP is upgraded? Fortunately not, but revising metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation Description: apply the change in the AAI Resource Registry, https://rr.aai.switch.ch

Home Organisation Description (screenshot: items 1 and 2 are to review, item 3 is to adapt)

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because: only one Apache VirtualHost; one domain name and one certificate; no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for: Attribute Service, Artifact Resolution Service.
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/ to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
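The grep above answers the question for one binding; here is an added Python example (not SWITCH's or Shibboleth's code) that generalises it to all three removal candidates and reports, per binding, the last use and the relying party, so an endpoint is only dropped once it is known to be unused. The log lines and their wording are constructed for this example; as with the slide's grep, only the binding URN (and here a relyingParty= tag) is what the scan keys on.

```python
"""Find which SAML bindings an IdP has actually served recently.

Added example, not SWITCH's or Shibboleth's code. The log lines below are
constructed; the real idp-process.log wording differs, but the binding URNs
are what the slide's grep matches on, and so does this script.
"""
import re
from datetime import date, timedelta

# Binding URNs behind the endpoints the slide lists as removal candidates.
CANDIDATE_BINDINGS = {
    "SAML1 SOAP (Artifact Resolution / Attribute Service)":
        "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "SAML2 HTTP-POST-SimpleSign (SSO)":
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
}

# Constructed sample lines (format assumed: timestamp first, binding URN and a
# relyingParty= tag somewhere in the message).
SAMPLE_LOG = """\
2015-01-14 09:12:03,411 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding relyingParty=https://old-sp.example.org/shibboleth
2015-03-02 17:40:55,002 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://sp.example.org/shibboleth
2015-06-10 08:01:19,770 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign relyingParty=https://legacy.example.net/shibboleth
2015-06-11 11:30:00,001 - INFO [net.shibboleth.idp.profile:123] - binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST relyingParty=https://sp.example.org/shibboleth
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ .*?"
    r"(?P<binding>urn:oasis:names:tc:SAML:[12]\.0:bindings:\S+)"
    r".*?relyingParty=(?P<rp>\S+)")


def last_use_per_binding(log_text):
    """Return {binding URN: (last ISO date, relying party)} over all lines."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.group("date")  # ISO dates compare correctly as strings
        prev = seen.get(m.group("binding"))
        if prev is None or d > prev[0]:
            seen[m.group("binding")] = (d, m.group("rp"))
    return seen


def removal_report(log_text, today_iso, unused_days=90):
    """Classify each candidate binding: 'remove' if unused for `unused_days`
    before `today_iso`, otherwise 'keep' with the last relying party that used it."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=unused_days)).isoformat()
    usage = last_use_per_binding(log_text)
    report = {}
    for label, urn in CANDIDATE_BINDINGS.items():
        last = usage.get(urn)
        if last is None:
            report[label] = ("remove", "never seen in this log")
        elif last[0] < cutoff:
            report[label] = ("remove", "last used %s by %s" % last)
        else:
            report[label] = ("keep", "last used %s by %s" % last)
    return report


if __name__ == "__main__":
    for label, (verdict, why) in removal_report(SAMPLE_LOG, "2015-06-11").items():
        print("%-55s %-6s %s" % (label, verdict, why))
```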

Page 68

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
• Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
• Especially, user login sessions are stored on the client instead of on the server in memory
• Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (slides 5 and 6: diagrams, not reproduced in the handout text)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client; not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• Common Database means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
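To check an existing idp.properties against the recommendation table above before adding a second node, here is an added Python example (not SWITCH's or Shibboleth's code). The property names are the ones named on the slide, the bean names are the stock IdP v3 storage beans (shibboleth.StorageService is the in-memory one), the commented-out artifact default is assumed, and the properties excerpt is constructed.

```python
"""Check idp.properties storage settings against the clustering recommendations
(user session on the client; consents and artifacts in a common database;
replay cache per node unless higher security is required).

Added example, not SWITCH's or Shibboleth's code.
"""
import re

# Scope implied by each stock IdP v3 storage service bean.
BEAN_SCOPE = {
    "shibboleth.StorageService": "per node",                 # in-memory
    "shibboleth.ClientSessionStorageService": "per client",
    "shibboleth.ClientPersistentStorageService": "per client",
    "shibboleth.JPAStorageService": "cluster",               # common database
}

# Recommended scope per storage entity (slide "Storage Recommendations").
RECOMMENDED = {
    "idp.session.StorageService": ("IdP User Session", "per client"),
    "idp.consent.StorageService": ("User consents", "cluster"),
    "idp.artifact.StorageService": ("SAML artifacts", "cluster"),
    "idp.replayCache.StorageService": ("Message replay cache", "per node"),
}

# Assumed built-in default when the property is commented out.
DEFAULTS = {"idp.artifact.StorageService": "shibboleth.StorageService"}

# Constructed sample: a single-node default deployment, not yet cluster-ready.
SAMPLE_PROPERTIES = """\
# idp.properties (constructed excerpt)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
#idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def cluster_findings(text, replay_cache_strict=False):
    """Return {property: (entity, configured bean, scope, recommended scope, ok)}.
    With replay_cache_strict the per-node replay cache is flagged too, for
    deployments with higher security requirements (the slide's alternative)."""
    props = parse_properties(text)
    findings = {}
    for key, (entity, want) in RECOMMENDED.items():
        bean = props.get(key, DEFAULTS.get(key, ""))
        scope = BEAN_SCOPE.get(bean, "unknown")
        ok = scope == want
        if key == "idp.replayCache.StorageService" and replay_cache_strict:
            ok = scope == "cluster"
        findings[key] = (entity, bean, scope, want, ok)
    return findings


def not_cluster_ready(text, **kw):
    """Entities whose configured storage does not match the recommendation."""
    return sorted(e for e, _, _, _, ok in cluster_findings(text, **kw).values() if not ok)


if __name__ == "__main__":
    for key, (entity, bean, scope, want, ok) in cluster_findings(SAMPLE_PROPERTIES).items():
        print("%-22s %-45s %-10s want %-10s %s"
              % (entity, bean, scope, want, "ok" if ok else "CHANGE"))
```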

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = Interfederation: register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map: Production / Pilot; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (screenshot)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(Diagram: eduGAIN Constitution and eduGAIN Declaration, with Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (slide 14: metadata example, figure only)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct
Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

                  REFEDS R&S                  GÉANT DP CoCo
Scope             Global                      Mainly Europe
Basis             Common purpose of the SPs   Common data protection standards
Attributes        Fixed set of attributes     SP can require any attributes
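The comparison above (fixed R&S bundle versus "any attributes" under CoCo) and the R&S minimal subset are worked out in this added Python example (not SWITCH's or Shibboleth's code; the real IdP expresses this in attribute-filter.xml). The R&S category URI is the published REFEDS one, the CoCo URI is the one on the slides, and the SP entries, the user's attributes and the IdP's CoCo allow-list are constructed.

```python
"""Decide an attribute bundle from an SP's entity categories: R&S releases a
fixed set, CoCo releases what the SP requested and the IdP permits.

Added example, not SWITCH's or Shibboleth's code.
"""
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# R&S bundle as listed on the slide; "person name" is displayName or givenName + sn.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonTargetedID", "eduPersonScopedAffiliation"}
RS_MINIMAL = ({"eduPersonPrincipalName", "mail", "displayName"},
              {"eduPersonPrincipalName", "mail", "givenName", "sn"})


def rs_minimal_satisfied(released):
    """True if `released` covers the R&S minimal subset in either person-name form."""
    released = set(released)
    return any(alt <= released for alt in RS_MINIMAL)


def release_for(sp, available, coco_allowed):
    """Attributes released to `sp` (dict with 'categories' and 'requested'),
    given the user's `available` attributes and the IdP's CoCo allow-list."""
    cats = set(sp.get("categories", []))
    requested = set(sp.get("requested", []))
    available = set(available)
    released = set()
    if RS_CATEGORY in cats:
        released |= RS_BUNDLE & available                  # fixed set, request ignored
    if COCO_CATEGORY in cats:
        released |= requested & coco_allowed & available   # only what the SP asked for
    return released                                        # no category: nothing by default


# Constructed user attributes and IdP policy.
USER = {"eduPersonPrincipalName", "mail", "givenName", "sn", "displayName",
        "eduPersonScopedAffiliation", "eduPersonTargetedID",
        "swissEduPersonHomeOrganization", "eduPersonEntitlement"}
COCO_ALLOWED = {"eduPersonPrincipalName", "mail", "displayName",
                "eduPersonScopedAffiliation", "swissEduPersonHomeOrganization"}

# Constructed SPs: an R&S SP, a CoCo SP requesting more than the IdP permits,
# and an SP with no category at all.
SPS = {
    "https://rs-sp.example.org/shibboleth": {
        "categories": [RS_CATEGORY], "requested": ["mail"]},
    "https://coco-sp.example.net/shibboleth": {
        "categories": [COCO_CATEGORY],
        "requested": ["mail", "displayName", "eduPersonEntitlement",
                      "swissEduPersonHomeOrganization"]},
    "https://plain-sp.example.com/shibboleth": {
        "categories": [], "requested": ["mail"]},
}


def report(sps=SPS, available=USER, coco_allowed=COCO_ALLOWED):
    """Map entityID -> (sorted released attributes, R&S minimal subset satisfied?)."""
    out = {}
    for eid, sp in sps.items():
        rel = release_for(sp, available, coco_allowed)
        out[eid] = (sorted(rel), rs_minimal_satisfied(rel))
    return out


if __name__ == "__main__":
    for eid, (rel, ok) in report().items():
        print(eid, rel, "R&S minimal satisfied:", ok)
```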

Page 87

Attribute Release Configuration: How attributes are released

Attribute Release Rules (slide 2: figure only)

Page 88

Attribute Release Settings (1) (slide 3: screenshot "Resource Registry – Edit Home Organization Description – Attribute Release Settings")

Attribute Release Settings (2) (slide 4: screenshot)

Page 89

Overview of Log Files

Apache log files
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/. Configuration is defined in the virtual host definition: dir /etc/apache2/sites-available/, file aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat; default logging location /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST)); default logging location /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor). Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, i.e. for the LDAP Auth Module or authentication events, a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN" />
  <appender-ref ref="EMAIL" />
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value: attribute resolver (attribute-resolver.xml), attribute filtering engine (attribute-filter.xml), profile handler manager (handler.xml), relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately; say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4: curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before, if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP: Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  • or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


SWITCHaai Team, aai@switch.ch

Upgrades within Version 3
It's easy now

The IdPv3 makes upgrading easy. The upgrade process is designed to be very safe and will never overwrite any configuration files, views/templates, properties etc. that you have modified. Keep your IdP up to date.

Page 59

Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux)
  • Verify the package's PGP signature (shibboleth.net publishes a detached .asc signature next to each download) before unpacking it
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  Ubuntu: sudo service tomcat7 restart
  Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp
  • Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  • Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp
• Upgrades may introduce new features that require adaptations to the configuration to make use of these new features. But the existing configuration should still work without these changes.
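To make the managed/unmanaged rule checkable before running the procedure above, here is an added example (my code, not part of the SWITCH handouts or of the Shibboleth installer): it classifies locally modified files under /opt/shibboleth-idp, refuses to plan the upgrade if any of them sit in a directory that bin/install.sh overwrites, and otherwise returns the command sequence from the slide. The directory sets extend the slide's "e.g." lists with credentials, metadata and messages (deployer-owned) and dist (installer-owned); those extensions, the distribution path and the list of modified files are assumptions.

```python
"""Pre-flight check and command plan for an IdP v3 in-place upgrade.

Added example, not part of the SWITCH handouts or of the Shibboleth installer.
It encodes the slide's rule: conf/, views/, edit-webapp/ ... are yours and survive
bin/install.sh; system/ and webapp/ are replaced by it.
"""
from pathlib import PurePosixPath

IDP_HOME = "/opt/shibboleth-idp"

# Deployer-owned directories (not touched by upgrades). The slide lists conf, views
# and edit-webapp as examples; credentials, metadata and messages are added here
# (assumption: standard IdP v3 layout).
UNMANAGED = {"conf", "views", "edit-webapp", "credentials", "metadata", "messages"}
# Installer-owned directories (overwritten by bin/install.sh). The slide names system
# and webapp; dist (the installer's pristine copies) is added here (assumption).
MANAGED = {"system", "webapp", "dist"}

RESTART = {  # container restart command per OS family, as on the slide
    "ubuntu": "sudo service tomcat7 restart",
    "rhel": "sudo systemctl restart tomcat.service",
}


def classify(path):
    """'unmanaged', 'managed' or 'other' for an absolute path below IDP_HOME."""
    try:
        rel = PurePosixPath(path).relative_to(IDP_HOME)
    except ValueError:
        return "other"                      # outside the IdP tree, e.g. /etc/tomcat7
    top = rel.parts[0] if rel.parts else ""
    if top in MANAGED:
        return "managed"
    if top in UNMANAGED:
        return "unmanaged"
    return "other"


def local_edits_at_risk(modified_paths):
    """Files you changed that the upgrade will silently overwrite.

    Such edits belong in edit-webapp/ (overlayed on webapp/ by build.sh) or conf/;
    move them before upgrading, or they are lost.
    """
    return sorted(p for p in modified_paths if classify(p) == "managed")


def plan_upgrade(dist_dir, modified_paths, os_family="ubuntu"):
    """Command sequence from the slide, or an exception if the pre-flight check fails."""
    at_risk = local_edits_at_risk(modified_paths)
    if at_risk:
        raise RuntimeError("local edits in managed directories would be lost: "
                           + ", ".join(at_risk))
    if os_family not in RESTART:
        raise ValueError("unknown OS family: %s" % os_family)
    return [
        "cd %s" % dist_dir,                 # the unpacked distribution (discard afterwards)
        "bin/install.sh",                   # upgrades the deployment in /opt/shibboleth-idp
        "%s/bin/build.sh" % IDP_HOME,       # re-build idp.war from webapp/ + edit-webapp/
        RESTART[os_family],                 # activate the new version
    ]


if __name__ == "__main__":
    # Constructed input: what `find /opt/shibboleth-idp -newer <marker> -type f` might list.
    changed = ["/opt/shibboleth-idp/conf/idp.properties",
               "/opt/shibboleth-idp/webapp/images/logo.png"]
    try:
        print("\n".join(plan_upgrade("/tmp/shibboleth-identity-provider-3.1.1", changed)))
    except RuntimeError as err:
        print("refusing to upgrade:", err)
```

Run it with the output of a `find -newer` against the previous idp.war as `modified_paths`; an edit under webapp/ (a customised logo, for instance) is reported and the upgrade is refused until the file has been moved to edit-webapp/.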

Page 60

References, Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation Description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (figure: sections 1 and 2 to review, section 3 to adapt)

Page 64

1. Review the Home Organisation Description
In particular review and adapt if necessary:
• 1 General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information
  • Add new IP ranges and Domain Hints
• 5 Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes

2. Change the URL for the Attribute Authority
Recommendation so far: separate port (e.g. 8443) or IP address for the IdP Attribute Authority (AA)

Page 65

2. Change the URL for the Attribute Authority
New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for the support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.
• Consequence: the IdP's trust in a query rests entirely on the SP's signing certificate published in metadata. Without a valid signature from a key listed there the IdP cannot authenticate the requester and rejects the query, so the SP's signing certificate must be kept current in the Resource Registry.

Page 66

2. Change the URL for the Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign-On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
• Caveat: the log files roll over, so make sure the retained history covers the whole period you check; an empty result from a log that only goes back a few weeks proves nothing
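Two of the log checks in these handouts, whether the required attributes were released to a given SP (the "Attributes" troubleshooting slide) and when a binding was last used (the endpoint removal above), can both be answered from idp-audit.log, where the inbound binding, the relying party and the released attributes are separate pipe-delimited fields. The following added example (my code, not SWITCH's or the IdP's) parses a few constructed audit lines in the 13-field layout consistent with the reload entries shown in the "Reloading the Configuration" slides (%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i); that layout is an assumption to be verified against idp.audit.format in your deployment, and the entity IDs, user names and timestamps are constructed. Reading the audit log instead of grepping idp-process.log is my substitution: the binding is a dedicated field there, so no free-text match is needed.

```python
"""Answer two questions from idp-audit.log: which attributes were released to an
SP, and when an inbound binding was last used (so its endpoint can be dropped).

Added example, not code from SWITCH or the Shibboleth IdP. The field layout is an
assumption (see lead-in); the sample lines are constructed.
"""

# Field names for the assumed audit format %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i
AUDIT_FIELDS = ["time", "in_binding", "in_msg_id", "sp", "profile", "idp",
                "out_binding", "out_msg_id", "user", "authn_ctx", "attrs",
                "nameid", "assertion_id"]

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: two browser SSO logins, one SAML1 attribute query from 2014
# and a reload event (which has no relying party and no attributes).
SAMPLE_AUDIT = """\
20141203T093000Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_q1|https://old-sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r1||urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|eduPersonAffiliation|_n1|_a1
20150601T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_m1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|_n2|_a2
20150610T141200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_m2|https://sp.interfed.example/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r3|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation|_n3|_a3
20150611T120000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""


def parse_audit(text):
    """Yield one dict per audit record; lines with the wrong field count are skipped."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(AUDIT_FIELDS):
            continue
        rec = dict(zip(AUDIT_FIELDS, parts))
        rec["attrs"] = set(filter(None, rec["attrs"].split(",")))
        yield rec


def release_check(text, sp_entity_id, required):
    """Compare the attributes last released to sp_entity_id with the SP's requirements.

    released is None when the log holds no record for that SP at all: the IdP never
    answered it, so look at metadata and discovery, not at the release policy.
    """
    last = None
    for rec in parse_audit(text):
        if rec["sp"] == sp_entity_id:
            last = rec                      # records are chronological; keep the newest
    if last is None:
        return {"released": None, "missing": set(required), "user": None}
    return {"released": last["attrs"], "missing": set(required) - last["attrs"],
            "user": last["user"]}


def last_use_by_binding(text):
    """Newest timestamp and relying party per inbound binding.

    %T timestamps like 20150611T120000Z sort correctly as plain strings.
    """
    seen = {}
    for rec in parse_audit(text):
        b = rec["in_binding"]
        if b and (b not in seen or rec["time"] > seen[b][0]):
            seen[b] = (rec["time"], rec["sp"])
    return seen


def unused_bindings(text, candidates, since):
    """Candidate bindings with no use at or after `since` (same timestamp format).

    A binding absent from the log is reported too; only remove its endpoint if the
    log history really covers the whole period, because the files roll over.
    """
    last = last_use_by_binding(text)
    return [b for b in candidates if b not in last or last[b][0] < since]


if __name__ == "__main__":
    print(release_check(SAMPLE_AUDIT, "https://sp.interfed.example/shibboleth",
                        ["eduPersonPrincipalName", "mail"]))
    print(unused_bindings(SAMPLE_AUDIT, [SAML1_SOAP, SAML2_SIMPLESIGN], "20150101T000000Z"))
```

On a real IdP, concatenate the rotated files (`cat idp-audit-2015-*.log idp-audit.log`) and pass the text in; the required-attribute list comes from the SP's entry in the Resource Registry.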

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
• Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
• A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Page 70

Example Environment (figures on slides 5 and 6)

Page 71

Options
• Full-featured setup: load balancing hardware vs DNS round robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for the short-lived conversation sessions)
  • DNS round robin doesn't work reliably
    • The behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (active/standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options
• Data storage: client-side vs server-side
  • A server-side database can store any data
    • But: might cause some performance penalty
    • A centralized/clustered or replicated database is required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts.
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
  • Why it matters: a per-node cache only detects a replayed message that reaches the same node; the same message sent to another node within its validity window is accepted as new

Page 73

Storage Recommendations

Storage Entity       | Recommended Storage | Scope
---------------------|---------------------|-----------
Conversation Session | Memory              | Per Node
IdP User Session     | Client              | Per Client
Persistent ID        | Common Database     | Cluster
User consents        | Common Database     | Cluster
SAML artifacts       | Common Database     | Cluster
Message replay cache | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
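To turn the recommendations table and the idp.properties keys above into a check you can run on each node before joining it to a cluster, here is an added example (my code, not SWITCH's or the IdP's). It reads the four storage properties from idp.properties, maps each configured bean to where it keeps its data, and flags entities whose storage is not cluster-safe. The property names are the ones on the slide; the bean-to-scope mapping, the stock defaults used when a key is commented out, and the sample file are my assumptions.

```python
"""Check the storage services in idp.properties against the clustering
recommendations on the "Storage Recommendations" slide.

Added example, not code from SWITCH or the Shibboleth IdP. The property names are
the ones on the slide; the bean-to-scope mapping and the stock defaults are my
reading of the IdP v3 distribution (assumption); the sample file is constructed.
"""

# Acceptable storage scopes per entity in a cluster (from the recommendations table;
# the replay cache may stay per node, the default, or be shared for higher security).
CLUSTER_OK = {
    "idp.session.StorageService":     {"client"},
    "idp.consent.StorageService":     {"shared"},
    "idp.artifact.StorageService":    {"shared"},
    "idp.replayCache.StorageService": {"memory", "shared"},
}
# Values the stock idp.properties uses when the key is commented out (assumption).
DEFAULTS = {
    "idp.session.StorageService": "shibboleth.ClientSessionStorageService",
    "idp.consent.StorageService": "shibboleth.ClientPersistentStorageService",
    "idp.artifact.StorageService": "shibboleth.StorageService",
    "idp.replayCache.StorageService": "shibboleth.StorageService",
}
# Where each storage bean keeps its data. JPA = the database configured in global.xml.
SCOPE_OF_BEAN = {
    "shibboleth.StorageService": "memory",                   # per node
    "shibboleth.ClientSessionStorageService": "client",      # encrypted session cookie
    "shibboleth.ClientPersistentStorageService": "client",   # persistent cookie
    "shibboleth.JPAStorageService": "shared",                # common database
}
WHY = {
    "idp.session.StorageService": "sessions would be bound to one node, so failover forces a re-login",
    "idp.consent.StorageService": "consents are lost when the user switches node or browser",
    "idp.artifact.StorageService": "an artifact issued by one node cannot be resolved on another",
    "idp.replayCache.StorageService": "a per-node cache does not catch replays sent to another node",
}


def parse_properties(text):
    """Minimal Java .properties reader: key = value (or key: value), '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_cluster_storage(props):
    """One finding per storage entity: configured bean, its scope, and whether that
    is acceptable for a multi-node IdP (unknown beans are never accepted)."""
    findings = []
    for key, ok_scopes in CLUSTER_OK.items():
        bean = props.get(key, DEFAULTS[key])
        scope = SCOPE_OF_BEAN.get(bean, "unknown")
        ok = scope in ok_scopes
        findings.append({"property": key, "bean": bean, "scope": scope, "ok": ok,
                         "note": None if ok else WHY[key]})
    return findings


# Constructed sample: a single-node SWITCHaai-style file where consents already use
# the database but artifacts still live in per-node memory.
SAMPLE_PROPERTIES = """
# storage services, /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.StorageService
#idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for f in check_cluster_storage(parse_properties(SAMPLE_PROPERTIES)):
        state = "ok" if f["ok"] else "FIX: " + f["note"]
        print("%-33s %-42s %s" % (f["property"], f["bean"], state))
```

A memcached-backed bean would also count as "shared"; add its bean ID to SCOPE_OF_BEAN if you use one. Note that the check cannot see the Persistent ID store, which lives in global.xml rather than idp.properties.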

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Caveat: the copy must reach every node before the new key is used to seal cookies, otherwise a session cookie written by the generating node cannot be decrypted on a node that still has the old keystore and the user is forced to log in again. Older key versions must stay available until every cookie sealed with them has expired.

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References, Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  • Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
• http://www.edugain.org
• https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation/
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                                      | Defined in | Example
---------------------------------------------------|------------|------------------------------------------------------------------------------------------------
displayName                                        | eduPerson  | Peter Sample
common name (cn)                                   | eduPerson  | Peter Sample
mail                                               | eduPerson  | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation  | eduPerson  | staff / staff@example.org
eduPersonPrincipalName                             | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                              | SCHAC      | example.org
schacHomeOrganizationType                          | SCHAC      | urn:schac:homeOrganizationType:ch:university, urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID           | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
• Policy framework (figure): eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
• Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (figure: entity category attribute in an entity's metadata)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale
• Increase the trust in Service Providers (SPs)
  • Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment
• Code of Conduct Toolkit
  • Data Protection Code of Conduct for SPs in EU/EEA
  • Entity category attribute definition for the Code of Conduct
  • SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
Links
• http://www.geant.net/uri/dataprotection-code-of-conduct/v1
• https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
• Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                 | GÉANT DP CoCo
---------------------------|-------------------------------
Global                     | Mainly Europe
Common purpose of the SPs  | Common data protection standards
Fixed set of attributes    | SP can require any attributes
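The following added example (my code, not SWITCH's or the IdP's) shows what an IdP operator actually reads out of the metadata discussed in this deck and in the "New Challenges" troubleshooting slides: whether an SP is present in the interfederation aggregate at all, whether it publishes signing and encryption keys (the IdP can only encrypt assertions for, and only verify signed attribute queries from, keys it finds here), which entity categories it carries, and what the R&S / CoCo comparison above means for attribute release. The metadata is constructed (two fictitious SPs, truncated certificates); the release rules are an illustration, not the Resource Registry's policy; the R&S category URI http://refeds.org/category/research-and-scholarship and the entity-category attribute name http://macedir.org/entity-category are the published identifiers.

```python
"""Inspect an SP in interfederation metadata and derive a category-driven release.

Added example, not code from SWITCH or the Shibboleth IdP. The metadata is constructed
(two fictitious SPs, truncated certificates); the release rules illustrate the R&S /
CoCo comparison and are not SWITCH's Resource Registry policy.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"
# R&S attribute bundle as listed on the slide: identifiers, person name, affiliation.
RS_BUNDLE = {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"}

SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
 <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
   </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rs-sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
   </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://coco-sp.example.org/Shibboleth.sso/SAML2/POST"/>
   <md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">CoCo SP</md:ServiceName>
    <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
    <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
    <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_metadata(text):
    return ET.fromstring(text)


def inspect_sp(root, entity_id):
    """Facts the IdP needs about an SP, or None if the entity is not in this aggregate
    (not interfederated, opted out, or the change has not propagated yet)."""
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") == entity_id:
            break
    else:
        return None
    info = {"entity_id": entity_id, "sp_role": False, "signing": 0, "encryption": 0,
            "categories": set(), "requested": []}
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            info["categories"].update(v.text.strip() for v in
                                      attr.findall("saml:AttributeValue", NS) if v.text)
    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is None:
        return info
    info["sp_role"] = True
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")                 # no 'use' attribute: key serves both purposes
        info["signing"] += use in (None, "signing")
        info["encryption"] += use in (None, "encryption")
    for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        info["requested"].append((ra.get("FriendlyName") or ra.get("Name"),
                                  ra.get("isRequired") == "true"))
    return info


def attributes_to_release(info):
    """Category-driven release: R&S gets the fixed bundle, a CoCo SP gets what it marks
    as required in its own metadata (releasing its optional attributes as well is a
    local decision), and anything else needs an explicit per-SP rule."""
    release = set()
    if RS in info["categories"]:
        release |= RS_BUNDLE
    if COCO in info["categories"]:
        release |= {name for name, required in info["requested"] if required}
    return release


if __name__ == "__main__":
    root = load_metadata(SAMPLE_METADATA)
    for eid in ("https://rs-sp.example.org/shibboleth", "https://coco-sp.example.org/shibboleth"):
        info = inspect_sp(root, eid)
        print(eid, "signing:", info["signing"], "encryption:", info["encryption"],
              "release:", sorted(attributes_to_release(info)))
        if not info["encryption"]:
            print("  no encryption key: the IdP cannot encrypt assertions for this SP")
```

Point it at /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml to answer the "is it in my metadata?" question from the troubleshooting slide; a None result for an SP that the Resource Registry shows as interfederated usually means the metadata has not propagated yet.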

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (figure)

Page 88

Attribute Release Settings (1)
(figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(figure)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Log files
  • error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: messages of the web applications deployed on the localhost host (servlet exceptions etc.), also configured in logging.properties
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST), ...)
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok. Change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN"/>
      <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html
Note: the SMTPAppender's default evaluator only sends a mail when an ERROR-level event arrives, and that mail contains a buffer of the preceding events as context; the DEBUG root level fills that buffer but does not mail every message. Because the buffered events can contain user names and request details, send these mails only to a mailbox under the IdP operators' control.

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  • attribute resolver (attribute-resolver.xml)
  • attribute filtering engine (attribute-filter.xml)
  • profile handler manager (handler.xml)
  • relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
  • keep it that way: beyond that address-based access control the reload flows are not authenticated, so anyone who can reach them can force reloads at will (a failed reload keeps the previous configuration active, but the reload itself is still a lever for disruption)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified... requesting the respective URL with curl seems more straightforward
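A small client for the two admin flows above, as an added example (my code, not SWITCH's reload scripts nor anything shipped with the IdP): it builds the reload-service / reload-metadata URL for a given ID, rejects IDs that are not on the allow list before any request is sent (the service IDs are the ones these handouts list; metadata provider IDs are deployer-defined and must be passed in), and reloads a sequence of services stopping at the first failure. The hostname is the slide's example; the HTTP transport is injectable so the logic can be exercised without a running IdP.

```python
"""Trigger IdP v3 configuration reloads over the admin flows, with an allow list
for the bean IDs.

Added example, not code from SWITCH or the Shibboleth IdP. URL layout as on the
slide; SERVICE_IDS as listed in these handouts; metadata provider IDs come from
conf/metadata-provider-*.xml and are passed in by the caller.
"""
import urllib.error
import urllib.parse
import urllib.request

SERVICE_IDS = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}


def reload_url(base, kind, target_id, metadata_ids=()):
    """URL of the reload-service / reload-metadata flow for target_id.

    Unknown IDs are rejected locally before any request is made: a typo then
    produces an error here instead of an IdP round trip and an audit entry that
    does not even record which id= was supplied.
    """
    if kind == "service":
        known = SERVICE_IDS
    elif kind == "metadata":
        known = set(metadata_ids)
    else:
        raise ValueError("kind must be 'service' or 'metadata'")
    if target_id not in known:
        raise ValueError("unknown %s id: %s" % (kind, target_id))
    return "%s/profile/admin/reload-%s?%s" % (
        base.rstrip("/"), kind, urllib.parse.urlencode({"id": target_id}))


def _http_get(url):
    """Default transport: plain GET. Access control is the IdP's (localhost by default)."""
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def reload(base, kind, target_id, metadata_ids=(), fetch=_http_get):
    """Reload one service or metadata provider; returns (ok, status, body)."""
    status, body = fetch(reload_url(base, kind, target_id, metadata_ids))
    return 200 <= status < 300, status, body


def reload_all(base, targets, metadata_ids=(), fetch=_http_get):
    """Reload several (kind, id) pairs in order, stopping at the first failure so a
    broken attribute filter is noticed before the resolver is touched as well."""
    results = []
    for kind, target_id in targets:
        ok, status, _ = reload(base, kind, target_id, metadata_ids, fetch)
        results.append((kind, target_id, ok, status))
        if not ok:
            break
    return results


if __name__ == "__main__":
    base = "https://aai-login.example.org/idp"
    print(reload_url(base, "service", "shibboleth.AttributeFilterService"))
    # Real call; must run on the IdP host or from an address allowed in access-control.xml:
    # print(reload(base, "service", "shibboleth.AttributeFilterService"))
```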

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  • edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  • say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course... but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed above:
  curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
  • check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
  • entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
    How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

© 2015 SWITCH

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so one cannot tell whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – The SP does not load the interfederation metadata
  – The SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
  – The IdP has no metadata for that SP, so the request falls into the configuration for unknown (anonymous) relying parties, which by default has no SSO profile enabled

Page 101

Attributes
• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  – If NO: check your IdP's attribute release policy
  – If YES: were all required attributes released?
    – If YES: the SP has to find out why it fails
    – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier. (The IdP encrypts the assertion for the encryption certificate published in the SP's metadata, so the SP must hold the matching private key.)

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN list of entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search for it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Upgrading Procedure
• Download the latest Identity Provider software package: https://shibboleth.net/downloads/identity-provider/latest/ (tar.gz package recommended for Linux). Verify the package's PGP signature (the .asc file published next to it) before unpacking.
• Unpack it at any convenient location (it won't be needed afterwards)
• Change into the newly created distribution directory
• Run bin/install.sh to upgrade the current deployment in /opt/shibboleth-idp
• Review any necessary changes (e.g. based on the information from SWITCH or from the release notes)
• Run /opt/shibboleth-idp/bin/build.sh to re-build the war file
• Restart Tomcat to activate the new version
  – Ubuntu: sudo service tomcat7 restart
  – Red Hat/CentOS: sudo systemctl restart tomcat.service

Good to know
• There are two distinct areas below /opt/shibboleth-idp
  – Unmanaged directories: directories managed by you (not touched by upgrades), e.g. conf, views, edit-webapp
  – Managed directories: system directories managed by the IdP software (updated during upgrades), e.g. system, webapp
• Never touch the system directories system and webapp; customisations of the web application belong in edit-webapp, from where build.sh merges them into the war file
• Upgrades may introduce new features that require adaptations to the configuration to make use of them, but the existing configuration should still work without these changes

Page 60

References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description
Changes in the Resource Registry
SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN? Its SAML2 metadata.

Page 62

Does the metadata change when the IdP is upgraded? Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore, in theory no metadata/Resource Registry change is needed
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change the metadata, change the Home Organisation Description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description (screenshot of the Resource Registry form: items 1 and 2 are to review, item 3 is to adapt)

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information at https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: a separate port (i.e. 8443) or a separate IP address for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority
New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key from metadata.

Page 66

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used! Keep in mind that SPs keep using an endpoint until their copy of the IdP metadata has been refreshed (two hours within SWITCHaai, one to a few days via interfederation), so a removal that breaks an SP only shows up after that delay.

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check whether it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding requests in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns the information (i.e. time and SP) when the binding was used the last time.

Page 68
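The two questions above, "was this binding used recently?" from this slide and "were all required attributes released?" from the Attributes checklist in the interfederation troubleshooting slides, can both be answered from idp-audit.log instead of grepping idp-process.log. The following is an added example (not from the handout or the IdP software) that does so. It assumes the IdP v3 default audit layout %T|%b|%I|%SP|%P|%u|%a|… (time, inbound binding, request ID, relying party, profile, principal, released attributes) from conf/audit.xml; the log lines it processes are constructed for the example.

```python
"""Answer two operational questions from idp-audit.log lines.

Added example, not part of the SWITCH handout or the Shibboleth IdP:
(1) were the required attributes released to a given SP, and
(2) when was each inbound SAML binding last used, so that unused
endpoints can be removed from the Resource Registry.
Assumed field order (IdP v3 default in conf/audit.xml):
  %T|%b|%I|%SP|%P|%u|%a|...
Adjust FIELDS if your deployment uses another layout.
"""
from datetime import datetime

FIELDS = ["time", "inbound_binding", "request_id", "relying_party",
          "profile", "principal", "attributes"]   # leading fields of the assumed layout
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample lines (not from a real IdP); the last one is a reload event
# as shown on the "reloading" slides, with no binding and no relying party.
SAMPLE_LOG = """\
20150608T071200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|eduPersonPrincipalName,mail,displayName|
20150609T093000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b2|https://sp2.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|eduPersonTargetedID,eduPersonScopedAffiliation|
20150112T101500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_c3|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|jdoe|eduPersonPrincipalName|
20150611T120000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
"""


def parse_time(raw):
    """Audit timestamps look like 20150608T071200Z (UTC)."""
    return datetime.strptime(raw, "%Y%m%dT%H%M%SZ")


def parse_line(line):
    """One audit line -> dict, or None for lines shorter than the assumed layout."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
    rec["time_raw"] = parts[0]
    rec["time"] = parse_time(parts[0])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def check_release(records, sp, required):
    """Compare the attributes in the most recent record for sp with what the SP requires.
    Returns None when the audit log has no record for sp at all (step "If NO" on the slide)."""
    hits = [r for r in records if r["relying_party"] == sp]
    if not hits:
        return None
    latest = max(hits, key=lambda r: r["time"])
    released = set(latest["attributes"])
    return {"released": sorted(released), "missing": sorted(set(required) - released)}


def binding_last_use(records):
    """inbound binding -> (time_raw, relying party) of its most recent use."""
    last = {}
    for r in records:
        b = r["inbound_binding"]
        if b and (b not in last or r["time"] > last[b][0]):
            last[b] = (r["time"], r["time_raw"], r["relying_party"])
    return {b: (raw, sp) for b, (_, raw, sp) in last.items()}


def removal_candidates(records, as_of, published, max_age_days=90):
    """Published bindings never seen in the log, or last seen more than
    max_age_days before as_of: the endpoints to consider removing."""
    cutoff = parse_time(as_of)
    last = binding_last_use(records)
    return sorted(b for b in published
                  if b not in last or (cutoff - parse_time(last[b][0])).days > max_age_days)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(check_release(recs, "https://sp.example.org/shibboleth",
                        ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"]))
    for binding, (when, sp) in binding_last_use(recs).items():
        print(f"{binding}: last used {when} by {sp}")
    published = ["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                 "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                 SAML1_SOAP, SAML2_POST_SIMPLESIGN]
    print("candidates for removal:", removal_candidates(recs, "20150611T000000Z", published))
```

Feed it the concatenation of the rotated idp-audit-*.log files for the period you care about; a binding that appears in the metadata but never in the log is listed as a removal candidate just like one whose last use is older than the threshold.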

SWITCHaai Team, aai@switch.ch

Clustering IdPs
High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken out without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially: user login sessions are stored on the client instead of in server memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore, clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram; two slides)

Page 71

Options
• Full-featured setup: load balancing hardware vs. DNS round robin
  – Special load balancing hardware or software is highly recommended
    – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    – Supports sticky sessions (required for short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    – The behavior of clients is not determinable
    – Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy

Options
• Data storage: client-side vs. server-side
  – A server-side database can store any data
    – But: might cause some performance penalty
    – Centralized/clustered or replicated database required
  – Client-side storage using cookies
    – Doesn't work for large data like user consents
    – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique, opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration). A message already consumed by one node could then be replayed against another node, which is what a shared cache prevents.
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: common database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Note that the keystore and its version file belong together: the IdP notices a new key by re-reading the version file, so copy both to every node, and keep the previous keys in the keystore until the sessions sealed with them have expired, otherwise those sessions become unreadable and the users have to log in again.

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry
Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option
What to consider before enabling an IdP for interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time-consuming and becomes a huge overhead: e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (world map; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation                       eduPerson    staff
eduPersonScopedAffiliation                 eduPerson    staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
(screenshot of the Resource Registry interfederation settings)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram: the eduGAIN Constitution and the eduGAIN Declaration, with the Metadata Profile, Web SSO Profile, Attribute Profile and Code of Conduct as the profiles underneath)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international, coherent use
• Criteria:
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (example metadata shown on the slide)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

             REFEDS R&S                  GÉANT DP CoCo
Scope        Global                      Mainly Europe
Basis        Common purpose of the SPs   Common data protection standards
Attributes   Fixed set of attributes     SP can require any attributes

Page 87
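To make the comparison concrete, here is an added example (not from the handout, SWITCH, REFEDS or GÉANT) that reads a small SAML metadata aggregate and shows how the two categories appear in it: the category URI is carried as an entity attribute, an R&S SP is handed the fixed attribute bundle listed on the R&S slide, a CoCo SP gets only the attributes it marks as required (and only if it publishes the privacy statement the Code of Conduct demands), and an untagged SP gets nothing automatically. The metadata is constructed for the example, and the release rule is this example's reading of the slides, not the text of either specification.

```python
"""Read entity categories and requested attributes from SAML metadata.

Added example (not from the SWITCH handout or any federation tool): shows
how the REFEDS R&S and GEANT DP CoCo tags travel in metadata and derives
the attribute set a category-based release rule would hand to each SP.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# Fixed R&S bundle as listed on the slide: identifiers, name, affiliation, pseudonymous ID.
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation", "eduPersonTargetedID")

# Constructed metadata (not a real federation feed): one R&S SP, one CoCo SP, one untagged SP.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:mdui="{NS['mdui']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}"><saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}"><saml:AttributeValue>{COCO}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:PrivacyStatementURL xml:lang="en">https://coco-sp.example.org/privacy</mdui:PrivacyStatementURL>
      </mdui:UIInfo></md:Extensions>
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Category URIs asserted for an EntityDescriptor via the entity-category attribute."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def requested_attributes(sp):
    """FriendlyName -> isRequired for the SP's AttributeConsumingService entries."""
    return {ra.get("FriendlyName"): ra.get("isRequired", "false").lower() == "true"
            for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)}


def has_privacy_statement(sp):
    return sp.find("md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL", NS) is not None


def describe(metadata_text):
    """entityID -> categories, requested attributes and privacy statement flag, for every SP."""
    out = {}
    for ent in ET.fromstring(metadata_text).findall("md:EntityDescriptor", NS):
        sp = ent.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue                      # IdPs carry no attribute requirements
        out[ent.get("entityID")] = {"categories": entity_categories(ent),
                                    "requested": requested_attributes(sp),
                                    "privacy_statement": has_privacy_statement(sp)}
    return out


def releasable(info):
    """Attributes a category-based rule would release, following the comparison slide:
    R&S: the fixed bundle; CoCo: only attributes the SP marks as required, and only if it
    publishes a privacy statement; no category: nothing automatic (Resource Registry decides)."""
    if RS in info["categories"]:
        return sorted(RS_BUNDLE)
    if COCO in info["categories"] and info["privacy_statement"]:
        return sorted(a for a, required in info["requested"].items() if required)
    return []


if __name__ == "__main__":
    for entity_id, info in describe(SAMPLE_METADATA).items():
        print(entity_id, sorted(info["categories"]), "->", releasable(info))
```

Point describe() at the interfederation metadata file the IdP loads to see which tags the SPs you are asked about actually carry; an SP that claims R&S or CoCo on its website but has no entity attribute in the metadata gets nothing from a category-based rule.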

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration
How attributes are released

Attribute Release Rules

Page 88

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: aai-login.example.org.error.log
  – LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available
  – file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
  – FileHandler.level = INFO (one of SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (AccessLogValve: output dir and file name)
  – localhost.YYYY-MM-DD.log, by contrast, is the per-host application log configured in logging.properties

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  – LDAP auth module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <!-- mails are sent when an ERROR-level event is logged (the SMTPAppender's default trigger),
       together with the events buffered before it -->
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat

Page 94

Reloading the Configuration
New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achievable by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
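As an added example (not code from the handout or the Shibboleth project), the following Python script does what the curl call above does for a whole list of services, run on the IdP host itself because the reload flows only accept requests from localhost by default. It assumes that a successful reload answers HTTP 200 and that anything else, including a connection failure, means the new configuration is not active; the bean list it reads is a constructed excerpt in the style of services-system.xml, not the real file, and aai-login.example.org is the handout's placeholder hostname.

```python
"""Trigger IdP v3 service reloads over the admin flow and report failures.

Added example, not part of the SWITCH handout or the Shibboleth IdP. It builds
the reload-service URLs shown on the slide, calls them, and treats anything but
HTTP 200 (or a connection error) as a failed reload. Assumption: the reload flow
answers 200 on success; check your IdP's response once before relying on it.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SPRING_BEANS = "http://www.springframework.org/schema/beans"

# Constructed excerpt in the style of /opt/shibboleth-idp/system/conf/services-system.xml;
# not a copy of the real file, whose content is authoritative for your deployment.
SERVICES_SYSTEM_XML = f"""<beans xmlns="{SPRING_BEANS}">
  <bean id="shibboleth.LoggingService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeFilterService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.AttributeResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.MetadataResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService"/>
  <bean id="shibboleth.DefaultAttributeFilterResources" class="java.util.ArrayList"/>
</beans>"""


def reloadable_service_ids(xml_text):
    """Bean IDs of reloadable services in a services-system.xml-style file.
    Heuristic: service bean ids end in 'Service'; resource lists end in 'Resources'."""
    root = ET.fromstring(xml_text)
    return [b.get("id") for b in root.iter(f"{{{SPRING_BEANS}}}bean")
            if b.get("id", "").endswith("Service")]


def reload_url(base_url, service_id):
    return (f"{base_url.rstrip('/')}/idp/profile/admin/reload-service"
            f"?id={urllib.parse.quote(service_id, safe='')}")


def reload_service(base_url, service_id, opener=urllib.request.urlopen, timeout=30):
    """Return (service_id, http_status_or_None, message). Only status 200 counts as success."""
    url = reload_url(base_url, service_id)
    try:
        with opener(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            return service_id, resp.status, body
    except urllib.error.HTTPError as err:          # unknown id, rejected config, access denied
        return service_id, err.code, str(err.reason)
    except (urllib.error.URLError, OSError) as err:  # IdP down, TLS failure, timeout
        return service_id, None, str(err)


def reload_all(base_url, service_ids, opener=urllib.request.urlopen):
    """Reload every service; returns (all results, the failed ones)."""
    results = [reload_service(base_url, sid, opener) for sid in service_ids]
    failed = [r for r in results if r[1] != 200]
    return results, failed


if __name__ == "__main__":
    ids = reloadable_service_ids(SERVICES_SYSTEM_XML)
    results, failed = reload_all("https://aai-login.example.org", ids)
    for sid, status, msg in results:
        print(f"{sid}: {status} {msg}")
    raise SystemExit(1 if failed else 0)
```

A non-zero exit status flags a service whose new configuration the IdP rejected (the case the syntax-error hands-on exercise provokes), so the script can be wired into a deployment step that must not silently leave the old configuration active; the opener parameter exists so the behaviour can be exercised without a running IdP.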

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation Metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out beforehand
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search for it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


References / Documentation
• Upgrading: https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading
• Release Notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Page 61

Updating the Home Organisation Description: Changes in Resource Registry

SWITCHaai Team, aai@switch.ch

What technically defines your Identity Provider in SWITCHaai or eduGAIN?
Its SAML2 Metadata

Page 62

Does metadata change when the IdP is upgraded?
Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs. IdPv3 Metadata
• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
(screenshot of the Resource Registry form: sections 1, 2 to review; section 3 to adapt)

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1. General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed. More information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2. Descriptive Information
  • Add new IP ranges and Domain Hints
• 5. Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7. Attribute Release Settings
  • Default attribute release policies. Consider releasing all R&S attributes.

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New Recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP webserver certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
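As an added example (not from the SWITCH slides or the Shibboleth project), the following Python script generalises the grep above to all SAML bindings at once: it scans idp-process.log lines, reports per binding how often and when it was last used and by which relying party, and then states for each removal candidate from the previous slide whether the logs show it in use. The log lines, the logger name and the "relying party '…'" phrase are constructed for the example; the real IdP message text differs, so RP_RE must be adapted to your log pattern.

```python
"""Check SAML binding usage in idp-process.log before removing endpoints.

Added example, not part of the SWITCH handouts. Sample lines are CONSTRUCTED;
only the binding URNs are standard SAML identifiers.
"""
import glob
import re
from collections import defaultdict

# Standard SAML binding URNs behind the endpoints discussed on the slides.
BINDING_NAMES = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding": "SAML1 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign": "SAML2 HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "SAML2 HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "SAML2 HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SAML2 SOAP",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "SAML2 HTTP-Artifact",
}

# Removal candidates from the slide "3. Remove Unnecessary Endpoints".
REMOVAL_CANDIDATES = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
)

# Greedy token match, so "...HTTP-POST" never matches inside "...HTTP-POST-SimpleSign".
BINDING_RE = re.compile(r"urn:oasis:names:tc:SAML:[12]\.0:bindings:[A-Za-z-]+")
# idp-process.log lines start with "YYYY-MM-DD HH:MM:SS,mmm".
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# ASSUMED phrase naming the relying party; adapt to your actual log messages.
RP_RE = re.compile(r"relying party '([^']+)'")

# Constructed sample lines in the shape of idp-process.log (not real IdP output).
SAMPLE_LOG = """\
2015-01-14 09:02:11,512 - DEBUG [constructed.logger.Name:42] - Decoded message, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party 'https://sp1.example.org/shibboleth'
2015-02-20 17:45:03,001 - DEBUG [constructed.logger.Name:42] - Decoded message, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, relying party 'https://sp2.example.org/shibboleth'
2015-03-02 14:55:09,777 - DEBUG [constructed.logger.Name:42] - Decoded message, binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding, relying party 'https://legacy.example.org/shibboleth'
2015-03-02 14:55:10,020 - DEBUG [constructed.logger.Name:42] - Decoded message, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party 'https://sp1.example.org/shibboleth'
2015-04-11 08:13:27,314 - INFO [constructed.logger.Name:17] - Created session for principal 'psample' (no binding on this line)
2015-05-30 21:08:42,129 - DEBUG [constructed.logger.Name:42] - Decoded message, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, relying party 'https://sp3.example.org/shibboleth'
"""


def binding_usage(lines):
    """Return {binding_urn: {"count", "last_seen", "relying_parties"}} for every
    known binding that occurs in the lines. Lines are assumed to be in
    chronological order, as they are in a log file, so the last match wins."""
    usage = defaultdict(lambda: {"count": 0, "last_seen": None, "relying_parties": set()})
    for line in lines:
        match = BINDING_RE.search(line)
        if not match or match.group(0) not in BINDING_NAMES:
            continue  # no binding on this line, or one we do not track
        entry = usage[match.group(0)]
        entry["count"] += 1
        stamp = TIMESTAMP_RE.match(line)
        if stamp:
            entry["last_seen"] = stamp.group(1)
        party = RP_RE.search(line)
        if party:
            entry["relying_parties"].add(party.group(1))
    return dict(usage)


def scan_files(pattern="/opt/shibboleth-idp/logs/idp-process-2015-*.log"):
    """Scan every rotated log file matching the glob (path taken from the slides)."""
    def all_lines():
        for path in sorted(glob.glob(pattern)):
            with open(path, errors="replace") as handle:
                yield from handle
    return binding_usage(all_lines())


def removal_report(usage, candidates=REMOVAL_CANDIDATES):
    """For each removal candidate, say whether the scanned logs show it in use."""
    report = {}
    for urn in candidates:
        entry = usage.get(urn)
        if entry is None:
            report[urn] = "unused in the scanned logs"
        else:
            report[urn] = "used %d time(s), last %s by %s" % (
                entry["count"], entry["last_seen"], ", ".join(sorted(entry["relying_parties"])))
    return report


if __name__ == "__main__":
    found = binding_usage(SAMPLE_LOG.splitlines())
    for urn, entry in sorted(found.items()):
        print("%-28s %3d  last seen %s" % (BINDING_NAMES[urn], entry["count"], entry["last_seen"]))
    for urn, verdict in removal_report(found).items():
        print("%s: %s" % (BINDING_NAMES[urn], verdict))
```

Against real logs, replace the sample with scan_files() and widen the glob to cover the months you want to look back over.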

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  • Especially: user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment
(two diagram slides)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs. DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs. server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity        Recommended Storage   Scope
Conversation Session  Memory                Per Node
IdP User Session      Client                Per Client
Persistent ID         Common Database       Cluster
User consents         Common Database       Cluster
SAML artifacts        Common Database       Cluster
Message replay cache  Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
  • Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  • Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
(map of federations, Production / Pilot; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in  Example
displayName                  eduPerson   Peter Sample
common name (cn)             eduPerson   Peter Sample
mail                         eduPerson   peter.sample@example.org
eduPersonAffiliation,        eduPerson   staff,
eduPersonScopedAffiliation               staff@example.org
eduPersonPrincipalName       eduPerson   234cd8z239@example.org
schacHomeOrganization        SCHAC       example.org
schacHomeOrganizationType    SCHAC       urn:schac:homeOrganizationType:ch:university,
                                         urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson   https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
(diagram: eduGAIN Declaration, eduGAIN Constitution; Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

(diagram: Metadata)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
(screenshot)

Page 88

Attribute Release Settings (1)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(screenshot)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log
  • aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log
  • aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback
  • Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  • log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
  • 3 main classes: Logger, Appender (output destination) and Layout
  • Default settings usually ok
  • Change it if required, e.g. for
    • LDAP Auth Module or authentication events
    • a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   • find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value:
   • change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml
   • set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   • insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id

• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml

• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml

• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)

• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService – logging configuration reload (logback.xml)
shibboleth.AttributeFilterService – attribute filter reload
shibboleth.AttributeResolverService – reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService – reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService – reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService – reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService – reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
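The reload flows and bean IDs above, as an added shell example (not code from the SWITCH handout or from the Shibboleth distribution): a helper that refuses bean IDs outside the list above before contacting the IdP, reports the HTTP status of the reload request, and counts the reload events that the hands-on slide of this slide set asks you to look for in idp-audit.log. The IdP host name, the audit log path and the sample audit lines are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example (not part of the SWITCH handout or the Shibboleth IdP
# distribution): helpers around the IdPv3 admin reload flows.
# Assumptions: the IdP host name, the audit log location and the sample
# audit lines below are constructed for this example.

IDP_HOST="${IDP_HOST:-aai-login.example.org}"
IDP_AUDIT_LOG="${IDP_AUDIT_LOG:-/opt/shibboleth-idp/logs/idp-audit.log}"

# Reloadable service bean IDs (the list from the "Available bean IDs" slide).
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# is_reloadable ID: exit status 0 if ID is one of the known service beans.
is_reloadable() {
    local id
    for id in $RELOADABLE_SERVICES; do
        [ "$id" = "$1" ] && return 0
    done
    return 1
}

# reload_url KIND ID: print the admin flow URL for KIND "service" or "metadata".
reload_url() {
    case "$1" in
        service)  printf 'https://%s/idp/profile/admin/reload-service?id=%s\n' "$IDP_HOST" "$2" ;;
        metadata) printf 'https://%s/idp/profile/admin/reload-metadata?id=%s\n' "$IDP_HOST" "$2" ;;
        *)        echo "reload_url: unknown kind '$1'" >&2; return 1 ;;
    esac
}

# reload_service ID: request a reload of service bean ID from the IdP.
# Unknown IDs are rejected locally: the hands-on slide shows that idp-audit.log
# records only the reload profile, not the id= argument, so a typo is easier
# to catch here. Run this on the IdP host itself, since access to the
# reload-* URLs is restricted to localhost by default (access-control.xml).
reload_service() {
    local code
    if ! is_reloadable "$1"; then
        echo "reload_service: '$1' is not a reloadable service bean" >&2
        return 2
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url service "$1")")
    if [ "$code" = "200" ]; then
        echo "reloaded $1"
    else
        echo "reload of $1 failed (HTTP $code), see idp-process.log" >&2
        return 1
    fi
}

# count_reload_events: read idp-audit.log lines on stdin and print how many
# record a reload-service-configuration or reload-metadata profile. The
# profile URI is one of the pipe-separated audit fields.
count_reload_events() {
    awk -F'|' '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-(service-configuration|metadata)$/) { n++; break } }
        END { print n + 0 }'
}

# Constructed sample audit lines in the shape shown on the hands-on slide
# (a time stamp stands in for the elided leading fields; not real log data).
SAMPLE_AUDIT='20150611T100000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T100100Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T100200Z||||http://shibboleth.net/ns/profiles/saml2/sso/browser||||||||'

# Usage: ./idp-reload.sh <service-bean-id>
if [ $# -gt 0 ]; then
    reload_service "$1"
fi
```

To count real reload events, pipe the audit log through the helper: `count_reload_events < "$IDP_AUDIT_LOG"`.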

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98


New Challenges with Interfederation SPs

Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Updating the Home Organisation Description – Changes in Resource Registry

What technically defines your Identity Provider in SWITCHaai or eduGAIN?

Its SAML2 Metadata!

Page 62

Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  • Unlike the upgrade from IdPv1 to IdPv2
  • Therefore no metadata/Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
  • Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

[screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  • Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information
  • Add new IP ranges and Domain Hints
• 5 Contacts
  • Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers
• 7 Attribute Release Settings
  • Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)

Why?
• Easier configuration because
  • only one Apache VirtualHost
  • one domain name and one certificate
  • no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider?

The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

Returns information (i.e. time, SP) when the binding was used the last time.
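The log check above, generalised as an added shell example (not from the SWITCH handout) to all three candidate endpoints: a function that counts the idp-process.log lines mentioning a binding URN and reports the date of the most recent one, run here over constructed sample lines. The log line shape (date first, as the IdP's default Logback pattern produces) and the sample lines are assumptions.

```shell
#!/bin/bash
# Added example (not from the SWITCH handout): check whether the endpoints
# that are candidates for removal have been used, by counting log lines that
# mention their binding URN and reporting the date of the most recent one.
# Assumption: each idp-process.log line starts with the date (YYYY-MM-DD);
# the sample lines below are constructed, not real log data.

LOG_DIR="${LOG_DIR:-/opt/shibboleth-idp/logs}"

# Binding URNs of the candidate endpoints named on the slide.
SAML2_POST_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'
SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'

# binding_usage URN: read log lines on stdin, print "<count> <last date>"
# ("0 never" when the binding does not appear at all). ISO dates compare
# correctly as strings, so the lexically largest date is the most recent.
binding_usage() {
    awk -v urn="$1" '
        index($0, urn) > 0 { n++; if ($1 > last) last = $1 }
        END { if (n) print n, last; else print 0, "never" }'
}

# report_candidates: run binding_usage for each candidate endpoint over all
# idp-process-2015-*.log files in LOG_DIR, one line per endpoint.
report_candidates() {
    local pair
    for pair in "SAML2 HTTP-POST-SimpleSign=$SAML2_POST_SIMPLESIGN" "SAML1 SOAP=$SAML1_SOAP"; do
        printf '%-28s %s\n' "${pair%%=*}:" \
            "$(cat "$LOG_DIR"/idp-process-2015-*.log 2>/dev/null | binding_usage "${pair#*=}")"
    done
}

# Constructed sample log lines in the shape of the IdP process log
# (logger names and SP entity IDs are made up for the example).
SAMPLE_LOG='2015-01-12 09:14:03,221 - INFO [net.shibboleth.idp.example.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp.example.org/shibboleth-sp
2015-03-30 17:02:45,010 - INFO [net.shibboleth.idp.example.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp.example.org/shibboleth-sp
2015-06-10 11:55:12,789 - INFO [net.shibboleth.idp.example.Logger:1] - Inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST from https://other.example.org/shibboleth'

# Usage: ./endpoint-usage.sh --report   (reads the real log files in LOG_DIR)
if [ $# -gt 0 ] && [ "$1" = "--report" ]; then
    report_candidates
fi
```

An endpoint reported as "0 never" over the whole retention period of the logs is a candidate for removal from the Resource Registry; one with a recent date is still in use.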

Page 68

Clustering IdPs – High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (figures, two slides)

Page 71

Options

• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but setup is easy

Options

• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry – Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option – What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

[map of production and pilot federations; source: https://refeds.org/federations/federations-map]

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation           eduPerson    staff
eduPersonScopedAffiliation     eduPerson    staff@example.org
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

[screenshot] https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
• Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

[diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

Entity Categories – GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other

In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (figure)

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

[diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home

Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

Page 87

Attribute Release Configuration – How attributes are released

Attribute Release Rules (figure)

Page 88

Attribute Release Settings (1)

[screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

[screenshot]

Page 89

Overview of Log Files

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log – LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback
  • Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability
  • log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok
• Change it if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

[screenshot]

Hands On II

1. cd /opt/shibboleth-idp/conf/
2. edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml:
   set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284] [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: reloads the logging configuration (logback.xml)
shibboleth.AttributeFilterService: reloads the attribute filter
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
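The curl call mentioned on the previous slide, wrapped into a small script. This is an added example, not part of the SWITCH handout or of the IdP distribution. It assumes the host name aai-login.example.org from the slides, the bean IDs listed above, and that it is run on the IdP host itself, because access-control.xml limits the reload-* flows to localhost by default. Unknown service bean IDs are rejected before the IdP is contacted, and anything but HTTP 200 is treated as a failed reload, with the response body kept because that is where the IdP reports what went wrong (for example a syntax error in the file being reloaded).

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): trigger IdP v3 service and
# metadata reloads over the admin flows and check the outcome.
# Assumptions: IdP base URL below, curl installed, run on the IdP host
# (the reload-* flows are restricted to localhost by default).

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# The reloadable service bean IDs as listed in the handout.
KNOWN_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService \
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService \
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService \
shibboleth.ReloadableAccessControlService"

# is_known_service ID -> exit 0 if ID is one of the reloadable service bean IDs
is_known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# reload_url KIND ID -> prints the admin flow URL for KIND (service|metadata)
reload_url() {
    case "$1" in
        service)  printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$2" ;;
        metadata) printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE" "$2" ;;
        *)        echo "unknown reload kind: $1 (use service or metadata)" >&2; return 1 ;;
    esac
}

# reload KIND ID -> calls the flow; refuses unknown service IDs before touching the IdP
reload() {
    kind="$1"; id="$2"
    if [ "$kind" = service ] && ! is_known_service "$id"; then
        echo "refusing unknown service bean ID: $id" >&2
        return 2
    fi
    url=$(reload_url "$kind" "$id") || return 2
    body=$(mktemp)
    # -s: quiet; -w prints the HTTP status after the body has been written to $body
    status=$(curl -s -o "$body" -w '%{http_code}' "$url")
    cat "$body"; rm -f "$body"
    if [ "$status" != 200 ]; then
        echo "reload of $id failed with HTTP $status" >&2
        return 1
    fi
}

# Usage: sh reload.sh service shibboleth.AttributeResolverService
#        sh reload.sh metadata SWITCHaaiMetadata
if [ $# -eq 2 ]; then
    reload "$1" "$2"
fi
```

The metadata provider IDs are not validated locally because they are deployment-specific (see the grep on the previous slide); the IdP answers an unknown one itself.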

Page 96

And restartless login page editing too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
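One way to work through the idp-audit.log question above, as an added example that is not part of the handout: the audit entries record only that a reload profile ran, while the id= argument sits in the request line that the Apache front end logged, so the two logs have to be read together. The script assumes the default idp-audit.log layout with the profile URI as the fifth pipe-separated field (the position the lines on the slide show), Apache's combined log format, and an Apache virtual host in front of Tomcat as in the SWITCH setup. Both sample logs are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): find reload events in
# idp-audit.log and the id= arguments behind them in the Apache access log.
# Assumptions: profile URI in field 5 of idp-audit.log; Apache combined log
# format; constructed sample lines below.

AUDIT_SAMPLE='20150611T071501Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T071530Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T071612Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_3f9a|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe||||||||'

ACCESS_SAMPLE='127.0.0.1 - - [11/Jun/2015:09:15:01 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 71 "-" "curl/7.38.0"
127.0.0.1 - - [11/Jun/2015:09:15:30 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaaiMetadata HTTP/1.1" 200 58 "-" "curl/7.38.0"
203.0.113.7 - - [11/Jun/2015:09:15:45 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.LoggingService HTTP/1.1" 403 199 "-" "curl/7.38.0"'

# reload_events < idp-audit.log -> "<timestamp> <profile URI>" for every reload event
reload_events() {
    awk -F'|' '$5 ~ /\/profiles\/reload-(service-configuration|metadata)$/ { print $1, $5 }'
}

# reload_requests < access.log -> "<client> <status> <kind> <id>" for every reload-*
# request, so that non-200 attempts (e.g. from a host access-control.xml does not
# allow) stand out next to the successful ones
reload_requests() {
    awk '
        match($0, /\/idp\/profile\/admin\/reload-[a-z]+\?id=[^ &"]+/) {
            req = substr($0, RSTART, RLENGTH)
            sub(/.*reload-/, "", req); sub(/\?id=/, " ", req)
            # $1 is the client address; the status code follows the quoted request line
            split($0, parts, "\"")
            split(parts[3], tail, " ")
            print $1, tail[1], req
        }'
}

# Usage: sh reload-audit.sh /opt/shibboleth-idp/logs/idp-audit.log \
#                           /var/log/apache2/aai-login.example.org.access.log
if [ $# -eq 2 ]; then
    reload_events < "$1"
    reload_requests < "$2"
else
    printf '%s\n' "$AUDIT_SAMPLE" | reload_events
    printf '%s\n' "$ACCESS_SAMPLE" | reload_requests
fi
```

Matching the two outputs by time answers the exercise question; a reload request without a corresponding audit entry, or one from an address other than localhost or the Resource Registry, is worth a closer look.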

Page 98

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up to date, the interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – The SP does not load the interfederation metadata
  – The SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      If YES: the SP has to check out why it fails
      If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


Does metadata change when the IdP is upgraded?

Fortunately not, but revising the metadata still might cause some minor changes.

Page 63

IdPv2 vs IdPv3 Metadata

• Endpoint URLs stay the same
  – Unlike the upgrade from IdPv1 to IdPv2
  – Therefore no metadata/Resource Registry change is needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change the URL for the Attribute Authority
  3. Remove unnecessary endpoints
• To change metadata, change the Home Organisation Description
  – Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description

(Resource Registry form: sections 1 and 2 to review, section 3 to adapt)

Page 64

1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information
  – Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation)
• 2 Descriptive Information
  – Add new IP ranges and Domain Hints
• 5 Contacts
  – Please ensure only non-personal email addresses are listed. Ideally also add helpdesk phone numbers.
• 7 Attribute Release Settings
  – Default attribute release policies: consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP address for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority

New recommendation: use the same IP address and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it is better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP-POST-SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
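The grep above answers the question for one binding at a time. The following added example (not from the handout) summarises all candidate bindings from the slide before in one pass over the process logs: how often each was seen and on which day it was last seen, which is the information needed before removing the endpoint from the Resource Registry. It assumes idp-process log lines start with the date as in a default IdP v3 logback.xml and that the binding URI appears verbatim in the message, which is what the grep on the slide relies on as well; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): count and date the last use of
# each endpoint binding that is a candidate for removal.
# Assumptions: log lines start with "YYYY-MM-DD", binding URIs appear verbatim,
# constructed sample lines below.

CANDIDATES="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign \
urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"

# binding_usage < log-lines -> one line per candidate: "<uri> <count> <last date|never>"
binding_usage() {
    awk -v cands="$CANDIDATES" '
        BEGIN { n = split(cands, c, " ") }
        {
            for (i = 1; i <= n; i++)
                if (index($0, c[i]) > 0) {
                    cnt[c[i]]++
                    last[c[i]] = substr($0, 1, 10)   # date prefix of the line
                }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %s\n", c[i], cnt[c[i]] + 0, (c[i] in last) ? last[c[i]] : "never"
        }'
}

# Constructed sample: two SAML1 SOAP uses by one old SP, one SAML2 redirect login.
SAMPLE_LOG='2015-01-10 08:12:44,101 - INFO [net.shibboleth.idp.profile] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-03-02 17:05:09,512 - INFO [net.shibboleth.idp.profile] - inbound binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding from https://sp-old.example.org/shibboleth
2015-06-11 09:15:01,003 - INFO [net.shibboleth.idp.profile] - inbound binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect from https://sp.example.org/shibboleth'

# Usage: sh binding-usage.sh /opt/shibboleth-idp/logs/idp-process-2015-*.log
if [ $# -gt 0 ]; then
    cat "$@" | binding_usage
else
    printf '%s\n' "$SAMPLE_LOG" | binding_usage
fi
```

A binding reported as "never" over the retention period of the logs is safe to remove; one with a recent date tells you which SP to talk to first, since the SOAP binding serves both the artifact resolution and the attribute service.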

Page 68

Clustering IdPs: High Availability and Load Balancing

SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – Especially user login sessions are stored on the client instead of in memory on the server
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Queries requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment

(architecture diagrams of the example cluster environment, two slides)

Page 71

Options: Load Balancing Hardware vs. DNS Round Robin

• Full-featured setup
  – Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of the IdP nodes can be monitored
    · Supports sticky sessions (required for the short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    · The behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    · Fast switching possible, but a more complicated setup
  – Switching via DNS
    · Switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side

• A server-side database can store any data
  – But: might cause some performance penalty
  – A centralized/clustered or replicated database is required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities

• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between the nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on the security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
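A check that ties the two previous slides together, added here as an example that is not part of the handout: it reads the four storage properties from idp.properties and compares them with the recommendation table. It assumes the property names from the slide and the bean IDs of a standard IdP v3 install, namely shibboleth.StorageService for the in-memory, per-node store and shibboleth.JPAStorageService for the database store introduced above; the Persistent ID store lives in global.xml and is not covered. The sample idp.properties it writes for the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout): flag per-node storage settings in
# idp.properties that break a clustered IdP.
# Assumptions: property names as on the slide; shibboleth.StorageService is the
# in-memory store; the demo file below is constructed.

# storage_value FILE PROPERTY -> prints the configured bean ID (empty if unset)
storage_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_cluster_storage FILE -> one line per entity; returns 1 if the file is not cluster-safe
check_cluster_storage() {
    f="$1"; rc=0
    for spec in \
        "IdP User Session|idp.session.StorageService" \
        "User consents|idp.consent.StorageService" \
        "SAML artifacts|idp.artifact.StorageService" \
        "Message replay cache|idp.replayCache.StorageService"
    do
        entity=${spec%%|*}; prop=${spec#*|}
        have=$(storage_value "$f" "$prop")
        case "$entity:$have" in
            *:)
                echo "WARN $entity: $prop not set, check which IdP default applies"; rc=1 ;;
            "Message replay cache:shibboleth.StorageService")
                # per-node memory is the accepted default for the replay cache (see table)
                echo "NOTE $entity: $have is per node (accepted default)" ;;
            *:shibboleth.StorageService)
                echo "WARN $entity: $have is in-memory per node; a cluster needs a common database"; rc=1 ;;
            *)
                echo "OK   $entity: $have" ;;
        esac
    done
    return $rc
}

# Usage: sh check-storage.sh /opt/shibboleth-idp/conf/idp.properties
if [ $# -gt 0 ]; then
    check_cluster_storage "$1"
else
    # Constructed demo: consent still in memory, which only works on a single node.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.StorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
    check_cluster_storage "$tmp" || echo "-> not cluster-safe as configured"
    rm -f "$tmp"
fi
```

Any value other than the in-memory store is reported as OK because the JPA and memcached services are both shared between nodes when their backend is; whether that backend is actually replicated is a question for global.xml and the database, not for this script.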

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
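A cronjob along the lines described above, written here as an added example rather than the script from the Shibboleth wiki: the designated node rotates the key and distributes it, and a second mode verifies afterwards that every node reports the same key version, which is the check that catches a failed copy before users on the other nodes lose their sessions. It assumes the IdP v3 layout with the sealer keystore at credentials/sealer.jks and its version file credentials/sealer.kver, a version file in Java properties style containing a CurrentVersion=<n> line, the bin/seckeygen.sh tool shipped with the IdP, passwordless ssh/scp between the nodes, and the host names below.

```shell
#!/bin/sh
# Added example (not from the SWITCH handout or the Shibboleth wiki): rotate the
# cookie sealer key on one node, copy it to the peers and verify the versions.
# Assumptions: paths and tool as in a standard IdP v3 install, sealer.kver holds
# "CurrentVersion=<n>", ssh/scp to the peers works without a password.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
PEERS="${PEERS:-aai-login-2.example.org aai-login-3.example.org}"
KVER="$IDP_HOME/credentials/sealer.kver"

# kver_version FILE -> prints the CurrentVersion value from a sealer.kver file
kver_version() {
    sed -n 's/^CurrentVersion=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# versions_agree LOCAL V1 V2 ... -> exit 0 only if every Vn equals LOCAL
versions_agree() {
    local_v="$1"; shift
    for v in "$@"; do
        [ "$v" = "$local_v" ] || return 1
    done
    return 0
}

# rotate_key -> generate the next key version here and push keystore + version file
rotate_key() {
    # STOREPASS is the sealer keystore password (idp.sealer.storePassword in idp.properties)
    : "${STOREPASS:?set STOREPASS to the sealer keystore password}"
    "$IDP_HOME/bin/seckeygen.sh" \
        --storefile "$IDP_HOME/credentials/sealer.jks" --storepass "$STOREPASS" \
        --alias secret --versionfile "$KVER"
    for h in $PEERS; do
        scp -q "$IDP_HOME/credentials/sealer.jks" "$KVER" "$h:$IDP_HOME/credentials/"
    done
}

# verify_cluster -> compare the local key version with every peer's
verify_cluster() {
    local_v=$(kver_version "$KVER")
    peer_vs=""
    for h in $PEERS; do
        peer_vs="$peer_vs $(ssh -q "$h" "sed -n 's/^CurrentVersion=//p' $KVER")"
    done
    if versions_agree "$local_v" $peer_vs; then
        echo "all nodes at sealer key version $local_v"
    else
        echo "key version mismatch: local=$local_v peers=$peer_vs" >&2
        return 1
    fi
}

# Usage (cron on the designated node): sh sealer-rotate.sh rotate && sh sealer-rotate.sh verify
case "${1:-}" in
    rotate) rotate_key ;;
    verify) verify_cluster ;;
esac
```

Run the verify step from monitoring as well, not only right after rotation: a node rebuilt from an old image will silently come back with a stale key.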

Page 75

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation

SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally

(world map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation,        eduPerson    staff, staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university,
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(diagram: the eduGAIN Constitution and the eduGAIN Declaration, with the Code of Conduct, the Attribute Profile, the Metadata Profile and the Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata (diagram)

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct

• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

Page 88

Attribute Release Settings (1)

(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with each request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback (Log4j successor)
  – manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings are usually OK; change them if required, i.e.
    · LDAP Auth Module or authentication events
    · new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

With Logback's default evaluator the appender sends a mail whenever an ERROR-level event arrives, including the buffered messages that preceded it, so the root level does not need to be lowered for the alert itself.

http://logback.qos.ch/manual/appenders.html

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on the "Available bean IDs for service reloads" slide:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    – go to http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET)
    – go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


IdPv2 vs IdPv3 Metadata
• Endpoint URLs stay the same (unlike the upgrade from IdPv1 to IdPv2)
• Therefore no metadata / Resource Registry change needed, in theory
• However, some changes are still recommended:
  1. Review the Home Organisation Description
  2. Change URL for Attribute Authority
  3. Remove Unnecessary Endpoints
• To change metadata, change the Home Organisation description
• Apply the change in the AAI Resource Registry: https://rr.aai.switch.ch

Home Organisation Description
[Screenshot of the Resource Registry form: sections 1 and 2 to review, section 3 to adapt]

Page 64

1. Review the Home Organisation Description
In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority
Recommendation so far: separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA)

Page 65

2. Change URL for Attribute Authority
New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA)
Why?
• Easier configuration, because
  – only one Apache VirtualHost
  – one domain name and one certificate
  – no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID)

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.

Page 66

2. Change URL for Attribute Authority
What to adapt in the Resource Registry then? In "3 Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
  https://aai-login.example.org:8443/idp/ or https://aai-aa.example.org/idp/
to
  https://aai-login.example.org/idp/

3. Remove Unnecessary Endpoints
Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3 Technical Information", consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints
How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.
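The two audit-log checks described in these handouts, "has this binding been used, and by which SP?" (this slide) and "were the SP's required attributes actually released?" (the Attributes slide of the interfederation set), as an added Python example that is not part of the SWITCH handouts. The pipe-separated field order and the sample log lines are constructed assumptions for this example; check the format strings in your own audit.xml before using it on a real idp-audit.log.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

# ASSUMED field positions in a '|'-separated idp-audit.log line (constructed for
# this example):
# time | inbound binding | inbound msg id | relying party (SP) | profile | issuer |
# outbound binding | outbound msg id | principal | authn context | attributes | ...
# Adjust these indexes to the format strings in /opt/shibboleth-idp/conf/audit.xml.
F_TIME, F_BINDING, F_SP, F_PROFILE, F_ATTRS = 0, 1, 3, 4, 10

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
AQ_PROFILE = "http://shibboleth.net/ns/profiles/saml1/query/attribute"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
IDP = "https://aai-login.example.org/idp/shibboleth"

# Constructed sample audit lines (not taken from a real IdP), laid out as above.
SAMPLE_LOG = "\n".join([
    f"20150112T081501Z|{SAML2_REDIRECT}|_a1|https://sp.example.org/shibboleth|{SSO_PROFILE}|{IDP}|{SAML2_POST}|_r1|jdoe|{PPT}|eduPersonPrincipalName,mail,displayName|",
    f"20150203T143022Z|{SAML1_SOAP}|_a2|https://legacy.example.net/shibboleth|{AQ_PROFILE}|{IDP}|{SAML1_SOAP}|_r2|jdoe||eduPersonAffiliation|",
    f"20150311T090000Z|{SAML1_SOAP}|_a3|https://legacy.example.net/shibboleth|{AQ_PROFILE}|{IDP}|{SAML1_SOAP}|_r3|asmith||eduPersonAffiliation|",
    f"20150402T120000Z|{SAML2_REDIRECT}|_a4|https://sp.example.org/shibboleth|{SSO_PROFILE}|{IDP}|{SAML2_POST}|_r4|asmith|{PPT}|eduPersonPrincipalName,mail|",
    # A reload event as shown on the hands-on slide: only the profile field is filled.
    "20150403T070000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
])


def parse_audit_line(line: str) -> Dict[str, object]:
    """Split one audit line into the fields used here. Lines with fewer fields
    (e.g. reload events) yield empty strings for the absent fields."""
    fields = line.rstrip("\n").split("|")

    def get(i: int) -> str:
        return fields[i] if i < len(fields) else ""

    return {
        "time": get(F_TIME),
        "binding": get(F_BINDING),
        "sp": get(F_SP),
        "profile": get(F_PROFILE),
        # the attribute field is a comma-separated list of released attribute IDs
        "attrs": [a for a in get(F_ATTRS).split(",") if a],
    }


def last_binding_use(log_text: str, binding: str) -> Dict[str, str]:
    """For the 'Remove Unnecessary Endpoints' check: per relying party, when a
    request over `binding` was last received. An empty result means the binding
    was not used in the period the log covers. Timestamps are compared as
    strings, which is correct for the fixed-width YYYYMMDDThhmmssZ form."""
    last: Dict[str, str] = {}
    for line in log_text.splitlines():
        e = parse_audit_line(line)
        sp, when = str(e["sp"]), str(e["time"])
        if e["binding"] == binding and sp and when > last.get(sp, ""):
            last[sp] = when
    return last


def check_attribute_release(log_text: str, sp: str,
                            required: Iterable[str]) -> Tuple[str, Set[str]]:
    """Decision tree from the 'Attributes' slide, applied to the most recent
    audit entry for `sp`:
      'none'       nothing released (or no entry at all): check the release policy
      'incomplete' some required attributes missing: review the release policy
      'complete'   all required attributes released: the SP side has to investigate
    The second element is the set of required attributes that were not released."""
    latest: Optional[Dict[str, object]] = None
    for line in log_text.splitlines():
        e = parse_audit_line(line)
        if e["sp"] == sp and (latest is None or str(e["time"]) > str(latest["time"])):
            latest = e
    released: Set[str] = set(latest["attrs"]) if latest else set()  # type: ignore[arg-type]
    missing = set(required) - released
    if not released:
        return "none", missing
    return ("incomplete" if missing else "complete"), missing


if __name__ == "__main__":
    for sp, when in last_binding_use(SAMPLE_LOG, SAML1_SOAP).items():
        print(f"SAML1 SOAP binding last used {when} by {sp}")
    status, missing = check_attribute_release(
        SAMPLE_LOG, "https://sp.example.org/shibboleth",
        ["eduPersonPrincipalName", "mail", "displayName"])
    print(f"release to sp.example.org: {status}, missing: {sorted(missing)}")
```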

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment
[Two diagrams of example cluster environments; not reproduced]

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    – Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    – Behavior of clients is not determinable
    – Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  – Server-side database can store any data
    – But: might cause some performance penalty
    – Centralized/clustered or replicated database required
  – Client-side storage using cookies
    – Doesn't work for large data like user consents
    – Stored per single client: not suitable for users using multiple browsers
There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements, the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
[World map of federations in production and pilot status; source: https://refeds.org/federations/federations-map]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation /         eduPerson    staff / staff@example.org
  eduPersonScopedAffiliation
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation
[Screenshot of the Resource Registry interfederation option; not reproduced]

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata
[Slide figure showing the entity category in SAML metadata; not reproduced]

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
[Slide figure; not reproduced]

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)
[Screenshot; not reproduced]

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback, the Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually OK; change them if required, i.e.
    – LDAP Auth Module or authentication events
    – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Reloading the configuration with v2

• Only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops).
• No option to explicitly trigger a reload, so a reload is only achieved by a relatively awkward constantly-watch-for-file-changes check.

New reloading options with v3

• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml.
• Reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• By default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry).
• Two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… Requesting the respective URL with curl seems more straightforward.

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
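The following POSIX shell helper is an example added to this handout; it is neither SWITCH's nor the Shibboleth project's code. It wraps the two admin flows described above so that a deployment script can reload one of the services listed on this slide, or a metadata provider, and stop when the IdP does not report success instead of silently carrying on with a stale configuration. It assumes the URL layout from the slides (aai-login.example.org stands for your IdP host), that a successful reload is answered with HTTP 200 (an assumption; only the status code is checked, the response text is just echoed), and that the caller is one that access-control.xml permits. The HTTP client command is a variable so the helper can be exercised offline with a stub.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout or of the Shibboleth IdP
# distribution. Wraps the reload-service and reload-metadata admin flows so a
# deployment script can fail when a reload does not succeed.
# Assumptions: the URL layout shown above (aai-login.example.org is a
# placeholder), a reload that answers HTTP 200 on success, and a caller that
# access-control.xml permits (localhost by default).

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"
# The HTTP client is a variable so that it can be replaced by a stub offline.
CURL="${CURL:-curl}"

# Bean IDs of the reloadable services from the list above.
RELOADABLE_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# admin_flow <flow> <id>: calls /profile/admin/<flow>?id=<id>, prints the
# response body and returns 0 only when the IdP answered with HTTP 200.
admin_flow() {
    flow="$1"; id="$2"
    # -s: no progress meter; -w appends the status code as a final line
    out=$("$CURL" -s -w '\n%{http_code}' "${IDP_BASE}/profile/admin/${flow}?id=${id}") || return 1
    code=$(printf '%s\n' "$out" | tail -n 1)
    printf '%s\n' "$out" | sed '$d'
    [ "$code" = "200" ]
}

# reload_service <bean-id>, e.g. shibboleth.AttributeFilterService
reload_service() { admin_flow reload-service "$1"; }

# reload_metadata <metadata-provider-id>, as found in metadata-provider*.xml
reload_metadata() { admin_flow reload-metadata "$1"; }

# reload_all_services: reloads every service in RELOADABLE_SERVICES, reports
# each result on stderr and prints the number of failures on stdout, so
# "test $(reload_all_services) -eq 0" can gate the next deployment step.
reload_all_services() {
    failed=0
    for svc in $RELOADABLE_SERVICES; do
        if reload_service "$svc" >/dev/null 2>&1; then
            echo "reloaded: $svc" >&2
        else
            echo "FAILED:   $svc" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$failed"
}

# Stand-alone use: ./reload.sh <bean-id>...  (no arguments: nothing is called)
for id in "$@"; do
    reload_service "$id" || echo "reload of $id failed" >&2
done
```

An unknown bean ID (the case the hands-on slide asks you to try) and a caller that access-control.xml rejects both produce a non-200 answer, which the helper turns into a non-zero exit status; a syntax error in the reloaded file shows up the same way, so the old configuration stays active and the script notices.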

And restartless login page editing, too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately.
• Say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2.

Still requiring a restart with v3

• Changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• Changes to global.xml (SQL data source, HTTP client settings)
• Changes to the authentication configuration, such as LDAP parameters etc.
• Changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• And a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely.

(Ideas for) hands-on exercises

• Try reloading a couple of the services listed on the "Available bean IDs for service reloads" slide:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• Check what happens when specifying invalid bean IDs.
• Insert a syntax error into a configuration file and try reloading the corresponding service.
• Entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• What is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate.
  • Once the configuration is up-to-date:
    • interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • The federation announces a flag day for enabling interfederation.
  • IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet.
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive, http://www.data-archive.ac.uk
2) FUNET FileSender, https://filesender.funet.fi
3) Wiseflow, https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata

• Interfederated IdPs and SPs need additional metadata.
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor.
  • Opt-out federations integrate all entities into a single metadata file.
• Propagation speed of metadata changes:
  • in SWITCHaai: two hours
  • for interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so the SP does not know the IdP and fails.

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP.
• An SP needs a DS that knows the appropriate set of IdPs.
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation.
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes

• Missing attributes cause interoperation problems.
  • Check the SP's attribute requirements in the Resource Registry.
  • Verify that attributes were released (in the IdP's audit log).
    • If NO: check your IdP's attribute release policy.
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails.
      • If NO: review your attribute release policy.
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • Go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click on "validate this metadata set", then on "show entities list".
  • Or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  • Or try the "Is Federated" Checker: go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names.
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? Go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Troubleshooting interfederated entities

• Find an SP in the Resource Registry: go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation".
• Or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


1. Review the Home Organisation Description

In particular, review and adapt if necessary:
• 1 General Information: Interfederation Support (option only available if the Interfederation Access Declaration has been signed; more information on https://www.switch.ch/aai/support/documents/interfederation/)
• 2 Descriptive Information: add new IP ranges and Domain Hints
• 5 Contacts: please ensure only non-personal email addresses are listed; ideally also add helpdesk phone numbers
• 7 Attribute Release Settings: default attribute release policies; consider releasing all R&S attributes

2. Change URL for Attribute Authority

Recommendation so far: a separate port (i.e. 8443) or IP for the IdP Attribute Authority (AA).

2. Change URL for Attribute Authority

New recommendation: use the same IP and the same port (443) for the Attribute Authority (AA).
Why?
• Easier configuration, because only one Apache VirtualHost, one domain name and one certificate are needed, and no X.509 client authentication is needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata).
• Attribute queries are hardly used anymore (but will become important again for support of edu-ID).

But how is the attribute query still secured without X.509 client authentication by the Service Provider? The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in metadata.

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3 Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it is better to only have published in metadata what is needed and used. So in "3 Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used.

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
This returns information (i.e. time, SP) on when the binding was used the last time.
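As an added example (not from the handout and not SWITCH code), the shell function below answers the question on this slide from idp-audit.log rather than idp-process.log, because every handled request leaves exactly one audit line and the binding and relying party are separate fields there, so the last use of a binding and the SP concerned fall out of a single awk pass. It assumes the IdP 3 default audit field order (timestamp, inbound binding, inbound message ID, relying party, profile, responder, outbound binding, …), which conf/audit.xml may change in your deployment, and the sample lines it ships are constructed for the demonstration, not real IdP output.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout. Before an endpoint is removed
# from the Resource Registry, report whether its binding was used at all and,
# if so, when and by which SP. It reads idp-audit.log rather than
# idp-process.log because every handled request leaves exactly one audit line.
# Assumption: the IdP 3.x default audit field order, which a deployment may
# have changed in conf/audit.xml:
#   1 timestamp | 2 inbound binding | 3 inbound msg id | 4 relying party |
#   5 profile | 6 responder | 7 outbound binding | ...

SAML1_SOAP='urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding'
SAML2_POST_SIMPLESIGN='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'

# binding_usage <binding-urn> <audit-log>...
# Prints "<hits> <last timestamp> <last relying party>". Returns 0 when the
# binding was seen, 1 when it never appeared (the endpoint is safe to remove).
binding_usage() {
    binding="$1"; shift
    cat "$@" | awk -F'|' -v b="$binding" '
        $2 == b || $7 == b { n++; ts = $1; sp = $4 }
        END {
            if (n == 0) { print "0 - -"; exit 1 }
            print n, ts, sp
        }'
}

# sample_audit_log: writes constructed audit lines (not real IdP output) to a
# temporary file and prints its path, so the check can be tried offline.
sample_audit_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
20150602T091200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|user1
20150602T091201Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a2|https://legacy.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r2|user1
20150603T081502Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a3|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r3|user2
EOF
    echo "$f"
}

# Stand-alone use against the real logs:
#   ./binding_usage.sh "$SAML1_SOAP" /opt/shibboleth-idp/logs/idp-audit*.log
if [ $# -ge 2 ]; then
    binding_usage "$@"
fi
```

Run it once per candidate endpoint from the slide before: a return status of 1 means no request over that binding appears in the audit logs you passed in, which is the evidence the slide asks for before removing the endpoint; a hit shows the last date and the SP that would break.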

Clustering IdPs: High Availability and Load Balancing
SWITCHaai Team, aai@switch.ch

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing.
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations.
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation.
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails.
  • Users should not need to re-login if a server fails or is manually removed from the cluster.

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2.
  • Especially, user login sessions are stored on the client instead of in memory on the server.
  • Allows flexible configuration of various storage services (memory, server-side, client-side).
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID.
  • Storing user consents per browser is not convenient for users.
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP.
• Special configuration of the IdP is required.
• Load balancing requires special hardware or software.
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism.

Example Environment (two architecture diagrams, not reproduced in the handout text)

Options: Load Balancing Hardware vs. DNS Round Robin

• Full-featured setup
  • Special load balancing hardware or software is highly recommended:
    • guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably:
    • the behavior of clients is not determinable
    • it does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  • Anycast IP address: fast switching possible, but more complicated setup
  • Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side

• A server-side database can store any data,
  • but it might cause some performance penalty,
  • and a centralized/clustered or replicated database is required.
• Client-side storage using cookies
  • doesn't work for large data like user consents,
  • is stored per single client: not suitable for users using multiple browsers.

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. a SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours).
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Storage Recommendations

Storage Entity          Recommended Storage   Scope
Conversation Session    Memory                Per Node
IdP User Session        Client                Per Client
Persistent ID           Common Database       Cluster
User consents           Common Database       Cluster
SAML artifacts          Common Database       Cluster
Message replay cache    Memory                Per Node

Remarks:
• "Common Database" means some central/clustered database or a database replicated between nodes.
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all.
• Alternatives for the message replay cache: common database or memcached (depending on security requirements).

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties:
  • IdP User Session: idp.session.StorageService
  • User consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: the Persistent ID, configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
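The following shell check is an example added here; it is not part of the handout or of the Shibboleth IdP distribution. It reads the four idp.properties settings just listed and compares them with the storage recommendations table above: in a cluster, user consents and SAML artifacts must live in a common database, the user session may stay in the client cookie, and the replay cache may stay in per-node memory. The Persistent ID is deliberately not covered, since it is configured in global.xml rather than in idp.properties. It assumes the IdP 3 built-in storage service IDs (shibboleth.StorageService is the in-memory default, shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService are cookie-based, shibboleth.JPAStorageService is the database service from global.xml); any other bean ID, for instance a memcached service of your own, is reported for manual review.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout or the Shibboleth IdP
# distribution. Audits the storage properties above against the storage
# recommendations table: in a cluster, user consents and SAML artifacts need a
# common database, the user session may stay in the client cookie, and the
# replay cache may stay in per-node memory. The Persistent ID is not covered
# because it is configured in global.xml, not in idp.properties.
# Assumption: the IdP 3.x built-in storage service IDs, i.e.
#   shibboleth.StorageService                  in-memory, per node (the default)
#   shibboleth.ClientSessionStorageService     session cookie, per client
#   shibboleth.ClientPersistentStorageService  long-lived cookie, per browser
#   shibboleth.JPAStorageService               the database service from global.xml

# get_prop <idp.properties> <name>: value of the last "name = value" line;
# commented-out lines do not match because the name must start the line.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_cluster_storage <idp.properties>
# Prints one line per entity that is not on a recommended cluster-safe service
# and returns the number of such findings, so 0 means the file follows the
# recommendations. Unknown bean IDs (e.g. a custom memcached service) are
# reported too, because the script cannot tell whether they are shared.
check_cluster_storage() {
    f="$1"; findings=0
    # entity property : what the recommendation allows
    for entry in \
        'idp.session.StorageService:client-or-db' \
        'idp.consent.StorageService:db' \
        'idp.artifact.StorageService:db' \
        'idp.replayCache.StorageService:any'; do
        name="${entry%%:*}"; want="${entry##*:}"
        value=$(get_prop "$f" "$name")
        # an unset property falls back to the in-memory, per-node default
        [ -n "$value" ] || value='shibboleth.StorageService'
        case "$want:$value" in
            any:*) ;;
            db:shibboleth.JPAStorageService) ;;
            client-or-db:shibboleth.JPAStorageService) ;;
            client-or-db:shibboleth.ClientSessionStorageService) ;;
            *)
                echo "$name = $value: not a recommended cluster-safe service (per node, per browser, or unknown)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Stand-alone use:  ./check_cluster_storage.sh /opt/shibboleth-idp/conf/idp.properties
if [ $# -eq 1 ]; then
    check_cluster_storage "$1"
fi
```

Run it on every node of the cluster, not only on the one you edited: the recommendations only hold if all nodes point the same entities at the same common database.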

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes.
  • Install an appropriate cronjob.
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited.
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed.
• Terracotta: no longer an option for IdPv3.

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most federations are of national scope.
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations.
• Research projects are mostly multi-national.
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation.
  • Enable the IdP for interfederation: its users will be able to access services from other federations.
  • Enable the SP for interfederation: the service can serve users from other federations.

All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service.
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015: IdPs 1257, SPs 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name               Defined in   Example
displayName                 eduPerson    Peter Sample
common name (cn)            eduPerson    Peter Sample
mail                        eduPerson    peter.sample@example.org
eduPersonAffiliation        eduPerson    staff
eduPersonScopedAffiliation  eduPerson    staff@example.org
eduPersonPrincipalName      eduPerson    234cd8z239@example.org
schacHomeOrganization       SCHAC        example.org
schacHomeOrganizationType   SCHAC        urn:schac:homeOrganizationType:ch:university
                                         urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust.
• SPs and IdPs of participating federations should opt in for eduGAIN.
  • Some federations decided for opt-out instead.
• The MDS fetches, aggregates and republishes metadata.

Policy documents shown in the slide's diagram: eduGAIN Declaration, eduGAIN Constitution, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile.

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category.
• Requires a specification for internationally coherent use.
• Criteria: purpose, policies, or other.
• In the interfederation context:
  • filling the gap of missing common policies
  • supporting or increasing scalable trust

Metadata (the slide shows a metadata excerpt as a figure, not reproduced in the text)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives.
• The SP has to provide a Privacy Policy (in English, according to the guideline).
• That will encourage the Home Organisation/IdP to release attributes: attribute release will scale.

Goal: increase the trust in Service Providers (SPs). (Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment.)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support research & scholarship interaction, collaboration and management.
• No SPs from publishers.
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  GÉANT DP CoCo
Global                      Mainly Europe
Common purpose of the SPs   Common data protection standards
Fixed set of attributes     SP can require any attributes

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (figure, not reproduced in the text)

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot, not reproduced in the text)

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

• Log files:
  • error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration: defined in the virtual host definition
  • dir: /etc/apache2/sites-available
  • file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/System.out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: per-host application log (e.g. servlet exceptions), also controlled by logging.properties
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST), …)
  • default logging location: /var/log/tomcat7
  • config: the AccessLogValve in /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; services.properties entry idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g. for the LDAP auth module or authentication events, or for a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Reloading the configuration with v2

• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)

• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)

• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id

• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml

• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml

• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)

• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7
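The reload flows of slides 3 and 4 and the audit-log question on the hands-on slide, worked through in an added shell example (not part of the SWITCH handouts): reload_service validates a bean id against the slide 4 list before calling the admin flow with curl, count_reload_events tallies reload events in idp-audit.log, and reload_ids_from_access_log recovers the id= argument, which the audit record does not carry, from the Apache access log, where the full request line including the query string is kept (curl from localhost still passes through Apache). The host name is the handout's example host, all log lines are constructed samples, and the audit layout is assumed to be the IdPv3 default 13-field pipe-separated format with the profile URI in field 5, which is the shape of the …||||profile|||||||| entries quoted above.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: trigger IdPv3 service reloads via
# the admin flows and verify them afterwards in the logs. The audit log records
# only the profile URI of a reload, so the bean id is recovered from the Apache
# access log, which keeps the full request line including "?id=...".
# Assumed: the handout's example host aai-login.example.org, IdPv3 default
# 13-field audit format (field 5 = profile URI), Apache combined log format.

IDP_BASE_URL="${IDP_BASE_URL:-https://aai-login.example.org/idp}"

# Reloadable service bean ids as listed on slide 4.
RELOADABLE_SERVICES="shibboleth.LoggingService shibboleth.AttributeFilterService
shibboleth.AttributeResolverService shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Succeeds if $1 is one of the known reloadable service ids.
is_reloadable_service() {
  for s in $RELOADABLE_SERVICES; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# Admin flow URL: $1 = reload-service | reload-metadata, $2 = bean/provider id.
reload_url() {
  printf '%s/profile/admin/%s?id=%s\n' "$IDP_BASE_URL" "$1" "$2"
}

# Reload one service; refuses unknown ids before touching the IdP. The flows are
# restricted to localhost by default, so run this on the IdP node itself.
reload_service() {
  if ! is_reloadable_service "$1"; then
    echo "unknown service id: $1" >&2
    return 2
  fi
  status=$(curl --silent --show-error --output /dev/null \
                --write-out '%{http_code}' "$(reload_url reload-service "$1")") || return 1
  echo "reload-service $1 -> HTTP $status"
  [ "$status" = "200" ]
}

# Count reload events per profile URI in an idp-audit.log read from stdin.
count_reload_events() {
  awk -F'|' '$5 ~ /\/profiles\/reload-/ { n[$5]++ }
             END { for (p in n) print p "\t" n[p] }' | sort
}

# Print "<time> <flow> <id>" for every admin reload request in an Apache
# combined-format access log read from stdin ($4 = "[time", $7 = request URI).
reload_ids_from_access_log() {
  awk '/\/idp\/profile\/admin\/reload-/ {
         ts = substr($4, 2)
         split($7, parts, "?")
         flow = parts[1]; sub(/.*\//, "", flow)
         q = "&" parts[2]; id = ""
         if (match(q, /&id=[^&]*/)) id = substr(q, RSTART + 4, RLENGTH - 4)
         print ts, flow, id
       }'
}

# Constructed sample logs (not real IdP output) for trying the functions offline.
sample_audit_log() {
  cat <<'EOF'
20150611T140000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T140100Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T140530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_c1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|_n1|_a1
20150611T140700Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
EOF
}

sample_access_log() {
  cat <<'EOF'
127.0.0.1 - - [11/Jun/2015:16:00:00 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService HTTP/1.1" 200 63 "-" "curl/7.38.0"
127.0.0.1 - - [11/Jun/2015:16:01:00 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaaiMetadata HTTP/1.1" 200 58 "-" "curl/7.38.0"
192.0.2.10 - - [11/Jun/2015:16:05:30 +0200] "POST /idp/profile/SAML2/POST/SSO HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
127.0.0.1 - - [11/Jun/2015:16:07:00 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.LoggingService HTTP/1.1" 200 63 "-" "curl/7.38.0"
EOF
}
```

On a real node, `sample_audit_log | count_reload_events` becomes `count_reload_events < /opt/shibboleth-idp/logs/idp-audit.log` and the access-log function reads /var/log/apache2/aai-login.example.org.access.log; pairing the two by timestamp tells you which reload produced which audit entry.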

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding:
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation Metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out beforehand
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems unless they opted out before the flag day

3

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

4

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
• SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
• Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes:
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue:
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

5

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue:
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

7

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities:
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker":
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest:
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET):
    • go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry:
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file:
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103
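Two of the checks from the "Attributes" slide and this troubleshooting slide, as an added shell example (not from the SWITCH handouts): released_attributes and missing_attributes compare the attribute ids the audit log shows as released to an SP with what the SP requires, and sp_in_metadata tests whether an entityID is present in a metadata file such as metadata.interfederation-sps.xml. The audit layout is assumed to be the IdPv3 default 13-field pipe-separated format (field 4 = SP entityID, field 11 = comma-separated released attribute ids); the audit lines and the metadata file are constructed samples.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: two checks from the "Attributes"
# and "Troubleshooting" slides, run against constructed sample data.
#   released_attributes - which attributes the IdP released to a given SP,
#                         taken from idp-audit.log (assumed IdPv3 default
#                         13-field format: field 4 = SP entityID, field 11 =
#                         comma-separated released attribute ids)
#   sp_in_metadata      - whether an SP entityID is present in a metadata file
#                         such as /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml

# Print the distinct attribute ids released to SP $1 according to audit log
# lines on stdin, one per line, sorted. Empty output means nothing was released
# (or there was no login for that SP in this log at all).
released_attributes() {
  awk -F'|' -v sp="$1" '$4 == sp && $11 != "" { n = split($11, a, ","); for (i = 1; i <= n; i++) print a[i] }' \
    | sort -u
}

# Compare what the SP requires (space-separated list in $2) with what the audit
# log on stdin shows released to it; print each missing attribute and succeed
# only if nothing is missing.
missing_attributes() {
  released=$(released_attributes "$1")
  missing=0
  for attr in $2; do
    if ! printf '%s\n' "$released" | grep -qx "$attr"; then
      echo "$attr"
      missing=1
    fi
  done
  return $missing
}

# Succeed if metadata file $1 contains an EntityDescriptor for entityID $2.
sp_in_metadata() {
  grep -q "entityID=\"$2\"" "$1"
}

# Constructed sample audit lines (two logins to the interfederated SP, one to
# another SP); all values are made up.
sample_audit_log() {
  cat <<'EOF'
20150611T090000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_i1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|_n1|_a1
20150611T091500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_i2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o2|asmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail,displayName|_n2|_a2
20150611T093000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_i3|https://other.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o3|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation|_n3|_a3
EOF
}

# Constructed minimal metadata file for sp_in_metadata; prints its path.
sample_metadata_file() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="constructed-interfederation-sps">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
  echo "$f"
}
```

Against a real deployment the calls become `missing_attributes https://sp.example.org/shibboleth "eduPersonPrincipalName mail" < /opt/shibboleth-idp/logs/idp-audit.log` and `sp_in_metadata /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml https://sp.example.org/shibboleth`; a missing attribute points at the release policy, a missing entity at the metadata source.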


2. Change URL for Attribute Authority

New Recommendation: Use the same IP and the same port (443) for the Attribute Authority (AA).
Why? Easier configuration, because:
• only one Apache VirtualHost
• one domain name and one certificate
• no X.509 client authentication needed anymore (the SP still checks the IdP web server certificate against the IdP's metadata)
• Attribute Queries are hardly used anymore (but will become important again for support of edu-ID)

9

But how is the attribute query still secured without X.509 client authentication by the Service Provider?
The SP signs the attribute query request with its private key; the IdP checks the signature with the SP's public key in the metadata.

Page 66

2. Change URL for Attribute Authority

What to adapt in the Resource Registry then? In "3. Technical Information" change the URLs for
• Attribute Service
• Artifact Resolution Service
Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g.
https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp
to
https://aai-login.example.org/idp

11

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.
Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding
But only remove them after verifying they are not used!

12

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.
How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) on when the binding was used the last time.

13

Page 68
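A variant of the log check above, as an added shell example (not from the SWITCH handouts): instead of grepping idp-process.log for one binding URN, it reads idp-audit.log (assumed IdPv3 default 13-field pipe-separated format: field 1 = time, field 2 = inbound binding, field 4 = SP entityID, field 7 = outbound binding) and reports, for every binding, when it was last used and by which SP, so the decision for each endpoint candidate is a single lookup. The sample audit lines are constructed.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: before removing an endpoint from
# the Resource Registry, report when each SAML binding was last used and by
# which SP. The handout greps idp-process.log; this version reads idp-audit.log
# (assumed IdPv3 default 13-field format: field 1 = time, field 2 = inbound
# binding, field 4 = SP entityID, field 7 = outbound binding), so every line
# already carries the SP. Sample lines are constructed.

# Print "binding<TAB>last-used-time<TAB>SP" for each binding seen on stdin.
# Audit timestamps (yyyymmddThhmmssZ) sort correctly as plain strings.
binding_last_use() {
  awk -F'|' '
    function note(b, t, sp) { if (b != "" && t > last[b]) { last[b] = t; who[b] = sp } }
    { note($2, $1, $4); note($7, $1, $4) }
    END { for (b in last) print b "\t" last[b] "\t" who[b] }' | sort
}

# Succeed (and print nothing) if binding $1 does not occur in the log on stdin;
# otherwise print its last use and fail, i.e. "do not remove this endpoint yet".
binding_unused() {
  hit=$(binding_last_use | awk -F'\t' -v b="$1" '$1 == b')
  [ -z "$hit" ] && return 0
  printf '%s\n' "$hit"
  return 1
}

# Constructed sample: two SAML2 web SSO logins and one SAML1 SOAP attribute query.
sample_audit_log() {
  cat <<'EOF'
20150312T081000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_i1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o1|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail|_n1|_a1
20150420T171500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_i2|https://legacy.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_o2|asmith||eduPersonPrincipalName|_n2|_a2
20150610T120000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_i3|https://other.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_o3|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail|_n3|_a3
EOF
}
```

On a real node, run `cat /opt/shibboleth-idp/logs/idp-audit-2015-*.log | binding_last_use` (or `binding_unused urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding` with the same input) and only remove the endpoint from the Resource Registry when the binding shows no use in the period you care about.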

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  • Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  • A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  • Users should not need to re-login if a server fails or is manually removed from the cluster

2

Page 69

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • Especially, user login sessions are stored on the client instead of on the server in memory
  • Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

3

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

4

Page 70

Example Environment (diagram)

5

Example Environment (diagram)

6

Page 71

Options

• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  • Special load balancing hardware or software is highly recommended
    • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    • Supports sticky sessions (required for short-lived conversation sessions)
  • DNS Round Robin doesn't work reliably
    • Behavior of clients is not determinable
    • Does not guarantee sticky sessions

• Basic setup (Active/Standby system)
  • Anycast IP address
    • Fast switching possible, but more complicated setup
  • Switching via DNS
    • Switching takes some time (TTL), but the setup is easy

7

Options

• Data storage: client-side vs server-side
  • Server-side database can store any data
    • But: might cause some performance penalty
    • Centralized/clustered or replicated database required
  • Client-side storage using cookies
    • Doesn't work for large data like user consents
    • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

8

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdPs access a common storage to fully support Attribute Queries

9

Storage Entities

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

10

Page 73

Storage Recommendations

Storage Entity          Recommended Storage    Scope
Conversation Session    Memory                 Per Node
IdP User Session        Client                 Per Client
Persistent ID           Common Database        Cluster
User consents           Common Database        Cluster
SAML artifacts          Common Database        Cluster
Message replay cache    Memory                 Per Node

11

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

12

Page 74
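An added shell check (not from the SWITCH handouts) that reads the four properties named above from idp.properties and compares them with the recommendations of slide 11: client-side storage for the user session, a common database (shibboleth.JPAStorageService, see slide 13) for consents and artifacts, and per-node memory for the replay cache. The bean ids shibboleth.StorageService, shibboleth.ClientSessionStorageService and shibboleth.ClientPersistentStorageService are assumed to be the IdPv3 defaults for memory and cookie storage; both idp.properties fragments are constructed.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts: check the four storage-service
# properties from the slide above against the recommendations of slide 11.
# Assumed: the IdPv3 bean ids shibboleth.StorageService (in-memory, per node),
# shibboleth.ClientSessionStorageService / shibboleth.ClientPersistentStorageService
# (cookie-based, per client) and shibboleth.JPAStorageService (database, slide 13).

# Print the value of property $2 in properties file $1 (empty if unset or
# commented out); tolerates "key = value" and "key=value".
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report every storage setting that is unsuitable for a multi-node IdP.
# Prints one line per finding; succeeds only when there are none.
check_cluster_storage() {
  f=$1
  findings=0

  s=$(prop "$f" idp.session.StorageService)
  case "$s" in
    shibboleth.ClientSessionStorageService|shibboleth.JPAStorageService) ;;
    *) echo "idp.session.StorageService=$s: sessions must float between nodes (recommended: shibboleth.ClientSessionStorageService)"
       findings=1 ;;
  esac

  for key in idp.consent.StorageService idp.artifact.StorageService; do
    v=$(prop "$f" "$key")
    case "$v" in
      shibboleth.JPAStorageService) ;;
      *) echo "$key=$v: needs a common database in a cluster (recommended: shibboleth.JPAStorageService)"
         findings=1 ;;
    esac
  done

  r=$(prop "$f" idp.replayCache.StorageService)
  case "$r" in
    shibboleth.StorageService)
      echo "idp.replayCache.StorageService=$r: per-node memory, acceptable default; use shibboleth.JPAStorageService for stricter replay protection" ;;
    shibboleth.JPAStorageService) ;;
    *) echo "idp.replayCache.StorageService=$r: unexpected value"
       findings=1 ;;
  esac
  return $findings
}

# Constructed idp.properties fragments (not copied from a real deployment):
# the single-node defaults and a cluster-ready variant.
write_single_node_props() {
  cat >"$1" <<'EOF'
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}

write_cluster_props() {
  cat >"$1" <<'EOF'
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
}
```

Run `check_cluster_storage /opt/shibboleth-idp/conf/idp.properties` on every node before joining it to the cluster; a non-zero exit means a consent or artifact store that only lives on one node.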

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

13

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup:
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

14

Page 75
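Added shell helpers around the rotation described above (not the wiki's cronjob script and not part of the SWITCH handouts): rotate_key runs the IdPv3 seckeygen.sh tool and copies sealer.jks and sealer.kver to the other nodes, kver_version reads the active key version from a sealer.kver file, and nodes_in_sync flags nodes that have not yet received the latest key. The credentials file names, the CurrentVersion= line in sealer.kver, the seckeygen.sh options and the idp.sealer.storePassword property are assumed from the IdPv3 layout; node names are placeholders and the sample version file is constructed.

```shell
#!/bin/sh
# Added example, not from the SWITCH handouts or the Shibboleth wiki script:
# helper checks around the cookie-sealer key rotation described above.
# Assumed: the IdPv3 layout /opt/shibboleth-idp/credentials/sealer.jks plus
# sealer.kver (a Java properties file whose CurrentVersion= line holds the
# active key version), the bundled bin/seckeygen.sh tool and the
# idp.sealer.storePassword property in idp.properties. Node names are
# placeholders; the rotation itself only runs when you call rotate_key.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"

# Print the active key version recorded in a sealer.kver file ($1).
kver_version() {
  sed -n 's/^CurrentVersion=//p' "$1" | tail -n 1
}

# Given "node:version" pairs on stdin (one per line, as collected from the
# cluster members, e.g. via ssh node cat .../sealer.kver), succeed if all
# versions agree; otherwise print the nodes behind the highest version and fail.
nodes_in_sync() {
  awk -F: '{ v[$1] = $2; if ($2 + 0 > max) max = $2 + 0 }
           END { bad = 0
                 for (n in v) if (v[n] + 0 != max) { print n " has version " v[n] " (latest " max ")"; bad = 1 }
                 exit bad }'
}

# Rotate the key on the generating node and push keystore and version file to
# the other nodes given as arguments (scp targets are placeholders).
rotate_key() {
  pass=$(sed -n 's/^idp.sealer.storePassword[[:space:]]*=[[:space:]]*//p' "$IDP_HOME/conf/idp.properties")
  "$IDP_HOME/bin/seckeygen.sh" \
      --storefile "$IDP_HOME/credentials/sealer.jks" \
      --storepass "$pass" \
      --versionfile "$IDP_HOME/credentials/sealer.kver" \
      --alias secret || return 1
  for node in "$@"; do
    scp -q "$IDP_HOME/credentials/sealer.jks" "$IDP_HOME/credentials/sealer.kver" \
        "$node:$IDP_HOME/credentials/" || return 1
  done
}

# Constructed sealer.kver as written on one node (values made up).
write_sample_kver() {
  printf '#Thu Jun 11 03:00:00 CEST 2015\nCurrentVersion=7\n' >"$1"
}
```

A cronjob on the generating node would call `rotate_key idp2.example.org idp3.example.org`; a monitoring check on any node can feed `node:$(kver_version .../sealer.kver)` lines from all members into nodes_in_sync and alert when a copy failed, since a node with an old key cannot decrypt sessions sealed by the others.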

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

15

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

16

Page 76

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

17

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

2

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

4

Page 79

All Academic Identity Federations Globally

(world map of federations, Production / Pilot) Source: https://refeds.org/federations/federations-map

5

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles:
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015:
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.
SWITCH will then enable the checkbox in the Resource Registry.

7

Recommended Interfederation Attributes

Friendly name                              Defined in   Example
displayName                                eduPerson    Peter Sample
common name (cn)                           eduPerson    Peter Sample
mail                                       eduPerson    peter.sample@example.org
eduPersonAffiliation,                      eduPerson    staff,
eduPersonScopedAffiliation                              staff@example.org
eduPersonPrincipalName                     eduPerson    234cd8z239@example.org
schacHomeOrganization                      SCHAC        example.org
schacHomeOrganizationType                  SCHAC        urn:schac:homeOrganizationType:ch:university,
                                                        urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID   eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

8

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

9

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

(diagram: eduGAIN Constitution; eduGAIN Declaration; Code of Conduct; Attribute Profile; Metadata Profile; Web SSO Profile)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

12

Page 83

Entity categories: A generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other

In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

13

Metadata (diagram)

14

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

(diagram "Increase the trust in Service Providers (SPs)": SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

15

GÉANT Data Protection Code of Conduct

• Principles:
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

16

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

17

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship

• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)

19

Comparison

REFEDS R&S                   GÉANT DP CoCo
Global                       Mainly Europe
Common purpose of the SPs    Common data protection standards
Fixed set of attributes      SP can require any attributes

20

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88

Attribute Release Settings (1)

Resource Registry – Edit Home Organization Description – Attribute Release Settings

3

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed under "Available bean IDs for service reloads":
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    · Interfederation Metadata gets loaded
    · IdP: Additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before
    · if they do not want to participate
    · if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to check out why it fails
      · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
  – pick the country where the entity might be registered
  – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  – go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  – go to https://wiki.edugain.org/isFederatedCheck
  – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


2. Change URL for Attribute Authority

What to adapt in the Resource Registry, then? In "3. Technical Information", change the URLs for
• Attribute Service
• Artifact Resolution Service

Make sure they point to the URL configured during the Identity Provider deployment. Typically the URLs change from e.g. https://aai-login.example.org:8443/idp or https://aai-aa.example.org/idp to https://aai-login.example.org/idp

3. Remove Unnecessary Endpoints

Which endpoints to remove? Generally it's better to only have published in metadata what is needed and used. So in "3. Technical Information" consider removing endpoints that are hardly used.

Candidates to remove:
• Single Sign On Service with SAML2 HTTP POST SimpleSign binding
• Artifact Resolution Service with SAML1 SOAP binding
• Attribute Service with SAML1 SOAP binding

But only remove them after verifying they are not used!

Page 67

3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed? Check if it has been used within the last few months. If not, remove it from the Resource Registry.

How to check if it has been used? Check the log files. To find SAML1 SOAP binding logins in 2015:
$ cd /opt/shibboleth-idp/logs
$ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log
Returns information (i.e. time, SP) when the binding was used the last time.
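The usage check above, and the reload entries that the reloading hands-on slide quotes from idp-audit.log, can both be evaluated with one small script instead of grepping by hand. The following Python example is added here and is not part of the SWITCH handout; it assumes the '|'-separated idp-audit.log layout quoted on that slide (timestamp first), detects binding, profile and entityID fields by pattern rather than fixed position, and works on constructed sample records.

```python
"""Summarise an IdP v3 idp-audit.log: last use of every SAML binding per
relying party, plus the configuration/metadata reload events.

Added example, not from the SWITCH handout. Assumptions: records are
'|'-separated with the timestamp in the first field (as in the handout's
reload excerpt); binding fields are SAML binding URNs, the profile field is
a http://shibboleth.net/ns/profiles/... URI and the first other http(s)
field is the relying party (SP). Positions are detected by pattern, not
hard-coded. All sample lines below are constructed.
"""
import re
from collections import defaultdict

RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
    "http://shibboleth.net/ns/profiles/reload-metadata",
}
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

BINDING_RE = re.compile(r"^urn:oasis:names:tc:SAML:[12]\.0:bindings:")
PROFILE_RE = re.compile(r"^http://shibboleth\.net/ns/profiles/")
ENTITY_RE = re.compile(r"^https?://")

# Constructed sample records: one SAML1 attribute query over SOAP, one
# SAML2 browser SSO login, and the two reload events from the handout.
SAMPLE_LOG = """\
20150302T081500Z|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml1/query/attribute|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding|_r1|||||
20150610T143000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://aai-login.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,givenName||
20150611T090000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T090500Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""


def parse_record(line):
    """Split one audit record into (timestamp, bindings, profile, relying_party).
    Returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    fields = line.split("|")
    timestamp = fields[0]
    bindings = sorted({f for f in fields if BINDING_RE.match(f)})
    profile = next((f for f in fields if PROFILE_RE.match(f)), "")
    relying_party = next(
        (f for f in fields if ENTITY_RE.match(f) and not PROFILE_RE.match(f)), ""
    )
    return timestamp, bindings, profile, relying_party


def summarise(log_text):
    """Return ({binding: {relying_party: last_timestamp}}, [(timestamp, kind)]).

    Timestamps in the basic ISO form used here sort correctly as strings,
    so a plain comparison finds the most recent use."""
    last_use = defaultdict(dict)
    reloads = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        timestamp, bindings, profile, relying_party = record
        if profile in RELOAD_PROFILES:
            # The record only names the reload profile; the id= argument of
            # the admin flow is not part of the audit entry.
            reloads.append((timestamp, profile.rsplit("/", 1)[1]))
            continue
        for binding in bindings:
            if timestamp > last_use[binding].get(relying_party, ""):
                last_use[binding][relying_party] = timestamp
    return last_use, reloads


def users_since(last_use, binding, cutoff):
    """Relying parties that used `binding` at or after `cutoff`. An empty
    result means the endpoint has been idle since `cutoff`, which is the
    handout's criterion for removing it from the Resource Registry."""
    return sorted(rp for rp, ts in last_use.get(binding, {}).items() if ts >= cutoff)


if __name__ == "__main__":
    usage, reload_events = summarise(SAMPLE_LOG)
    for binding, per_rp in sorted(usage.items()):
        for rp, ts in sorted(per_rp.items()):
            print(f"{binding}  last used {ts} by {rp}")
    print("SAML1 SOAP users since 2015-04-01:",
          users_since(usage, SAML1_SOAP, "20150401T000000Z") or "none")
    for ts, kind in reload_events:
        print(f"{ts}  {kind}")
```

Run it against a real log with `summarise(open("/opt/shibboleth-idp/logs/idp-audit.log").read())`; the field-pattern detection tolerates a customised audit format as long as the timestamp stays first.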

Page 68

SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory, clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagrams)

Page 71

Options
• Full-featured setup: Load Balancing Hardware vs DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics. Status of IdP nodes can be monitored
    · Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    · Behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address
    · Fast switching possible, but more complicated setup
  – Switching via DNS
    · Switching takes some time (TTL), but setup is easy

Options
• Data storage: client-side vs server-side
  – Server-side database can store any data
    · But: might cause some performance penalty
    · Centralized/clustered or replicated database required
  – Client-side storage using cookies
    · Doesn't work for large data like user consents
    · Stored per single client. Not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
----------------------|---------------------|-----------
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References: Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for Interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most Federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map: Production / Pilot; source: https://refeds.org/federations/federations-map)

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                            | Defined in | Example
-----------------------------------------|------------|-----------------------------------------------------------
displayName                              | eduPerson  | Peter Sample
common name (cn)                         | eduPerson  | Peter Sample
mail                                     | eduPerson  | peter.sample@example.org
eduPersonAffiliation                     | eduPerson  | staff
eduPersonScopedAffiliation               | eduPerson  | staff@example.org
eduPersonPrincipalName                   | eduPerson  | 234cd8z239@example.org
schacHomeOrganization                    | SCHAC      | example.org
schacHomeOrganizationType                | SCHAC      | urn:schac:homeOrganizationType:ch:university
                                         |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID / Persistent Name ID | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
• In interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

(Diagram: Metadata)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                  | GÉANT DP CoCo
----------------------------|----------------------------------
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (screenshot)

Page 88

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
Logfiles:
• error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• logging implementation called Logback: Log4j successor
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK. Change it if required, i.e.
  – LDAP Auth Module or authentication events
  – new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2: Find out why not all of the attributes appear

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)


⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that the attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check why it fails
      – If NO: review your attribute release policy
• Another issue: an SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's own federation used only signed, not encrypted, SAML assertions, so the problem had not been discovered earlier.

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, and under "Metadata URL" click "validate this metadata set", then "show entities list"
  – or search for it in the eduGAIN list of entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated" checker: https://wiki.edugain.org/isFederatedCheck (provide e-mail addresses or domain names)
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org/

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch/, pick "Search for resources", then "interfederation"
  – or search for it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


3. Remove Unnecessary Endpoints

How to check if a profile and binding can be removed: check whether it has been used within the last few months. If not, remove it from the Resource Registry.

How to check whether it has been used: check the log files. To find SAML 1 SOAP binding logins in 2015:

  $ cd /opt/shibboleth-idp/logs
  $ grep urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding idp-process-2015-*.log

The matching lines tell you when (time) and by whom (SP) the binding was last used; no match over the whole retention period is the evidence you need before removing the endpoint.
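The two log checks this handout asks for, "has this binding been used at all in the last months" (above) and "were all attributes the SP requires actually released" (the Attributes troubleshooting slide), are easier to answer reliably from idp-audit.log than by eyeballing grep output. The script below is an added example written for this page; it is not part of the SWITCH slides or of the Shibboleth distribution. It assumes a pipe-delimited audit record whose field order is the one in AUDIT_FIELDS (the real order is set by the %-pattern in conf/audit.xml, so adapt the list), and every log line, SP entityID and attribute requirement in it is constructed sample data, not real traffic. It also shows the edge case from the hands-on slide: reload admin flows leave audit lines with an empty relying party, and those must not be counted as logins.

```python
"""Triage an IdP v3 audit log: last use per request binding, and
attribute coverage per login. Added example, constructed sample data."""

# Assumed field order of the pipe-delimited audit record; extra trailing
# fields in a real log are simply ignored by zip().
AUDIT_FIELDS = ["time", "requestBinding", "requestId", "relyingParty",
                "profile", "principal", "authnContext", "attributes"]

SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
AQ_PROFILE = "urn:mace:shibboleth:2.0:profiles:saml1:query:attribute"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample log. Fixed-width UTC timestamps, so plain string
# comparison orders them. The last line is what a reload admin flow leaves.
SAMPLE_AUDIT = f"""\
2015-03-02T10:00:00Z|{SAML1_SOAP}|_q1|https://legacy.example.org/shibboleth|{AQ_PROFILE}|jdoe||eduPersonPrincipalName
2015-06-11T08:15:00Z|{SAML2_REDIRECT}|_a1|https://sp.example.org/shibboleth|{SSO_PROFILE}|jdoe|{PPT}|eduPersonPrincipalName,mail,displayName
2015-06-11T08:17:00Z|{SAML2_REDIRECT}|_a2|https://filesender.example.net/shibboleth|{SSO_PROFILE}|jdoe|{PPT}|eduPersonTargetedID
2015-06-11T08:19:00Z|{SAML2_REDIRECT}|_a3|https://sp.example.org/shibboleth|{SSO_PROFILE}|asmith|{PPT}|eduPersonPrincipalName,mail,displayName,eduPersonScopedAffiliation
2015-06-11T09:00:00Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""

# Constructed stand-in for the SP requirements recorded in the Resource
# Registry. SPs not listed here are not judged.
REQUIRED_ATTRIBUTES = {
    "https://sp.example.org/shibboleth": {
        "eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation"},
    "https://filesender.example.net/shibboleth": {"eduPersonTargetedID", "mail"},
}


def parse_audit(text):
    """Turn audit lines into dicts; drop records without a relying party
    (reload events and other admin flows) so they never count as logins."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(AUDIT_FIELDS, line.split("|")))
        if not rec.get("relyingParty"):
            continue
        rec["attributes"] = {a for a in rec.get("attributes", "").split(",") if a}
        records.append(rec)
    return records


def last_use_by_binding(records):
    """Latest timestamp per (requestBinding, relyingParty). A binding that
    never appears over the retention window is the evidence the slide asks
    for before removing its endpoint from the Resource Registry."""
    last = {}
    for rec in records:
        key = (rec["requestBinding"], rec["relyingParty"])
        if rec["time"] > last.get(key, ""):
            last[key] = rec["time"]
    return last


def check_release(records, required=REQUIRED_ATTRIBUTES):
    """One finding (time, relyingParty, principal, missing) per login whose
    released attributes do not cover what the SP requires."""
    findings = []
    for rec in records:
        need = required.get(rec["relyingParty"])
        if need is None:
            continue
        missing = need - rec["attributes"]
        if missing:
            findings.append((rec["time"], rec["relyingParty"], rec["principal"], frozenset(missing)))
    return findings


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for (binding, sp), when in sorted(last_use_by_binding(recs).items()):
        print(f"{when}  {binding.rsplit(':', 1)[-1]:<14} {sp}")
    for when, sp, who, missing in check_release(recs):
        print(f"{when}  {who}@{sp} lacks {', '.join(sorted(missing))}")
```

Run it against the real file with `parse_audit(open("/opt/shibboleth-idp/logs/idp-audit.log").read())` after fixing AUDIT_FIELDS to your audit.xml pattern; the attribute field in a real log may also use a different separator than the comma assumed here. A finding with a non-empty "missing" set points at your attribute release policy, an empty finding list for a failing SP points back at the SP, which is exactly the decision tree on the Attributes slide.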

Clustering IdPs: High Availability and Load Balancing

Goals

• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further use is to avoid outages during maintenance: a server can be taken out without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  – In particular, user login sessions are stored on the client instead of in server memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in browser cookies only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database; therefore clustered IdPs need some kind of clustered database or a replication mechanism

Example Environment

(Two diagram-only slides showing the example cluster environment.)

Options: Load Balancing Hardware vs. DNS Round Robin

• Full-featured setup
  – Special load-balancing hardware or software is highly recommended
    – Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    – Supports sticky sessions (required for the short-lived conversation sessions)
  – DNS round robin doesn't work reliably
    – The behaviour of clients is not determinable
    – Does not guarantee sticky sessions
• Basic setup (active/standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but the setup is easy

Options: Data storage client-side vs. server-side

• Server-side database can store any data
  – But: might cause some performance penalty
  – Centralized/clustered or replicated database required
• Client-side storage using cookies
  – Doesn't work for large data like user consents
  – Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. Which setup to choose depends on the requirements and the possibilities of the institution.

Storage Entities

• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdP nodes access a common storage to fully support Attribute Queries
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  – Require a common storage: the data must be available to all active nodes to reliably support the SAML 2.0 artifact binding
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message already accepted by one node is not recognised as a replay by another
  – For higher security requirements the message replay cache can be kept in the central database, or memcached might be used

Storage Recommendations

  Storage Entity          Recommended Storage   Scope
  Conversation Session    Memory                Per Node
  IdP User Session        Client                Per Client
  Persistent ID           Common Database       Cluster
  User consents           Common Database       Cluster
  SAML artifacts          Common Database       Cluster
  Message replay cache    Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
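Before a second node goes live it pays to lint idp.properties against the recommendation table above, because the stock single-node defaults (session and consent in cookies, artifacts and replay cache in per-node memory) are silently wrong for a cluster. The script below is an added example for this page, not part of the SWITCH material or of the IdP distribution. The four property names are the real IdP v3 ones from the slide; the bean classification covers the stock v3 storage bean IDs plus shibboleth.JPAStorageService from the slides, and any other bean (a memcached bean, say) has to be added to SHARED_BACKENDS by hand. The Persistent ID store lives in global.xml and is out of scope. Both property files are constructed samples.

```python
"""Lint idp.properties storage settings against the clustering table.
Added example; property names are IdP v3's, file contents are constructed."""

PER_NODE_MEMORY = {"shibboleth.StorageService"}
CLIENT_SIDE = {"shibboleth.ClientSessionStorageService",
               "shibboleth.ClientPersistentStorageService"}
SHARED_BACKENDS = {"shibboleth.JPAStorageService"}  # extend for your deployment

# property -> (storage entity, scope the recommendation table asks for)
CHECKS = {
    "idp.session.StorageService": ("IdP user session", "client"),
    "idp.consent.StorageService": ("user consents", "shared"),
    "idp.artifact.StorageService": ("SAML artifacts", "shared"),
    "idp.replayCache.StorageService": ("message replay cache", "node"),
}

# Constructed: the stock single-node defaults, fine for one server only.
SINGLE_NODE_PROPERTIES = """
# storage back-ends (defaults)
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# Constructed: the same file after applying the recommendation table.
CLUSTER_PROPERTIES = """
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' or 'key: value',
    lines starting with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def classify(bean_id):
    """Where a storage bean keeps its data: node, client, shared or unknown."""
    if bean_id in PER_NODE_MEMORY:
        return "node"
    if bean_id in CLIENT_SIDE:
        return "client"
    if bean_id in SHARED_BACKENDS:
        return "shared"
    return "unknown"


def lint_storage(props, artifacts_in_use=True):
    """Return (property, bean, reason) for every setting that would break or
    degrade a multi-node IdP. An empty list means the file matches the table."""
    problems = []
    for key, (what, wanted) in CHECKS.items():
        if key == "idp.artifact.StorageService" and not artifacts_in_use:
            continue  # slide: irrelevant when SAML 2.0 artifacts are not used
        bean = props.get(key, "")
        kind = classify(bean)
        if kind == "unknown":
            problems.append((key, bean, f"{what}: unknown bean, classify it first"))
        elif wanted == "shared" and kind != "shared":
            where = "per-node memory" if kind == "node" else "a browser cookie"
            problems.append((key, bean, f"{what} kept in {where}; needs a common database"))
        elif wanted == "client" and kind == "node":
            problems.append((key, bean, f"{what} pinned to one node; failover forces re-login"))
    return problems


if __name__ == "__main__":
    for name, text in (("single-node", SINGLE_NODE_PROPERTIES), ("cluster", CLUSTER_PROPERTIES)):
        print(name, lint_storage(parse_properties(text)) or "OK")
```

Point `parse_properties` at the contents of /opt/shibboleth-idp/conf/idp.properties on each node and diff the results; the replay cache is deliberately accepted per node, matching the table, and a deployment that wants the stricter shared cache will show up as "OK" either way.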

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key: a node that has not yet received the new key cannot decrypt cookies sealed with it, and its users would be forced to log in again. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes

• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need: basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run a clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals

• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data-protection-conformant attribute release that scales

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?

• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

(Map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963

http://www.edugain.org/
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

  Friendly name                Defined in   Example
  displayName                  eduPerson    Peter Sample
  common name (cn)             eduPerson    Peter Sample
  mail                         eduPerson    peter.sample@example.org
  eduPersonAffiliation         eduPerson    staff
  eduPersonScopedAffiliation   eduPerson    staff@example.org
  eduPersonPrincipalName       eduPerson    234cd8z239@example.org
  schacHomeOrganization        SCHAC        example.org
  schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

(Screenshot of the Resource Registry; see https://www.switch.ch/aai/interfederation/)

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided on opt-out instead
• The MDS fetches, aggregates and republishes metadata

(Diagram of the eduGAIN policy documents: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria
  – Purpose
  – Policies
  – Or other
• In the interfederation context
  – Filling the gap of missing common policies
  – Support or increase scalable trust

Metadata

(Slide showing an entity category in SAML metadata.)

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
• Increases the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment.)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

REFEDS Research & Scholarship

• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                    GÉANT DP CoCo
  Global                        Mainly Europe
  Common purpose of the SPs     Common data protection standards
  Fixed set of attributes       SP can require any attributes

Attribute Release Configuration: How attributes are released

Attribute Release Rules

(Screenshot of the Resource Registry.)

Attribute Release Settings (1)

(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)

(Screenshot, continued.)

Overview of Log Files

Apache log files

• Log files
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties, e.g. FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost_access_log.YYYY-MM-DD.txt (the access log)
  – access information associated with a request: IP address, time, request method (GET or POST)
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/server.xml (AccessLogValve: output dir and name)

Shibboleth log files (1)

• Logging implementation: Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance

Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml
  – Three main classes: Logger, Appender (output destination) and Layout
  – Default settings are usually OK; change them if required, e.g. for the LDAP auth module or authentication events, or to add a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note that SMTPAppender only sends a mail when an ERROR-level event arrives (its default evaluator); the mail then carries that event together with the preceding events held in its cyclic buffer, so attaching it to a root logger at DEBUG does not flood the mailbox with debug output.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an addit­ional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2

• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it was only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
    $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

  shibboleth.LoggingService                   logging configuration reload (logback.xml)
  shibboleth.AttributeFilterService           attribute filter reload
  shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
  shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
  shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
  shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
  shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
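Once a configuration change touches several of the services above (a new attribute definition plus a filter rule plus a metadata source, say) it is worth scripting the reloads in a fixed order and stopping on the first failure, rather than firing individual curl calls and reading the replies. The script below is an added example for this page, not part of the SWITCH material or of the IdP distribution. The two admin-flow URLs and the seven service bean IDs are the ones from the slides; the metadata provider ID used in the demo call is hypothetical (find yours with the grep on the previous slide). The transport is a plain urllib GET whose HTTP status is taken as the verdict, which is an assumption about the admin flow's failure signalling (a reload of a file with a syntax error should not answer 2xx); the `fetch` function is injectable so the sequencing and the local ID validation can be exercised without an IdP. Remember that access-control.xml decides from where these URLs may be called at all (localhost by default).

```python
"""Trigger IdP v3 reload admin flows and fail loudly when one does not
succeed. Added example; endpoints and service IDs are from the slides."""
import urllib.error
import urllib.request
from urllib.parse import urlencode

# The reloadable services listed on the "Available bean IDs" slide.
SERVICE_IDS = frozenset({
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
})


def reload_url(base, kind, ident):
    """URL of the reload-service / reload-metadata admin flow for one ID."""
    if kind not in ("service", "metadata"):
        raise ValueError(f"kind must be 'service' or 'metadata', not {kind!r}")
    return f"{base.rstrip('/')}/idp/profile/admin/reload-{kind}?{urlencode({'id': ident})}"


def unknown_service_ids(ids):
    """IDs that are not reloadable services: catch typos locally instead of
    learning about them from the IdP's error response."""
    return [i for i in ids if i not in SERVICE_IDS]


def http_status(url, timeout=30):
    """Real transport: GET and return the HTTP status, error codes included."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def reload_all(base, service_ids=(), metadata_ids=(), fetch=http_status):
    """Reload services first, then metadata providers. Returns {url: status}
    in call order. `fetch` is injectable so the logic runs without an IdP."""
    bad = unknown_service_ids(service_ids)
    if bad:
        raise ValueError(f"not reloadable service IDs: {bad}")
    results = {}
    for kind, ids in (("service", service_ids), ("metadata", metadata_ids)):
        for ident in ids:
            url = reload_url(base, kind, ident)
            results[url] = fetch(url)
    return results


def failures(results):
    """Subset of results whose status is not 2xx; empty means every reload worked."""
    return {url: status for url, status in results.items() if not 200 <= status < 300}


if __name__ == "__main__":
    import sys
    res = reload_all("https://aai-login.example.org",
                     ["shibboleth.AttributeResolverService", "shibboleth.AttributeFilterService"],
                     ["SWITCHaaiMetadata"])  # hypothetical metadata provider ID
    for url, status in res.items():
        print(status, url)
    sys.exit(1 if failures(res) else 0)
```

The resolver is reloaded before the filter on purpose: a filter rule that names an attribute the resolver does not yet know is a silent no-op, so the order in which the services pick up a change matters. The exit status makes the script usable from a deployment pipeline, and the audit-log entries for each call (see the hands-on slide) give you the server-side record of what was reloaded and when.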

And restartless login page editing too

• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up to date:
    – interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load the interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS) (slide 6)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes (slide 7)
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      · If YES: the SP has to check out why it fails
      · If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    · pick the country where the entity might be registered
    · under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


SWITCHaai Team, aai@switch.ch

Clustering IdPs: High Availability and Load Balancing

Goals (slide 2)
• Operate the IdP on multiple servers to get high availability and/or load balancing
  – Load balancing is especially desirable for IdPs with a lot of user logins and a high load, i.e. for large organizations
  – A further usage is to avoid outages during maintenance: a server can be taken away without breaking the operation
• Keep existing IdP user sessions valid if a server is manually removed from the cluster for maintenance or if a server fails
  – Users should not need to re-login if a server fails or is manually removed from the cluster

Page 69

Support for clustering in IdPv3 (slide 3)
• IdPv3 provides better support for clustering than IdPv2
  – Especially, user login sessions are stored on the client instead of on the server in memory
  – Allows flexible configuration of various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data in memory or in cookies in the browser only, i.e. avoiding a database. But:
  – Full support for Attribute Query requires persistent storage of the Persistent ID
  – Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges (slide 4)
• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (slide 5)
(diagram, not reproduced in the text extraction)

Example Environment (slide 6)
(diagram, not reproduced in the text extraction)

Page 71

Options (slide 7)
• Full-featured setup: load balancing hardware vs. DNS Round Robin
  – Special load balancing hardware or software is highly recommended
    · Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
    · Supports sticky sessions (required for short-lived conversation sessions)
  – DNS Round Robin doesn't work reliably
    · Behavior of clients is not determinable
    · Does not guarantee sticky sessions
• Basic setup (Active/Standby system)
  – Anycast IP address: fast switching possible, but more complicated setup
  – Switching via DNS: switching takes some time (TTL), but setup is easy

Options (slide 8)
• Data storage: client-side vs. server-side
  – A server-side database can store any data
    · But: might cause some performance penalty
    · Centralized/clustered or replicated database required
  – Client-side storage using cookies
    · Doesn't work for large data like user consents
    · Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities (slide 9)
• Conversation Session (Profile Request Session)
  – Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  – Bound to a single node (session state stored in memory)
  – Requires session stickiness on the load balancer (short-time only)
• IdP User Session
  – After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  – Floatable between nodes (stored on the client)
• Persistent ID
  – Unique opaque identifier for a user per service provider
  – In a typical SWITCHaai deployment the Persistent ID is stored in a database
  – Requires that all IdPs access a common storage to fully support Attribute Queries

Storage Entities (slide 10)
• User consent to attribute release and terms of use
  – Requires persistent storage (client-side or server-side)
  – Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
  – Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
  – Seldom used in SWITCHaai
• Message replay cache
  – Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
  – For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations (slide 11)

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage (slide 12)
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  – IdP User Session: idp.session.StorageService
  – User Consents: idp.consent.StorageService
  – SAML artifacts: idp.artifact.StorageService
  – Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  – Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage (slide 13)
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.
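As an added example (not code from the handouts or from the Shibboleth project), a small checker that reads an idp.properties fragment and compares the storage service assigned to each entity with the Storage Recommendations table above. It assumes that shibboleth.StorageService, shibboleth.ClientSessionStorageService, shibboleth.ClientPersistentStorageService and shibboleth.MemcachedStorageService are the IdP v3 built-in storage beans; shibboleth.JPAStorageService is the deployer-defined database service named on the slides.

```python
"""Added example (not part of the SWITCH handouts): check the storage-service
bean assigned to each storage entity in idp.properties against the
"Storage Recommendations" table for a clustered IdP v3."""
import re

# Acceptable storage scopes per entity, taken from the Storage Recommendations
# slide and its remarks (the replay cache may also live in the common database).
RECOMMENDED = {
    "idp.session.StorageService": {"client"},                   # IdP User Session: per client
    "idp.consent.StorageService": {"common-db"},                # User consents: cluster-wide
    "idp.artifact.StorageService": {"common-db"},               # SAML artifacts: cluster-wide
    "idp.replayCache.StorageService": {"memory", "common-db"},  # default memory, per node
}

# Where each storage service bean keeps its data. The shibboleth.* names are
# assumed to be the IdP v3 built-in services, except shibboleth.JPAStorageService,
# which is the deployer-defined database service from global.xml named on the slides.
BEAN_SCOPE = {
    "shibboleth.StorageService": "memory",                  # in-memory, per node
    "shibboleth.ClientSessionStorageService": "client",     # encrypted cookie, per client
    "shibboleth.ClientPersistentStorageService": "client",  # encrypted cookie, per client
    "shibboleth.JPAStorageService": "common-db",            # database shared by all nodes
    "shibboleth.MemcachedStorageService": "common-db",      # shared cache (memcached)
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, comments with # or !."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_cluster_storage(properties_text):
    """Return a list of (property, value, problem) for settings unsuitable for a cluster."""
    props = parse_properties(properties_text)
    findings = []
    for prop, allowed in RECOMMENDED.items():
        value = props.get(prop)
        if value is None:
            findings.append((prop, None, "not set, the IdP default applies; set it explicitly"))
            continue
        scope = BEAN_SCOPE.get(value)
        if scope is None:
            findings.append((prop, value, "unknown storage bean, check global.xml"))
        elif scope not in allowed:
            wanted = " or ".join(sorted(allowed))
            findings.append((prop, value, f"{scope} storage, but {wanted} recommended"))
    return findings


# Constructed sample: storage settings of a single-server IdP (consent in a cookie,
# artifacts in memory). On a cluster, consent is lost when the user switches
# browsers and artifacts are only resolvable on the node that issued them.
SINGLE_NODE = """\
# constructed sample idp.properties fragment
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.artifact.StorageService = shibboleth.StorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

# The same fragment corrected for a cluster with the common database behind
# shibboleth.JPAStorageService; the replay cache stays in memory per node.
CLUSTERED = """\
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
"""

if __name__ == "__main__":
    for name, text in (("single-node", SINGLE_NODE), ("clustered", CLUSTERED)):
        print(f"{name}:")
        for prop, value, problem in check_cluster_storage(text) or [("", "", "ok")]:
            print(f"  {prop} {value or ''} {problem}")
```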

IdP Configuration: Secret Key Management (slide 14)
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
• Setup
  – Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  – Install an appropriate cronjob
  – The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Page 75

Further Notes (slide 15)
• Memcached
  – Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  – Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  – No longer an option for IdPv3

Considerations for planning an IdP cluster (slide 16)
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation (slide 17)
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals (slide 2)
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation? (slide 4)
• Most federations are of national scope
  – Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
  – Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  – Register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (slide 5)
(map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status (slide 6)
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015
  – IdPs: 1257
  – SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry (slide 7)
https://www.switch.ch/aai/interfederation
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes (slide 8)

Friendly name                 Defined in   Example
displayName                   eduPerson    Peter Sample
common name (cn)              eduPerson    Peter Sample
mail                          eduPerson    peter.sample@example.org
eduPersonAffiliation /        eduPerson    staff / staff@example.org
eduPersonScopedAffiliation
eduPersonPrincipalName        eduPerson    234cd8z239@example.org
schacHomeOrganization         SCHAC        example.org
schacHomeOrganizationType     SCHAC        urn:schac:homeOrganizationType:ch:university
                                           urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /         eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
(screenshot of the Resource Registry)

eduGAIN: What is it and how does it work? (slide 10)
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
(diagram; elements shown: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories (slide 13)
A generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  – Criteria
  – Purpose
  – Policies
  – Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Metadata (slide 14)
(figure, not reproduced in the text extraction)

Page 84

GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale
Increase the trust in Service Providers (SPs)
(diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct (slide 16)
• Principles
  – Legal compliance
  – Purpose limitation
  – Data minimisation
  – Deviating purposes
  – Data retention
  – Third parties
  – Security measures
  – Information duty towards end user
  – Information duty towards home organization
  – Security breaches
  – Liability
  – Transfer to third countries
  – Governing law and jurisdiction
  – Eligibility to execute
  – Termination of the Code of Conduct
  – Survival of the clauses
  – Precedence

Page 85

Data Protection Code of Conduct (DP CoCo) (slide 17)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative, informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship (slide 19)
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison (slide 20)

REFEDS R&S                     GÉANT DP CoCo
Global                         Mainly Europe
Common purpose of the SPs      Common data protection standards
Fixed set of attributes        SP can require any attributes

Page 87
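An added example, not part of the handouts: given an SP's SAML metadata, detect its entity categories and derive what the IdP would release following the two models compared above (R&S: the fixed minimal subset; CoCo: the attributes the SP marks as required, but only if it publishes a privacy policy). The metadata is constructed inline; the R&S category URI http://refeds.org/category/research-and-scholarship, the mdui:PrivacyStatementURL element and the attribute OIDs are assumed from the respective specifications, not taken from the slides.

```python
"""Added example (not part of the SWITCH handouts): entity-category driven
attribute release decision for an SP, based on its SAML metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # CoCo URI from the slides
RS = "http://refeds.org/category/research-and-scholarship"  # assumed: REFEDS R&S category URI

# Attribute OIDs as SPs request them in metadata (assumed from the eduPerson/LDAP schemas).
OID = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
}
# R&S minimal subset from the slides: ePPN, mail, person name (given name + surname or displayName).
RS_MINIMAL = {OID[a] for a in ("eduPersonPrincipalName", "mail", "displayName", "givenName", "sn")}


def sample_sp(entity_id, categories, required, optional=(), privacy_url=None):
    """Constructed SP metadata for this example (not taken from any federation feed)."""
    cats = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    uiinfo = ""
    if privacy_url:
        uiinfo = ('<md:Extensions><mdui:UIInfo><mdui:PrivacyStatementURL xml:lang="en">'
                  f"{privacy_url}</mdui:PrivacyStatementURL></mdui:UIInfo></md:Extensions>")
    reqs = "".join(f'<md:RequestedAttribute Name="{a}" isRequired="true"/>' for a in required)
    opts = "".join(f'<md:RequestedAttribute Name="{a}"/>' for a in optional)
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
        f'xmlns:saml="{NS["saml"]}" xmlns:mdui="{NS["mdui"]}" entityID="{entity_id}">'
        f'<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">'
        f"{cats}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>"
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'{uiinfo}<md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">'
        f"{entity_id}</md:ServiceName>{reqs}{opts}</md:AttributeConsumingService>"
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def entity_categories(entity):
    """Entity category URIs carried in the mdattr:EntityAttributes extension."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def requested_attributes(entity):
    """(required, optional) attribute names from the SP's AttributeConsumingService."""
    required, optional = set(), set()
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in entity.findall(path, NS):
        (required if ra.get("isRequired") == "true" else optional).add(ra.get("Name"))
    return required, optional


def privacy_statement_url(entity):
    el = entity.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL", NS)
    return el.text.strip() if el is not None and el.text else None


def release_decision(entity_xml):
    """Which attributes the IdP would release to this SP, and why."""
    entity = ET.fromstring(entity_xml)
    cats = entity_categories(entity)
    required, optional = requested_attributes(entity)
    release, notes = set(), []
    if RS in cats:
        # R&S: fixed attribute set regardless of what the SP lists, so no per-SP review is
        # needed; that is what makes release scale.
        release |= RS_MINIMAL
        notes.append("R&S: released the fixed minimal subset")
    if COCO_V1 in cats:
        # CoCo: the SP may require any attributes, but it must publish a privacy policy.
        if privacy_statement_url(entity) is None:
            notes.append("CoCo: no PrivacyStatementURL in metadata, nothing released under CoCo")
        else:
            release |= required
            notes.append(f"CoCo: released {len(required)} required attribute(s), "
                         f"{len(optional)} optional one(s) withheld")
    if not cats:
        notes.append("no entity category: attribute release needs a per-SP rule")
    return {"entityID": entity.get("entityID"), "categories": sorted(cats),
            "release": sorted(release), "notes": notes}


if __name__ == "__main__":
    print(release_decision(sample_sp("https://coco.example.org/shibboleth", [COCO_V1],
                                     [OID["mail"]], privacy_url="https://coco.example.org/privacy")))
```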

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules (slide 2)
(figure, not reproduced in the text extraction)

Page 88

Attribute Release Settings (1) (slide 3)
(screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (slide 4)
(screenshot)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files (slide 2)
• Logfiles
  – error.log / aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log / aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

Page 90

Tomcat log files (slide 3)
• catalina.out
  – console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties
    · FileHandler.level: INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1) (slide 4)
• Logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3) (slide 6)
• Config: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually ok; change it if required, e.g. for
    · LDAP Auth Module or authentication events
    · a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml (slide 7)

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>
    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2 (slide 9)
(screenshot)
• Find out why not all of the attributes appear

Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   – [org.ldaptive.auth.Authenticator:284]
   – [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2 (slide 2)
• only supported in a limited way
  – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
    · attribute resolver (attribute-resolver.xml)
    · attribute filtering engine (attribute-filter.xml)
    · profile handler manager (handler.xml)
    · relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) that were required when JSP files were changed with the IdP v2

Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file


Support for clustering in IdPv3

• IdPv3 provides better support for clustering than IdPv2
  • In particular, user login sessions are stored on the client instead of in memory on the server
  • Allows flexible configuration of the various storage services (memory, server-side, client-side)
• In theory clustering would be easy by storing data only in memory or in cookies in the browser, i.e. avoiding a database. But:
  • Full support for Attribute Query requires persistent storage of the Persistent ID
  • Storing user consents per browser is not convenient for users
• Documentation on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Challenges

• The setup of the IdP and the whole environment is more complex than with a single-server IdP
• Special configuration of the IdP is required
• Load balancing requires special hardware or software
• IdPs in SWITCHaai store some data in a database. Therefore clustered IdPs need some kind of clustered database or some replication mechanism

Page 70

Example Environment (diagram only, slides 5 and 6)

Page 71

Options: Full-featured setup

Load balancing hardware vs. DNS round robin
• Special load balancing hardware or software is highly recommended
  • Guaranteed and flexible high-availability, load-balancing and failover characteristics; the status of IdP nodes can be monitored
  • Supports sticky sessions (required for the short-lived conversation sessions)
• DNS round robin doesn't work reliably
  • Behavior of clients is not determinable
  • Does not guarantee sticky sessions

Options: Basic setup (Active/Standby system)
• Anycast IP address
  • Fast switching possible, but more complicated setup
• Switching via DNS
  • Switching takes some time (TTL), but setup is easy

Options: Data storage client-side vs. server-side
• Server-side database can store any data
  • But: might cause some performance penalty
  • Centralized/clustered or replicated database required
• Client-side storage using cookies
  • Doesn't work for large data like user consents
  • Stored per single client: not suitable for users using multiple browsers

There are many mechanisms and options available to set up a suitable environment. The setup to choose depends on the requirements and the possibilities of the institution.

Page 72

Storage Entities

• Conversation Session (Profile Request Session)
  • Transient web flow at the IdP, e.g. the SAML2 SSO login sequence
  • Bound to a single node (session state stored in memory)
  • Requires session stickiness on the load balancer (short-term only)
• IdP User Session
  • After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
  • Floatable between nodes (stored on the client)
• Persistent ID
  • Unique opaque identifier for a user per service provider
  • In a typical SWITCHaai deployment the Persistent ID is stored in a database
  • Requires that all IdP nodes access a common storage to fully support Attribute Queries

Storage Entities (continued)

• User consent to attribute release and terms of use
  • Requires persistent storage (client-side or server-side)
  • Requires server-side storage to allow users to use multiple browsers/clients
• SAML artifacts
  • Requires a common storage: the data must be available to all active nodes to reliably support the SAML 2.0 artifact binding (the node that resolves an artifact is not necessarily the node that issued it)
  • Seldom used in SWITCHaai
• Message replay cache
  • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration): a message already seen by one node is not recognized as a replay by another node
  • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

Page 73

Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage

• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

Page 74

IdP Configuration: Database Storage

• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used

IdP Configuration: Secret Key Management

• The IdP User Session is stored in an encrypted cookie in the browser. The key used to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key: a node that has not yet received the newest key cannot decrypt session cookies sealed by another node, and users moved to it by the load balancer have to log in again. It is recommended that one node generates a new key and copies it to the other nodes
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
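To make the rotation rules concrete, here is a small added example (it is neither the IdP's own code nor the cronjob script from the wiki) that models a versioned key ring shared by a generator node and a follower node: the newest version seals new cookies, older versions stay readable for a retention window, and a follower that missed a key copy cannot open cookies sealed under the version it lacks. The seal layout (version | nonce | ciphertext | tag) and the HMAC-SHA256 encrypt-then-MAC construction are assumptions chosen so that the script needs only the Python standard library; the IdP itself keeps its keys in a Java keystore and seals cookies with its DataSealer component, which this does not reproduce.

```python
"""Versioned key ring for sealed session cookies (added example, not IdP code).

Assumed seal format: 4-byte big-endian key version | 16-byte nonce |
ciphertext | 32-byte HMAC-SHA256 tag. Encryption is HMAC-SHA256 in counter
mode; MAC and encryption use separate subkeys derived from the ring key.
"""
import hashlib
import hmac
import os
import struct


class KeyRing:
    """Numbered key versions; the highest version seals new cookies."""

    def __init__(self, retain=3):
        self.keys = {}          # version -> 32-byte key
        self.current = 0
        self.retain = retain    # how many most recent versions stay readable

    def rotate(self, key=None):
        """Generate (or install) the next version and prune versions outside the window."""
        self.current += 1
        self.keys[self.current] = key if key is not None else os.urandom(32)
        for old in [v for v in self.keys if v <= self.current - self.retain]:
            del self.keys[old]
        return self.current

    def install(self, version, key):
        """What a follower node does when the generator node copies a key over."""
        if version != self.current + 1:
            raise ValueError("key versions must be installed in order")
        self.rotate(key)


def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: deterministic per (key, nonce, counter).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(ring, plaintext):
    """Encrypt-then-MAC under the ring's current key version."""
    enc_key, mac_key = _subkeys(ring.keys[ring.current])
    nonce = os.urandom(16)
    header = struct.pack(">I", ring.current) + nonce
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unseal(ring, blob):
    """Plaintext, or None if the version is unknown here or the tag does not verify."""
    if len(blob) < 20 + 32:
        return None
    version = struct.unpack(">I", blob[:4])[0]
    key = ring.keys.get(version)
    if key is None:
        return None                     # rotated out, or never copied to this node
    enc_key, mac_key = _subkeys(key)
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        return None                     # tampered or wrong key
    return _xor(ct, _keystream(enc_key, header[4:], len(ct)))


def demo():
    """Two cluster nodes with a 2-version window; returns (after_sync, stale_node, expired)."""
    generator, follower = KeyRing(retain=2), KeyRing(retain=2)
    v = generator.rotate()
    follower.install(v, generator.keys[v])          # key copied: both nodes hold version 1
    cookie = seal(generator, b"session:alice")
    after_sync = unseal(follower, cookie)           # follower can read it
    generator.rotate()                              # version 2 generated ...
    cookie2 = seal(generator, b"session:bob")
    stale_node = unseal(follower, cookie2)          # ... but never copied: follower fails
    generator.rotate()                              # version 3: version 1 leaves the window
    expired = unseal(generator, cookie)             # old cookie no longer readable anywhere
    return after_sync, stale_node, expired
```

The `stale_node` case is the one the cronjob has to prevent: the copy to the other nodes must succeed before the generating node starts sealing with the new version, and the retention window must be longer than the copy interval plus the configured session lifetime, otherwise valid sessions are cut off at the next rotation.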

Page 75

Further Notes

• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

Page 76

References / Documentation

• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

Page 77

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?

• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally (map of production and pilot federations; source: https://refeds.org/federations/federations-map)

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org/
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry (screenshot; see https://www.switch.ch/aai/interfederation/)

Prerequisite: due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (screenshot; see https://www.switch.ch/aai/interfederation/)

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The eduGAIN MDS fetches, aggregates and republishes metadata

(Diagram: eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline

• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata (diagram only)

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment)

• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

Code of Conduct Toolkit

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules (screenshot only)

Page 88

Attribute Release Settings (1) (screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2) (screenshot only)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files

Log files
• error.log: aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (one of SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation: Logback, the Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• Default settings are usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender...
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>

<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS" />
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
</root>

Without an explicit evaluator the SMTPAppender only sends a mail when an ERROR-level event arrives (the buffered events preceding it are included in the mail), so attaching it to the DEBUG root does not mail every debug message.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so this is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk/
2) FUNET FileSender: https://filesender.funet.fi/
3) Wiseflow: https://europe.wiseflow.net/

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier
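Two steps in these handouts read idp-audit.log: the decision tree above ("were the required attributes released to this SP?") and the reload exercise in the reloading deck ("entries in idp-audit.log just record reload events"). The following added example (not SWITCH's or Shibboleth's code) walks that decision tree over constructed audit lines and lists the admin reload events. The audit line layout is configurable through idp.audit.format in audit.xml; the column order used here (timestamp | binding | profile | relyingParty | principal | attributes) is an assumed example layout, not the distribution default, and the sample lines are constructed to match it.

```python
"""Triage helpers over idp-audit.log lines (added example, not IdP code).

Assumed column layout (idp.audit.format is deployment-specific):
    timestamp|binding|profile|relyingParty|principal|attributes|...
Fields the IdP leaves empty show up as empty strings between the pipes,
which is why the reload lines below look like "...||<profile>||||".
"""
from collections import namedtuple

AuditEvent = namedtuple("AuditEvent", "timestamp profile relying_party principal attributes")

# Profile URIs written by the two admin reload flows (as shown in the reloading deck).
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "reload-service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "reload-metadata",
}

# Constructed sample lines in the assumed layout: two browser SSO logins and two reloads.
SAMPLE_LOG = """\
20150611T081500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sp.example.org/shibboleth|alice|eduPersonPrincipalName,mail,displayName|
20150611T081700Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sp.example.org/shibboleth|bob||
20150611T082000Z||http://shibboleth.net/ns/profiles/reload-metadata||||
20150611T082100Z||http://shibboleth.net/ns/profiles/reload-service-configuration||||
"""


def parse_audit(text):
    """Split pipe-delimited audit lines into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) < 6:
            continue  # truncated line: skip rather than misattribute columns
        attrs = [a for a in fields[5].split(",") if a]
        events.append(AuditEvent(fields[0], fields[2], fields[3], fields[4], attrs))
    return events


def reload_events(events):
    """(timestamp, kind) for every admin reload; a reload you did not trigger deserves a look."""
    return [(e.timestamp, RELOAD_PROFILES[e.profile]) for e in events if e.profile in RELOAD_PROFILES]


def triage_release(events, relying_party, principal, required):
    """Apply the slide's decision tree to the most recent login of principal at relying_party."""
    logins = [e for e in events
              if e.relying_party == relying_party and e.principal == principal
              and e.profile not in RELOAD_PROFILES]
    if not logins:
        return "no audit record: the login never reached the IdP for this SP"
    released = set(logins[-1].attributes)
    if not released:
        return "nothing released: check the IdP's attribute release policy"
    missing = sorted(set(required) - released)
    if missing:
        return "missing required attributes %s: review the release policy" % ",".join(missing)
    return "all required attributes released: the SP has to investigate"


def run_sample():
    """Convenience wrapper: triage alice against a Resource Registry style requirement list."""
    events = parse_audit(SAMPLE_LOG)
    required = ["eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"]
    return triage_release(events, "https://sp.example.org/shibboleth", "alice", required)
```

Before using this against a real log, copy the field order from your own audit.xml into `parse_audit`; a wrong column mapping silently turns every login into "nothing released".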

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck/
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    go to https://met.refeds.org/

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch/
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 73: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH 5 5

Example Environment

copy 2015 SWITCH 6

Example Environment

Page 71

copy 2015 SWITCH

Options bull  Full-featured setup

Load Balancing Hardware vs DNS Round Robin  Special load balancing hardware or software is highly recommended

bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored

bull Supports sticky sessions (required for short-lived conversation sessions)

  DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions

bull  Basic setup (ActiveStandby system)  Anycast IP address

bull Fast switching possible but more complicated setup

 Switching via DNS bull Switching takes some time (TTL) but setup is easy

7

copy 2015 SWITCH

Options bull  Data storage client-side vs server-side  Server-side database can store any data

bull But Might cause some performance penalty bull Centralizedclustered or replicated database required

  Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers

There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution

8

Page 72

copy 2015 SWITCH

Storage Entities bull  Conversation Session (Profile Request Session)

bull  Transient web flow at IdP eg SAML2 SSO Login sequence bull  Bound to a single node (session state stored in memory) bull  Requires session stickiness on load balancer (short-time only)

bull  IdP User Session bull  After a successful login at the IdP the IdP creates an associated user

session This session is valid for the configured session lifetime (eg 30 minutes or 8 hours)

bull  Floatable between nodes (stored on client)

bull  Persistent ID bull  Unique opaque identifier for a user per service provider bull  In a typical SWITCHaai deployment the Persistent ID is stored in a

database bull  Requires that all IdPs access a common storage to fully support

Attribute Queries 9

Storage Entities (continued)
• User consent to attribute release and terms of use
    • Requires persistent storage (client-side or server-side)
    • Requires server-side storage to allow the users to use multiple browsers/clients
• SAML artifacts
    • Requires a common storage: the data must be available to all active nodes to reliably support SAML 2.0 artifacts
    • Seldom used in SWITCHaai
• Message replay cache
    • Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
    • For higher security requirements the message replay cache can be managed in the central database, or memcached might be used
[Slide 10]

Page 73

Storage Recommendations

  Storage Entity         Recommended Storage   Scope
  Conversation Session   Memory                Per Node
  IdP User Session       Client                Per Client
  Persistent ID          Common Database       Cluster
  User consents          Common Database       Cluster
  SAML artifacts         Common Database       Cluster
  Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)
[Slide 11]

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
    • IdP User Session: idp.session.StorageService
    • User Consents: idp.consent.StorageService
    • SAML artifacts: idp.artifact.StorageService
    • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
    • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
[Slide 12]

Page 74

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used
[Slide 13]
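The storage recommendations of slide 11 mapped onto the idp.properties keys of slide 12, as an added example that is not part of the SWITCH handouts; it assumes the shibboleth.JPAStorageService bean is defined in global.xml as described on slide 13, and the defaults quoted in the comments are the ones shipped with the IdP v3 distribution.

```properties
# /opt/shibboleth-idp/conf/idp.properties  (added example: settings for a clustered IdP)
# The value the IdP v3 distribution ships by default is noted for each key.

# IdP User Session: kept on the client in the encrypted cookie, so it floats
# between nodes without any server-side replication. This only works in a
# cluster if every node uses the same sealer key (see secret key management).
# Default: shibboleth.ClientSessionStorageService (unchanged)
idp.session.StorageService = shibboleth.ClientSessionStorageService

# User consents: the client-side default (shibboleth.ClientPersistentStorageService)
# is limited by cookie size and is lost when the user switches browsers, so the
# recommendation is the common database via the JPA service from global.xml.
idp.consent.StorageService = shibboleth.JPAStorageService

# SAML artifacts: an artifact issued by one node may be resolved on another,
# so the store must be visible to all active nodes. Only relevant if SAML 2.0
# artifacts are used at all (seldom in SWITCHaai).
# Default: shibboleth.StorageService (in-memory, per node)
idp.artifact.StorageService = shibboleth.JPAStorageService

# Message replay cache: in-memory per node is the default and the table's
# recommendation. A replayed message is then only detected on the node that
# first saw it; switch this to shibboleth.JPAStorageService (or memcached)
# when the security requirements call for cluster-wide replay detection.
idp.replayCache.StorageService = shibboleth.StorageService
```

After changing these keys the corresponding services are not reloadable; a container restart is required because global.xml and the storage wiring are only read at startup.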

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes
• Setup
    • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
    • Install an appropriate cronjob
    • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
[Slide 14]

Page 75

Further Notes
• Memcached
    • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
    • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
    • No longer an option for IdPv3
[Slide 15]

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?
[Slide 16]

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage
[Slide 17]

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales
[Slide 2]

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
    • Enable the IdP for interfederation: its users will be able to access services from other federations
    • Enable the SP for interfederation: the service can serve users from other federations
[Slide 4]

Page 79

All Academic Identity Federations Globally
[Figure: world map of academic identity federations, marked as production or pilot; source: https://refeds.org/federations/federations-map]
[Slide 5]

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
    • Low barrier to entry
    • No mandate to change local standards/procedures
    • Minimal central infrastructure
• Status June 2015
    • IdPs: 1257
    • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php
[Slide 6]

Page 80

Enabling Interfederation in the Resource Registry
[Screenshot: https://www.switch.ch/aai/interfederation]
Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.
[Slide 7]

Recommended Interfederation Attributes

  Friendly name                Defined in   Example
  displayName                  eduPerson    Peter Sample
  common name (cn)             eduPerson    Peter Sample
  mail                         eduPerson    peter.sample@example.org
  eduPersonAffiliation         eduPerson    staff
  eduPersonScopedAffiliation   eduPerson    staff@example.org
  eduPersonPrincipalName       eduPerson    234cd8z239@example.org
  schacHomeOrganization        SCHAC        example.org
  schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
  eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
  Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases
[Slide 8]

Page 81

Enabling Interfederation (2)
[Screenshot: https://www.switch.ch/aai/interfederation]
[Slide 9]

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
    • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Figure: eduGAIN policy framework, consisting of the eduGAIN Constitution, the eduGAIN Declaration, the Code of Conduct, the Attribute Profile, the Metadata Profile and the Web SSO Profile]
[Slide 10]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry
[Slide 12]

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
    • Criteria
    • Purpose
    • Policies
    • Or other
In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust
[Slide 13]

Metadata
[Figure]
[Slide 14]

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Figure: "Increase the trust in Service Providers (SPs)": each SP commits to the GÉANT Data Protection Code of Conduct; each Home Organisation (HO) learns the SP's commitment]
• Code of Conduct Toolkit
    • Data Protection Code of Conduct for SPs in EU/EEA
    • Entity category attribute definition for the Code of Conduct
    • SAML2 profile for the Data Protection Code of Conduct
[Slide 15]

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence
[Slide 16]

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook
[Slide 17]

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct
[Slide 18]

Page 86

REFEDS Research & Scholarship
• R&S SPs support
    • Research & scholarship interaction
    • Collaboration
    • Management
• No SPs from publishers
• Attributes
    • Personal identifiers: email, person name, eduPersonPrincipalName
    • Pseudonymous identifier: eduPersonTargetedID
    • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)
[Slide 19]

Comparison

  REFEDS R&S                   GÉANT DP CoCo
  Global                       Mainly Europe
  Common purpose of the SPs    Common data protection standards
  Fixed set of attributes      SP can require any attributes
[Slide 20]

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules
[Figure]
[Slide 2]

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]
[Slide 3]

Attribute Release Settings (2)
[Screenshot]
[Slide 4]

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• error.log: /var/log/apache2/aai-login.example.org.error.log
    LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log: /var/log/apache2/aai-login.example.org.access.log
• Location: /var/log/apache2; configuration defined in the virtual host definition
    • dir: /etc/apache2/sites-available
    • file: aai-login.example.org.conf
[Slide 2]

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
    • Default logging location /var/log/tomcat7; config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
    • Access information associated with a request (IP address, time, request method (GET or POST))
    • Default logging location /var/log/tomcat7; config in /etc/tomcat7/server.xml (output dir and name)
[Slide 3]

Shibboleth log files (1)
• Logging implementation called Logback (Log4j successor)
    • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: the log level can be changed without restarting the IdP
    • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error
[Slide 4]

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
    • idp-process.log: detailed description of the IdP processing requests
    • idp-warn.log: filtered view of idp-process.log
    • idp-audit.log: general request/response auditing records
    • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance
[Slide 5]

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
    • LDAP Auth Module or authentication events
    • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default
[Slide 6]

Page 92

SMTPAppender in logback.xml

    <!-- Mails log events; by default SMTPAppender only triggers on an ERROR
         level event and includes the events buffered before it. -->
    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <!-- The new appender has to be referenced from a logger, here the root logger. -->
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN" />
        <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html
[Slide 7]

Hands On 1: Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat
[Slide 8]

Page 93

Hands On 2
• Find out why not all of the attributes appear
[Slide 9]

Hands On II
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat
[Slide 10]

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
    – attribute resolver (attribute-resolver.xml)
    – attribute filtering engine (attribute-filter.xml)
    – profile handler manager (handler.xml)
    – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check
[Slide 2]

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward
[Slide 3]

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
[Slide 4]

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
    – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
    – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2
[Slide 5]

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely
[Slide 6]

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
[Slide 7]

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
    • Opt-in vs. opt-out
    • Metadata
    • Discovery Service
    • Attributes
• Know whom to contact and where to get help
[Slide 2]

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
    • IdPs and SPs decide when they are ready to interfederate
    • Once the configuration is up-to-date:
        • Interfederation metadata gets loaded
        • IdP: additional attributes, user consent
        • SP: Discovery Service, attribute mapping, access rules
    ⊖ Slow process
    ⊕ Entities unlikely to cause interoperability problems
• Opt-out
    • Federation announces a flag day for enabling interfederation
    • IdPs and SPs need to opt-out before
        • if they do not want to participate
        • if they are not ready yet
    ⊕ Quick adoption
    ⊖ More likely that entities cause problems unless they opted out before the flag day
[Slide 3]

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt-out
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN
[Slide 4]

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
    • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
    • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
    • In SWITCHaai: two hours
    • For interfederation: one to a few days
• Possible issue
    • SP does not load interfederation metadata
        • SP does not know the IdP and fails
[Slide 5]

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
    • An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
    • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
        • That can result in this error message at your IdP:
          Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp
[Slide 6]

Page 101

Attributes
• Missing attributes cause interoperation problems
    • Check the SP's attribute requirements in the Resource Registry
    • Verify that attributes were released (in the IdP's audit log)
        • If NO: check your IdP's attribute release policy
        • If YES: were all required attributes released?
            • If YES: the SP has to check out why it fails
            • If NO: review your attribute release policy
• Another issue
    • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier
[Slide 7]

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
    • go to https://technical.edugain.org/status.php
        • pick the country where the entity might be registered
        • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
    • or search it in the eduGAIN List of Entities
        • go to https://technical.edugain.org/entities.php
    • or try the "Is Federated" Checker
        • go to https://wiki.edugain.org/isFederatedCheck
        • provide email addresses or domain names
• Additional web pages of interest
    • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
        • go to http://monitor.edugain.org/coco
    • REFEDS Metadata Explorer Tool (MET)
        • go to https://met.refeds.org
[Slide 8]

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
    • go to https://rr.aai.switch.ch
    • pick "Search for resources"
    • pick "interfederation"
• or search it in the metadata file
    • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
[Slide 9]

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 74: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Options bull  Full-featured setup

Load Balancing Hardware vs DNS Round Robin  Special load balancing hardware or software is highly recommended

bull Guaranteed and flexible high-availability load-balancing and failover characteristics Status of IdP nodes can be monitored

bull Supports sticky sessions (required for short-lived conversation sessions)

  DNS Round Robin doesnt work reliably bull Behavior of clients is not determinable bull Does not guarantee sticky sessions

bull  Basic setup (ActiveStandby system)  Anycast IP address

bull Fast switching possible but more complicated setup

 Switching via DNS bull Switching takes some time (TTL) but setup is easy

7

copy 2015 SWITCH

Options bull  Data storage client-side vs server-side  Server-side database can store any data

bull But Might cause some performance penalty bull Centralizedclustered or replicated database required

  Client-side storage using cookies bull Doesnt work for large data like user consents bull Stored per single client Not suitable for users using multiple browsers

There are many mechanisms and options available to setup a suitable environment The setup to choose depends on the requirements and the possibilities of the institution

8

Page 72

copy 2015 SWITCH

Storage Entities bull  Conversation Session (Profile Request Session)

bull  Transient web flow at IdP eg SAML2 SSO Login sequence bull  Bound to a single node (session state stored in memory) bull  Requires session stickiness on load balancer (short-time only)

bull  IdP User Session bull  After a successful login at the IdP the IdP creates an associated user

session This session is valid for the configured session lifetime (eg 30 minutes or 8 hours)

bull  Floatable between nodes (stored on client)

bull  Persistent ID bull  Unique opaque identifier for a user per service provider bull  In a typical SWITCHaai deployment the Persistent ID is stored in a

database bull  Requires that all IdPs access a common storage to fully support

Attribute Queries 9

copy 2015 SWITCH

Storage Entities bull  User consent to attribute release and terms of use

bull  Requires persistent storage (client-side or server-side) bull  Requires server-side storage to allow the users to use multiple

browsersclients

bull  SAML artifacts bull  Requires a common storage The data must be available to all active

nodes to reliably support SAML 20 artifact bull  Seldom used in SWITCHaai

bull  Message replay cache bull  Can be stored per node in memory but then it is limited to a single

node (Still this is the default configuration) bull  For higher security requirements the message replay cache can be

managed in the central database or memcached might be used

10

Page 73

copy 2015 SWITCH

Storage Recommendations

Storage Entity Recommended Storage

Scope

Conversation Session Memory Per Node IdP User Session Client Per Client Persistent ID Common Database Cluster User consents Common Database Cluster SAML artifacts Common Database Cluster Message replay cache Memory Per Node

11

Remarks bull  Common Database means some centralclustered database or a database replicated

between nodes bull  SAML artifacts

Irrelevant if SAML 20 artifacts not usedrequired at all bull  Alternatives for Message replay cache

Common Database or memcached (depending on security requirements)

copy 2015 SWITCH

IdP Configuration Storage bull  The storage service to use per storage entity is specified

in optshibboleth-idpconfidpproperties bull  IdP User Session idpsessionStorageService bull  User Consents idpconsentStorageService bull  SAML artifacts idpartifactStorageService bull  Message replay cache idpreplayCacheStorageService

bull  Exception Persistent ID bull  Configured in optshibboleth-idpconfglobalxml

(bean PersistentIdStore)

12

Page 74

copy 2015 SWITCH

IdP Configuration Database Storage bull  The storage service shibbolethJPAStorageService stores

data in a database This service and a corresponding database backend are configured in optshibboleth-idpconfglobalxml

bull  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibbolethPostgreSQLDataSource) The configuration in globalxml must be adapted suitably for the database backend that is to be used

13

copy 2015 SWITCH

IdP Configuration Secret Key Management bull  The IdP User Session is stored in an encrypted cookie in

the browser The key to encryptdecrypt this cookie should regularly be rotated In a clustered setup all nodes need to share the same key Its recommended that one node generates a new key and copies it to the other nodes

bull  Setup bull  Decide for a node that is responsible for generating the secret keys

and copying them to the other nodes bull  Install an appropriate cronjob bull  The documentation on the Shibboleth wiki contains some details

including an example cronjob script httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement

14

Page 75

copy 2015 SWITCH

Further Notes bull  Memcached

bull  Memcached is supported as a storage option (the IdP has a built-in client) but the use is limited

bull  Might be used as an alternative to a relational database but the advantages are questionable because much additional effort is needed

bull  Terracotta bull  No longer an option for IdPv3

15

copy 2015 SWITCH

Considerations for planning an IdP cluster

bull  Which type of setup do you need Basic setup or full-featured setup

bull  What kind of database do you need Does your institution already run some clustered relational database that you can make use of

bull  Which additional hardware or software is required

bull  Which further considerations are relevant for your institution

16

Page 76

copy 2015 SWITCH

References Documentation bull  Clustering

httpswikishibbolethnetconfluencedisplayIDP30Clustering bull  Secret Key Management

httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull  Storage

httpswikishibbolethnetconfluencedisplayIDP30Storage

17

Page 77

SWITCHaai Team aaiswitchch

Resource Registry Interfederation via eduGAIN and Entity Categories

copy 2015 SWITCH

Goals bull  Get an idea of the benefits when participating in

interfederation

bull  Know what it takes to enable an IdP for Interfederation

bull  Understand the concept of Entity Categories

bull  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

2

Page 78

SWITCHaai Team aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

© 2015 SWITCH

Why Interfederation?
•  Most federations are of national scope
•  Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
•  Research projects are mostly multi-national
•  Interconnecting national federations: Interfederation
   Register the IdP or SP in only one federation and enable it for interfederation
•  Enable the IdP for interfederation:
   its users will be able to access services from other federations
•  Enable the SP for interfederation:
   the service can serve users from other federations

4

Page 79

© 2015 SWITCH

All Academic Identity Federations Globally

5

[World map of production and pilot federations] Source: https://refeds.org/federations/federations-map

© 2015 SWITCH

eduGAIN Status
•  eduGAIN is the GÉANT Interfederation Service
•  eduGAIN design principles
   •  Low barrier to entry
   •  No mandate to change local standards/procedures
   •  Minimal central infrastructure
•  Status June 2015
   •  IdPs: 1257
   •  SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

© 2015 SWITCH

Enabling Interfederation in the Resource Registry

7

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.

SWITCH will then enable the checkbox in the Resource Registry.

© 2015 SWITCH

Recommended Interfederation Attributes

8

Friendly name                  | Defined in | Example
displayName                    | eduPerson  | Peter Sample
common name (cn)               | eduPerson  | Peter Sample
mail                           | eduPerson  | peter.sample@example.org
eduPersonAffiliation /         | eduPerson  | staff /
eduPersonScopedAffiliation     |            | staff@example.org
eduPersonPrincipalName         | eduPerson  | 234cd8z239@example.org
schacHomeOrganization          | SCHAC      | example.org
schacHomeOrganizationType      | SCHAC      | urn:schac:homeOrganizationType:ch:university
                               |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID             |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

© 2015 SWITCH

Enabling Interfederation (2)

9

https://www.switch.ch/aai/interfederation

© 2015 SWITCH

eduGAIN: What is it and how does it work?

•  eduGAIN provides a policy framework and standards to build trust
•  SPs and IdPs of participating federations should opt in for eduGAIN
•  Some federations decided for opt-out instead
•  The MDS fetches, aggregates and republishes metadata

[Figure: eduGAIN policy framework documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]

Page 82

SWITCHaai Team aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

© 2015 SWITCH

Outline
•  Entity category
•  GÉANT Data Protection Code of Conduct (CoCo)
•  REFEDS Research & Scholarship (R&S)
•  Attribute release in the Resource Registry

12

Page 83

© 2015 SWITCH

Entity categories: A generic method to enrich metadata
•  Tag an entity (SP or IdP) as being part of a category
•  Requires a specification for international coherent use
•  Criteria
   •  Purpose
   •  Policies
   •  Or other

In interfederation context:
•  Filling the gap of missing common policies
•  Support or increase scalable trust

13

© 2015 SWITCH

Metadata

14

Page 84

© 2015 SWITCH

GÉANT Data Protection Code of Conduct

•  The method is based on the EU Data Protection directives
•  The SP has to provide a Privacy Policy (in English, according to the guideline)
•  That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category attribute definition for the Code of Conduct
•  SAML2 profile for the Data Protection Code of Conduct

15

© 2015 SWITCH

GÉANT Data Protection Code of Conduct: Principles

•  Legal compliance
•  Purpose limitation
•  Data minimisation
•  Deviating purposes
•  Data retention
•  Third parties
•  Security measures
•  Information duty towards end user
•  Information duty towards home organization
•  Security breaches
•  Liability
•  Transfer to third countries
•  Governing law and jurisdiction
•  Eligibility to execute
•  Termination of the Code of Conduct
•  Survival of the clauses
•  Precedence

16

Page 85

© 2015 SWITCH

Data Protection Code of Conduct (DP CoCo)

Normative documents
•  Data Protection Code of Conduct for SPs in EU/EEA
•  Entity category specification for the DP CoCo
•  SAML2 profile for the DP CoCo

Non-normative informational documents
•  Introduction
•  Introduction to the DP directive
•  Managing DP risks using CoCo
•  Privacy policy guidelines for SPs
•  What attributes can an SP request
•  DP good practice for Home Organisations
•  Federation operator guidelines
•  Handling non-compliance
•  IdP inform/consent GUI guidelines

17

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

© 2015 SWITCH

Privacy policy template
•  Name of the service
•  Description of the service
•  Data controller and a contact person
•  Jurisdiction
•  Personal data processed
•  Purpose of the processing of personal data
•  Third parties to whom personal data is disclosed
•  How to access, rectify and delete the personal data
•  Data retention
•  Data Protection Code of Conduct

18

Page 86

© 2015 SWITCH

REFEDS Research & Scholarship
•  R&S SPs support
   •  Research & scholarship interaction
   •  Collaboration
   •  Management
•  No SPs from publishers
•  Attributes
   •  Personal identifiers: email, person name, eduPersonPrincipalName
   •  Pseudonymous identifier: eduPersonTargetedID
   •  Affiliation: eduPersonScopedAffiliation
   •  Minimal subset: eduPersonPrincipalName, mail, person name
      (person name = given name + surname OR displayName)

19

© 2015 SWITCH

Comparison

20

REFEDS R&S                  | GÉANT DP CoCo
Global                      | Mainly Europe
Common purpose of the SPs   | Common data protection standards
Fixed set of attributes     | SP can require any attributes

Page 87

SWITCHaai Team aai@switch.ch

Attribute Release Configuration: How attributes are released

© 2015 SWITCH

Attribute Release Rules

2

Page 88

© 2015 SWITCH

Attribute Release Settings (1)

3

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

© 2015 SWITCH

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aai@switch.ch

© 2015 SWITCH

Apache log files

Logfiles:
•  error.log: aai-login.example.org.error.log
   LogLevel in /etc/apache2/apache2.conf (default "warn")
•  access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
•  dir: /etc/apache2/sites-available/
•  file: aai-login.example.org.conf

2

Page 90

© 2015 SWITCH

Tomcat log files

•  catalina.out: console output (System.err/out) from Tomcat
   •  default logging location: /var/log/tomcat7/
   •  config in /etc/tomcat7/logging.properties
      •  FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
•  localhost.YYYY-MM-DD.log
   •  access information associated with a request (IP address, time, request method (GET or POST))
   •  default logging location: /var/log/tomcat7/
   •  config: /etc/tomcat7/server.xml (output dir and name)

3

© 2015 SWITCH

Shibboleth log files (1)

•  Logging implementation: Logback (Log4j successor)
   Manual: http://logback.qos.ch/manual/index.html
•  Reloadability: log level change without restarting the IdP
   •  services.properties entry: idp.service.logging.checkInterval = PT5M
•  Automatic email alerts on error

4

Page 91

© 2015 SWITCH

Shibboleth log files (2)

•  Location: /opt/shibboleth-idp/logs/
•  Three classes of log files produced by default: diagnostic, general audit and consent audit logs
   •  idp-process.log: detailed description of the IdP processing requests
   •  idp-warn.log: filtered view of idp-process.log
   •  idp-audit.log: general request/response auditing records
   •  idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

© 2015 SWITCH

Shibboleth log files (3)

•  Config: /opt/shibboleth-idp/conf/logback.xml
   •  3 main classes: Logger, Appender (output destination) and Layout
   •  Default settings usually OK; change them if required, e.g.
      o  LDAP auth module or authentication events
      o  new Logger or Appender…
•  Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
•  Logback handles rollover by default

6

Page 92

© 2015 SWITCH

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

Note: the SMTPAppender buffers events and, with its default evaluator, sends a mail only when an ERROR-level event arrives (the buffered preceding events are included as context); the root level DEBUG therefore does not cause every message to be mailed.

http://logback.qos.ch/manual/appenders.html

7

© 2015 SWITCH

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

© 2015 SWITCH

Hands On 2

9

•  Find out why not all of the attributes appear

© 2015 SWITCH

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   Change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContext.Name)
3. Edit logback.xml:
   •  set log level to DEBUG for logger org.ldaptive.auth.Authenticator
   •  insert an additional logger for the attribute resolver:
      <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team aai@switch.ch

© 2015 SWITCH

Reloading the configuration with v2

•  only supported in a limited way
   –  by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
   –  attribute resolver (attribute-resolver.xml)
   –  attribute filtering engine (attribute-filter.xml)
   –  profile handler manager (handler.xml)
   –  relying party configuration manager (relying-party.xml)
•  potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
•  no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

© 2015 SWITCH

New reloading options with v3

•  reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
   https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
   https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
•  available bean IDs for service reloads: see
   $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
   and the corresponding resource lists in services.xml
•  reloading metadata: find the IDs with
   $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
•  by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
•  two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

© 2015 SWITCH

Available bean IDs for service reloads

shibboleth.LoggingService                   logging configuration reload (logback.xml)
shibboleth.AttributeFilterService           attribute filter reload
shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Available bean IDs for service reloads

4
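A small helper for the reload flows of the previous two slides, as an added example (not SWITCH's or the Shibboleth project's code): it checks a service ID against the list above before any request is sent and reports what the admin flow answered. The hostname aai-login.example.org is the handout's placeholder; the metadata provider ID used in the usage code is constructed.

```python
"""Trigger the IdP v3 admin reload flows (added example; not SWITCH's or Shibboleth's own code)."""
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import urlopen

# Reloadable service bean IDs as listed on the slide above.
SERVICE_BEAN_IDS = {
    "shibboleth.LoggingService": "logging configuration (logback.xml)",
    "shibboleth.AttributeFilterService": "attribute filter",
    "shibboleth.AttributeResolverService": "attribute and data connector definitions",
    "shibboleth.NameIdentifierGenerationService": "saml-nameid.xml",
    "shibboleth.RelyingPartyResolverService": "relying-party.xml and credentials.xml",
    "shibboleth.MetadataResolverService": "metadata list in services.xml",
    "shibboleth.ReloadableAccessControlService": "access-control.xml",
}


def reload_url(base_url: str, bean_id: str, metadata: bool = False) -> str:
    """Build the admin flow URL.

    Service IDs are checked against the known list before any request is made;
    metadata provider IDs come from metadata-provider-*.xml and are passed through.
    """
    if not metadata and bean_id not in SERVICE_BEAN_IDS:
        raise ValueError(f"unknown service bean ID: {bean_id}")
    flow = "reload-metadata" if metadata else "reload-service"
    return f"{base_url.rstrip('/')}/idp/profile/admin/{flow}?{urlencode({'id': bean_id})}"


def reload(base_url: str, bean_id: str, metadata: bool = False, timeout: float = 10.0):
    """GET the flow and return (http_status, response_text).

    By default access-control.xml lets only localhost call these flows, so run this
    on the IdP node itself.
    """
    url = reload_url(base_url, bean_id, metadata)
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:  # e.g. 403 when access-control.xml rejects the client
        return exc.code, exc.read().decode("utf-8", "replace")
    except URLError as exc:
        raise ConnectionError(f"cannot reach {url}: {exc.reason}") from exc


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "https://aai-login.example.org"
    for bean in ("shibboleth.AttributeFilterService", "shibboleth.AttributeResolverService"):
        print(bean, reload(base, bean))
    # Metadata provider ID "SWITCHaaiMetadata" is a constructed placeholder; take yours
    # from the grep over metadata-provider-*.xml shown on the previous slide.
    print("metadata", reload(base, "SWITCHaaiMetadata", metadata=True))
```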

Page 96

© 2015 SWITCH

And restartless login page editing too

•  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
   –  edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
   –  say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

© 2015 SWITCH

Still requiring a restart with v3

•  changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
•  changes to global.xml (SQL data source, HTTP client settings)
•  changes to the authentication configuration, such as LDAP parameters etc.
•  changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
•  and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

© 2015 SWITCH

(Ideas for) hands-on exercises

•  try reloading a couple of the services listed on slide 4:
   curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
•  check what happens when specifying invalid bean IDs
•  insert a syntax error into a configuration file and try reloading the corresponding service
•  entries in idp-audit.log just record reload events with
   …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
   …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
   How can you determine what id= argument was supplied?
•  what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7

Page 98

SWITCHaai Team aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

© 2015 SWITCH

Goals
•  Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
•  Understand what is different regarding
   •  Opt-in vs opt-out
   •  Metadata
   •  Discovery Service
   •  Attributes
•  Know whom to contact and where to get help

2

Page 99

© 2015 SWITCH

Interfederation Rollout: Opt-in vs Opt-out

Opt-in
•  IdPs and SPs decide when they are ready to interfederate
•  Once the configuration is up-to-date:
   •  interfederation metadata gets loaded
   •  IdP: additional attributes, user consent
   •  SP: Discovery Service, attribute mapping, access rules
⊖  Slow process
⊕  Entities unlikely to cause interoperability problems

Opt-out
•  Federation announces a flag day for enabling interfederation
•  IdPs and SPs need to opt out before
   •  if they do not want to participate
   •  if they are not ready yet
⊕  Quick adoption
⊖  More likely that entities cause problems, unless they opted out before the flag day

3

© 2015 SWITCH

Three Examples
1)  UK Data Archive: http://www.data-archive.ac.uk
2)  FUNET FileSender: https://filesender.funet.fi
3)  Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1)  Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2)  eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3)  eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

4

Page 100

© 2015 SWITCH

Metadata
•  Interfederated IdPs and SPs need additional metadata
•  SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
•  Opt-out federations integrate all entities into a single metadata file
•  Propagation speed of metadata changes
   •  In SWITCHaai: two hours
   •  For interfederation: one to a few days
•  Possible issue
   •  SP does not load interfederation metadata
   •  SP does not know the IdP and fails

5

© 2015 SWITCH

Discovery Service (DS)
•  Within SWITCHaai, users easily find their IdP
•  An SP needs a DS that knows the appropriate set of IdPs
•  An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
•  E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
   •  That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

© 2015 SWITCH

Attributes
•  Missing attributes cause interoperation problems
•  Check the SP's attribute requirements in the Resource Registry
•  Verify that attributes were released (in the IdP's audit log)
   •  If NO: check your IdP's attribute release policy
   •  If YES:
      •  Were all required attributes released?
      •  If YES: the SP has to check out why it fails
      •  If NO: review your attribute release policy
•  Another issue
   •  An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

7
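The audit-log check from the slide above (which attributes did the IdP actually release to this SP, and which required ones are missing), as an added example in Python that is not part of the handout. It assumes the column order of idp-audit.log stated in the comment (verify it against your own conf/audit.xml); the log lines, SP entity ID and user name are constructed.

```python
"""Check attribute release to an SP from idp-audit.log (added example, not SWITCH's or Shibboleth's code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Column layout of the pipe-separated idp-audit.log lines.
# ASSUMPTION: this is the leading part of the IdP v3 default format in conf/audit.xml
# (%T|%b|%I|%SP|%P|%u|%pp|%SA|...); check your own audit.xml before trusting these positions.
AUDIT_FIELDS = ["time", "binding", "requestId", "relyingParty", "profile",
                "user", "pp", "attributes"]

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"

# Constructed sample log: two SSO logins to the same SP (the second after the release policy
# was narrowed) and one reload event, which leaves the relying-party column empty.
SAMPLE_AUDIT_LOG = """\
20150611T081500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|psample|false|displayName,mail,eduPersonScopedAffiliation|
20150611T081700Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T082000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_b2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|psample|false|displayName,mail|
"""


@dataclass(frozen=True)
class AuditEvent:
    time: str
    relying_party: str
    profile: str
    user: str
    attributes: FrozenSet[str]  # attribute IDs released; empty when nothing was released


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Map one log line onto AUDIT_FIELDS; lines with fewer columns are ignored."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < len(AUDIT_FIELDS):
        return None
    rec = dict(zip(AUDIT_FIELDS, fields))
    attrs = frozenset(a for a in rec["attributes"].split(",") if a)
    return AuditEvent(rec["time"], rec["relyingParty"], rec["profile"], rec["user"], attrs)


def check_release(lines: Iterable[str], sp_entity_id: str, required: Iterable[str]
                  ) -> Optional[Tuple[FrozenSet[str], FrozenSet[str]]]:
    """For the most recent SSO event to sp_entity_id return (released_required, missing_required).

    None means the audit log holds no SSO event for that SP at all, i.e. the release
    policy was never even evaluated for it (the "If NO" branch on the slide).
    """
    latest = None
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev.relying_party == sp_entity_id and ev.profile == SSO_PROFILE:
            latest = ev  # lines are chronological, so the last match is the newest
    if latest is None:
        return None
    wanted = frozenset(required)
    return latest.attributes & wanted, wanted - latest.attributes


if __name__ == "__main__":
    # R&S minimal subset from the handout: eduPersonPrincipalName, mail, person name (displayName here)
    print(check_release(SAMPLE_AUDIT_LOG.splitlines(), "https://sp.example.org/shibboleth",
                        ["eduPersonPrincipalName", "mail", "displayName"]))
```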

© 2015 SWITCH

Exploring interfederated entities
•  Is a university's IdP or an SP already interfederated?
   •  go to https://technical.edugain.org/status.php
   •  pick the country where the entity might be registered
   •  under "Metadata URL" click on "validate this metadata set", then on "show entities list"
•  or search it in the eduGAIN List of Entities
   •  go to https://technical.edugain.org/entities.php
•  or try the "Is Federated" Checker
   •  go to https://wiki.edugain.org/isFederatedCheck
   •  provide email addresses or domain names
•  Additional web pages of interest
   •  Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
      •  go to http://monitor.edugain.org/coco
   •  REFEDS Metadata Explorer Tool (MET)
      •  go to https://met.refeds.org

8

Page 102

© 2015 SWITCH

Troubleshooting interfederated entities
•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"
•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
•  Contact the SWITCHaai Team: aai@switch.ch

9
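To do the same lookup on a local copy of an aggregate such as the metadata file named above, and to see the entity-category tagging that the CoCo and R&S slides describe, here is an added example in Python that is not part of the handout. It works on any EntitiesDescriptor; the aggregate, registrar URI and entity IDs below are constructed.

```python
"""Inspect an entity in a SAML metadata aggregate: present? registered by whom? which entity
categories? (added example, not SWITCH's or Shibboleth's code)"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # GÉANT DP CoCo (URI from the handout)
RS = "http://refeds.org/category/research-and-scholarship"            # REFEDS R&S category URI

# Constructed aggregate: an interfederated SP tagged with both categories and an untagged IdP.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:mdrpi="{NS['mdrpi']}" xmlns:saml="{NS['saml']}" Name="constructed-aggregate">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar.example.net"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY_ATTR}"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{COCO}</saml:AttributeValue>
          <saml:AttributeValue>{RS}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def find_entity(root: ET.Element, entity_id: str) -> Optional[ET.Element]:
    """Locate an EntityDescriptor by entityID at any nesting depth of the aggregate."""
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def entity_categories(ed: ET.Element) -> Set[str]:
    """Values of the http://macedir.org/entity-category entity attribute (empty if untagged)."""
    cats: Set[str] = set()
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY_ATTR:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def describe_entity(metadata_xml: str, entity_id: str) -> Optional[Dict[str, object]]:
    """None if the entity is not in the aggregate (the "SP does not know the IdP" case);
    otherwise its registrar, role and entity-category flags."""
    ed = find_entity(ET.fromstring(metadata_xml), entity_id)
    if ed is None:
        return None
    reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    cats = entity_categories(ed)
    return {
        "registrationAuthority": reg.get("registrationAuthority") if reg is not None else None,
        "role": "SP" if ed.find("md:SPSSODescriptor", NS) is not None else "IdP",
        "coco": COCO in cats,
        "rs": RS in cats,
    }


if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth", "https://unknown.example.org/shibboleth"):
        print(eid, describe_entity(SAMPLE_METADATA, eid))
```

The script does no signature verification; run it only on an aggregate the IdP has already fetched and validated against the federation's trust anchor.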

Page 103


© 2015 SWITCH

Storage Entities
•  Conversation Session (Profile Request Session)
   •  Transient web flow at the IdP, e.g. SAML2 SSO login sequence
   •  Bound to a single node (session state stored in memory)
   •  Requires session stickiness on the load balancer (short-time only)
•  IdP User Session
   •  After a successful login at the IdP, the IdP creates an associated user session. This session is valid for the configured session lifetime (e.g. 30 minutes or 8 hours)
   •  Floatable between nodes (stored on client)
•  Persistent ID
   •  Unique opaque identifier for a user per service provider
   •  In a typical SWITCHaai deployment the Persistent ID is stored in a database
   •  Requires that all IdPs access a common storage to fully support Attribute Queries

9

© 2015 SWITCH

Storage Entities
•  User consent to attribute release and terms of use
   •  Requires persistent storage (client-side or server-side)
   •  Requires server-side storage to allow the users to use multiple browsers/clients
•  SAML artifacts
   •  Requires a common storage. The data must be available to all active nodes to reliably support SAML 2.0 artifacts
   •  Seldom used in SWITCHaai
•  Message replay cache
   •  Can be stored per node in memory, but then it is limited to a single node (still, this is the default configuration)
   •  For higher security requirements the message replay cache can be managed in the central database, or memcached might be used

10

Page 73

© 2015 SWITCH

Storage Recommendations

Storage Entity        | Recommended Storage | Scope
Conversation Session  | Memory              | Per Node
IdP User Session      | Client              | Per Client
Persistent ID         | Common Database     | Cluster
User consents         | Common Database     | Cluster
SAML artifacts        | Common Database     | Cluster
Message replay cache  | Memory              | Per Node

11

Remarks
•  Common Database means some central/clustered database, or a database replicated between nodes
•  SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
•  Alternatives for Message replay cache: Common Database or memcached (depending on security requirements)

© 2015 SWITCH

IdP Configuration: Storage
•  The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
   •  IdP User Session: idp.session.StorageService
   •  User Consents: idp.consent.StorageService
   •  SAML artifacts: idp.artifact.StorageService
   •  Message replay cache: idp.replayCache.StorageService
•  Exception: Persistent ID
   •  Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)

12

Page 74

© 2015 SWITCH

IdP Configuration: Database Storage
•  The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
•  The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

13

© 2015 SWITCH

IdP Configuration: Secret Key Management
•  The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It's recommended that one node generates a new key and copies it to the other nodes.
•  Setup
   •  Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
   •  Install an appropriate cronjob
   •  The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

14

Page 75

© 2015 SWITCH

Further Notes
•  Memcached
   •  Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
   •  Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
•  Terracotta
   •  No longer an option for IdPv3

15

copy 2015 SWITCH

Considerations for planning an IdP cluster

bull  Which type of setup do you need Basic setup or full-featured setup

bull  What kind of database do you need Does your institution already run some clustered relational database that you can make use of

bull  Which additional hardware or software is required

bull  Which further considerations are relevant for your institution

16

Page 76

copy 2015 SWITCH

References Documentation bull  Clustering

httpswikishibbolethnetconfluencedisplayIDP30Clustering bull  Secret Key Management

httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull  Storage

httpswikishibbolethnetconfluencedisplayIDP30Storage

17

Page 77

SWITCHaai Team aaiswitchch

Resource Registry Interfederation via eduGAIN and Entity Categories

copy 2015 SWITCH

Goals bull  Get an idea of the benefits when participating in

interfederation

bull  Know what it takes to enable an IdP for Interfederation

bull  Understand the concept of Entity Categories

bull  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

2

Page 78

SWITCHaai Team aaiswitchch

Interfederation Option What to consider before enabling an IdP for Interfederation

copy 2015 SWITCH

Why Interfederation bull  Most Federations are of national scope

bull  Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations

bull  Research projects are mostly multi-national

bull  Interconnecting national federations Interfederation

Register the IdP or SP in only one federation and enable it for interfederation bull  Enable the IdP for interfederation

Its users will be able to access services from other federations bull  Enable the SP for interfederation

The service can serve users from other federations

4

Page 79

copy 2015 SWITCH

All Academic Identity Federations Globally

5

Production Pilot Source httpsrefedsorgfederationsfederations-map

copy 2015 SWITCH

eduGAIN Status bull  eduGAIN is the GEacuteANT

Interfederation Service

bull  eduGAIN design principles bull  Low barrier to entry bull  No mandate to change local

standardsprocedures bull  Minimal central infrastructure

bull  Status June 2015 bull  IdPs 1257 bull  SPs 963

httpwwwedugainorg

httpstechnicaledugainorgstatusphp

Page 80

copy 2015 SWITCH

Enabling Interfederation in the Resource Registry

7

httpswwwswitchchaaiinterfederation

Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration

SWITCH will enable the checkbox in the Resource Registry

copy 2015 SWITCH

Recommended Interfederation Attributes

8

Friendly name Defined in Example displayName eduPerson Peter Samplecommon name (cn) eduPerson Peter Samplemail eduPerson petersampleexampleorgeduPersonAffiliation eduPersonScopedAffiliation

eduPerson

staffstaffexampleorg

eduPersonPrincipalName eduPerson 234cd8z239exampleorgschacHomeOrganization SCHAC exampleorgschacHomeOrganizationType SCHAC urnschachomeOrganizationTypechuniversity

urnschachomeOrganizationTypeeuhigherEducationInstitution

eduPersonTargetedID Persistent Name ID

eduPerson httpsidpexampleorgidpshibbolethhttpsspexampleorgshibboleth 2389cdhu3e-sda7323

eduPerson httpwwwinternet2eduproducts-servicestrust-identity-middlewareeduperson-eduorg SCHAC httpswikirefedsorgdisplaySTANSCHAC+Releases

Page 81

copy 2015 SWITCH

Enabling Interfederation (2)

9

httpswwwswitchchaaiinterfederation

copy 2015 SWITCH

eduGAIN What is it and how does it work

bull  eduGAIN provides policy framework and standards to build trust bull  SPs and IdPs of participating federations should opt-in for eduGAIN

bull  Some federations decided for opt-out instead

bull  MDS fetches aggregates and republishes metadata

Code ofConduct

Attribute Profile

Metadata Profile

Web SSOProfile

eduGAIN Constitution

eduGAINDeclaration

Page 82

SWITCHaai Team aaiswitchch

Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS

copy 2015 SWITCH

Outline bull Entity category

bull GEacuteANT Data Protection Code of Conduct (CoCo)

bull REFEDS Research amp Scholarship (RampS)

bull Attribute release in the Resource Registry

12

Page 83

copy 2015 SWITCH

Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use

bull  Criteriabull Purposebull Policiesbull Or other

In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust

13

copy 2015 SWITCH

Metadaten

14

Page 84

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct

bull  The method is based on the EU Data Protection directivesbull  The SP has to provide a Privacy Policy (in English according to the guideline)bull  That will encourage the Home Organisation IdP to release attributes attribute release will scale

Increase the trust in Service Providers (SPs)

Commit to

Commit to

SP

SP

SP Commit to

HO

HO

HO Learn SPrsquos commitment

Learn SPrsquos commitment

Learn SPrsquos commitment GEacuteANT Data

protection Code of Conduct

bull  Data Protection Code of Conduct for SPs in EUEEAbull  Entity category attribute definition for the Code of Conductbull  SAML2 profile for the Data Protection Code of Conduct

Code of Conduct Toolkit

15

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct bull Principles

bull  Legal compliancebull  Purpose limitationbull  Data minimisationbull  Deviating purposesbull  Data retentionbull  Third partiesbull  Security measuresbull  Information duty towards end userbull  Information duty towards home organizationbull  Security breachesbull  Liabilitybull  Transfer to third countriesbull  Governing law and jurisdictionbull  Eligibility to executebull  Termination of the Code of Conductbull  Survival of the clausesbull  Precedence

16

Page 85

copy 2015 SWITCH

Data Protection Code of Conduct (DP CoCo)

Normative documents bull  Data Protection Code of

Conduct for SPs in EUEEAbull  Entity category specification

for the DP CoCobull  SAML2 profile for the DP CoCo

Non-normative informational documents bull  Introductionbull  Introduction to the DP directivebull  Managing DP risks using CoCobull  Privacy policy guidelines for SPsbull  What attributes can an SP requestbull  DP good practice for Home Organisations bull  Federation operator guidelinesbull  Handling non-compliancebull  IdP informconsent GUI guidelines

17

httpwwwgeantneturidataprotection-code-of-conductv1

httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home

httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook

Cookbook for DP CoCo

copy 2015 SWITCH

Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct

18

Page 86

copy 2015 SWITCH

REFEDS Research amp Scholarship bull RampS SPs support

bull  Research amp scholarship interactionbull  Collaborationbull  Management

bull No SPs from publishersbull Attributes

bull  Personal identifiers email person name eduPersonPrincipalName

bull  Pseudonymous identifier eduPersonTargetedIDbull  Affiliation eduPersonScopedAffiliation

bull  Minimal subset eduPersonPrincipalName mail person name

(person name = given name + surname OR displayName)

19

Comparison

REFEDS R&S                    | GÉANT DP CoCo
Global                        | Mainly Europe
Common purpose of the SPs     | Common data protection standards
Fixed set of attributes       | SP can require any attributes

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

Attribute Release Settings (1)

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files

• Logfiles
  • error.log: aai-login.example.org.error.log
    LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log
• Location: /var/log/apache2
• Configuration defined in the virtual host definition
  • dir: /etc/apache2/sites-available
  • file: aai-login.example.org.conf

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

SMTPAppender in logback.xml

<!-- e-mail appender: SMTPAppender sends a mail on ERROR events, with the preceding messages as context -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
</appender>
<!-- attach the new appender to the root logger, next to the default file appenders -->
<root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Hands On 2

• Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at the idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value, set $requestContext.principalName, and restart Tomcat

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
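As an added example (not part of the SWITCH handout), a small POSIX shell helper for the reload-service admin flow described above, plus a check of idp-audit.log for the reload events it leaves behind. The host name in IDP_BASE is a placeholder and the audit lines are constructed; the service bean IDs are the ones listed on slide 4.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout. Assumptions: IDP_BASE is a
# placeholder host; the sample audit lines below are constructed, not real output.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"

# Service bean IDs accepted by the reload-service flow (the list on slide 4).
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Return 0 if $1 is a known service bean ID, 1 otherwise. Checking locally
# turns a typo into a clear message instead of an IdP error page.
is_reloadable_service() {
    for svc in $RELOADABLE_SERVICES; do
        [ "$svc" = "$1" ] && return 0
    done
    return 1
}

# URL of the admin flow that reloads service $1.
reload_service_url() {
    printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$1"
}

# Trigger the reload of service $1 with curl. By default the flow only answers
# requests from localhost, so run this on the IdP host itself.
reload_service() {
    if ! is_reloadable_service "$1"; then
        echo "unknown service bean ID: $1" >&2
        return 1
    fi
    curl --fail --silent --show-error "$(reload_service_url "$1")"
}

# Print "<timestamp> <profile URI>" for every reload event in audit log $1.
# The audit record is pipe-delimited; the timestamp is the first field and the
# profile URI is the only field that tells a reload apart from other requests
# (the id= argument itself is not recorded, which is the question raised above).
audit_reload_events() {
    awk -F'|' '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-/)
                print $1, $i
    }' "$1"
}

# Number of reload events in audit log $1.
count_reload_events() {
    audit_reload_events "$1" | wc -l | tr -d ' '
}

# Constructed sample of idp-audit.log lines (shape as in the hands-on slide,
# timestamps and entity IDs made up).
SAMPLE_AUDIT=$(mktemp)
printf '%s\n' \
    '20150611T101500Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||' \
    '20150611T101600Z|https://sp.example.org/shibboleth|||http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe||||||' \
    '20150611T101700Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||' \
    > "$SAMPLE_AUDIT"

echo "reload events in sample audit log: $(count_reload_events "$SAMPLE_AUDIT")"
audit_reload_events "$SAMPLE_AUDIT"
```

Point audit_reload_events at /opt/shibboleth-idp/logs/idp-audit.log to list the reloads triggered on a real IdP.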

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch


Storage Recommendations

Storage Entity         Recommended Storage   Scope
Conversation Session   Memory                Per Node
IdP User Session       Client                Per Client
Persistent ID          Common Database       Cluster
User consents          Common Database       Cluster
SAML artifacts         Common Database       Cluster
Message replay cache   Memory                Per Node

Remarks
• "Common Database" means some central/clustered database or a database replicated between nodes
• SAML artifacts: irrelevant if SAML 2.0 artifacts are not used/required at all
• Alternatives for the message replay cache: Common Database or memcached (depending on security requirements)

IdP Configuration: Storage
• The storage service to use per storage entity is specified in /opt/shibboleth-idp/conf/idp.properties
  • IdP User Session: idp.session.StorageService
  • User Consents: idp.consent.StorageService
  • SAML artifacts: idp.artifact.StorageService
  • Message replay cache: idp.replayCache.StorageService
• Exception: Persistent ID
  • Configured in /opt/shibboleth-idp/conf/global.xml (bean PersistentIdStore)
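As an added example (not part of the SWITCH handout), a POSIX shell check that compares the four storage properties above against the storage recommendations table for a cluster. It assumes that shibboleth.ClientSessionStorageService and shibboleth.StorageService are the IdP v3 built-in client-cookie and in-memory storage beans (shibboleth.JPAStorageService is the database-backed one named on the next slide); the two sample property files are constructed.

```shell
#!/bin/sh
# Added example, not part of the SWITCH handout. Assumptions: the bean IDs
# shibboleth.ClientSessionStorageService (client cookie) and
# shibboleth.StorageService (in-memory) are the IdP v3 built-ins; the sample
# property files below are constructed, not taken from a real deployment.

# Value of property $1 in properties file $2 (empty if unset or commented out).
idp_property() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | tr -d '[:space:]'
}

# Print one line per storage setting that deviates from the recommendation.
# Returns 0 when all four settings match, 1 otherwise. An unset property is
# reported too: the IdP default may differ from the cluster recommendation,
# so in a cluster each value should be stated explicitly.
check_cluster_storage() {
    rc=0
    while read -r prop expected why; do
        actual=$(idp_property "$prop" "$1")
        if [ "$actual" != "$expected" ]; then
            echo "$prop=${actual:-<unset>} (recommended $expected: $why)"
            rc=1
        fi
    done <<EOF
idp.session.StorageService shibboleth.ClientSessionStorageService IdP user session lives in the client, per client
idp.consent.StorageService shibboleth.JPAStorageService user consents belong in the common database
idp.artifact.StorageService shibboleth.JPAStorageService SAML artifacts belong in the common database (if artifacts are used at all)
idp.replayCache.StorageService shibboleth.StorageService message replay cache stays in memory, per node
EOF
    return $rc
}

# Constructed sample configurations (not taken from a real deployment).
WEAK_PROPS=$(mktemp)
GOOD_PROPS=$(mktemp)
cat > "$WEAK_PROPS" <<EOF
# single-node style settings: the session lives in one node's memory and the
# consents only in the browser; the table above recommends client and
# common database instead, and the artifact store is not set at all
idp.session.StorageService = shibboleth.StorageService
idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF
cat > "$GOOD_PROPS" <<EOF
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.StorageService
EOF

echo "== weak sample =="
check_cluster_storage "$WEAK_PROPS" || echo "-> deviations found"
echo "== cluster sample =="
check_cluster_storage "$GOOD_PROPS" && echo "-> matches the recommendations"
```

Run check_cluster_storage against /opt/shibboleth-idp/conf/idp.properties on each node; every node of a cluster should produce the same, empty, deviation list.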

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

IdP Configuration: Secret Key Management
• The IdP User Session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup, all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but the use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

Considerations for planning an IdP cluster

• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation
  Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

All Academic Identity Federations Globally

[Map: Production / Pilot federations] Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name               Defined in   Example
displayName                 eduPerson    Peter Sample
common name (cn)            eduPerson    Peter Sample
mail                        eduPerson    peter.sample@example.org
eduPersonAffiliation        eduPerson    staff
eduPersonScopedAffiliation  eduPerson    staff@example.org
eduPersonPrincipalName      eduPerson    234cd8z239@example.org
schacHomeOrganization       SCHAC        example.org
schacHomeOrganizationType   SCHAC        urn:schac:homeOrganizationType:ch:university
                                         urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /       eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• MDS fetches, aggregates and republishes metadata

[Diagram: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
    • Purpose
    • Policies
    • Or other
• In interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

Metadata [figure]

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

Increase the trust in Service Providers (SPs)

[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct


unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 77: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

© 2015 SWITCH

IdP Configuration: Database Storage
• The storage service shibboleth.JPAStorageService stores data in a database. This service and a corresponding database backend are configured in /opt/shibboleth-idp/conf/global.xml.
• The default deployment in the SWITCHaai federation uses a local PostgreSQL database as backend (bean shibboleth.PostgreSQLDataSource). The configuration in global.xml must be adapted suitably for the database backend that is to be used.

13

IdP Configuration: Secret Key Management
• The IdP user session is stored in an encrypted cookie in the browser. The key to encrypt/decrypt this cookie should be rotated regularly. In a clustered setup all nodes need to share the same key. It is recommended that one node generates a new key and copies it to the other nodes.
• Setup
  • Decide on a node that is responsible for generating the secret keys and copying them to the other nodes
  • Install an appropriate cronjob
  • The documentation on the Shibboleth wiki contains some details, including an example cronjob script: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

14
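As an added example (not the wiki's cron script and not SWITCH's), a small POSIX shell helper for the generator node: it adds a new sealer key version with the IdP's seckeygen.sh and copies the keystore and version file to the other nodes. Assumed: the IdP v3 layout under /opt/shibboleth-idp, the seckeygen.sh options as documented on the wiki page above, scp access to the other nodes, and constructed node names.

```shell
#!/bin/sh
# Added example: rotate the cookie sealer key on the generator node and push it
# to the other cluster nodes. Not the Shibboleth wiki's cron script.
# Assumptions: IdP v3 layout under /opt/shibboleth-idp; seckeygen.sh options
# (--storefile, --storepass, --versionfile, --alias, --count) as documented on
# the SecretKeyManagement wiki page; scp access as the IdP user.
set -eu

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
SEALER_ALIAS="${SEALER_ALIAS:-secret}"
KEY_VERSIONS="${KEY_VERSIONS:-30}"   # older versions kept so existing sessions stay readable

# property_value FILE KEY -> value of KEY in a Java properties file
# (first "KEY = value" line, surrounding whitespace trimmed)
property_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# sealer_store_password [IDP_HOME] -> keystore password from conf/idp.properties
sealer_store_password() {
    property_value "${1:-$IDP_HOME}/conf/idp.properties" 'idp\.sealer\.storePassword'
}

# current_key_version [IDP_HOME] -> CurrentVersion from credentials/sealer.kver
current_key_version() {
    property_value "${1:-$IDP_HOME}/credentials/sealer.kver" 'CurrentVersion'
}

# sealer_files [IDP_HOME] -> the two files every node must share, one per line
sealer_files() {
    printf '%s/credentials/sealer.jks\n%s/credentials/sealer.kver\n' "${1:-$IDP_HOME}" "${1:-$IDP_HOME}"
}

# rotate_key -> adds a new key version to the local keystore
rotate_key() {
    "$IDP_HOME/bin/seckeygen.sh" \
        --storefile "$IDP_HOME/credentials/sealer.jks" \
        --storepass "$(sealer_store_password)" \
        --versionfile "$IDP_HOME/credentials/sealer.kver" \
        --alias "$SEALER_ALIAS" \
        --count "$KEY_VERSIONS"
}

# push_key NODE... -> copies keystore and version file to each node; the
# version file goes last so a node never sees a version its keystore lacks
push_key() {
    for node in "$@"; do
        scp -q "$IDP_HOME/credentials/sealer.jks" "$node:$IDP_HOME/credentials/sealer.jks"
        scp -q "$IDP_HOME/credentials/sealer.kver" "$node:$IDP_HOME/credentials/sealer.kver"
    done
}

# Run from cron on the generator node only, e.g. once a day:
#   sealer-rotate.sh idp2.example.org idp3.example.org   (constructed node names)
if [ "$#" -gt 0 ]; then
    rotate_key
    push_key "$@"
    echo "sealer key rotated to version $(current_key_version)"
fi
```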

Page 75

Further Notes
• Memcached
  • Memcached is supported as a storage option (the IdP has a built-in client), but its use is limited
  • Might be used as an alternative to a relational database, but the advantages are questionable because much additional effort is needed
• Terracotta
  • No longer an option for IdPv3

15

Considerations for planning an IdP cluster
• Which type of setup do you need? Basic setup or full-featured setup?
• What kind of database do you need? Does your institution already run some clustered relational database that you can make use of?
• Which additional hardware or software is required?
• Which further considerations are relevant for your institution?

16

Page 76

References / Documentation
• Clustering: https://wiki.shibboleth.net/confluence/display/IDP30/Clustering
• Secret Key Management: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement
• Storage: https://wiki.shibboleth.net/confluence/display/IDP30/Storage

17

Page 77

SWITCHaai Team, aai@switch.ch

Resource Registry: Interfederation via eduGAIN and Entity Categories

Goals
• Get an idea of the benefits when participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help in a data protection conformant attribute release that scales

2

Page 78

SWITCHaai Team, aai@switch.ch

Interfederation Option: What to consider before enabling an IdP for Interfederation

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That's time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations: Interfederation. Register the IdP or SP in only one federation and enable it for interfederation
  • Enable the IdP for interfederation: its users will be able to access services from other federations
  • Enable the SP for interfederation: the service can serve users from other federations

4

Page 79

All Academic Identity Federations Globally
[World map of production and pilot federations] Source: https://refeds.org/federations/federations-map

5

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure
• Status June 2015
  • IdPs: 1257
  • SPs: 963
http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry
https://www.switch.ch/aai/interfederation
Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will enable the checkbox in the Resource Registry.

7

Recommended Interfederation Attributes

Friendly name | Defined in | Example
displayName | eduPerson | Peter Sample
common name (cn) | eduPerson | Peter Sample
mail | eduPerson | peter.sample@example.org
eduPersonAffiliation / eduPersonScopedAffiliation | eduPerson | staff / staff@example.org
eduPersonPrincipalName | eduPerson | 234cd8z239@example.org
schacHomeOrganization | SCHAC | example.org
schacHomeOrganizationType | SCHAC | urn:schac:homeOrganizationType:ch:university or urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID (Persistent Name ID) | eduPerson | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

8

Page 81

Enabling Interfederation (2)
https://www.switch.ch/aai/interfederation

9

eduGAIN: What is it and how does it work?
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
• Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata
[Diagram of the eduGAIN policy framework: eduGAIN Declaration, eduGAIN Constitution, Metadata Profile, Attribute Profile, Web SSO Profile, Code of Conduct]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

12

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other
• In the interfederation context
  • Filling the gap of missing common policies
  • Support or increase scalable trust

13

Metadata

14

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
[Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment; goal: increase the trust in Service Providers (SPs)]
Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

15

GÉANT Data Protection Code of Conduct
• Principles
  • Legal compliance
  • Purpose limitation
  • Data minimisation
  • Deviating purposes
  • Data retention
  • Third parties
  • Security measures
  • Information duty towards end user
  • Information duty towards home organization
  • Security breaches
  • Liability
  • Transfer to third countries
  • Governing law and jurisdiction
  • Eligibility to execute
  • Termination of the Code of Conduct
  • Survival of the clauses
  • Precedence

16

Page 85

Data Protection Code of Conduct (DP CoCo)
Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo
Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines
http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

17

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

19

Comparison

REFEDS R&S | GÉANT DP CoCo
Global | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes | SP can require any attributes

20

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88

Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

3

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Logfiles
  • error.log / aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  • access.log / aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf

2

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

3

Shibboleth log files (1)
• logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

4

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually OK; change them if required, i.e.
  • LDAP Auth Module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

6

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1: Why is Tomcat not starting up?
1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out; find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

Hands On 2
• Find out why not all of the attributes appear

9

Hands On II
1. cd /opt/shibboleth-idp/conf/
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default, configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file
Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing, too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7
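As an added example (not part of the SWITCH handouts), a POSIX shell helper for the reload exercises above: it builds and calls the reload-service admin flow only for the bean IDs listed on slide 4, and lists the reload events that idp-audit.log recorded. Assumed: the host name aai-login.example.org from the slides, and the default audit format in which the first pipe-separated field is the timestamp (the profile URI is located by its value, not by column); the sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the SWITCH handouts): trigger IdP v3 service
# reloads and list the reload events recorded in idp-audit.log.
# Assumptions: IdP base URL as on the slides; default audit format with the
# timestamp (%T) in the first '|'-separated field.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"
AUDIT_LOG="${AUDIT_LOG:-/opt/shibboleth-idp/logs/idp-audit.log}"

# Bean IDs accepted by reload-service (slide 4); anything else is refused so a
# typo is caught here instead of producing a puzzling error at the IdP.
RELOADABLE_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# is_reloadable ID -> exit status 0 if ID is one of the known service beans
is_reloadable() {
    printf '%s\n' "$RELOADABLE_SERVICES" | grep -qxF -- "$1"
}

# reload_url ID -> prints the reload-service admin flow URL for ID
reload_url() {
    if ! is_reloadable "$1"; then
        echo "reload_url: unknown service bean ID '$1'" >&2
        return 1
    fi
    printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$1"
}

# metadata_reload_url MD_ID -> URL of the reload-metadata flow for one provider
metadata_reload_url() {
    printf '%s/profile/admin/reload-metadata?id=%s\n' "$IDP_BASE" "$1"
}

# reload_service ID -> calls the flow and prints the HTTP status code; run it
# from a host that access-control.xml permits (localhost by default)
reload_service() {
    url=$(reload_url "$1") || return 1
    curl -sS -o /dev/null -w '%{http_code}\n' "$url"
}

# reload_events [FILE] -> "<timestamp> <profile URI>" for every reload event;
# the profile field is found by its value, so the column layout may vary
reload_events() {
    awk -F'|' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^http:\/\/shibboleth\.net\/ns\/profiles\/reload-/)
                print $1, $i
    }' "${1:-$AUDIT_LOG}"
}
```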

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

3

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net
What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

4

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

5

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier

7

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search for it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the Is Federated Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco/
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search for it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 78: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Further Notes bull  Memcached

bull  Memcached is supported as a storage option (the IdP has a built-in client) but the use is limited

bull  Might be used as an alternative to a relational database but the advantages are questionable because much additional effort is needed

bull  Terracotta bull  No longer an option for IdPv3

15

copy 2015 SWITCH

Considerations for planning an IdP cluster

bull  Which type of setup do you need Basic setup or full-featured setup

bull  What kind of database do you need Does your institution already run some clustered relational database that you can make use of

bull  Which additional hardware or software is required

bull  Which further considerations are relevant for your institution

16

Page 76

copy 2015 SWITCH

References Documentation bull  Clustering

httpswikishibbolethnetconfluencedisplayIDP30Clustering bull  Secret Key Management

httpswikishibbolethnetconfluencedisplayIDP30SecretKeyManagement bull  Storage

httpswikishibbolethnetconfluencedisplayIDP30Storage

17

Page 77

SWITCHaai Team aaiswitchch

Resource Registry Interfederation via eduGAIN and Entity Categories

copy 2015 SWITCH

Goals bull  Get an idea of the benefits when participating in

interfederation

bull  Know what it takes to enable an IdP for Interfederation

bull  Understand the concept of Entity Categories

bull  Recognize how Entity Categories can help in a data protection conformant attribute release that scales

2

Page 78

SWITCHaai Team aaiswitchch

Interfederation Option What to consider before enabling an IdP for Interfederation

copy 2015 SWITCH

Why Interfederation bull  Most Federations are of national scope

bull  Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations

bull  Research projects are mostly multi-national

bull  Interconnecting national federations Interfederation

Register the IdP or SP in only one federation and enable it for interfederation bull  Enable the IdP for interfederation

Its users will be able to access services from other federations bull  Enable the SP for interfederation

The service can serve users from other federations

4

Page 79

All Academic Identity Federations Globally

5

[World map of federations; legend: Production, Pilot] Source: https://refeds.org/federations/federations-map

eduGAIN Status

• eduGAIN is the GÉANT Interfederation Service

• eduGAIN design principles
  • Low barrier to entry
  • No mandate to change local standards/procedures
  • Minimal central infrastructure

• Status June 2015
  • IdPs: 1257
  • SPs: 963

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

7

https://www.switch.ch/aai/interfederation

Prerequisite: Due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.

SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

8

Friendly name                Defined in   Example
displayName                  eduPerson    Peter Sample
common name (cn)             eduPerson    Peter Sample
mail                         eduPerson    peter.sample@example.org
eduPersonAffiliation         eduPerson    staff
eduPersonScopedAffiliation   eduPerson    staff@example.org
eduPersonPrincipalName       eduPerson    234cd8z239@example.org
schacHomeOrganization        SCHAC        example.org
schacHomeOrganizationType    SCHAC        urn:schac:homeOrganizationType:ch:university
                                          urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)

9

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust

• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead

• MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Outline

• Entity category

• GÉANT Data Protection Code of Conduct (CoCo)

• REFEDS Research & Scholarship (R&S)

• Attribute release in the Resource Registry

12

Page 83

Entity categories: a generic method to enrich metadata

• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for international coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other

In interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

13

Metadata

14

[Screenshot: entity category attribute in SAML metadata]

Page 84

GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes: attribute release will scale

Increase the trust in Service Providers (SPs)

[Diagram: several SPs commit to the GÉANT Data Protection Code of Conduct; the Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

15

GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

16

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

17

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook (Cookbook for DP CoCo)

Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management

• No SPs from publishers

• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

19
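A worked check of the two attribute rules from these slides: the R&S minimal subset (eduPersonPrincipalName, mail and a person name, where either givenName plus sn or displayName counts as the person name) and the scope part of scoped values such as eduPersonPrincipalName and eduPersonScopedAffiliation from the recommended attributes table. This is an added example in Python, not SWITCH, REFEDS or Shibboleth code; the attribute dictionaries are constructed from the slide's sample values and the allowed scope example.org is an assumption.

```python
"""Check a released attribute set against the REFEDS R&S minimal bundle
and validate scoped values. Added example, not SWITCH/REFEDS/Shibboleth
code; sample values are constructed from the handout's example table."""

# R&S minimal subset from the slide: eduPersonPrincipalName, mail and a
# person name, where person name = givenName + sn OR displayName.
RS_REQUIRED = ("eduPersonPrincipalName", "mail")
RS_PERSON_NAME_ALTERNATIVES = (("givenName", "sn"), ("displayName",))

# Attributes whose values carry a scope suffix (value@scope).
SCOPED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")


def rs_missing(released):
    """Return what is still missing for the R&S minimal bundle.
    `released` maps attribute name -> list of values; an empty list counts
    as not released (the filter policy dropped every value)."""
    have = {name for name, values in released.items() if values}
    missing = [a for a in RS_REQUIRED if a not in have]
    if not any(all(a in have for a in alt) for alt in RS_PERSON_NAME_ALTERNATIVES):
        missing.append("person name (givenName+sn or displayName)")
    return missing


def scope_violations(released, allowed_scopes):
    """Return (attribute, value) pairs whose scope is not one the IdP is
    authorised for. An SP applies the same check against the <shibmd:Scope>
    entries in the IdP's metadata before accepting a scoped value."""
    bad = []
    for name in SCOPED:
        for value in released.get(name, []):
            _, sep, scope = value.rpartition("@")
            if not sep or scope.lower() not in allowed_scopes:
                bad.append((name, value))
    return bad


def check_release(released, allowed_scopes=("example.org",)):
    """Summarise one release decision: R&S bundle complete? scopes valid?"""
    missing = rs_missing(released)
    bad = scope_violations(released, {s.lower() for s in allowed_scopes})
    return {"rs_complete": not missing, "missing": missing, "scope_violations": bad}


# Constructed sample releases mirroring the slide's example values.
FULL_RELEASE = {
    "displayName": ["Peter Sample"],
    "mail": ["peter.sample@example.org"],
    "eduPersonPrincipalName": ["234cd8z239@example.org"],
    "eduPersonScopedAffiliation": ["staff@example.org"],
}
# Only givenName released, no sn and no displayName: bundle incomplete.
PARTIAL_RELEASE = {
    "givenName": ["Peter"],
    "mail": ["peter.sample@example.org"],
    "eduPersonPrincipalName": ["234cd8z239@example.org"],
}
# Scope that does not belong to this IdP: an SP must reject the value.
FOREIGN_SCOPE = {
    "displayName": ["Peter Sample"],
    "mail": ["peter.sample@example.org"],
    "eduPersonPrincipalName": ["234cd8z239@other.example"],
}

if __name__ == "__main__":
    for label, rel in (("full", FULL_RELEASE), ("partial", PARTIAL_RELEASE),
                       ("foreign scope", FOREIGN_SCOPE)):
        print(label, check_release(rel))
```

The person-name rule is the part most often got wrong in practice: releasing givenName alone neither satisfies R&S nor helps the SP, so the check reports it as missing rather than counting it as half a name.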

Comparison

20

REFEDS R&S                      GÉANT DP CoCo
Global                          Mainly Europe
Common purpose of the SPs       Common data protection standards
Fixed set of attributes         SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88

Attribute Release Settings (1)

3

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

Apache log files

Logfiles:
• error.log: aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log

Location: /var/log/apache2/
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

2

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location /var/log/tomcat7/, config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)

• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location /var/log/tomcat7/, config in /etc/tomcat7/server.xml (output dir and name)

3

Shibboleth log files (1)

• logging implementation called Logback (Log4j successor); manual:
  http://logback.qos.ch/manual/index.html

• Reloadability: log level change without restarting the IdP
  services.properties entry: idp.service.logging.checkInterval = PT5M

• Automatic Email Alerts on Error

4

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/

• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml; 3 main classes: Logger, Appender (output destination) and Layout
  • Default settings usually ok
  • Change it if required, e.g.
    • LDAP Auth Module or authentication events
    • new Logger or Appender…

• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR

• Logback handles rollover by default

6
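To make the level filtering concrete, the following added Python example (not Shibboleth or SWITCH code) parses lines written with the Logback pattern used in the SMTPAppender example on this page, %date %-5level %logger{35} - %message%n, and reproduces the relation between idp-warn.log and idp-process.log: the same stream cut at WARN, with stack-trace continuation lines kept next to the ERROR that produced them. The log lines are constructed; the logger names are the ones the hands-on slides mention.

```python
"""Parse IdP log lines in the Logback pattern
'%date %-5level %logger{35} - %message%n' and filter them by level.
Added example, not Shibboleth or SWITCH code; sample lines are constructed."""
import re

# Logback's five levels in ascending order of severity.
LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR")
RANK = {name: i for i, name in enumerate(LEVELS)}

# %date renders as "2015-06-11 10:15:42,123"; %-5level pads the level to
# five characters; %logger{35} is a possibly abbreviated logger name.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>TRACE|DEBUG|INFO |WARN |ERROR) "
    r"(?P<logger>\S+) - (?P<message>.*)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for continuation lines
    such as exception messages and stack-trace frames (no level prefix)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].strip()
    return rec


def filter_at_least(lines, threshold="WARN"):
    """Keep records at `threshold` or above plus the continuation lines that
    follow a kept record, so a stack trace stays with its ERROR line."""
    keep, keeping = [], False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if keeping:
                keep.append(line)
            continue
        keeping = RANK[rec["level"]] >= RANK[threshold]
        if keeping:
            keep.append(line)
    return keep


def count_by_level(lines):
    """Histogram of levels, e.g. to spot a logger left at DEBUG in production."""
    counts = {name: 0 for name in LEVELS}
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["level"]] += 1
    return counts


# Constructed excerpt of an idp-process.log (logger names from the hands-on
# slides; messages and the stack frame are made up for the example).
SAMPLE = [
    "2015-06-11 10:15:42,001 DEBUG net.shibboleth.idp.attribute.resolver.AttributeResolverImpl - Resolving attributes",
    "2015-06-11 10:15:42,010 INFO  org.ldaptive.auth.Authenticator - Authentication succeeded",
    "2015-06-11 10:15:42,020 WARN  net.shibboleth.idp.attribute.resolver.AttributeResolverImpl - No values resolved",
    "2015-06-11 10:15:42,030 ERROR org.ldaptive.auth.Authenticator - Connection refused",
    "org.ldaptive.LdapException: Connection refused",
    "\tat org.ldaptive.DefaultConnectionFactory.getConnection(DefaultConnectionFactory.java:0)",
    "2015-06-11 10:15:42,040 TRACE net.shibboleth.idp.attribute.resolver.AttributeResolverImpl - done",
]

if __name__ == "__main__":
    for line in filter_at_least(SAMPLE):
        print(line)
```

Because idp-warn.log is produced by exactly this kind of threshold filter, a message that does not show up there was either logged below WARN or never logged at all, which is why the hands-on exercises raise the attribute resolver logger to DEBUG and read idp-process.log instead.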

Page 92

SMTPAppender in logback.xml

  <!-- SMTPAppender sends a mail only when an ERROR-level event arrives (its
       default evaluator) and includes the buffered preceding events, so the
       DEBUG root level does not produce one mail per debug message. -->
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (with a class that does not exist):

     <Listener className="org.apache.catalina.filter" />

2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

Hands On 2

9

• Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:

     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>

4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName again and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)

• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)

• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id

• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml

• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider-*.xml

• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)

• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)

• changes to global.xml (SQL data source, HTTP client settings)

• changes to the authentication configuration, such as LDAP parameters etc.

• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)

• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…

• check what happens when specifying invalid bean IDs

• insert a syntax error into a configuration file and try reloading the corresponding service

• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?

• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7
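The two admin flows and the audit-log question above, as an added Python example that is not part of the IdP or of SWITCH's tooling: reload_url() builds the reload-service request and refuses IDs that are not in the bean list on slide 4, so a mistyped ID is caught locally before any request is sent, and reload_events() picks the reload entries out of idp-audit.log lines. Assumptions: the audit lines are constructed, the first pipe-separated field is treated as the timestamp, and the profile URI is located by its http://shibboleth.net/ns/profiles/ prefix rather than by column number, since the exact audit format string is not on the page.

```python
"""Helpers around the IdP v3 reload flows. Added example, not part of the
IdP or of SWITCH's tooling; the audit lines below are constructed."""
from urllib.parse import urlencode

# Service bean IDs listed on slide 4 of this set.
SERVICE_IDS = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}
PROFILE_PREFIX = "http://shibboleth.net/ns/profiles/"


def is_known_service(service_id):
    return service_id in SERVICE_IDS


def reload_url(host, service_id):
    """URL that triggers a reload of `service_id` on `host`. Raises locally
    for an ID that is not on the list instead of sending the request."""
    if not is_known_service(service_id):
        raise ValueError("unknown service bean ID: %s" % service_id)
    return "https://%s/idp/profile/admin/reload-service?%s" % (
        host, urlencode({"id": service_id}))


def metadata_reload_url(host, provider_id):
    """reload-metadata takes a metadata provider ID from metadata-provider-*.xml;
    there is no fixed list, so only an empty ID is rejected."""
    if not provider_id:
        raise ValueError("metadata provider ID must not be empty")
    return "https://%s/idp/profile/admin/reload-metadata?%s" % (
        host, urlencode({"id": provider_id}))


def reload_events(audit_lines):
    """Return (timestamp, profile-name) for every reload event in the audit
    log. The profile is found by its URI prefix (assumption: it occupies its
    own '|'-separated field, as in the '||||http://...' snippet on the slide);
    the first field is taken to be the timestamp."""
    events = []
    for line in audit_lines:
        fields = line.rstrip("\n").split("|")
        for field in fields:
            if field.startswith(PROFILE_PREFIX + "reload-"):
                events.append((fields[0], field[len(PROFILE_PREFIX):]))
                break
    return events


# Constructed idp-audit.log excerpt: one browser SSO login followed by a
# metadata reload and a service reload. Real lines carry many more fields.
AUDIT = [
    "20150611T101542Z|||http://shibboleth.net/ns/profiles/saml2/sso/browser|||",
    "20150611T102000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T102105Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
]

if __name__ == "__main__":
    print(reload_url("aai-login.example.org", "shibboleth.AttributeResolverService"))
    print(metadata_reload_url("aai-login.example.org", "md-id"))
    for stamp, profile in reload_events(AUDIT):
        print(stamp, profile)
```

As the slide says, the audit record only tells you that a reload happened and of which kind; which id= was supplied is not in these fields, which is exactly the point of the exercise.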

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai

• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes

• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems

• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

3

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out

2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN

3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

4

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file

• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days

• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

5

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP

• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
    • That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes

• Missing attributes cause interoperation problems

• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy

• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier

7

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"

• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php

• or try the "Is Federated Checker"
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names

• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"

• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml

• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103


Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 80: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

Resource Registry: Interfederation via eduGAIN and Entity Categories
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of the benefits of participating in interfederation
• Know what it takes to enable an IdP for interfederation
• Understand the concept of Entity Categories
• Recognize how Entity Categories can help to make data-protection-conformant attribute release scale

Page 78

Interfederation Option: What to consider before enabling an IdP for Interfederation
SWITCHaai Team, aai@switch.ch

Why Interfederation?
• Most federations are of national scope
• Services may need to register in many federations to serve all their users. That is time consuming and becomes a huge overhead, e.g. EBSCOhost is registered in 22 federations
• Research projects are mostly multi-national
• Interconnecting national federations = interfederation: register the IdP or SP in only one federation and enable it for interfederation
  – Enable the IdP for interfederation: its users will be able to access services from other federations
  – Enable the SP for interfederation: the service can serve users from other federations

Page 79

All Academic Identity Federations Globally
(World map of federations; legend: Production, Pilot)
Source: https://refeds.org/federations/federations-map

eduGAIN Status
• eduGAIN is the GÉANT Interfederation Service
• eduGAIN design principles
  – Low barrier to entry
  – No mandate to change local standards/procedures
  – Minimal central infrastructure
• Status June 2015: 1257 IdPs, 963 SPs

http://www.edugain.org
https://technical.edugain.org/status.php

Page 80

Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration. SWITCH will then enable the checkbox in the Resource Registry.

Recommended Interfederation Attributes

Friendly name                | Defined in | Example
-----------------------------|------------|-------------------------------------------------------------
displayName                  | eduPerson  | Peter Sample
common name (cn)             | eduPerson  | Peter Sample
mail                         | eduPerson  | peter.sample@example.org
eduPersonAffiliation         | eduPerson  | staff
eduPersonScopedAffiliation   | eduPerson  | staff@example.org
eduPersonPrincipalName       | eduPerson  | 234cd8z239@example.org
schacHomeOrganization        | SCHAC      | example.org
schacHomeOrganizationType    | SCHAC      | urn:schac:homeOrganizationType:ch:university
                             |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /        | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID           |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2)
(Screenshot of the Resource Registry interfederation checkbox)

https://www.switch.ch/aai/interfederation

eduGAIN: What is it and how does it work?
• eduGAIN provides the policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  – Some federations decided for opt-out instead
• The MDS (Metadata Distribution Service) fetches, aggregates and republishes the metadata of the participating federations

(Diagram: the eduGAIN Constitution and the eduGAIN Declaration, with the Code of Conduct, Attribute Profile, Metadata Profile and Web SSO Profile)

Page 82

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)
SWITCHaai Team, aai@switch.ch

Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories: a generic method to enrich metadata
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria: purpose, policies, or other
• In the interfederation context
  – Fills the gap of missing common policies
  – Supports or increases scalable trust

(Diagram: the entity category tag carried in the entity's metadata)

Page 84

GÉANT Data Protection Code of Conduct
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation IdP to release attributes: attribute release will scale
• Goal: increase the trust in Service Providers (SPs)

(Diagram: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HOs) learn the SP's commitment)

Code of Conduct Toolkit
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

Entity category value: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support research & scholarship interaction, collaboration and management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name (person name = given name + surname OR displayName)

Comparison

               | REFEDS R&S                 | GÉANT DP CoCo
---------------|----------------------------|---------------------------------
Scope          | Global                     | Mainly Europe
Common ground  | Common purpose of the SPs  | Common data protection standards
Attributes     | Fixed set of attributes    | SP can require any attributes
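The two categories compared above, applied to SP metadata, as an added example (this is not SWITCH or Shibboleth code, and not an attribute-filter.xml policy): it reads the entity-category tags and the RequestedAttribute list out of an SP's EntityDescriptor and derives the attribute set an IdP would release. The macedir entity-category attribute name, the R&S and CoCo category URIs and the eduPerson/LDAP/SCHAC OIDs are real; the metadata aggregate and the three entityIDs are constructed for this example; the R&S name-form choice and the required-only rule for CoCo are this example's reading of the slides.

```python
"""Entity-category driven attribute release (added example, not SWITCH/Shibboleth code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Standard eduPerson / LDAP / SCHAC attribute OIDs -> IdP attribute IDs.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
}

# Constructed aggregate: one R&S SP, one CoCo SP, one SP without any category.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">R&amp;S service</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.5.4.42"/>
        <md:RequestedAttribute Name="urn:oid:2.5.4.4"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo service</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Entity-category URIs tagged on one EntityDescriptor."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return {v.text.strip()
            for a in entity.findall(path, NS) if a.get("Name") == ENTITY_CATEGORY
            for v in a.findall("saml:AttributeValue", NS) if v.text}


def requested_attributes(entity):
    """{attribute ID: isRequired} from the SP's AttributeConsumingService."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {OID_TO_NAME.get(r.get("Name"), r.get("Name")): r.get("isRequired", "false") == "true"
            for r in entity.findall(path, NS)}


def release_policy(entity):
    """(policy label, sorted attribute IDs the IdP releases) for one SP."""
    cats, requested = entity_categories(entity), requested_attributes(entity)
    if RS in cats:
        # R&S: a fixed bundle whatever the SP lists; the person name is
        # givenName + sn if the SP asked for those, displayName otherwise.
        name = {"givenName", "sn"} if {"givenName", "sn"} & set(requested) else {"displayName"}
        bundle = {"eduPersonPrincipalName", "mail", "eduPersonTargetedID",
                  "eduPersonScopedAffiliation"} | name
        return "REFEDS R&S bundle", sorted(bundle)
    if COCO in cats:
        # CoCo: the SP may request anything; data minimisation means the IdP
        # releases only what the SP marks isRequired="true".
        return "GEANT DP CoCo, required attributes only", sorted(
            a for a, required in requested.items() if required)
    return "no entity category: explicit per-SP rule needed", []


def policies_for(metadata_xml):
    """entityID -> release_policy() for every EntityDescriptor in an aggregate."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): release_policy(e)
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])}
```

Run it against a real aggregate (e.g. the interfederation SP file loaded by your IdP) to see which SPs would get attributes from a category rule alone and which still need a per-SP entry in the Resource Registry; the untagged SP in the sample is exactly the case where a category-based policy releases nothing.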

Page 87

Attribute Release Configuration: How attributes are released
SWITCHaai Team, aai@switch.ch

Attribute Release Rules
(Screenshot of the Resource Registry attribute release rules)

Page 88

Attribute Release Settings (1)
(Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings)

Attribute Release Settings (2)
(Screenshot)

Page 89

Overview of Log Files
SWITCHaai Team, aai@switch.ch

Apache log files
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf
• Log files
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7/
  – config in /etc/tomcat7/logging.properties: FileHandler.level = INFO (one of SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: messages of the "localhost" host, i.e. exceptions thrown by the deployed web applications (also configured in logging.properties)
• localhost_access_log.YYYY-MM-DD.txt: access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7/
  – config: the AccessLogValve in /etc/tomcat7/server.xml (output dir and file name)

Shibboleth log files (1)
• Logging implementation: Logback (the Log4j successor); manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP; in services.properties the entry idp.service.logging.checkInterval = PT5M sets the polling interval
• Automatic e-mail alerts on error (SMTPAppender, see below)

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files are produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log (WARN level and above)
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Configuration: /opt/shibboleth-idp/conf/logback.xml
• Three main classes: Logger, Appender (output destination) and Layout
• The default settings are usually OK; change them if required, e.g.
  – LDAP auth module or authentication events
  – a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

Note that SMTPAppender does not mail every event: by default it keeps the last 256 events in a cyclic buffer and only sends a message when an event of level ERROR arrives, so attaching it to the DEBUG root above yields one mail per error, with the preceding DEBUG context as the body. Since those mails contain log content (user names, relying parties), send them to an internal mailbox only.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class name in the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set (uid=$requestContext.principalName) again and restart Tomcat.

Page 94

Reloading the Configuration: New options with IdPv3
SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• Only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• Potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• No option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• A reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• Available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• Reloading metadata: find the IDs with
    $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-providers.xml
• By default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry); anyone who can reach these URLs can force the IdP to re-read its configuration, so keep that policy tight
• Two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose, but they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too
• The IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures
SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs. opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs. Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up to date:
    · the interfederation metadata gets loaded
    · IdP: additional attributes, user consent
    · SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – The federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day if they do not want to participate or if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue: the SP does not load the interfederation metadata, so it does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out. That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that the attributes were released (in the IdP's idp-audit.log)
    · If NO: check your IdP's attribute release policy
    · If YES: were all required attributes released?
      If YES: the SP has to check out why it fails
      If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier. The IdP v3 encrypts SAML 2 assertions by default, so an SP whose metadata carries no usable encryption key, or whose private key does not match it, never sees the attributes even though idp-audit.log shows them as released.
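Two checks from this training, as one added example (not SWITCH or Shibboleth code): the attribute-release verification against idp-audit.log described above, and the question from the "Reloading the Configuration" hands-on slide about what the audit record of a reload does and does not tell you. It assumes the pipe-delimited audit layout %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i| (AUDIT_FIELDS; compare with the formatting map in your conf/audit.xml and adjust) and the admin flow URLs shown on the reload slides; the log lines, principals and entityIDs are constructed for this example.

```python
"""idp-audit.log checks and admin reloads (added example, not Shibboleth code)."""
import urllib.parse
import urllib.request

# Assumed field order of idp-audit.log: %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|
# Compare with the formatting map in conf/audit.xml and adjust if yours differs.
AUDIT_FIELDS = ["time", "binding", "requestId", "relyingParty", "profile", "idp",
                "responseBinding", "responseId", "principal", "authnMethod",
                "attributes", "nameId", "assertionIds"]
PROFILES = "http://shibboleth.net/ns/profiles/"
SSO = PROFILES + "saml2/sso/browser"
PWD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: two SSO events plus the two reload records shown on the slide.
SAMPLE_AUDIT = "\n".join([
    "20150611T091501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|"
    "https://sp1.example.org/shibboleth|" + SSO + "|https://aai-login.example.org/idp/shibboleth|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|user1|" + PWD + "|"
    "eduPersonPrincipalName,mail,eduPersonScopedAffiliation|_n1|_s1|",
    "20150611T091702Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|"
    "https://sp2.example.org/shibboleth|" + SSO + "|https://aai-login.example.org/idp/shibboleth|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|user2|" + PWD + "|"
    "eduPersonPrincipalName|_n2|_s2|",
    "20150611T092000Z||||" + PROFILES + "reload-service-configuration||||||||",
    "20150611T092010Z||||" + PROFILES + "reload-metadata||||||||",
])


def parse_audit_line(line):
    """One audit record as a dict; surplus trailing fields are ignored."""
    return dict(zip(AUDIT_FIELDS, line.rstrip("\n").split("|")))


def released_attributes(log_text, relying_party):
    """Sorted attribute IDs released to an SP, one list per SSO event, oldest first."""
    events = []
    for rec in map(parse_audit_line, log_text.splitlines()):
        if rec.get("relyingParty") == relying_party and rec.get("profile") == SSO:
            events.append(sorted(a for a in rec.get("attributes", "").split(",") if a))
    return events


def missing_attributes(log_text, relying_party, required):
    """Required attributes (per the Resource Registry) absent from the latest release.

    None means there was no SSO to that SP at all: check metadata and DS first,
    not the attribute filter."""
    events = released_attributes(log_text, relying_party)
    if not events:
        return None
    return sorted(set(required) - set(events[-1]))


def reload_events(log_text):
    """(time, admin flow) for each reload record. The record carries no id= value,
    so which service or metadata source was reloaded must come from idp-process.log."""
    return [(r["time"], r["profile"][len(PROFILES):])
            for r in map(parse_audit_line, log_text.splitlines())
            if r.get("profile", "").startswith(PROFILES + "reload-")]


def reload_url(base, flow, bean_id):
    """Admin reload URL; flow is 'reload-service' or 'reload-metadata'."""
    if flow not in ("reload-service", "reload-metadata"):
        raise ValueError("unknown admin flow: %s" % flow)
    return "%s/idp/profile/admin/%s?%s" % (
        base.rstrip("/"), flow, urllib.parse.urlencode({"id": bean_id}))


def trigger_reload(base, flow, bean_id, timeout=30):
    """Request the reload (run from a host allowed by access-control.xml, by
    default localhost) and return the HTTP status; the outcome is in idp-process.log."""
    with urllib.request.urlopen(reload_url(base, flow, bean_id), timeout=timeout) as resp:
        return resp.status
```

For a real investigation, feed the whole idp-audit.log to missing_attributes() with the SP's required list from the Resource Registry; an empty result means the IdP side is fine and the SP has to look at its own attribute mapping or decryption.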

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php, pick the country where the entity might be registered, under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide e-mail addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? http://monitor.edugain.org/coco/
  – REFEDS Metadata Explorer Tool (MET): https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch, pick "Search for resources", then pick "interfederation"
  – or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 81: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

SWITCHaai Team aaiswitchch

Interfederation Option What to consider before enabling an IdP for Interfederation

copy 2015 SWITCH

Why Interfederation bull  Most Federations are of national scope

bull  Services may need to register in many federations to serve all their users Thats time consuming and becomes a huge overhead eg EBSCOhost is registered in 22 federations

bull  Research projects are mostly multi-national

bull  Interconnecting national federations Interfederation

Register the IdP or SP in only one federation and enable it for interfederation bull  Enable the IdP for interfederation

Its users will be able to access services from other federations bull  Enable the SP for interfederation

The service can serve users from other federations

4

Page 79

copy 2015 SWITCH

All Academic Identity Federations Globally

5

Production Pilot Source httpsrefedsorgfederationsfederations-map

copy 2015 SWITCH

eduGAIN Status bull  eduGAIN is the GEacuteANT

Interfederation Service

bull  eduGAIN design principles bull  Low barrier to entry bull  No mandate to change local

standardsprocedures bull  Minimal central infrastructure

bull  Status June 2015 bull  IdPs 1257 bull  SPs 963

httpwwwedugainorg

httpstechnicaledugainorgstatusphp

Page 80

copy 2015 SWITCH

Enabling Interfederation in the Resource Registry

7

httpswwwswitchchaaiinterfederation

Prerequisite Due to data protection considerations each institution needs to sign the SWITCHaai Interfederation Access Declaration

SWITCH will enable the checkbox in the Resource Registry

Recommended Interfederation Attributes (slide 8)

Friendly name                  Defined in   Example
displayName                    eduPerson    Peter Sample
common name (cn)               eduPerson    Peter Sample
mail                           eduPerson    peter.sample@example.org
eduPersonAffiliation,          eduPerson    staff,
eduPersonScopedAffiliation                  staff@example.org
eduPersonPrincipalName         eduPerson    234cd8z239@example.org
schacHomeOrganization          SCHAC        example.org
schacHomeOrganizationType      SCHAC        urn:schac:homeOrganizationType:ch:university,
                                            urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /          eduPerson    https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Enabling Interfederation (2) (slide 9)
https://www.switch.ch/aai/interfederation
[Screenshot of the Resource Registry interfederation settings]

eduGAIN: What is it and how does it work? (slide 10)
• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt-in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Diagram of the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

Entity Categories
GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

SWITCHaai Team, aai@switch.ch

Outline (slide 12)
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Entity categories (slide 13)
A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
• Criteria: purpose, policies, or other

In the interfederation context:
• Filling the gap of missing common policies
• Supporting or increasing scalable trust

Metadata (slide 14)
[Image-only slide]

Page 84

GÉANT Data Protection Code of Conduct (slide 15)
• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

[Diagram: the goal is to increase the trust in Service Providers (SPs). Each SP commits to the GÉANT Data Protection Code of Conduct; each Home Organisation (HO) learns the SP's commitment.]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

GÉANT Data Protection Code of Conduct: Principles (slide 16)
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo) (slide 17)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative, informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template (slide 18)
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship (slide 19)
• R&S SPs support:
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes:
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
• Minimal subset: eduPersonPrincipalName, mail, person name
  (person name = given name + surname OR displayName)
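The following is an added example and not code from the SWITCH handouts or from the Shibboleth project. It checks whether the attributes an IdP has resolved for a user satisfy the R&S minimal subset from this slide (eduPersonPrincipalName, mail, and a person name built from given name + surname or displayName) and whether the scoped values from the "Recommended Interfederation Attributes" table carry the home organisation's scope, which is what an R&S SP's scope filter enforces. Assumed: the LDAP-style attribute names givenName and sn for given name and surname; both sample users are constructed.

```python
# Added example, not code from the SWITCH handouts or the Shibboleth project:
# check whether the attributes an IdP resolved for a user satisfy the REFEDS
# R&S minimal subset described on the slide, and whether scoped values carry
# the home organisation's scope. Attribute names follow the handout's
# "Recommended Interfederation Attributes" table, plus the assumed LDAP names
# givenName and sn; the sample users are constructed for this example.

# Scoped attributes: the part after "@" must be the home organisation's scope,
# otherwise the SP's scope check discards the value and the login fails.
SCOPED = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")

# R&S minimal subset from the slide: ePPN, mail and a person name.
RS_REQUIRED = ("eduPersonPrincipalName", "mail")


def _values(attrs, name):
    """Normalise a single value or a list of values to a list of non-empty values."""
    value = attrs.get(name)
    if value is None:
        return []
    values = list(value) if isinstance(value, (list, tuple)) else [value]
    return [v for v in values if v]


def has_person_name(attrs):
    """R&S person name = givenName + sn, OR displayName."""
    if _values(attrs, "displayName"):
        return True
    return bool(_values(attrs, "givenName")) and bool(_values(attrs, "sn"))


def rs_minimal_subset_missing(attrs):
    """List the R&S minimal-subset items that attrs does not provide."""
    missing = [name for name in RS_REQUIRED if not _values(attrs, name)]
    if not has_person_name(attrs):
        missing.append("person name (givenName+sn or displayName)")
    return missing


def bad_scopes(attrs, home_scope):
    """Return (attribute, value) pairs whose scope is not home_scope."""
    problems = []
    for name in SCOPED:
        for value in _values(attrs, name):
            scope = value.rpartition("@")[2]  # whole value if there is no "@"
            if scope.lower() != home_scope.lower():
                problems.append((name, value))
    return problems


def check_rs_release(attrs, home_scope):
    """Overall verdict: (ok, missing_items, scope_problems)."""
    missing = rs_minimal_subset_missing(attrs)
    problems = bad_scopes(attrs, home_scope)
    return (not missing and not problems, missing, problems)


# Constructed sample users; PETER mirrors the values in the handout's table.
PETER = {
    "displayName": "Peter Sample",
    "cn": "Peter Sample",
    "mail": "peter.sample@example.org",
    "eduPersonAffiliation": "staff",
    "eduPersonScopedAffiliation": "staff@example.org",
    "eduPersonPrincipalName": "234cd8z239@example.org",
    "schacHomeOrganization": "example.org",
}
# ANNA has only a surname (no givenName, no displayName) and an ePPN with a
# foreign scope: two typical reasons an R&S SP rejects an otherwise valid login.
ANNA = {
    "sn": "Muster",
    "mail": "anna.muster@example.org",
    "eduPersonPrincipalName": "anna@other.example",
    "eduPersonScopedAffiliation": ["student@example.org", "member@example.org"],
}

if __name__ == "__main__":
    for user in (PETER, ANNA):
        print(check_rs_release(user, "example.org"))
```

Run against a real user, the three-tuple tells you directly which of the two policy questions on this slide set applies: a non-empty second element means the resolver or the filter policy does not produce the minimal subset; a non-empty third element means the IdP is asserting values in a scope it is not authoritative for.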

Comparison (slide 20)

REFEDS R&S                    GÉANT DP CoCo
Global                        Mainly Europe
Common purpose of the SPs     Common data protection standards
Fixed set of attributes       SP can require any attributes
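As an added example (not part of the SWITCH handouts or of any Shibboleth code), the following reads the entity-category tag described on slide 13 out of SAML metadata and reports whether an SP claims REFEDS R&S, the GÉANT DP CoCo, or both. The attribute name http://macedir.org/entity-category and the two category URIs are the published identifiers; the metadata aggregate below is constructed for the example. The CoCo check goes one step further than the tag itself: because the CoCo obliges the SP to publish a privacy policy, an SP tagged CoCo without an mdui:PrivacyStatementURL is flagged, since the tag alone is then not a sound basis for releasing attributes.

```python
# Added example, not part of the SWITCH handouts or of any Shibboleth code:
# read the entity-category tags an SP carries in its SAML metadata and report
# whether it claims REFEDS R&S and/or the GÉANT Data Protection Code of
# Conduct. The category URIs and the attribute name below are the published
# ones; the metadata document is constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"


def entity_categories(entity):
    """All entity-category values attached to one EntityDescriptor."""
    cats = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue  # other entity attributes (e.g. assurance) are not categories
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                cats.add(val.text.strip())
    return cats


def privacy_statement_urls(entity):
    """mdui:PrivacyStatementURL values of the SP role, if any."""
    path = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL"
    return [e.text.strip() for e in entity.findall(path, NS) if e.text]


def classify(metadata_xml):
    """entityID -> category flags; accepts a single entity or an aggregate.

    CoCo obliges the SP to publish a privacy policy, so an SP tagged CoCo
    without a PrivacyStatementURL is flagged: the tag alone is not enough
    to justify releasing attributes to it.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)
    report = {}
    for ent in entities:
        cats = entity_categories(ent)
        report[ent.get("entityID")] = {
            "rs": RS in cats,
            "coco": COCO in cats,
            "coco_without_privacy_url": COCO in cats and not privacy_statement_urls(ent),
        }
    return report


# Constructed aggregate: one SP tagged R&S + CoCo with a privacy statement,
# one SP tagged CoCo but lacking the privacy statement the CoCo requires.
SAMPLE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
        </mdui:UIInfo>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://publisher.example.net/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for entity_id, flags in classify(SAMPLE).items():
        print(entity_id, flags)
```

Pointed at a real aggregate such as the interfederation SP metadata file named later in this handout, classify() gives the same answer as the eduGAIN CoCo monitor page, but computed from the metadata your IdP actually loaded, which is what the attribute filter sees.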

Page 87

Attribute Release Configuration
How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules (slide 2)
[Image-only slide]

Page 88

Attribute Release Settings (1) (slide 3)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2) (slide 4)
[Screenshot]

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files (slide 2)
Log files:
• error.log: aai-login.example.org.error.log
  LogLevel in /etc/apache2/apache2.conf (default "warn")
• access.log: aai-login.example.org.access.log
Location: /var/log/apache2
Configuration defined in the virtual host definition:
• dir: /etc/apache2/sites-available
• file: aai-login.example.org.conf

Page 90

Tomcat log files (slide 3)
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7
  • config in /etc/tomcat7/logging.properties:
    FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1) (slide 4)
• Logging implementation called Logback (Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91

Shibboleth log files (2) (slide 5)
• Location: /opt/shibboleth-idp/logs
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3) (slide 6)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok; change them if required, e.g.
  • LDAP auth module or authentication events
  • new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml (slide 7)

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
      <smtpHost>localhost</smtpHost>
      <to>staff1@example.org</to>
      <from>idp_host@example.org</from>
      <subject>TESTING: %logger{20} - %m</subject>
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date %-5level %logger{35} - %message%n</pattern>
      </layout>
    </appender>

    <root level="DEBUG">
      <appender-ref ref="IDP_PROCESS"/>
      <appender-ref ref="IDP_WARN" />
      <appender-ref ref="EMAIL" />
    </root>

http://logback.qos.ch/manual/appenders.html

Hands On 1 (slide 8)
Why is Tomcat not starting up?
1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out: find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2 (slide 9)
Find out why not all of the attributes appear.

Hands On II (slide 10)
1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries:
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Page 94

Reloading the Configuration
New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2 (slide 2)
• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3 (slide 3)
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep '<bean id=.*class=' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)
• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
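As an added example (not the reload scripts shipped under /opt/shibboleth-idp/bin and not SWITCH code), here is a small client for the two admin flows from slide 3. It refuses service bean IDs that are not in the list on slide 4 before sending anything, and it turns HTTP errors into a result instead of an exception, so a 403 from access-control.xml (the caller is not localhost or the Resource Registry) is reported rather than crashing a script. Assumed: the base URL is the handout's example host, and the `fetch` parameter is an assumption of this example that lets the network call be replaced offline.

```python
# Added example, not the reload scripts shipped under /opt/shibboleth-idp/bin
# and not SWITCH code: a small client for the two IdP v3 admin flows on these
# slides. It refuses service bean IDs that are not in the list from slide 4
# before sending anything, and reports HTTP errors (e.g. 403 when
# access-control.xml does not allow the caller) as a result, not an exception.
# Assumptions: the base URL is the handout's example host; the `fetch`
# parameter exists so the request can be replaced by a fake one offline.
import urllib.error
import urllib.parse
import urllib.request

# Service bean IDs from the "Available bean IDs for service reloads" slide.
SERVICE_IDS = frozenset([
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
])


def reload_url(base, kind, ident):
    """Build .../idp/profile/admin/reload-service?id=... or reload-metadata?id=...

    `kind` is "service" or "metadata". Service IDs are checked against the
    known list; metadata IDs are whatever metadata-provider-*.xml declares,
    so they are passed through as given (URL-encoded).
    """
    if kind not in ("service", "metadata"):
        raise ValueError("kind must be 'service' or 'metadata'")
    if kind == "service" and ident not in SERVICE_IDS:
        raise ValueError("unknown service bean ID: %s" % ident)
    query = urllib.parse.urlencode({"id": ident})
    return "%s/idp/profile/admin/reload-%s?%s" % (base.rstrip("/"), kind, query)


def _http_get(url):
    """Fetch url with urllib; return (status, body_bytes).

    HTTP errors become a result: 403 is what the IdP returns when
    access-control.xml does not allow the calling address, 404/500 when the
    flow or the ID is wrong. Connection failures yield status None.
    """
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except urllib.error.URLError as err:
        return None, str(err.reason).encode("utf-8")


def reload_idp(base, kind, ident, fetch=_http_get):
    """Call the admin flow; return (http_status, response_text)."""
    status, body = fetch(reload_url(base, kind, ident))
    return status, body.decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://aai-login.example.org"
    for service in sorted(SERVICE_IDS):
        status, text = reload_idp(base, "service", service)
        print(service, status, text.strip()[:80])
```

Run from the IdP host itself (where the default access control allows the call), the script reloads every service in turn and prints the status per bean ID, which is a quick way to confirm that each configuration file still parses after an edit.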

Page 96

And restartless login page editing too (slide 5)
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3 (slide 6)
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises (slide 7)
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals (slide 2)
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out (slide 3)
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples (slide 4)
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata (slide 5)
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS) (slide 6)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes (slide 7)
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
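The decision tree above is mechanical enough to script. The following added example (not part of the SWITCH handouts or of the Shibboleth IdP) parses idp-audit.log records, applies the "was anything released / was everything required released" questions to the most recent login at a given SP, and also lists the reload-service and reload-metadata events that the reloading hands-on exercise points out in the same log. It assumes the field order of the IdP v3 default audit format, %T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%s|%U|, as understood by the author of this example; verify the field names against your own logging configuration before relying on them. The log lines are constructed, not taken from a real IdP.

```python
# Added example, not part of the SWITCH handouts or of the Shibboleth IdP:
# parse idp-audit.log records to answer the questions on this slide (was
# anything released to an SP, and were all attributes the SP requires among
# them?) and to list the reload events mentioned in the reloading hands-on.
# Assumption: the field order of the IdP v3 default audit format,
# %T|%b|%I|%SP|%P|%u|%ac|%attr|%n|%i|%s|%U|, as understood here; check it
# against your own configuration before trusting the field names. The log
# lines below are constructed, not taken from a real IdP.

FIELDS = ["time", "binding", "inbound_id", "relying_party", "profile", "user",
          "authn_context", "attributes", "nameid", "nameid_format",
          "assertion_id", "outbound_binding"]

RELOAD_PREFIX = "http://shibboleth.net/ns/profiles/reload-"


def parse_audit(text):
    """Turn audit lines into dicts; the attributes field becomes a list."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) < len(FIELDS):
            continue  # blank or not in the expected format: skip, don't guess
        rec = dict(zip(FIELDS, parts))
        rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
        records.append(rec)
    return records


def reload_events(records):
    """(time, flow) pairs for the reload-service / reload-metadata admin flows."""
    return [(r["time"], r["profile"][len(RELOAD_PREFIX):])
            for r in records if r["profile"].startswith(RELOAD_PREFIX)]


def diagnose(records, sp, required):
    """Apply the slide's decision tree to the most recent login at `sp`.

    `required` is the SP's attribute requirement list as shown in the
    Resource Registry. Reload records carry an empty relying party, so they
    never match a real SP here.
    """
    logins = [r for r in records if r["relying_party"] == sp]
    if not logins:
        return "no request from this SP recorded in the audit log"
    released = set(logins[-1]["attributes"])
    if not released:
        return "nothing released: check your attribute release policy"
    missing = sorted(set(required) - released)
    if missing:
        return "missing required attributes %s: review your release policy" % (missing,)
    return "all required attributes released: the SP has to check why it fails"


# Constructed sample log: two browser SSO logins and two reload events.
SAMPLE_LOG = """
20150611T101502Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_abc123|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|peter|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|displayName,mail,eduPersonPrincipalName,eduPersonScopedAffiliation|_def456|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_ghi789|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|
20150611T101730Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_jkl012|https://filesender.example.net/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|anna|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail|_mno345|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_pqr678|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|
20150611T102000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T102005Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
"""

if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    print(reload_events(recs))
    print(diagnose(recs, "https://filesender.example.net/shibboleth",
                   ["eduPersonPrincipalName", "mail"]))
```

Note what the reload records do not contain: the relying party, user and attribute fields are all empty, which is exactly the observation behind the "how can you determine what id= argument was supplied" question in the reloading exercises; the audit log alone cannot answer it.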

Exploring interfederated entities (slide 8)
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
  • pick the country where the entity might be registered
  • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
• or search it in the eduGAIN List of Entities
  • go to https://technical.edugain.org/entities.php
• or try the "Is Federated" Checker
  • go to https://wiki.edugain.org/isFederatedCheck
  • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities (slide 9)
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103


bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 83: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

Slide 7: Enabling Interfederation in the Resource Registry

https://www.switch.ch/aai/interfederation/

Prerequisite: due to data protection considerations, each institution needs to sign the SWITCHaai Interfederation Access Declaration.

SWITCH will enable the checkbox in the Resource Registry.

Slide 8: Recommended Interfederation Attributes

Friendly name              | Defined in | Example
displayName                | eduPerson  | Peter Sample
common name (cn)           | eduPerson  | Peter Sample
mail                       | eduPerson  | peter.sample@example.org
eduPersonAffiliation /     | eduPerson  | staff /
eduPersonScopedAffiliation |            | staff@example.org
eduPersonPrincipalName     | eduPerson  | 234cd8z239@example.org
schacHomeOrganization      | SCHAC      | example.org
schacHomeOrganizationType  | SCHAC      | urn:schac:homeOrganizationType:ch:university
                           |            | urn:schac:homeOrganizationType:eu:higherEducationInstitution
eduPersonTargetedID /      | eduPerson  | https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!2389cdhu3e-sda7323
Persistent Name ID         |            |

eduPerson: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg
SCHAC: https://wiki.refeds.org/display/STAN/SCHAC+Releases

Page 81

Slide 9: Enabling Interfederation (2)

https://www.switch.ch/aai/interfederation/

eduGAIN: What is it and how does it work?

• eduGAIN provides a policy framework and standards to build trust
• SPs and IdPs of participating federations should opt in for eduGAIN
  • Some federations decided for opt-out instead
• The MDS fetches, aggregates and republishes metadata

[Figure: the eduGAIN policy framework: eduGAIN Constitution, eduGAIN Declaration, Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile]

Page 82

SWITCHaai Team, aai@switch.ch

Entity Categories: GÉANT Data Protection CoCo and REFEDS Research & Scholarship (R&S)

Slide 12: Outline
• Entity category
• GÉANT Data Protection Code of Conduct (CoCo)
• REFEDS Research & Scholarship (R&S)
• Attribute release in the Resource Registry

Page 83

Slide 13: Entity categories

A generic method to enrich metadata:
• Tag an entity (SP or IdP) as being part of a category
• Requires a specification for internationally coherent use
  • Criteria
  • Purpose
  • Policies
  • Or other

In the interfederation context:
• Filling the gap of missing common policies
• Support or increase scalable trust

Slide 14: Metadata [figure only; no text extracted]

Page 84

Slide 15: GÉANT Data Protection Code of Conduct

• The method is based on the EU Data Protection directives
• The SP has to provide a Privacy Policy (in English, according to the guideline)
• That will encourage the Home Organisation (IdP) to release attributes; attribute release will scale

Goal: increase the trust in Service Providers (SPs).
[Figure: SPs commit to the GÉANT Data Protection Code of Conduct; Home Organisations (HO) learn the SP's commitment]

Code of Conduct Toolkit:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category attribute definition for the Code of Conduct
• SAML2 profile for the Data Protection Code of Conduct

Slide 16: GÉANT Data Protection Code of Conduct: Principles

• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Slide 17: Data Protection Code of Conduct (DP CoCo)

Normative documents:
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents:
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request?
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Slide 18: Privacy policy template

• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

Slide 19: REFEDS Research & Scholarship

• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

Slide 20: Comparison

REFEDS R&S                | GÉANT DP CoCo
Global                    | Mainly Europe
Common purpose of the SPs | Common data protection standards
Fixed set of attributes   | SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Slide 2: Attribute Release Rules [figure only; no text extracted]

Page 88

Slide 3: Attribute Release Settings (1)
[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Slide 4: Attribute Release Settings (2)
[Screenshot only; no text extracted]

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Slide 2: Apache log files

Logfiles:
• error.log / aai-login.example.org.error.log: LogLevel set in /etc/apache2/apache2.conf (default "warn")
• access.log / aai-login.example.org.access.log
Location: /var/log/apache2/
Configuration: defined in the virtual host definition
• dir: /etc/apache2/sites-available/
• file: aai-login.example.org.conf

Page 90

Slide 3: Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/; config in /etc/tomcat7/logging.properties
  • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log: access information associated with a request (IP address, time, request method (GET or POST))
  • default logging location: /var/log/tomcat7/; config in /etc/tomcat7/server.xml (output dir and name)

Slide 4: Shibboleth log files (1)

• Logging implementation called Logback, the Log4j successor
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes take effect without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Slide 5: Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms-of-use acceptance

Slide 6: Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings usually ok
• Change it if required, e.g.
  o LDAP Auth Module or authentication events
  o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

Slide 7: SMTPAppender in logback.xml

<!-- Mails a log excerpt whenever an ERROR-level event is logged (the SMTPAppender default trigger). -->
<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<!-- The mailed excerpt contains the preceding buffered events, which can include user identifiers; keep the recipient internal. -->
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Slide 8: Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   Find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

Page 93

Slide 9: Hands On 2

Find out why not all of the attributes appear

Slide 10: Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value:
   change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml:
   set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Slide 2: Reloading the configuration with v2

• only supported in a limited way, by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

Slide 3: New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id=' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Slide 4: Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

Slide 5: And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages: edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately; say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2

Slide 6: Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

Slide 7: (Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
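The two audit-log entries above are enough to build a small monitor for reload events, which is worth having: a reload nobody scheduled means someone with access to the restricted reload-* URLs changed the running configuration. The Python script below is an added example, not part of the SWITCH handouts or of the Shibboleth IdP distribution. It scans constructed idp-audit.log lines for the reload-metadata and reload-service-configuration profile URIs, flags reloads outside a maintenance window, and checks a requested bean ID against the list from slide 4 before the admin-flow URL from slide 3 is built. It assumes the IdP v3 default audit layout, in which the timestamp is the first and the profile URI the fifth pipe-separated field (the four leading pipes in the entries above); if idp.audit.format.default was changed, adjust PROFILE_FIELD. The sample lines are constructed, not real log data.

```python
"""Added example: spot reload events in idp-audit.log and build reload URLs.

Assumption (not from the slides): the default IdP v3 audit layout, where
the timestamp is the first and the profile URI the fifth '|'-separated
field. Adjust PROFILE_FIELD if idp.audit.format.default was customised.
"""
from datetime import datetime
from urllib.parse import quote

RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-service-configuration": "service",
    "http://shibboleth.net/ns/profiles/reload-metadata": "metadata",
}
PROFILE_FIELD = 4  # 0-based index of the %P field in the assumed layout

# Bean IDs of the reloadable services listed on slide 4.
SERVICE_IDS = {
    "shibboleth.LoggingService",
    "shibboleth.AttributeFilterService",
    "shibboleth.AttributeResolverService",
    "shibboleth.NameIdentifierGenerationService",
    "shibboleth.RelyingPartyResolverService",
    "shibboleth.MetadataResolverService",
    "shibboleth.ReloadableAccessControlService",
}

# Constructed sample audit lines (not real log data): two reload events
# around an ordinary SAML2 browser SSO request.
SAMPLE_AUDIT_LINES = [
    "20150611T081502Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T081530Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_1a2b|"
    "https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|"
    "jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "eduPersonPrincipalName,mail|...",
    "20150611T231159Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
]


def parse_timestamp(field):
    """%T in the assumed layout is UTC, formatted as yyyyMMdd'T'HHmmss'Z'."""
    return datetime.strptime(field, "%Y%m%dT%H%M%SZ")


def reload_events(lines):
    """Return (timestamp, kind) for every reload event among the audit lines.

    The id= argument of the admin flow is not part of the audit record, so
    only the kind of reload (service or metadata) can be recovered here.
    """
    events = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) <= PROFILE_FIELD:
            continue
        kind = RELOAD_PROFILES.get(fields[PROFILE_FIELD])
        if kind is not None:
            events.append((parse_timestamp(fields[0]), kind))
    return events


def outside_window(events, start_hour, end_hour):
    """Reload events whose hour lies outside [start_hour, end_hour)."""
    return [(ts, kind) for ts, kind in events
            if not (start_hour <= ts.hour < end_hour)]


def is_known_service(bean_id):
    """True if bean_id is one of the reloadable services from slide 4."""
    return bean_id in SERVICE_IDS


def reload_url(base_url, kind, item_id):
    """Build the admin flow URL from slide 3, rejecting unknown service IDs."""
    if kind not in ("service", "metadata"):
        raise ValueError("kind must be 'service' or 'metadata'")
    if kind == "service" and not is_known_service(item_id):
        raise ValueError("unknown reloadable service: " + item_id)
    return "%s/idp/profile/admin/reload-%s?id=%s" % (
        base_url.rstrip("/"), kind, quote(item_id, safe=""))


if __name__ == "__main__":
    events = reload_events(SAMPLE_AUDIT_LINES)
    for ts, kind in events:
        print(ts.isoformat(), kind)
    for ts, kind in outside_window(events, 8, 18):
        print("reload outside maintenance window:", ts.isoformat(), kind)
    print(reload_url("https://aai-login.example.org", "service",
                     "shibboleth.AttributeFilterService"))
```

Run it against the real file with `reload_events(open("/opt/shibboleth-idp/logs/idp-audit.log"))`; since the reload URLs are only reachable from localhost by default, the URL builder is meant to feed the curl call on this slide rather than to replace it.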

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

Slide 2: Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Slide 3: Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Slide 4: Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Slide 5: Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Slide 6: Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  • An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  • E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Slide 7: Attributes

• Missing attributes cause interoperation problems
• Check the SP's attribute requirements in the Resource Registry
• Verify that attributes were released (in the IdP's audit log)
  • If NO: check your IdP's attribute release policy
  • If YES: were all required attributes released?
    • If YES: the SP has to check out why it fails
    • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.
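The decision tree on this slide can be run over the audit log directly. The Python below is an added example, not SWITCH's or the IdP's own code: it takes constructed idp-audit.log lines, collects the attribute IDs the IdP released to one SP entityID during SAML2 browser SSO, and reports which branch of the tree applies (nothing released, some required attributes missing, or everything released so the SP has to investigate). It assumes the default IdP v3 audit layout with the relying party entityID in the 4th field, the profile URI in the 5th and the comma-separated released attribute IDs in the 8th; the required-attribute set would normally come from the SP's entry in the Resource Registry and is constructed here from the R&S minimal subset.

```python
"""Added example: check released attributes against an SP's requirements.

Assumption (not from the slides): default IdP v3 audit layout, with the
relying party entityID as 4th, the profile URI as 5th and the comma-
separated released attribute IDs as 8th '|'-separated field.
"""

SP_FIELD = 3
PROFILE_FIELD = 4
ATTR_FIELD = 7
SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"

# Constructed sample lines (not real log data): one SSO to the interfederated
# SP with a partial release, one to another SP with a full release, and one
# reload event that carries no attributes at all.
SAMPLE_AUDIT_LINES = [
    "20150611T091200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_x1|"
    "https://sp.example.org/shibboleth-sp|" + SSO_PROFILE + "|jdoe|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "eduPersonPrincipalName,mail|...",
    "20150611T091300Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_x2|"
    "https://other.example.net/shibboleth|" + SSO_PROFILE + "|jdoe|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
    "eduPersonPrincipalName,mail,displayName|...",
    "20150611T093000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
]

# Constructed requirement set (the R&S minimal subset); in practice take it
# from the SP's Resource Registry entry or its RequestedAttribute metadata.
REQUIRED = {"eduPersonPrincipalName", "mail", "displayName"}


def released_attributes(lines, sp_entity_id):
    """Union of attribute IDs released to sp_entity_id, plus the SSO request count."""
    released, requests = set(), 0
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) <= ATTR_FIELD or fields[SP_FIELD] != sp_entity_id:
            continue
        if fields[PROFILE_FIELD] != SSO_PROFILE:
            continue
        requests += 1
        released.update(a for a in fields[ATTR_FIELD].split(",") if a)
    return released, requests


def diagnose(lines, sp_entity_id, required):
    """Walk the slide's decision tree; returns (verdict, missing attribute set)."""
    released, requests = released_attributes(lines, sp_entity_id)
    if requests == 0 or not released:
        # Nothing recorded as released: look at the IdP's attribute release policy.
        return "check-release-policy", set(required)
    missing = set(required) - released
    if missing:
        # Something was released, but not everything the SP requires.
        return "review-release-policy", missing
    # Everything required went out: the failure has to be investigated by the SP.
    return "sp-must-investigate", set()


if __name__ == "__main__":
    for sp in ("https://sp.example.org/shibboleth-sp",
               "https://other.example.net/shibboleth",
               "https://unknown.example.edu/shibboleth"):
        print(sp, diagnose(SAMPLE_AUDIT_LINES, sp, REQUIRED))
```

A release recorded in idp-audit.log only proves the IdP sent the attributes; whether the SP could decrypt and map them is the separate failure mode described in the last bullet, which this check cannot see.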

Slide 8: Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Slide 9: Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
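Searching the interfederation metadata file by hand works, but the same questions (is the SP in the file at all, who registered it, which entity categories does it carry, which attributes does it request) can be answered by a script, and that also ties this slide to the entity category slides. The Python below is an added example, not SWITCH or Shibboleth code. It runs against a constructed EntitiesDescriptor in place of /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml; the entityIDs, the registration authority and the requested attributes in the sample are made up, while the CoCo and REFEDS R&S entity category URIs are the published ones. An SP missing from the file is the situation behind the "profile is not configured for relying party" message on slide 6, seen from the IdP side.

```python
"""Added example: look an entity up in a SAML metadata aggregate.

Constructed sample metadata stands in for
/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml; entityIDs,
registration authority and requested attributes are made up. The entity
category URIs for the GEANT Data Protection CoCo and REFEDS R&S are real.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RANDS = "http://refeds.org/category/research-and-scholarship"

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" Name="constructed-sample">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registry.example.net/"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Sample SP</md:ServiceName>
        <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName"
            Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://coco-sp.example.net/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def describe_entity(metadata_xml, entity_id):
    """None if entity_id is absent; else roles, registrar, entity categories
    and (FriendlyName, isRequired) pairs of the SP's requested attributes."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        info = {"roles": [], "registration_authority": None,
                "categories": set(), "requested": []}
        for child in ed:
            tag = child.tag.split("}")[1]
            if tag.endswith("SSODescriptor"):
                info["roles"].append(tag)
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is not None:
            info["registration_authority"] = reg.get("registrationAuthority")
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ENTITY_CATEGORY:
                for value in attr.findall("saml:AttributeValue", NS):
                    info["categories"].add((value.text or "").strip())
        path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
        for ra in ed.findall(path, NS):
            info["requested"].append((ra.get("FriendlyName"), ra.get("isRequired") == "true"))
        return info
    return None


def interfederation_summary(metadata_xml, entity_id):
    """One-line verdict for the troubleshooting steps on this slide."""
    info = describe_entity(metadata_xml, entity_id)
    if info is None:
        return "not in this metadata: the IdP has no configuration for this relying party"
    tags = [name for uri, name in ((COCO, "CoCo"), (RANDS, "R&S")) if uri in info["categories"]]
    required = [name for name, req in info["requested"] if req]
    return "present (%s); categories: %s; required attributes: %s" % (
        ", ".join(info["roles"]), ", ".join(tags) or "none", ", ".join(required) or "none listed")


if __name__ == "__main__":
    for eid in ("https://sp.example.org/shibboleth-sp", "https://missing.example.edu/shibboleth"):
        print(eid, "->", interfederation_summary(SAMPLE_METADATA, eid))
```

Pointing `describe_entity` at the real file (`open(path).read()`) gives the same answer as the Resource Registry search, and the requested-attribute list is the input for the attribute check on slide 7.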

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 84: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Enabling Interfederation (2)

9

httpswwwswitchchaaiinterfederation

copy 2015 SWITCH

eduGAIN What is it and how does it work

bull  eduGAIN provides policy framework and standards to build trust bull  SPs and IdPs of participating federations should opt-in for eduGAIN

bull  Some federations decided for opt-out instead

bull  MDS fetches aggregates and republishes metadata

Code ofConduct

Attribute Profile

Metadata Profile

Web SSOProfile

eduGAIN Constitution

eduGAINDeclaration

Page 82

SWITCHaai Team aaiswitchch

Entity Categories GEacuteANT Data Protection CoCo and REFEDS Research amp Scholarship RampS

copy 2015 SWITCH

Outline bull Entity category

bull GEacuteANT Data Protection Code of Conduct (CoCo)

bull REFEDS Research amp Scholarship (RampS)

bull Attribute release in the Resource Registry

12

Page 83

copy 2015 SWITCH

Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use

bull  Criteriabull Purposebull Policiesbull Or other

In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust

13

copy 2015 SWITCH

Metadaten

14

Page 84

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct

bull  The method is based on the EU Data Protection directivesbull  The SP has to provide a Privacy Policy (in English according to the guideline)bull  That will encourage the Home Organisation IdP to release attributes attribute release will scale

Increase the trust in Service Providers (SPs)

Commit to

Commit to

SP

SP

SP Commit to

HO

HO

HO Learn SPrsquos commitment

Learn SPrsquos commitment

Learn SPrsquos commitment GEacuteANT Data

protection Code of Conduct

bull  Data Protection Code of Conduct for SPs in EUEEAbull  Entity category attribute definition for the Code of Conductbull  SAML2 profile for the Data Protection Code of Conduct

Code of Conduct Toolkit

15

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct bull Principles

bull  Legal compliancebull  Purpose limitationbull  Data minimisationbull  Deviating purposesbull  Data retentionbull  Third partiesbull  Security measuresbull  Information duty towards end userbull  Information duty towards home organizationbull  Security breachesbull  Liabilitybull  Transfer to third countriesbull  Governing law and jurisdictionbull  Eligibility to executebull  Termination of the Code of Conductbull  Survival of the clausesbull  Precedence

16

Page 85

copy 2015 SWITCH

Data Protection Code of Conduct (DP CoCo)

Normative documents bull  Data Protection Code of

Conduct for SPs in EUEEAbull  Entity category specification

for the DP CoCobull  SAML2 profile for the DP CoCo

Non-normative informational documents bull  Introductionbull  Introduction to the DP directivebull  Managing DP risks using CoCobull  Privacy policy guidelines for SPsbull  What attributes can an SP requestbull  DP good practice for Home Organisations bull  Federation operator guidelinesbull  Handling non-compliancebull  IdP informconsent GUI guidelines

17

httpwwwgeantneturidataprotection-code-of-conductv1

httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home

httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook

Cookbook for DP CoCo

copy 2015 SWITCH

Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct

18

Page 86

copy 2015 SWITCH

REFEDS Research amp Scholarship bull RampS SPs support

bull  Research amp scholarship interactionbull  Collaborationbull  Management

bull No SPs from publishersbull Attributes

bull  Personal identifiers email person name eduPersonPrincipalName

bull  Pseudonymous identifier eduPersonTargetedIDbull  Affiliation eduPersonScopedAffiliation

bull  Minimal subset eduPersonPrincipalName mail person name

(person name = given name + surname OR displayName)

19

copy 2015 SWITCH

Comparison

20

REFEDS RampS GEacuteANT DP CoCo

Global Mainly Europe

Common purpose of the SPs

Common data protection standards

Fixed set of attributes SP can require any attributes

Page 87

SWITCHaai Team aaiswitchch

$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG

copy 2015 SWITCH

Attribute Release Rules

2

Page 88

copy 2015 SWITCH

Attribute Release Settings (1)

3

Res

ourc

e R

egis

try ndash

E

dit H

ome

Org

aniz

atio

n D

escr

iptio

n ndash

Attr

ibut

e R

elea

se S

ettin

gs

copy 2015 SWITCH

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

• logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level change without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic Email Alerts on Error

4

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually ok; change it if required, i.e.
    o LDAP Auth Module or authentication events
    o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

6

Page 92

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN" />
    <appender-ref ref="EMAIL" />
  </root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   – find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

Hands On 2

• Find out why not all of the attributes appear

9

Hands On II

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value:
   – change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContextName)
3. edit logback.xml:
   – set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator
   – insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries
   – [org.ldaptive.auth.Authenticator:284]
   – [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
    curl 'https://aai-login.example.org/idp/profile/admin/reload-service?id=…'
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7

Page 98
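A pre-flight wrapper around the reload-service admin flow, added here as a Python example (it is not one of the reload scripts shipped under /opt/shibboleth-idp/bin/): it maps a changed configuration file to the bean ID from the list on slide 4, refuses to trigger the reload while the file is not well-formed XML (the syntax-error exercise above), and reports the URL it calls. The IdP base URL and the `fetch` hook are assumptions so that the logic can be exercised offline.

```python
"""Pre-flight check before calling the IdP v3 reload-service admin flow.

Added example, not SWITCH code. Assumptions: the IdP answers under IDP_BASE
(the reload-* URLs are restricted to localhost by default, so run this on the
IdP host itself), and `fetch` may be swapped for any callable when testing.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Callable, Optional
from urllib.parse import urlencode
from urllib.request import urlopen

IDP_BASE = "https://aai-login.example.org"  # assumption: your IdP's base URL

# Configuration file -> reloadable service bean ID (the list from the
# "Available bean IDs" slide). A trailing '*' matches a file-name prefix,
# e.g. the attribute-resolver-*.xml files.
SERVICE_FOR_FILE = {
    "logback.xml": "shibboleth.LoggingService",
    "attribute-filter.xml": "shibboleth.AttributeFilterService",
    "attribute-resolver*": "shibboleth.AttributeResolverService",
    "saml-nameid.xml": "shibboleth.NameIdentifierGenerationService",
    "relying-party.xml": "shibboleth.RelyingPartyResolverService",
    "credentials.xml": "shibboleth.RelyingPartyResolverService",
    "metadata-provider*": "shibboleth.MetadataResolverService",
    "access-control.xml": "shibboleth.ReloadableAccessControlService",
}


def service_for(config_path: str) -> Optional[str]:
    """Bean ID of the service owning config_path, or None when the file is not
    reloadable (services.xml, global.xml, ... need a container restart)."""
    name = Path(config_path).name
    for pattern, bean_id in SERVICE_FOR_FILE.items():
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]) and name.endswith(".xml"):
                return bean_id
        elif name == pattern:
            return bean_id
    return None


def xml_error(config_path: str) -> Optional[str]:
    """Parse error text if config_path is not well-formed XML, else None."""
    try:
        ET.parse(config_path)
        return None
    except ET.ParseError as exc:
        return str(exc)


def reload_url(idp_base: str, bean_id: str) -> str:
    """URL of the reload-service admin flow for one bean ID."""
    return idp_base.rstrip("/") + "/idp/profile/admin/reload-service?" + urlencode({"id": bean_id})


def http_get_status(url: str) -> int:
    """Default fetch: GET the URL and return the HTTP status code."""
    with urlopen(url, timeout=10) as resp:
        return resp.status


def safe_reload(config_path: str, idp_base: str = IDP_BASE,
                fetch: Callable[[str], int] = http_get_status) -> dict:
    """Reload the service that owns config_path, but only after the file parsed
    as XML; a broken file is reported instead of the reload being attempted."""
    bean_id = service_for(config_path)
    if bean_id is None:
        return {"reloaded": False, "reason": "no reloadable service for this file, restart needed"}
    err = xml_error(config_path)
    if err is not None:
        return {"reloaded": False, "service": bean_id, "reason": "not well-formed XML: " + err}
    url = reload_url(idp_base, bean_id)
    status = fetch(url)
    return {"reloaded": status == 200, "service": bean_id, "url": url, "status": status}


def write_temp(text: str, name: str) -> str:
    """Write text as <tmpdir>/<name> and return the path (for offline demos)."""
    path = Path(tempfile.mkdtemp()) / name
    path.write_text(text)
    return str(path)


if __name__ == "__main__":
    # Offline demo with a fake fetch: the good file is reloaded, the broken one is not.
    good = write_temp("<beans><bean id='demo'/></beans>", "attribute-filter.xml")
    bad = write_temp("<beans><bean id='demo'>", "attribute-filter.xml")
    for path in (good, bad, "/opt/shibboleth-idp/conf/services.xml"):
        print(safe_reload(path, fetch=lambda url: 200))
```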

New Challenges with Interfederation SPs

Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date:
    • Interfederation Metadata gets loaded
    • IdP: Additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt-out before
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

3

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt-out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN

4

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

5

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt-out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

7

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103
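One way to answer the questions from the Attributes and Troubleshooting slides offline, as an added Python example that is not part of the SWITCH handouts: it parses a constructed metadata file in the format of metadata.interfederation-sps.xml, checks whether an SP is present at all, reads its entity categories and its RequestedAttribute list, and flags an R&S-tagged SP that asks for more than the R&S bundle. The entity category URIs and the urn:oid attribute names are the standard REFEDS/GÉANT and eduPerson values; the entityIDs and the metadata itself are made up.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
GEANT_COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# R&S attribute bundle from the slides, keyed by SAML2 urn:oid name (eduPerson/LDAP OIDs).
RS_BUNDLE = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName", "urn:oid:2.5.4.4": "sn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}


def find_sp(metadata_xml, entity_id):
    """EntityDescriptor of the SP with this entityID, or None if it is not in the file."""
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") == entity_id and ed.find("md:SPSSODescriptor", NS) is not None:
            return ed
    return None


def entity_categories(ed):
    """Values of the http://macedir.org/entity-category entity attribute."""
    cats = set()
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def requested_attributes(ed):
    """RequestedAttribute Name -> isRequired flag, over all AttributeConsumingServices."""
    req = {}
    for ra in ed.findall("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS):
        req[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
    return req


def inspect_sp(metadata_xml, entity_id):
    """What to check first when an interfederated SP fails: present? categories? attributes?"""
    ed = find_sp(metadata_xml, entity_id)
    if ed is None:
        return {"present": False}  # the IdP cannot serve an SP whose metadata it has not loaded
    cats, req = entity_categories(ed), requested_attributes(ed)
    name = lambda oid: RS_BUNDLE.get(oid, oid)  # friendly name where known
    outside = sorted(name(n) for n in req if n not in RS_BUNDLE)
    return {
        "present": True,
        "refeds_rs": REFEDS_RS in cats,
        "coco": GEANT_COCO in cats,
        "required": sorted(name(n) for n, must in req.items() if must),
        "optional": sorted(name(n) for n, must in req.items() if not must),
        "outside_rs_bundle": outside,
        # R&S means a fixed attribute set; an R&S SP requesting more deserves a closer look
        "rs_bundle_violation": REFEDS_RS in cats and bool(outside),
    }


def sample_sp(entity_id, categories, attrs):
    """One constructed SP EntityDescriptor (the entityIDs used below are made up)."""
    cats = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % c for c in categories)
    reqs = "".join('<md:RequestedAttribute Name="%s" isRequired="%s"/>' % (n, str(r).lower())
                   for n, r in attrs)
    return (
        '<md:EntityDescriptor entityID="%s"><md:Extensions><mdattr:EntityAttributes>'
        '<saml:Attribute Name="%s" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">%s'
        '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">demo</md:ServiceName>'
        '%s</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>'
        % (entity_id, ENTITY_CATEGORY, cats, reqs)
    )


# Constructed stand-in for /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s" Name="constructed">'
    % (NS["md"], NS["mdattr"], NS["saml"])
    + sample_sp("https://rs-sp.example.org/shibboleth", [REFEDS_RS],
                [("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", True), ("urn:oid:0.9.2342.19200300.100.1.3", True),
                 ("urn:oid:2.16.840.1.113730.3.1.241", False)])
    + sample_sp("https://coco-sp.example.org/shibboleth", [GEANT_COCO],
                [("urn:oid:1.3.6.1.4.1.5923.1.1.1.9", True), ("urn:oid:2.5.4.20", True)])
    + sample_sp("https://greedy-sp.example.org/shibboleth", [REFEDS_RS, GEANT_COCO],
                [("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", True), ("urn:oid:2.5.4.20", True)])
    + "</md:EntitiesDescriptor>"
)

if __name__ == "__main__":
    for eid in ("https://rs-sp.example.org/shibboleth", "https://missing-sp.example.org/shibboleth"):
        print(eid, inspect_sp(SAMPLE_METADATA, eid))
```

Point it at the real file by reading it into `metadata_xml` and passing the SP's entityID from the Resource Registry; an SP that comes back with present=False has simply not arrived in the IdP's interfederation metadata yet.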



copy 2015 SWITCH

Entity categories A generic method to enrich metadata bull Tag an entity (SP or IdP) as being part of a categorybull Requires a specification for international coherent use

bull  Criteriabull Purposebull Policiesbull Or other

In interfederation context bull Filling the gap of missing common policiesbull Support or increase scalable trust

13

copy 2015 SWITCH

Metadaten

14

Page 84

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct

bull  The method is based on the EU Data Protection directivesbull  The SP has to provide a Privacy Policy (in English according to the guideline)bull  That will encourage the Home Organisation IdP to release attributes attribute release will scale

Increase the trust in Service Providers (SPs)

Commit to

Commit to

SP

SP

SP Commit to

HO

HO

HO Learn SPrsquos commitment

Learn SPrsquos commitment

Learn SPrsquos commitment GEacuteANT Data

protection Code of Conduct

bull  Data Protection Code of Conduct for SPs in EUEEAbull  Entity category attribute definition for the Code of Conductbull  SAML2 profile for the Data Protection Code of Conduct

Code of Conduct Toolkit

15

GÉANT Data Protection Code of Conduct: Principles
• Legal compliance
• Purpose limitation
• Data minimisation
• Deviating purposes
• Data retention
• Third parties
• Security measures
• Information duty towards end user
• Information duty towards home organization
• Security breaches
• Liability
• Transfer to third countries
• Governing law and jurisdiction
• Eligibility to execute
• Termination of the Code of Conduct
• Survival of the clauses
• Precedence

Page 85

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  • Research & scholarship interaction
  • Collaboration
  • Management
• No SPs from publishers
• Attributes
  • Personal identifiers: email, person name, eduPersonPrincipalName
  • Pseudonymous identifier: eduPersonTargetedID
  • Affiliation: eduPersonScopedAffiliation
  • Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

Comparison

  REFEDS R&S                   GÉANT DP CoCo
  ---------------------------  --------------------------------
  Global                       Mainly Europe
  Common purpose of the SPs    Common data protection standards
  Fixed set of attributes      SP can require any attributes

Page 87

Attribute Release Configuration: How attributes are released

SWITCHaai Team, aai@switch.ch

Attribute Release Rules

Page 88

Attribute Release Settings (1)

[Figure: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Location: /var/log/apache2/
• Configuration: defined in the virtual host definition
  • dir: /etc/apache2/sites-available/
  • file: aai-login.example.org.conf
• Logfiles
  • error.log: aai-login.example.org.error.log; LogLevel set in /etc/apache2/apache2.conf (default "warn")
  • access.log: aai-login.example.org.access.log

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  • default logging location: /var/log/tomcat7/
  • config in /etc/tomcat7/logging.properties
    • FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  • access information associated with a request (IP address, time, request method (GET or POST), ...)
  • default logging location: /var/log/tomcat7/
  • config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)
• Logging implementation called Logback (the Log4j successor)
  • Manual: http://logback.qos.ch/manual/index.html
• Reloadability: the log level can be changed without restarting the IdP
  • services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• Three classes of log files produced by default: diagnostic, general audit and consent audit logs
  • idp-process.log: detailed description of the IdP processing requests
  • idp-warn.log: filtered view of idp-process.log
  • idp-audit.log: general request/response auditing records
  • idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)
• Config: /opt/shibboleth-idp/conf/logback.xml
• 3 main classes: Logger, Appender (output destination) and Layout
• Default settings are usually ok; change them if required, e.g.
  • LDAP auth module or authentication events
  • a new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

    <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
        <smtpHost>localhost</smtpHost>
        <to>staff1@example.org</to>
        <from>idp_host@example.org</from>
        <subject>TESTING: %logger{20} - %m</subject>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date %-5level %logger{35} - %message%n</pattern>
        </layout>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="IDP_PROCESS"/>
        <appender-ref ref="IDP_WARN"/>
        <appender-ref ref="EMAIL"/>
    </root>

Note that the SMTPAppender only sends a mail when an ERROR-level event arrives (its default evaluator), so attaching it to the root logger at DEBUG does not mail every message; the buffered preceding events are included in the mail for context.

http://logback.qos.ch/manual/appenders.html

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
       <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2: Find out why not all of the attributes appear

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
       <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
       [org.ldaptive.auth.Authenticator:284]
       [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads (slide 4)

  shibboleth.LoggingService                   logging configuration reload (logback.xml)
  shibboleth.AttributeFilterService           attribute filter reload
  shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
  shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
  shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
  shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
  shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to the container restarts (Tomcat) which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
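The reload flow and the "which id= was supplied?" question above, as an added shell example that is not part of the SWITCH handout or the Shibboleth project: since idp-audit.log only records that a reload flow ran, the id= argument is recovered from the Apache access log. The IdP host aai-login.example.org, the combined log format and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not SWITCH's or the Shibboleth project's code. It wraps the
# IdP v3 admin reload flow from the handout and recovers the id= argument of
# reload requests from the Apache access log, because idp-audit.log only
# records that a reload flow ran. Assumed placeholders: the IdP host
# aai-login.example.org and Apache's combined log format.

IDP_BASE="https://aai-login.example.org/idp"

# Reloadable service bean IDs listed in the handout (IdP v3).
KNOWN_SERVICES="shibboleth.LoggingService
shibboleth.AttributeFilterService
shibboleth.AttributeResolverService
shibboleth.NameIdentifierGenerationService
shibboleth.RelyingPartyResolverService
shibboleth.MetadataResolverService
shibboleth.ReloadableAccessControlService"

# Print the reload-service URL for a bean ID; fail on an unknown ID so a
# typo is caught locally instead of producing an error page from the IdP.
reload_url() {
    for known in $KNOWN_SERVICES; do
        if [ "$known" = "$1" ]; then
            printf '%s/profile/admin/reload-service?id=%s\n' "$IDP_BASE" "$1"
            return 0
        fi
    done
    printf 'unknown service bean ID: %s\n' "$1" >&2
    return 1
}

# Trigger the reload. Must run from a host allowed by access-control.xml
# (localhost by default); -f turns an HTTP error into a non-zero exit code.
reload_service() {
    url=$(reload_url "$1") || return 1
    curl -fsS "$url"
}

# Read Apache access log lines on stdin and print one line per reload
# request: "<client-ip> <id argument> <HTTP status>". In combined/common
# log format field 1 is the client IP, 7 the request path, 9 the status.
reload_ids_from_access_log() {
    awk '$7 ~ /^\/idp\/profile\/admin\/reload-(service|metadata)[?]id=/ {
        split($7, parts, "id=")       # text after "id=" is the argument
        sub(/&.*/, "", parts[2])      # drop any further query parameters
        print $1, parts[2], $9
    }'
}

# Constructed sample access log lines (not real traffic): a successful
# reload, a reload with a bogus bean ID, an unrelated SSO request and a
# reload attempt from a host that access-control.xml rejects (403).
SAMPLE_ACCESS_LOG='127.0.0.1 - - [11/Jun/2015:10:15:02 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.AttributeFilterService HTTP/1.1" 200 48 "-" "curl/7.38.0"
127.0.0.1 - - [11/Jun/2015:10:16:40 +0200] "GET /idp/profile/admin/reload-service?id=shibboleth.BogusService HTTP/1.1" 500 1203 "-" "curl/7.38.0"
192.0.2.10 - - [11/Jun/2015:10:17:11 +0200] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=... HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jun/2015:10:18:05 +0200] "GET /idp/profile/admin/reload-metadata?id=SWITCHaaiMetadata HTTP/1.1" 403 199 "-" "curl/7.38.0"'

# Stand-alone demonstration on the constructed sample: lists who reloaded
# what and whether the IdP accepted it.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | reload_ids_from_access_log
```

On a live IdP, feed the real file instead: `reload_ids_from_access_log < /var/log/apache2/aai-login.example.org.access.log`.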

Page 98

New Challenges with Interfederation SPs: Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  • IdPs and SPs decide when they are ready to interfederate
  • Once the configuration is up-to-date
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  • Federation announces a flag day for enabling interfederation
  • IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated Checker"
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 87: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct

bull  The method is based on the EU Data Protection directivesbull  The SP has to provide a Privacy Policy (in English according to the guideline)bull  That will encourage the Home Organisation IdP to release attributes attribute release will scale

Increase the trust in Service Providers (SPs)

Commit to

Commit to

SP

SP

SP Commit to

HO

HO

HO Learn SPrsquos commitment

Learn SPrsquos commitment

Learn SPrsquos commitment GEacuteANT Data

protection Code of Conduct

bull  Data Protection Code of Conduct for SPs in EUEEAbull  Entity category attribute definition for the Code of Conductbull  SAML2 profile for the Data Protection Code of Conduct

Code of Conduct Toolkit

15

copy 2015 SWITCH

GEacuteANT Data Protection Code of Conduct bull Principles

bull  Legal compliancebull  Purpose limitationbull  Data minimisationbull  Deviating purposesbull  Data retentionbull  Third partiesbull  Security measuresbull  Information duty towards end userbull  Information duty towards home organizationbull  Security breachesbull  Liabilitybull  Transfer to third countriesbull  Governing law and jurisdictionbull  Eligibility to executebull  Termination of the Code of Conductbull  Survival of the clausesbull  Precedence

16

Page 85

copy 2015 SWITCH

Data Protection Code of Conduct (DP CoCo)

Normative documents bull  Data Protection Code of

Conduct for SPs in EUEEAbull  Entity category specification

for the DP CoCobull  SAML2 profile for the DP CoCo

Non-normative informational documents bull  Introductionbull  Introduction to the DP directivebull  Managing DP risks using CoCobull  Privacy policy guidelines for SPsbull  What attributes can an SP requestbull  DP good practice for Home Organisations bull  Federation operator guidelinesbull  Handling non-compliancebull  IdP informconsent GUI guidelines

17

httpwwwgeantneturidataprotection-code-of-conductv1

httpswikirefedsorgdisplayCODEData+Protection+Code+of+Conduct+Home

httpswikiedugainorgData_Protection_Code_of_Conduct_Cookbook

Cookbook for DP CoCo

copy 2015 SWITCH

Privacy policy template bull Name of the servicebull Description of the servicebull Data controller and a contact personbull Jurisdictionbull Personal data processedbull Purpose of the processing of personal databull Third parties to whom personal data is disclosedbull How to access rectify and delete the personal databull Data retentionbull Data Protection Code of Conduct

18

Page 86

copy 2015 SWITCH

REFEDS Research amp Scholarship bull RampS SPs support

bull  Research amp scholarship interactionbull  Collaborationbull  Management

bull No SPs from publishersbull Attributes

bull  Personal identifiers email person name eduPersonPrincipalName

bull  Pseudonymous identifier eduPersonTargetedIDbull  Affiliation eduPersonScopedAffiliation

bull  Minimal subset eduPersonPrincipalName mail person name

(person name = given name + surname OR displayName)

19

copy 2015 SWITCH

Comparison

20

REFEDS RampS GEacuteANT DP CoCo

Global Mainly Europe

Common purpose of the SPs

Common data protection standards

Fixed set of attributes SP can require any attributes

Page 87

SWITCHaai Team aaiswitchch

$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG

copy 2015 SWITCH

Attribute Release Rules

2

Page 88

copy 2015 SWITCH

Attribute Release Settings (1)

3

Res

ourc

e R

egis

try ndash

E

dit H

ome

Org

aniz

atio

n D

escr

iptio

n ndash

Attr

ibut

e R

elea

se S

ettin

gs

copy 2015 SWITCH

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai


© 2015 SWITCH

Data Protection Code of Conduct (DP CoCo)

Normative documents
• Data Protection Code of Conduct for SPs in EU/EEA
• Entity category specification for the DP CoCo
• SAML2 profile for the DP CoCo

Non-normative informational documents
• Introduction
• Introduction to the DP directive
• Managing DP risks using CoCo
• Privacy policy guidelines for SPs
• What attributes can an SP request
• DP good practice for Home Organisations
• Federation operator guidelines
• Handling non-compliance
• IdP inform/consent GUI guidelines

17

http://www.geant.net/uri/dataprotection-code-of-conduct/v1
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
Cookbook for DP CoCo: https://wiki.edugain.org/Data_Protection_Code_of_Conduct_Cookbook

Privacy policy template
• Name of the service
• Description of the service
• Data controller and a contact person
• Jurisdiction
• Personal data processed
• Purpose of the processing of personal data
• Third parties to whom personal data is disclosed
• How to access, rectify and delete the personal data
• Data retention
• Data Protection Code of Conduct

18

Page 86

REFEDS Research & Scholarship
• R&S SPs support
  – Research & scholarship interaction
  – Collaboration
  – Management
• No SPs from publishers
• Attributes
  – Personal identifiers: email, person name, eduPersonPrincipalName
  – Pseudonymous identifier: eduPersonTargetedID
  – Affiliation: eduPersonScopedAffiliation
  – Minimal subset: eduPersonPrincipalName, mail, person name
    (person name = given name + surname OR displayName)

19

Comparison

20

REFEDS R&S                        GÉANT DP CoCo
Global                            Mainly Europe
Common purpose of the SPs         Common data protection standards
Fixed set of attributes           SP can require any attributes

Page 87

SWITCHaai Team, aai@switch.ch

Attribute Release Configuration: How attributes are released

Attribute Release Rules

2

Page 88

Attribute Release Settings (1)

3

[Screenshot: Resource Registry – Edit Home Organization Description – Attribute Release Settings]

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team, aai@switch.ch

Apache log files
• Log files
  – error.log: aai-login.example.org.error.log; LogLevel in /etc/apache2/apache2.conf (default "warn")
  – access.log: aai-login.example.org.access.log
• Location: /var/log/apache2/
• Configuration defined in the virtual host definition
  – dir: /etc/apache2/sites-available/
  – file: aai-login.example.org.conf

2

Page 90

Tomcat log files
• catalina.out: console output (System.err/out) from Tomcat
  – default logging location /var/log/tomcat7/, config in /etc/tomcat7/logging.properties
  – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location /var/log/tomcat7/, config in /etc/tomcat7/server.xml (output dir and name)

3

Shibboleth log files (1)
• logging implementation called Logback (Log4j successor)
  – Manual: http://logback.qos.ch/manual/index.html
• Reloadability: log level changes without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic email alerts on error

4

Page 91

Shibboleth log files (2)
• Location: /opt/shibboleth-idp/logs/
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

5

Shibboleth log files (3)
• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – Default settings usually OK; change them if required, e.g.
    o LDAP Auth Module or authentication events
    o new Logger or Appender…
• Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

6

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>
<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1

Why is Tomcat not starting up?

1. edit /etc/tomcat7/server.xml and insert a listener in the Server element (wrong class):
   <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat
3. Look at /var/log/tomcat7/catalina.out
   find the entry java.lang.ClassNotFoundException
4. Remove the listener from server.xml and restart Tomcat

8

Page 93

Hands On 2

Find out why not all of the attributes appear

9

Hands On II

1. cd /opt/shibboleth-idp/conf
2. edit ldap.properties and insert a wrong value:
   change entry idp.attribute.resolver.LDAP.searchFilter to value (uid=$requestContextName)
3. edit logback.xml:
   set log level to DEBUG for logger org.ldaptive.auth.Authenticator
   insert an additional logger for the attribute resolver:
   <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service)
5. Look at idp-process.log and find the log entries:
   [org.ldaptive.auth.Authenticator:284]
   [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value: set $requestContext.principalName and restart Tomcat

10

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2
• only supported in a limited way – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so only achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3
• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin/ and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages/. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing too
• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views/ and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3
• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp/ files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises
• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs
Interfederation unites various cultures

Goals
• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out
• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    • Interfederation metadata gets loaded
    • IdP: additional attributes, user consent
    • SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day
    • if they do not want to participate
    • if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

3

Three Examples
1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN

4

Page 100

Metadata
• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

5

Discovery Service (DS)
• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
• That can result in this error message at your IdP:
  Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes
• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      – If YES: the SP has to find out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

7
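The "verify that attributes were released" check above, and the reload events recorded in idp-audit.log in the reloading exercises, as an added example that is not code from the handouts or the Shibboleth project: it reads pipe-delimited audit records and reports what was released to one SP and when reload flows ran. The field order assumed for the default v3 audit format is an assumption to compare against your own IdP's audit configuration, and the log lines are constructed.

```python
"""Inspect IdP v3 idp-audit.log records: attribute release per SP and reload events.

Added example, not code from the SWITCH handouts or the Shibboleth project.
The field order in AUDIT_FORMAT is an assumption about the default v3 audit
format; compare it with the audit format configured on your own IdP before use.
The records in SAMPLE_AUDIT are constructed sample data.
"""

# Assumed default v3 format; each %-token becomes a field name (T = timestamp,
# SP = relying party entityID, P = profile ID, u = username, attr = attributes).
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%d|%s"
FIELD_NAMES = [token.lstrip("%") for token in AUDIT_FORMAT.split("|")]

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
# Profile IDs written by the two reload admin flows, as quoted in the handout.
RELOAD_PROFILES = {
    "http://shibboleth.net/ns/profiles/reload-metadata",
    "http://shibboleth.net/ns/profiles/reload-service-configuration",
}


def _sso_record(ts, sp, user, attrs, n):
    """Build one constructed SAML2 SSO audit record in AUDIT_FORMAT order."""
    return "|".join([
        ts, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "_req" + n, sp,
        SSO_PROFILE, "https://aai-login.example.org/idp/shibboleth",
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "_resp" + n, user,
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        ",".join(attrs), "_nid" + n, "_assert" + n, ts, "_sess" + n,
    ])


SAMPLE_AUDIT = [
    _sso_record("20150611T091502Z", "https://sp.example.org/shibboleth-sp", "student1",
                ["eduPersonPrincipalName", "mail", "givenName", "surname"], "1"),
    # Reload records have the shape quoted in the handout: only the timestamp
    # and the profile ID are filled in, and the record is shorter than an SSO one.
    "20150611T092000Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||",
    "20150611T092130Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||",
    _sso_record("20150611T093045Z", "https://other-sp.example.net/shibboleth", "student2",
                ["eduPersonTargetedID"], "2"),
]


def parse_audit_line(line):
    """Map one pipe-delimited record onto FIELD_NAMES; short records are padded with ""."""
    values = line.rstrip("\n").split("|")
    values += [""] * (len(FIELD_NAMES) - len(values))
    return dict(zip(FIELD_NAMES, values))


def check_release(lines, sp_entity_id, required):
    """The handout's 'verify that attributes were released' step for one SP.

    Returns None when the log holds no SSO response to that SP (then the IdP's
    release policy is the first thing to check); otherwise (released, missing)
    for the most recent response. An empty 'missing' set means everything the
    SP requires was sent and the SP side has to work out why it still fails.
    """
    latest = None
    for rec in map(parse_audit_line, lines):
        if rec["SP"] == sp_entity_id and rec["P"] == SSO_PROFILE:
            latest = rec
    if latest is None:
        return None
    released = {a for a in latest["attr"].split(",") if a}
    return released, set(required) - released


def reload_events(lines):
    """(timestamp, flow name) for every reload admin flow in the log.

    The audit record alone does not carry the id= argument of the reload.
    """
    return [(rec["T"], rec["P"].rsplit("/", 1)[-1])
            for rec in map(parse_audit_line, lines) if rec["P"] in RELOAD_PROFILES]


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth-sp"
    print(check_release(SAMPLE_AUDIT, sp, ["eduPersonPrincipalName", "mail", "displayName"]))
    print(check_release(SAMPLE_AUDIT, "https://unknown.example.org/sp", ["mail"]))
    print(reload_events(SAMPLE_AUDIT))
```

On a real IdP, pass the lines of /opt/shibboleth-idp/logs/idp-audit.log instead of SAMPLE_AUDIT.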

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities: go to https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker": go to https://wiki.edugain.org/isFederatedCheck and provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GÉANT Data Protection Code of Conduct (CoCo)? go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET): go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9
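The "search it in the metadata file" step above, as an added example that is not code from the handouts or the Shibboleth project: it looks an entityID up in the interfederation metadata the IdP has loaded and reports its role, registering federation and entity categories (the DP CoCo and REFEDS R&S categories from the earlier slides), plus the aggregate's validUntil. It assumes the file path named above; the R&S category URI is not on the handout and is taken from REFEDS; the embedded metadata is constructed sample data.

```python
"""Look up an entity in the interfederation metadata an IdP has actually loaded.

Added example, not code from the SWITCH handouts or the Shibboleth project.
It does the 'search it in the metadata file' step offline and also reports the
registering federation and the entity categories behind the DP CoCo and REFEDS
R&S slides. Assumptions: INTERFED_FILE is the path named in the handout; the
R&S category URI is not on the handout and is taken from REFEDS; SAMPLE_METADATA
is constructed sample data.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # from the handout
RS = "http://refeds.org/category/research-and-scholarship"           # assumed REFEDS URI
INTERFED_FILE = "/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml"

# Constructed aggregate: one CoCo-tagged SP and one IdP, registered by two
# fictitious registrars, with a validUntil one week after the course date.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    validUntil="2015-06-18T00:00:00Z">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.net"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://aai-login.example.org/idp/shibboleth">
    <Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example.ch"/>
    </Extensions>
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def metadata_valid_until(metadata_xml):
    """validUntil of the aggregate as an aware datetime, or None if it has none.

    The IdP will not use an aggregate past its validUntil, so with the one-to-
    few-days propagation delay of interfederation metadata this is worth a look
    when an SP that is published in eduGAIN is unknown to the IdP.
    """
    value = ET.fromstring(metadata_xml).get("validUntil")
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def describe_entity(metadata_xml, entity_id):
    """Roles, registrar and entity categories of one entity, or None when the
    entityID is not in the file at all (the 'does not know the entity' case)."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        roles = [name for tag, name in (("SPSSODescriptor", "SP"), ("IDPSSODescriptor", "IdP"))
                 if ed.find("md:" + tag, NS) is not None]
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        path = ("md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='%s']"
                "/saml:AttributeValue" % ENTITY_CATEGORY)
        categories = [(v.text or "").strip() for v in ed.findall(path, NS)]
        return {
            "entityID": entity_id,
            "roles": roles,
            "registrationAuthority": None if reg is None else reg.get("registrationAuthority"),
            "entityCategories": categories,
            "coco": COCO in categories,
            "rs": RS in categories,
        }
    return None


def describe_from_file(entity_id, path=INTERFED_FILE):
    """Same lookup against the metadata file on the IdP host."""
    with open(path, encoding="utf-8") as fh:
        return describe_entity(fh.read(), entity_id)


if __name__ == "__main__":
    print(metadata_valid_until(SAMPLE_METADATA))
    print(describe_entity(SAMPLE_METADATA, "https://sp.example.org/shibboleth-sp"))
    print(describe_entity(SAMPLE_METADATA, "https://unknown.example.org/sp"))
```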

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 89: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

REFEDS Research amp Scholarship bull RampS SPs support

bull  Research amp scholarship interactionbull  Collaborationbull  Management

bull No SPs from publishersbull Attributes

bull  Personal identifiers email person name eduPersonPrincipalName

bull  Pseudonymous identifier eduPersonTargetedIDbull  Affiliation eduPersonScopedAffiliation

bull  Minimal subset eduPersonPrincipalName mail person name

(person name = given name + surname OR displayName)

19

copy 2015 SWITCH

Comparison

20

REFEDS RampS GEacuteANT DP CoCo

Global Mainly Europe

Common purpose of the SPs

Common data protection standards

Fixed set of attributes SP can require any attributes

Page 87

SWITCHaai Team aaiswitchch

$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG

copy 2015 SWITCH

Attribute Release Rules

2

Page 88

copy 2015 SWITCH

Attribute Release Settings (1)

3

Res

ourc

e R

egis

try ndash

E

dit H

ome

Org

aniz

atio

n D

escr

iptio

n ndash

Attr

ibut

e R

elea

se S

ettin

gs

copy 2015 SWITCH

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 90: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

SWITCHaai Team aaiswitchch

$WWULEXWH5HOHDVHampRQILJXUDWLRQ+RZDWWULEXWHVDUHUHOHDVHG

copy 2015 SWITCH

Attribute Release Rules

2

Page 88

copy 2015 SWITCH

Attribute Release Settings (1)

3

Res

ourc

e R

egis

try ndash

E

dit H

ome

Org

aniz

atio

n D

escr

iptio

n ndash

Attr

ibut

e R

elea

se S

ettin

gs

copy 2015 SWITCH

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

Tomcat log files

• catalina.out: console output (System.err/out) from Tomcat
  – default logging location: /var/log/tomcat7
  – config in /etc/tomcat7/logging.properties
    – FileHandler.level = INFO (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL)
• localhost.YYYY-MM-DD.log
  – access information associated with a request (IP address, time, request method (GET or POST))
  – default logging location: /var/log/tomcat7
  – config: /etc/tomcat7/server.xml (output dir and name)

Shibboleth log files (1)

• logging implementation called Logback, the Log4j successor
  – manual: http://logback.qos.ch/manual/index.html
• Reloadability: the log level can be changed without restarting the IdP
  – services.properties entry: idp.service.logging.checkInterval = PT5M
• Automatic e-mail alerts on error

Page 91

Shibboleth log files (2)

• Location: /opt/shibboleth-idp/logs
• three classes of log files produced by default: diagnostic, general audit and consent audit logs
  – idp-process.log: detailed description of the IdP processing requests
  – idp-warn.log: filtered view of idp-process.log
  – idp-audit.log: general request/response auditing records
  – idp-consent-audit.log: user decisions over attribute release and terms of use acceptance

Shibboleth log files (3)

• cfg: /opt/shibboleth-idp/conf/logback.xml
  – 3 main classes: Logger, Appender (output destination) and Layout
  – default settings are usually OK; change them if required, e.g.
    – LDAP auth module or authentication events
    – new Logger or Appender…
• log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
• Logback handles rollover by default

Page 92

SMTPAppender in logback.xml

<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
  <smtpHost>localhost</smtpHost>
  <to>staff1@example.org</to>
  <from>idp_host@example.org</from>
  <subject>TESTING: %logger{20} - %m</subject>
  <layout class="ch.qos.logback.classic.PatternLayout">
    <pattern>%date %-5level %logger{35} - %message%n</pattern>
  </layout>
</appender>

<root level="DEBUG">
  <appender-ref ref="IDP_PROCESS"/>
  <appender-ref ref="IDP_WARN"/>
  <appender-ref ref="EMAIL"/>
</root>

http://logback.qos.ch/manual/appenders.html

Note: by default the SMTPAppender sends a mail when an ERROR event is logged and includes the events buffered before it (up to 256), so with a root level of DEBUG those mails carry debug details; keep the recipient address internal.

Hands On 1: Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener with a wrong class into the Server element:
     <Listener className="org.apache.catalina.filter" />
2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

Page 93

Hands On 2

• Find out why not all of the attributes appear

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:
     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>
4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName again) and restart Tomcat.

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way: by setting the configurationResourcePollingFrequency attribute of one of these services to a short value
  – attribute resolver (attribute-resolver.xml)
  – attribute filtering engine (attribute-filter.xml)
  – profile handler manager (handler.xml)
  – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it is only achieved by a relatively awkward constantly-watch-for-file-changes check

Page 95

New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Available bean IDs for service reloads

• shibboleth.LoggingService: logging configuration reload (logback.xml)
• shibboleth.AttributeFilterService: attribute filter reload
• shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver-*.xml files)
• shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
• shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
• shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
• shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

Page 96

And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4 ("Available bean IDs for service reloads"):
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

Page 98
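A small reload client with an audit check, added here as an example (not SWITCH or Shibboleth project code): it builds the admin-flow URLs from the slides, rejects service bean IDs that are not on the list above, and picks the recorded reload events out of idp-audit.log. It assumes the base URL https://aai-login.example.org/idp, the log path /opt/shibboleth-idp/logs/idp-audit.log, that the first pipe-separated audit field is the timestamp, and it uses constructed sample audit lines.

```python
"""Trigger IdP v3 admin reload flows and confirm them in idp-audit.log.

Added example for this handout; not SWITCH or Shibboleth project code.
Assumptions: base URL https://aai-login.example.org/idp (from the slides),
log path /opt/shibboleth-idp/logs/idp-audit.log, and that the first
pipe-separated audit field is the %T timestamp.
"""
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Service bean IDs from the "Available bean IDs for service reloads" slide,
# mapped to the configuration each one re-reads.
RELOADABLE_SERVICES = {
    "shibboleth.LoggingService": "conf/logback.xml",
    "shibboleth.AttributeFilterService": "conf/attribute-filter.xml",
    "shibboleth.AttributeResolverService": "conf/attribute-resolver-*.xml",
    "shibboleth.NameIdentifierGenerationService": "conf/saml-nameid.xml",
    "shibboleth.RelyingPartyResolverService": "conf/relying-party.xml, conf/credentials.xml",
    "shibboleth.MetadataResolverService": "metadata list in conf/services.xml",
    "shibboleth.ReloadableAccessControlService": "conf/access-control.xml",
}

# Admin flow -> profile URI that idp-audit.log records for it (both from the slides).
RELOAD_PROFILES = {
    "reload-service": "http://shibboleth.net/ns/profiles/reload-service-configuration",
    "reload-metadata": "http://shibboleth.net/ns/profiles/reload-metadata",
}

AUDIT_LOG = "/opt/shibboleth-idp/logs/idp-audit.log"

# Constructed sample audit lines: two reload events and one ordinary SSO event.
SAMPLE_AUDIT_LINES = [
    "2015-06-11T09:00:00.123Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||\n",
    "2015-06-11T09:01:02.456Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||\n",
    "2015-06-11T09:02:00.000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect||"
    "https://sp.example.org/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser||||||||||||\n",
]


def reload_url(base, flow, target_id):
    """Build the admin-flow URL. Service bean IDs are checked against the
    slide's list so a typo fails here instead of as an opaque IdP error."""
    if flow not in RELOAD_PROFILES:
        raise ValueError("unknown admin flow: " + flow)
    if flow == "reload-service" and target_id not in RELOADABLE_SERVICES:
        raise ValueError("not a reloadable service bean ID: " + target_id)
    return "%s/profile/admin/%s?%s" % (base.rstrip("/"), flow, urlencode({"id": target_id}))


def http_get(url):
    """Default transport: GET the URL, return (status, body). The flows are
    restricted to localhost by default, so this runs on the IdP host itself."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def trigger_reload(base, flow, target_id, fetch=http_get):
    """Call the flow and return (ok, status, body); `fetch` is injectable."""
    status, body = fetch(reload_url(base, flow, target_id))
    return status == 200, status, body


def audit_reload_events(lines):
    """Return (timestamp, flow) for every audit line whose profile field is a
    reload-* URI; only the pipe separator is assumed, not the field position."""
    events = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        for flow, uri in RELOAD_PROFILES.items():
            if uri in fields:
                events.append((fields[0], flow))
    return events


def main(argv):
    if len(argv) != 3 or argv[1] not in RELOAD_PROFILES:
        print("usage: idp_reload.py reload-service|reload-metadata <id>", file=sys.stderr)
        return 2
    ok, status, body = trigger_reload("https://aai-login.example.org/idp", argv[1], argv[2])
    print("HTTP %d: %s" % (status, body.strip()[:200]))
    # Confirm the reload was audited; fall back to the constructed sample
    # when not running on the IdP host.
    if os.path.exists(AUDIT_LOG):
        with open(AUDIT_LOG) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_AUDIT_LINES
    print("last reload events in idp-audit.log:", audit_reload_events(lines)[-3:])
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```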

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs: Interfederation unites various cultures

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up-to-date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before that day
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems, unless they opted out before the flag day

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs that are interfederated via eduGAIN are available.
3) eduGAIN is not available as an option to pick from, despite the SP being published to eduGAIN.

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.
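The "verify that attributes were released" step as an added example (not SWITCH or Shibboleth project code): it reads idp-audit.log lines using the pipe-separated field layout configured in the IdP's conf/audit.xml and compares the attribute IDs actually released to an SP with the requirements listed in the Resource Registry. AUDIT_FORMAT is an assumed layout that must be replaced by your own, the sample lines are constructed, and the SP entityID is the one from the slides.

```python
"""Verify in idp-audit.log which attributes the IdP released to an SP.

Added example for this handout; not SWITCH or Shibboleth project code.
Assumption: AUDIT_FORMAT mirrors the pipe-separated format string configured
in the IdP's conf/audit.xml; the layout below is assumed and must be replaced
by your own. Tokens used: %T time, %SP relying party, %P profile, %u user,
%S status, %A released attribute IDs. The sample lines are constructed.
"""
AUDIT_FORMAT = "%T|%b|%I|%SP|%P|%u|%AF|%a|%t|%E|%S|%SS|%BN|%AT|%A|%B|%N"  # assumed

SAML2_SSO = "http://shibboleth.net/ns/profiles/saml2/sso/browser"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP = "https://sp.example.org/shibboleth-sp"  # relying party from the slides


def _line(time, sp, user, status, attrs):
    """Build one constructed sample line with the fields in AUDIT_FORMAT order."""
    fields = {"%T": time, "%b": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
              "%I": "_req", "%SP": sp, "%P": SAML2_SSO, "%u": user, "%AF": "Password",
              "%a": "192.0.2.10", "%t": time, "%E": "", "%S": status, "%SS": "",
              "%BN": "", "%AT": "", "%A": ",".join(attrs),
              "%B": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "%N": "_nid"}
    return "|".join(fields[t] for t in AUDIT_FORMAT.split("|")) + "\n"


# Constructed sample: a full release, a partial release, a response to another
# SP, and a reload event (fewer fields, as shown on the hands-on slide).
SAMPLE_AUDIT_LINES = [
    _line("2015-06-11T10:15:00.000Z", SP, "student1", SUCCESS,
          ["eduPersonPrincipalName", "mail", "surname"]),
    _line("2015-06-11T10:20:00.000Z", SP, "student2", SUCCESS, ["eduPersonPrincipalName"]),
    _line("2015-06-11T10:21:00.000Z", "https://other.example.net/sp", "student1", SUCCESS, ["mail"]),
    "2015-06-11T10:22:00.000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||\n",
]


def parse_audit_line(line, fmt=AUDIT_FORMAT):
    """Map one audit line to {token: value}; None when the field count does not
    match the format (e.g. the shorter reload-event lines)."""
    tokens = fmt.split("|")
    values = line.rstrip("\n").split("|")
    if len(values) != len(tokens):
        return None
    return dict(zip(tokens, values))


def released_attributes(lines, sp_entity_id, fmt=AUDIT_FORMAT):
    """For each successful SSO response to the SP return (time, user, [attribute IDs]).
    An empty list on a successful response is the slide's "NO" branch: the IdP
    answered but released nothing, so the release policy is the first place to look."""
    result = []
    for line in lines:
        rec = parse_audit_line(line, fmt)
        if rec is None or rec.get("%SP") != sp_entity_id:
            continue
        if rec.get("%P") != SAML2_SSO or rec.get("%S") != SUCCESS:
            continue
        attrs = [a for a in rec.get("%A", "").split(",") if a]
        result.append((rec["%T"], rec["%u"], attrs))
    return result


def missing_attributes(lines, sp_entity_id, required, fmt=AUDIT_FORMAT):
    """Compare the SP's requirements (from the Resource Registry) with the last
    successful response. Returns the sorted required attributes that were not
    released; all of them when no successful response to the SP was found."""
    responses = released_attributes(lines, sp_entity_id, fmt)
    if not responses:
        return sorted(required)
    _, _, attrs = responses[-1]
    return sorted(set(required) - set(attrs))


if __name__ == "__main__":
    required = ["eduPersonPrincipalName", "mail", "surname"]
    for time, user, attrs in released_attributes(SAMPLE_AUDIT_LINES, SP):
        print(time, user, attrs)
    print("missing in last response:", missing_attributes(SAMPLE_AUDIT_LINES, SP, required))
```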

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    – pick the country where the entity might be registered
    – under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities
    – go to https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker"
    – go to https://wiki.edugain.org/isFederatedCheck
    – provide e-mail addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    – go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    – go to https://met.refeds.org

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 91: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Attribute Release Settings (1)

3

Res

ourc

e R

egis

try ndash

E

dit H

ome

Org

aniz

atio

n D

escr

iptio

n ndash

Attr

ibut

e R

elea

se S

ettin

gs

copy 2015 SWITCH

Attribute Release Settings (2)

4

Page 89

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 92: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

Overview of Log Files

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

Apache log files

Logfiles  errorlog

 aai-loginexampleorgerrorlog LogLevel in etcapache2apache2conf (default bdquowarnldquo)

 accesslog aai-loginexampleorgaccesslog

Location varlogapache2Configuration defined in the virtual host definition

 dir etcapache2sites-available  file aai-loginexampleorgconf

2

Page 90

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

Slide 3: New reloading options with v3

• a reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
  https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
  https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
  $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
  $ grep 'Provider id' /opt/shibboleth-idp/conf/metadata-provider*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose, but they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

Slide 4: Available bean IDs for service reloads

shibboleth.LoggingService: logging configuration reload (logback.xml)
shibboleth.AttributeFilterService: attribute filter reload
shibboleth.AttributeResolverService: reloads attribute and data connector definitions (attribute-resolver*.xml files)
shibboleth.NameIdentifierGenerationService: reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService: reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService: reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService: reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).
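The reload flows from slide 3 and the bean IDs from slide 4 lend themselves to a small wrapper script. The following is an added example, not code from the SWITCH handout or from the Shibboleth project: it builds the reload URLs, pulls bean IDs out of a Spring XML file the way the grep on slide 3 does, and treats anything other than HTTP 200 as a failed reload so that a syntax error in the reloaded file does not go unnoticed. The host name (the slide's example host), the file path and the sample XML fragment are assumptions; the class names in the fragment are placeholders.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth project.
# IDP_BASE is the example host from slide 3; override both variables via the
# environment on a real installation.
IDP_BASE="${IDP_BASE:-https://aai-login.example.org/idp}"
SERVICES_SYSTEM_XML="${SERVICES_SYSTEM_XML:-/opt/shibboleth-idp/system/conf/services-system.xml}"

# Build the reload URL for a flow ("service" or "metadata") and an id.
reload_url() {
    printf '%s/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# Print the id attribute of every <bean ...> element in a Spring XML file,
# one per line (the information slide 3's grep is after).
list_bean_ids() {
    sed -n 's/.*<bean[^>]*[[:space:]]id="\([^"]*\)".*/\1/p' "$1"
}

# Trigger one service reload.  Returns 0 only on HTTP 200, so an unknown id or
# a configuration file that fails to parse aborts a "set -e" script instead of
# being silently skipped.  The flows answer to localhost only by default, so
# run this on the IdP host itself.
reload_service() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url service "$1")")
    echo "$1 -> HTTP $code"
    [ "$code" = "200" ]
}

# Same for a metadata provider id (the md-id from slide 3).
reload_metadata() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$(reload_url metadata "$1")")
    echo "$1 -> HTTP $code"
    [ "$code" = "200" ]
}

# Constructed fragment in the shape of services-system.xml (not the real file;
# class names are placeholders), written to $1 so list_bean_ids can be tried
# without an IdP installation.
write_sample_services_xml() {
    cat > "$1" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans">
    <bean id="shibboleth.LoggingService" class="net.example.Placeholder" />
    <bean id="shibboleth.AttributeResolverService"
          class="net.example.Placeholder" />
    <bean id="shibboleth.MetadataResolverService" class="net.example.Placeholder" />
</beans>
EOF
}

# Usage:  sh reload.sh service shibboleth.AttributeResolverService [more ids]
#         sh reload.sh metadata md-id
#         sh reload.sh list      (bean ids found in services-system.xml)
case "${1:-}" in
    service)  shift; for id; do reload_service "$id"; done ;;
    metadata) shift; for id; do reload_metadata "$id"; done ;;
    list)     list_bean_ids "$SERVICES_SYSTEM_XML" ;;
esac
```

Because reload_service returns the HTTP result, a deployment script can chain it with the usual `&&` and stop at the first failed reload, which is the behaviour the v2 polling approach on slide 2 could not offer.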

Page 96

Slide 5: And restartless login page editing, too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

Slide 6: Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (build.sh needs to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

Page 97

Slide 7: (Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
  curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
  …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
  …||||http://shibbole​th.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?
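Since the audit records above carry only a timestamp and the profile URI of the reload flow, the useful operational question is not "which id" but "who reloaded something, and when". The following is an added example, not from the handout: it extracts reload events from idp-audit.log and flags those outside an agreed change window. The field layout (profile URI in the fifth pipe-separated field) is read off the two audit lines on slide 7; the sample log lines are constructed, not real IdP output, and the log path is an assumption.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth project.
# The log path is an assumption; the field layout follows the audit lines
# quoted on slide 7 (profile URI in field 5).
AUDIT_LOG="${AUDIT_LOG:-/opt/shibboleth-idp/logs/idp-audit.log}"

# Constructed sample log written to $1: one browser SSO record and three
# reload records, all invented for this example.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
20150611T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1b2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|jdoe|||||||||
20150611T102200Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T102205Z||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
20150611T153000Z||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
EOF
}

# Print "<timestamp> <reload-flow>" for every reload recorded in the log.
reload_events() {
    awk -F'|' '$5 ~ /\/profiles\/reload-/ {
        flow = $5; sub(/.*\//, "", flow); print $1, flow
    }' "$1"
}

# Number of reload events in the log.
count_reload_events() {
    reload_events "$1" | wc -l | tr -d ' '
}

# Reload events outside the window $2-$3 (HHMM, UTC), i.e. the ones to ask
# about: the timestamp is YYYYMMDDThhmmssZ, so hhmm starts at character 10.
reloads_outside_window() {
    reload_events "$1" | awk -v from="$2" -v to="$3" '{
        hhmm = substr($1, 10, 4)
        if (hhmm < from || hhmm > to) print
    }'
}

# Usage: sh audit-reloads.sh [window-from window-to]
if [ "${1:-}" ] && [ "${2:-}" ]; then
    reloads_outside_window "$AUDIT_LOG" "$1" "$2"
fi
```

Run daily against the live log, the last function gives a cheap check that the reload- URLs, even though limited to localhost by default, are only being exercised during planned changes.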

Page 98

SWITCHaai Team, aai@switch.ch

New Challenges with Interfederation SPs

Interfederation unites various cultures

Slide 2: Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  • Opt-in vs. opt-out
  • Metadata
  • Discovery Service
  • Attributes
• Know whom to contact and where to get help

Page 99

Slide 3: Interfederation Rollout: Opt-in vs. Opt-out

Opt-in
• IdPs and SPs decide when they are ready to interfederate
• Once the configuration is up-to-date:
  • Interfederation metadata gets loaded
  • IdP: additional attributes, user consent
  • SP: Discovery Service, attribute mapping, access rules
⊖ Slow process
⊕ Entities unlikely to cause interoperability problems

Opt-out
• Federation announces a flag day for enabling interfederation
• IdPs and SPs need to opt out beforehand
  • if they do not want to participate
  • if they are not ready yet
⊕ Quick adoption
⊖ More likely that entities cause problems, unless they opted out before the flag day

Slide 4: Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?
1) Unclear use of terminology at the SP, so it is hard to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, even if the service did opt out.
2) eduGAIN is shown as an option, but no IdPs are available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, although the SP is published to eduGAIN.

Page 100

Slide 5: Metadata

• Interfederated IdPs and SPs need additional metadata
  • SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  • Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  • In SWITCHaai: two hours
  • For interfederation: one to a few days
• Possible issue
  • SP does not load interfederation metadata
  • SP does not know the IdP and fails

Slide 6: Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
• An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
• E.g. in the UK Federation, the central DS always lists all interfederated IdPs, also for SPs that did opt out
  • That can result in this error message at your IdP:
    Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

Page 101

Slide 7: Attributes

• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

Slide 8: Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the Is Federated Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

Page 102

Slide 9: Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch
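Two of the failure modes above can be checked directly against the interfederation metadata file named on slide 9: the "SSO profile is not configured for relying party" error from slide 6, which shows up when the IdP has no metadata for the requesting SP, and the undecryptable assertion from slide 7, where it helps to see which key uses the SP actually publishes. The following is an added example, not from the handout or the Shibboleth project: it isolates one EntityDescriptor by entityID and reports whether the SP is known and whether it publishes an encryption key. The file path and both sample entities are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout or the Shibboleth project.
# The path is the one from slide 9 and is an assumption on any other setup.
METADATA_FILE="${METADATA_FILE:-/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml}"

# Constructed metadata written to $1: one SP with signing and encryption keys,
# one with a signing key only.  Entity IDs and certificates are invented.
write_sample_metadata() {
    cat > "$1" <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...SIGN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...ENC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://signing-only.example.net/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...ONLY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
}

# Print the EntityDescriptor block for one entityID (nothing if absent).
# Matching includes the closing quote, so a prefix of another entityID
# does not match by accident.
entity_block() {
    awk -v id="$2" '
        index($0, "entityID=\"" id "\"") { inside = 1 }
        inside { print }
        inside && /<\/EntityDescriptor>/ { inside = 0 }' "$1"
}

# 0 if the metadata file knows the SP, 1 otherwise.  An unknown SP is the
# usual reason for "SSO profile is not configured for relying party ...".
entity_known() {
    [ -n "$(entity_block "$1" "$2")" ]
}

# Key uses the SP publishes, sorted and space-separated.  A KeyDescriptor
# without a use attribute is valid for both signing and encryption.
key_uses() {
    entity_block "$1" "$2" | grep -o '<KeyDescriptor[^>]*>' | awk '
        /use="/ { sub(/.*use="/, ""); sub(/".*/, ""); print; next }
        { print "signing"; print "encryption" }' | sort -u | tr '\n' ' '
}

# 0 if the SP publishes a key the IdP can encrypt assertions to.  If it does
# not, the IdP cannot encrypt for it; if it does, a decryption failure at the
# SP points at a mismatch between this published key and the SP's own key.
publishes_encryption_key() {
    key_uses "$1" "$2" | grep -q encryption
}

# Usage: sh check-sp.sh https://sp.example.org/shibboleth
if [ "${1:-}" ]; then
    if entity_known "$METADATA_FILE" "$1"; then
        echo "known; key uses: $(key_uses "$METADATA_FILE" "$1")"
    else
        echo "not found in $METADATA_FILE"
    fi
fi
```

The check is deliberately limited to the metadata the IdP has loaded: if the entity is missing here, the next things to verify are the propagation delay from slide 5 and whether the SP is listed in the Resource Registry at all.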

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 93: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Tomcat log files

 catalinaout console output (Systemerrout) from Tomcat  default Logging location varlogtomcat7 Config in etctomcat7loggingproperties

  FileHandlerlevel INFO SEVERE WARNING INFO CONFIG FINE FINER FINEST or ALL

 localhostYYYY-MM-DDlog

 access information associated with a request (ip address time request method(GET or POST)

 default Logging location varlogtomcat7 Config etctomcat7serverxml (output dir and name)

3

copy 2015 SWITCH

Shibboleth log files (1)

 logging implementation called Logback  Log4j successor  Manual

o httplogbackqoschmanualindexhtml

 Reloadability   log level change without restart the idp  servicesproperties

  entry idpserviceloggingcheckInterval = PT5M

 Automatic Email Alerts on Error 4

Page 91

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 94: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Shibboleth log files (2)

 Location optshibboleth-idplogs

 three classes of log files produced by default  Diagnostic general audit and consent audit logs

 idp-processlog detailed description of the IdP processing requests

 idp-warnlog filtered view of idp-processlog idp-auditlog general requestresponse auditing

records  idp-consent-auditlog user decisions over attribute

release and terms of use acceptance 5

copy 2015 SWITCH

Shibboleth log files (3)

 cfg optshibboleth-idpconflogbackxml 3 main classes Logger Appender (output

destination) and Layout  Default settings usually ok  Change it if required ie

o LDAP Auth Module or authentication events o new Logger or Appenderhellip

 Log messages have 5 levels TRACE DEBUG INFO WARN ERROR

 Logback handle rollover by default

6

Page 92

copy 2015 SWITCH

SMTPAppender in logbackxml

ltappender name=EMAILrdquo class=chqoslogbackclassicnetSMTPAppendergt ltsmtpHostgtlocalhostltsmtpHostgt lttogtstaff1exampleorglttogt ltfromgtidp_hostexampleorgltfromgt ltsubjectgtTESTING logger20 - mltsubjectgt ltlayout class=chqoslogbackclassicPatternLayoutgt ltpatterngtdate -5level logger35 - messagenltpatterngt ltlayoutgtltappendergtltroot level=DEBUGgt ltappender-ref ref=IDP_PROCESSgt ltappender-ref ref=IDP_WARN gt ltappender-ref ref=EMAIL gtltrootgt

httplogbackqoschmanualappendershtml7

copy 2015 SWITCH

Hands On 1

Why is Tomcat not starting up

1  edit etctomcat7serverxml and insert listener in Server Element (wrong class)

  lt Listener className=orgapachecatalinafilter gt

2  Restart Tomcat 3  Look at varlogtomcat7catalinaout

  find the entry javalangClassNotFoundException

4  Remove listener from serverxml and restart Tomcat

8

Page 93

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out


© 2015 SWITCH

SMTPAppender in logback.xml

  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>localhost</smtpHost>
    <to>staff1@example.org</to>
    <from>idp_host@example.org</from>
    <subject>TESTING: %logger{20} - %m</subject>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>

  <root level="DEBUG">
    <appender-ref ref="IDP_PROCESS"/>
    <appender-ref ref="IDP_WARN"/>
    <appender-ref ref="EMAIL"/>
  </root>

http://logback.qos.ch/manual/appenders.html

7

Hands On 1

Why is Tomcat not starting up?

1. Edit /etc/tomcat7/server.xml and insert a listener into the Server element (wrong class):

     <Listener className="org.apache.catalina.filter" />

2. Restart Tomcat.
3. Look at /var/log/tomcat7/catalina.out and find the entry java.lang.ClassNotFoundException.
4. Remove the listener from server.xml and restart Tomcat.

8

Page 93

Hands On 2

Find out why not all of the attributes appear.

9

Hands On II

1. cd /opt/shibboleth-idp/conf
2. Edit ldap.properties and insert a wrong value: change the entry idp.attribute.resolver.LDAP.searchFilter to the value (uid=$requestContext.Name)
3. Edit logback.xml: set the log level to DEBUG for the logger org.ldaptive.auth.Authenticator and insert an additional logger for the attribute resolver:

     <logger name="net.shibboleth.idp.attribute.resolver" level="DEBUG"/>

4. Restart Tomcat and log in to the IdP (AAI Demo Service).
5. Look at idp-process.log and find the log entries from
     [org.ldaptive.auth.Authenticator:284]
     [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.Template…:203]
6. Undo the wrong value (set $requestContext.principalName) and restart Tomcat.

10
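Both hands-on exercises come down to finding the right log lines and spotting one wrong property value. The POSIX shell helpers below, an added example that is not part of the SWITCH handout, do that triage: the file names, property key and logger names are the ones used in the exercises, while the catalina.out, ldap.properties and idp-process.log contents they are run against (built by the assumed helper make_samples) are constructed here and only approximate the shape of real Tomcat and IdP output.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: triage helpers for Hands On 1
# (Tomcat does not start) and Hands On II (attributes missing after a wrong
# LDAP search filter). Sample inputs are constructed in make_samples().

# Hands On 1: print the class Tomcat could not load (empty if none found).
tomcat_missing_class() {
    # $1 = path to catalina.out
    grep 'java\.lang\.ClassNotFoundException' "$1" \
        | sed -n 's/.*java\.lang\.ClassNotFoundException: *\([^ ]*\).*/\1/p' \
        | head -n 1
}

# Hands On II: does ldap.properties reference the principal name the way the
# IdP expects ($requestContext.principalName)? Returns 0 if it does, 1 if the
# entry is missing or uses another variable, e.g. the deliberately wrong
# $requestContext.Name from step 2 of the exercise.
ldap_filter_ok() {
    # $1 = path to ldap.properties
    filter=$(sed -n 's/^[[:space:]]*idp\.attribute\.resolver\.LDAP\.searchFilter[[:space:]]*=[[:space:]]*//p' "$1")
    [ -n "$filter" ] || return 1
    case "$filter" in
        *'$requestContext.principalName'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hands On II, step 5: the entries from the two loggers the exercise points at.
resolver_log_entries() {
    # $1 = path to idp-process.log
    grep -E '\[(org\.ldaptive\.auth\.Authenticator|net\.shibboleth\.idp\.attribute\.resolver)' "$1"
}

# Constructed sample files (shape only; real Tomcat/IdP output differs in detail).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/catalina.out" <<'EOF'
Jun 11, 2015 9:00:01 AM org.apache.tomcat.util.digester.Digester startElement
SEVERE: Begin event threw exception java.lang.ClassNotFoundException: org.apache.catalina.filter
EOF
    # The wrong value inserted in step 2 ...
    cat > "$dir/ldap.properties" <<'EOF'
idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.Name)
EOF
    # ... and the value restored in step 6.
    cat > "$dir/ldap-fixed.properties" <<'EOF'
idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
EOF
    cat > "$dir/idp-process.log" <<'EOF'
2015-06-11 10:15:02,123 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticate dn=uid=demouser,ou=people,dc=example,dc=org
2015-06-11 10:15:02,130 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:203] - Search filter (uid=) after resolving template
2015-06-11 10:15:02,140 - INFO  [net.shibboleth.idp.session.impl.StorageBackedSessionManager:400] - session created
EOF
    printf '%s\n' "$dir"
}

# Walk through both exercises against the samples (run: sh triage.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    echo "Hands On 1: Tomcat could not load class: $(tomcat_missing_class "$d/catalina.out")"
    ldap_filter_ok "$d/ldap.properties" || echo "Hands On II: searchFilter does not use \$requestContext.principalName"
    resolver_log_entries "$d/idp-process.log"
fi
```

Against a real installation, point the three functions at /var/log/tomcat7/catalina.out, /opt/shibboleth-idp/conf/ldap.properties and the IdP's idp-process.log instead of the samples; the resolver debug line showing an empty search filter, (uid=), is what a wrongly expanded template looks like in step 5.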

Page 94

Reloading the Configuration: New options with IdPv3

SWITCHaai Team, aai@switch.ch

Reloading the configuration with v2

• only supported in a limited way
  – by setting the configurationResourcePollingFrequency attribute of one of these services to a short value:
    – attribute resolver (attribute-resolver.xml)
    – attribute filtering engine (attribute-filter.xml)
    – profile handler manager (handler.xml)
    – relying party configuration manager (relying-party.xml)
• potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3, after which reloading stops)
• no option to explicitly trigger a reload, so it can only be achieved by a relatively awkward constantly-watch-for-file-changes check

2

Page 95

New reloading options with v3

• reload is explicitly triggered by calling two special-purpose admin flows, which are configured under
    https://aai-login.example.org/idp/profile/admin/reload-service?id=bean-id
    https://aai-login.example.org/idp/profile/admin/reload-metadata?id=md-id
• available bean IDs for service reloads: see
    $ grep 'bean id=.*class' /opt/shibboleth-idp/system/conf/services-system.xml
  and the corresponding resource lists in services.xml
• reloading metadata: find the IDs with
    $ grep 'Provider.*id' /opt/shibboleth-idp/conf/metadata-provider-*.xml
• by default, access to the reload-* URLs is restricted to localhost (and, if access-control.xml is configured as suggested in the SWITCH installation guide, to the AAI Resource Registry)
• two reload scripts get installed under /opt/shibboleth-idp/bin and serve the same purpose; they depend on JAVA_HOME being set and a proper -u argument being specified… requesting the respective URL with curl seems more straightforward

3

Available bean IDs for service reloads

shibboleth.LoggingService                   logging configuration reload (logback.xml)
shibboleth.AttributeFilterService           attribute filter reload
shibboleth.AttributeResolverService         reloads attribute and data connector definitions (attribute-resolver-*.xml files)
shibboleth.NameIdentifierGenerationService  reloads the configuration in the saml-nameid.xml file
shibboleth.RelyingPartyResolverService      reloads relying-party.xml and credentials.xml
shibboleth.MetadataResolverService          reloads the metadata list specified in services.xml
shibboleth.ReloadableAccessControlService   reloads the configuration in the access-control.xml file

Missing from this list: an ID for reloading the shibboleth.MessageSourceResources list, i.e. the message text files under /opt/shibboleth-idp/messages. By default the IdP only caches these for five minutes, however, so they are reloaded automatically (see also idp.message.cacheSeconds in services.properties).

4

Page 96

And restartless login page editing too

• the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages
  – edit the .vm files under /opt/shibboleth-idp/views and the changes become effective immediately
  – say goodbye to container restarts (Tomcat), which were required when JSP files were changed with the IdP v2

5

Still requiring a restart with v3

• changes to the contents of services.xml, i.e. changes to the <util:list> elements themselves (such as adding an additional attribute-resolver-*.xml file)
• changes to global.xml (SQL data source, HTTP client settings)
• changes to the authentication configuration, such as LDAP parameters etc.
• changes to /opt/shibboleth-idp/edit-webapp files (need build.sh to be run first, followed by a container restart)
• and a few more, of course… but under normal operating conditions such reconfigurations occur relatively rarely

6

Page 97

(Ideas for) hands-on exercises

• try reloading a couple of the services listed on slide 4:
    curl https://aai-login.example.org/idp/profile/admin/reload-service?id=…
• check what happens when specifying invalid bean IDs
• insert a syntax error into a configuration file and try reloading the corresponding service
• entries in idp-audit.log just record reload events with
    …||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
    …||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
  How can you determine what id= argument was supplied?
• what is an easy method to quickly print the currently running IdP and Java version details to idp-process.log?

7
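The reload procedure on slides 3, 4 and 7 is a handful of shell one-liners; the script below, an added example that is not part of the SWITCH handout, collects them into functions a deployer can keep next to the IdP. The host name, URL paths and bean IDs are those from the slides; IDP_BASE, the function names and the services-system.xml and idp-audit.log excerpts produced by make_reload_samples are assumptions constructed for this example and only mimic the shape of the real files.

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: helpers for the v3 admin reload
# flows. The host name and bean IDs are the ones on slides 3 and 4; the
# services-system.xml and idp-audit.log excerpts in make_reload_samples() are
# constructed for this example and only mimic the shape of the real files.

IDP_BASE="${IDP_BASE:-https://aai-login.example.org}"   # assumed IdP host

# Admin flow URL for a service ("service") or metadata ("metadata") reload.
reload_url() {
    # $1 = service|metadata, $2 = bean ID or metadata provider ID
    printf '%s/idp/profile/admin/reload-%s?id=%s\n' "$IDP_BASE" "$1" "$2"
}

# List the reloadable service bean IDs from services-system.xml; this is the
# grep from slide 3 narrowed to the id attribute of <bean id="shibboleth.*Service">.
list_reload_ids() {
    # $1 = path to /opt/shibboleth-idp/system/conf/services-system.xml
    sed -n 's/.*<bean id="\(shibboleth\.[A-Za-z]*Service\)".*/\1/p' "$1"
}

# Syntax-check a file before asking the IdP to reload it: a reload of a broken
# file fails and the previous configuration stays active, but the check saves
# the round trip and the noise in idp-process.log. Skipped without xmllint.
xml_ok() {
    # $1 = configuration file, e.g. /opt/shibboleth-idp/conf/attribute-filter.xml
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1"
    else
        echo "xmllint not installed, skipping syntax check of $1" >&2
    fi
}

# Trigger a reload from localhost (which the default access-control.xml admits)
# and return 0 only on HTTP 200; prints the status and URL for the log.
trigger_reload() {
    # usage: trigger_reload service shibboleth.AttributeFilterService
    url=$(reload_url "$1" "$2")
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url") || return 1
    printf '%s %s\n' "$code" "$url"
    [ "$code" = "200" ]
}

# Reload events in idp-audit.log carry only the profile URI (slide 7); print
# the record's first field (the timestamp in the default audit format) and the
# reload kind, so the sequence of reloads can at least be reconstructed.
audit_reload_events() {
    # $1 = path to idp-audit.log
    awk -F'|' '/profiles\/reload-/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /profiles\/reload-/) { sub(/.*profiles\//, "", $i); print $1, $i }
    }' "$1"
}

# Constructed samples: three reloadable beans plus one resource list that the
# narrowed sed above must not report, and two audit records of reload events.
make_reload_samples() {
    dir=$(mktemp -d)
    cat > "$dir/services-system.xml" <<'EOF'
<bean id="shibboleth.LoggingService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.AttributeFilterService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<bean id="shibboleth.MetadataResolverService" class="net.shibboleth.ext.spring.service.ReloadableSpringService" />
<util:list id="shibboleth.MetadataResolverResources" />
EOF
    cat > "$dir/idp-audit.log" <<'EOF'
20150611T101500Z|||||||http://shibboleth.net/ns/profiles/reload-service-configuration||||||||
20150611T101800Z|||||||http://shibboleth.net/ns/profiles/reload-metadata||||||||
EOF
    printf '%s\n' "$dir"
}
```

A typical edit cycle with these helpers is xml_ok /opt/shibboleth-idp/conf/attribute-filter.xml followed by trigger_reload service shibboleth.AttributeFilterService, run on the IdP host itself because of the localhost restriction from slide 3; audit_reload_events only tells you that and when a reload happened, which is exactly the limitation the last exercise on slide 7 asks about.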

Page 98

New Challenges with Interfederation SPs
Interfederation unites various cultures

SWITCHaai Team, aai@switch.ch

Goals

• Get an idea of why access to an interfederated SP might fail differently than in SWITCHaai
• Understand what is different regarding
  – Opt-in vs opt-out
  – Metadata
  – Discovery Service
  – Attributes
• Know whom to contact and where to get help

2

Page 99

Interfederation Rollout: Opt-in vs Opt-out

• Opt-in
  – IdPs and SPs decide when they are ready to interfederate
  – Once the configuration is up to date:
    – Interfederation metadata gets loaded
    – IdP: additional attributes, user consent
    – SP: Discovery Service, attribute mapping, access rules
  ⊖ Slow process
  ⊕ Entities unlikely to cause interoperability problems
• Opt-out
  – Federation announces a flag day for enabling interfederation
  – IdPs and SPs need to opt out before the flag day
    – if they do not want to participate
    – if they are not ready yet
  ⊕ Quick adoption
  ⊖ More likely that entities cause problems unless they opted out before the flag day

3

Three Examples

1) UK Data Archive: http://www.data-archive.ac.uk
2) FUNET FileSender: https://filesender.funet.fi
3) Wiseflow: https://europe.wiseflow.net

What is wrong in these examples?

1) Unclear use of terminology at the SP to know whether interfederation is supported or not. The central discovery service of the UK Federation lists all interfederated IdPs, also if the service did opt out.
2) eduGAIN shown as an option, but no IdPs available that are interfederated via eduGAIN.
3) eduGAIN is not available as an option to pick from, even though the SP is published to eduGAIN.

4

Page 100

Metadata

• Interfederated IdPs and SPs need additional metadata
  – SWITCHaai entities configure an additional metadata source, signed with the same trust anchor
  – Opt-out federations integrate all entities into a single metadata file
• Propagation speed of metadata changes
  – In SWITCHaai: two hours
  – For interfederation: one to a few days
• Possible issue
  – SP does not load interfederation metadata
  – SP does not know the IdP and fails

5

Discovery Service (DS)

• Within SWITCHaai, users easily find their IdP
• An SP needs a DS that knows the appropriate set of IdPs
  – An interfederation-enabled SP registered in SWITCHaai needs to deploy a DS that includes interfederation
  – E.g. in the UK Federation the central DS always lists all interfederated IdPs, also for SPs that did opt out
  – That can result in this error message at your IdP:
      Shibboleth SSO profile is not configured for relying party https://sp.example.org/shibboleth-sp

6

Page 101

Attributes

• Missing attributes cause interoperation problems
  – Check the SP's attribute requirements in the Resource Registry
  – Verify that attributes were released (in the IdP's audit log)
    – If NO: check your IdP's attribute release policy
    – If YES: were all required attributes released?
      – If YES: the SP has to check out why it fails
      – If NO: review your attribute release policy
• Another issue
  – An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed, but not encrypted, SAML assertions, so that problem was not discovered earlier.

7

Exploring interfederated entities

• Is a university's IdP or an SP already interfederated?
  – go to https://technical.edugain.org/status.php
    – pick the country where the entity might be registered
    – under "Metadata URL", click on "validate this metadata set", then on "show entities list"
  – or search it in the eduGAIN List of Entities
    – go to https://technical.edugain.org/entities.php
  – or try the "Is Federated Checker"
    – go to https://wiki.edugain.org/isFederatedCheck
    – provide email addresses or domain names
• Additional web pages of interest
  – Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    – go to http://monitor.edugain.org/coco
  – REFEDS Metadata Explorer Tool (MET)
    – go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities

• Find an SP in the Resource Registry
  – go to https://rr.aai.switch.ch
  – pick "Search for resources"
  – pick "interfederation"
• or search it in the metadata file
  – /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9
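Two of the failure modes on slides 5 to 7 can be checked from the IdP host with nothing but the metadata file named on slide 9: an SP the IdP does not know (the "not configured for relying party" error from slide 6, for instance after a DS offered an IdP to an SP whose metadata the IdP never loaded) and an SP whose metadata publishes no key the IdP can encrypt an assertion to (the undecryptable assertion from slide 7). The script below is an added example and not part of the SWITCH handout; the error message and the metadata path are from the slides, while META, the function names, the metadata excerpt built by make_metadata_sample and the entityIDs in it are assumptions constructed for this example (it also assumes the entityID attribute sits on the same line as the <EntityDescriptor> tag, which is how most federation aggregates are serialised).

```shell
#!/bin/sh
# Added example, not from the SWITCH handout: first-line checks for two of the
# interfederation failure modes above, an SP that is unknown to the IdP (the
# "not configured for relying party" error from slide 6) and an SP whose
# metadata carries no encryption-capable key (the undecryptable assertion from
# slide 7). The metadata path is the one from slide 9; the metadata in
# make_metadata_sample() and the entityIDs in it are constructed.

META="${META:-/opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml}"

# Extract the relying party entityID from the IdP error message.
rp_from_error() {
    # $1 = one line from idp-process.log
    printf '%s\n' "$1" | sed -n 's/.*not configured for relying party *\([^ ]*\).*/\1/p'
}

# Is the entityID in the metadata file at all? If not, the SP is either not
# interfederated, its metadata has not propagated yet (one to a few days,
# slide 5), or the IdP does not load this source.
entity_in_metadata() {
    # $1 = metadata file, $2 = entityID
    grep -qF -- "entityID=\"$2\"" "$1"
}

# Does the SP publish a key the IdP can encrypt to? A <KeyDescriptor> without a
# use attribute serves both signing and encryption; use="signing" alone means
# the IdP has nothing to encrypt the assertion with for this SP.
# Assumption: entityID sits on the same line as the <EntityDescriptor> tag.
sp_has_encryption_key() {
    # $1 = metadata file, $2 = entityID
    awk -v eid="$2" '
        /<(md:)?EntityDescriptor/ { inside = index($0, "entityID=\"" eid "\"") > 0 }
        inside && /<(md:)?KeyDescriptor/ && $0 !~ /use="signing"/ { found = 1 }
        /<\/(md:)?EntityDescriptor>/ { inside = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# One-word verdict for an error line: unknown | no-enc-key | ok
triage_rp() {
    # $1 = error line from idp-process.log, $2 = metadata file (default: $META)
    meta="${2:-$META}"
    rp=$(rp_from_error "$1")
    if [ -z "$rp" ]; then echo "no relying party found in message" >&2; return 2; fi
    if ! entity_in_metadata "$meta" "$rp"; then echo unknown; return 0; fi
    if ! sp_has_encryption_key "$meta" "$rp"; then echo no-enc-key; return 0; fi
    echo ok
}

# Constructed metadata: one SP with a dual-use key, one with a signing-only key.
make_metadata_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-constructed-sample</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://signing-only.example.net/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-constructed-sample</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
    printf '%s\n' "$f"
}
```

On a real IdP, feed triage_rp the error line from idp-process.log and let META point at the interfederation metadata file; "unknown" sends you to the Resource Registry or the eduGAIN entity lists from slide 8 to see whether the SP is interfederated at all, while "no-enc-key" is something the SP's operator has to fix in their published metadata, since the IdP cannot encrypt for a key that is not there.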

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 96: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

copy 2015 SWITCH

Hands On 2

9

 Find out why not all of the attributes appear

copy 2015 SWITCH

Hands On II

1  cd optshibboleth-idpconf2  edit ldapproperties and insert wrong value

  Change entry idpattributeresolverLDAPsearchFilter to value (uid=$requestContextName)

3  edit logbackxml   set log level to DEBUG for logger orgldaptiveauthAuthenticator  insert additional logger for the attribute resolver

ltlogger name=netshibbolethidpattributeresolver level=DEBUGgt

4  Restart Tomcat and log in to the IdP (AAI Demo Service) 5  Look at the idp-processlog and find the log entries -

[orgldaptiveauthAuthenticator284] [netshibbolethidpattributeresolverdcldapimplTemplatehellip203]

6  Undo wrong value set $requestContextprincipalName and restart Tomcat

10

Page 94

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

copy 2015 SWITCH

Exploring interfederated entities bull  Is a universitys IdP or an SP already interfederated

bull  go to httpstechnicaledugainorgstatusphp bull  pick the country where the entity might be registered bull  under Metadata URL click on validate this metadata set then on show entities list

bull  or search it in the eduGAIN List of Entities bull  go to httpstechnicaledugainorgentitiesphp

bull  or try the Is Federated Checker bull  go to httpswikiedugainorgisFederatedCheck bull  provide email addresses or domain names

bull  Additional web pages of interest bull  Which interfederated SPs are committed to the

GEANT Data Protection Code of Conduct (CoCo) bull  go to httpmonitoredugainorgcoco

bull  REFEDS Metadata Explorer Tool (MET)

bull  go to httpsmetrefedsorg

8

Page 102

copy 2015 SWITCH

Troubleshooting interfederated entities bull  Find an SP in the Resource Registry

bull  go to httpsrraaswitchch bull  pick Search for resources bull  pick interfederation

bull  or search it in the metadata file bull  optshibboleth-idpmetadatametadatainterfederation-spsxml

bull  Contact the SWITCHaai Team  aaiswitchch

9

Page 103

  • ToC
  • Content
    • P02-IdPv3_upgrade_general_observations
    • P03-Test of the VM Images
    • P04-Configuration-Pattern-of-IdPv3
    • P05-User-Authentication
    • P06-Login_Form_Customization
    • P07_attribute_resolver
    • P08-IdPv3_persistent_id_migration
    • P09_user_consent
    • P10-Upgrade-within-the-IdPv3-Release
    • P12-Update the IdP entry
    • P13-Clustering-IdPs
    • P14-Interfederation Option
    • P15-Attribute Release Config
    • P16-IdP-Log_Files
    • P17-IdPv3_reload_options
    • P18-New Challenges with Interfederation
Page 97: Shibboleth IdP Training - SWITCH...2015/06/11  · Shibboleth IdP Training 11. June 2015, Zurich Handouts Table of Contents Slide Set Topic Page 1. Shibboleth IdP Version 3 Upgrade

Reloading the Configuration New options with IdPv3

SWITCHaai Team aaiswitchch

copy 2015 SWITCH

bull only supported in a limited way ndash by setting the configurationResourcePollingFrequency attribute of one these services to a short value ndash attribute resolver (attribute-resolverxml) ndash attribute filtering engine (attribute-filterxml) ndash profile handler manager (handlerxml) ndash relying party configuration manager (relying-partyxml)

bull potentially dangerous when repeated reload attempts fail (by default configurationResourcePollingRetryAttempts is only set to 3 after which reloading stops)

bull no option to explicitly trigger a reload so only achieved by a relatively awkward constantly-watch-for-file-changes check

Reloading the configuration with v2

2

Page 95

copy 2015 SWITCH

bull  reload is explicitly triggered by calling two special-purpose admin flows which are configured under httpsaai-loginexampleorgidpprofileadminreload-serviceid=bean-id httpsaai-loginexampleorgidpprofileadminreload-metadataid=md-id

bull  available bean IDs for service reloads see $ grep bean id=class optshibboleth-idpsystemconfservices-systemxml and the corresponding resource lists in servicesxml

bull  reloading metadata find the IDs with $ grep Providerid optshibboleth-idpconfmetadata-provider-xml

bull  by default access to the reload- URLs is restricted to localhost (and if access-controlxml is configured as suggested in the SWITCH installation guide to the AAI Resource Registry)

bull  two reload scripts get installed under optshibboleth-idpbin and serve the same purpose depend on JAVA_HOME being set and a proper -u argument being specifiedhellip requesting the respective URL with curl seems more straightforward

New reloading options with v3

3

copy 2015 SWITCH

shibbolethLoggingService logging configuration reload (logbackxml) shibbolethAttributeFilterService attribute filter reload shibbolethAttributeResolverService reloads attribute and data connector

definitions (attribute-resolver-xml files) shibbolethNameIdentifierGenerationService reloads the configuration in

the saml-nameidxml file shibbolethRelyingPartyResolverService reloads relying-partyxml and credentialsxml

shibbolethMetadataResolverService reloads the metadata list specified in servicesxml

shibbolethReloadableAccessControlService reloads the configuration in the access-controlxml file

Missing from this list an ID for reloading the shibbolethMessageSourceResources list ie the message text files under optshibboleth-idpmessages By default the IdP only caches these for five minutes however so they are reloaded automatically (see also idpmessagecacheSeconds in servicesproperties)

Available bean IDs for service reloads

4

Page 96

copy 2015 SWITCH

bull  the IdP v3 has switched to Velocity templates as the new default mechanism for rendering the login (and error) pages ndash edit the vm files under optshibboleth-idpviews and the

changes become effective immediately ndash say goodbye to container restarts (Tomcat) which was required

when JSP files were changed with the IdP v2

And restartless login page editing too

5

copy 2015 SWITCH

bull  changes to the contents of servicesxml ie changes to the ltutillistgt elements themselves (such as adding an additional attribute-resolver-xml file)

bull  changes to globalxml (SQL data source HTTP client settings) bull  changes to the authentication configuration such as

LDAP parameters etc bull  changes to optshibboleth-idpedit-webapp files

(need buildsh to be run first followed by a container restart) bull and a few more of coursehellip but under normal operating

conditions such reconfigurations relatively rarely occur

Still requiring a restart with v3

6

Page 97

copy 2015 SWITCH

bull  try reloading a couple of the services listed on slide 4 curl httpsaai-loginexampleorgidpprofileadminreload-serviceid=hellip

bull check what happens when specifying invalid bean IDs bull  insert a syntax error into a configuration file and try

reloading the corresponding service bull entries in idp-auditlog just record reload events with hellip||||httpshibbolethnetnsprofilesreload-metadata|||||||| hellip||||httpshibbolethnetnsprofilesreload-service-configuration||||||||

How can you determine what id= argument was supplied bull what is an easy method to quickly print the currently

running IdP and Java version details to idp-processlog

(Ideas for) hands-on exercises

7

Page 98

SWITCHaai Team aaiswitchch

New Challenges with Interfederation SPs

Interfederation unites various cultures

copy 2015 SWITCH

Goals bull  Get an idea of why access to an interfederated SP

might fail differently than in SWITCHaai

bull  Understand what is different regarding bull  Opt-in vs opt-out bull  Metadata bull  Discovery Service bull  Attributes

bull  Know whom to contact and where to get help

2

Page 99

copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes bull  Missing attributes cause interoperation problems

bull  Check SPs attribute requirements in the Resource Registry bull  Verify that attributes were released (in IdPs auditlog)

bull  If NO check your IdPs attribute release policy bull  If YES

bull  Were all required attributes released bull  If YES SP has to check it out why it fails bull  If NO review your attribute release policy

bull  Another issue bull  An SP failed because it was not able to decrypt the SAML assertion

that included the attribute values The SPs federation used only signed but not encrypted SAML assertions so that problem was not discovered earlier

7

Exploring interfederated entities

•  Is a university's IdP or an SP already interfederated?
   •  go to https://technical.edugain.org/status.php
      •  pick the country where the entity might be registered
      •  under "Metadata URL", click on "validate this metadata set", then on "show entities list"
   •  or search it in the eduGAIN List of Entities
      •  go to https://technical.edugain.org/entities.php
   •  or try the "Is Federated" Checker
      •  go to https://wiki.edugain.org/isFederatedCheck
      •  provide email addresses or domain names

•  Additional web pages of interest
   •  Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
      •  go to http://monitor.edugain.org/coco
   •  REFEDS Metadata Explorer Tool (MET)
      •  go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities

•  Find an SP in the Resource Registry
   •  go to https://rr.aai.switch.ch
   •  pick "Search for resources"
   •  pick "interfederation"

•  or search it in the metadata file
   •  /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml

•  Contact the SWITCHaai Team: aai@switch.ch

9

Page 103





copy 2015 SWITCH

Interfederation Rollout Opt-in vs Opt-out bull  Opt-in

bull  IdPs and SPs decide when they are ready to interfederate bull Once the configuration is up-to-date

bull  Interfederation Metadata gets loaded bull  IdP Additional attributes user consent bull  SP Discovery Service attribute mapping access rules

⊖  Slow process oplus  Entities unlikely to cause interoperability problems

bull  Opt-out bull  Federation announces a flag day for enabling interfederation

bull  IdPs and SPs need to opt-out before bull  if they do not want to participate bull  if they are not ready yet

oplus  Quick adoption ⊖  More likely that entities cause problems

unless they opted-out in before the flag day

3

Opt-in

Opt-out

copy 2015 SWITCH

Three Examples 1)  UK Data Archive

httpwwwdata-archiveacuk 2)  FUNET FileSender

httpsfilesenderfunetfi 3)  Wiseflow

httpseuropewiseflownet

What is wrong in these examples 1)  Unclear use of terminology at the SP to know whether interfederation is

supported or not Central discovery service of the UK Federation lists all interfederated IdPs also if the service did opt-out

2)  eduGAIN shown as an option but no IdPs available that are interfederated via eduGAIN

3)  eduGAIN is not available as an option to pick from despite the SP is published to eduGAIN

4

Page 100

copy 2015 SWITCH

Metadata bull  Interfederated IdPs and SPs need additional metadata

bull  SWITCHaai entities configure an additional metadata source signed with the same trust anchor

bull  Opt-out federations integrate all entities into a single metadata file

bull  Propagation speed of metadata changes bull  In SWITCHaai two hours bull  For interfederation one to a few days

bull  Possible issue bull  SP does not load interfederation metadata

bull SP does not know the IdP and fails

5

ltmetagtltdatagt

copy 2015 SWITCH

Discovery Service (DS) bull  Within SWITCHaai

users easily find their IdP

bull  An SP needs a DS that knows the appropriate set of IdPs bull  An interfederation enabled SP registered in SWITCHaai

It needs to deploy a DS that includes interfederation bull  Eg in the UK Federation the central DS lists always all interfederated

IdPs also for SPs that did opt-out bull That can result in this error message at your IdP

Shibboleth SSO profile is not configured for relying party httpsspexampleorgshibboleth-sp

6

Page 101

copy 2015 SWITCH

Attributes
• Missing attributes cause interoperation problems
  • Check the SP's attribute requirements in the Resource Registry
  • Verify that attributes were released (in the IdP's audit log)
    • If NO: check your IdP's attribute release policy
    • If YES: were all required attributes released?
      • If YES: the SP has to check out why it fails
      • If NO: review your attribute release policy
• Another issue
  • An SP failed because it was not able to decrypt the SAML assertion that included the attribute values. The SP's federation used only signed but not encrypted SAML assertions, so that problem was not discovered earlier.

7

Exploring interfederated entities
• Is a university's IdP or an SP already interfederated?
  • go to https://technical.edugain.org/status.php
    • pick the country where the entity might be registered
    • under "Metadata URL" click on "validate this metadata set", then on "show entities list"
  • or search it in the eduGAIN List of Entities
    • go to https://technical.edugain.org/entities.php
  • or try the "Is Federated" Checker
    • go to https://wiki.edugain.org/isFederatedCheck
    • provide email addresses or domain names
• Additional web pages of interest
  • Which interfederated SPs are committed to the GEANT Data Protection Code of Conduct (CoCo)?
    • go to http://monitor.edugain.org/coco
  • REFEDS Metadata Explorer Tool (MET)
    • go to https://met.refeds.org

8

Page 102

Troubleshooting interfederated entities
• Find an SP in the Resource Registry
  • go to https://rr.aai.switch.ch
  • pick "Search for resources"
  • pick "interfederation"
• or search it in the metadata file
  • /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml
• Contact the SWITCHaai Team: aai@switch.ch

9

Page 103
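As an added example (not part of the SWITCH handouts), a small Python check covering the questions raised on the Metadata and Troubleshooting slides: is an entityID present in an interfederation metadata aggregate, which federation registered it (mdrpi:RegistrationInfo), and does the SP advertise a key usable for encryption. The metadata snippet is constructed; the SP entityID is the one from the slide's error message, while the IdP entityID, the registrationAuthority values and the certificate are sample values.

```python
import xml.etree.ElementTree as ET

# Standard SAML metadata namespaces; mdrpi carries RegistrationInfo
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed two-entity aggregate: the SP entityID is the one from the slide's
# error message; IdP entityID, registration authorities and certificate are sample values.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...sample...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ch/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://rr.aai.switch.ch/"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_aggregate(xml_text):
    """Map each entityID to its roles, registering federation and whether
    its SP role advertises a key usable for encryption."""
    entities = {}
    for ed in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        sp = ed.find("md:SPSSODescriptor", NS)
        roles = []
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            roles.append("IdP")
        if sp is not None:
            roles.append("SP")
        # A KeyDescriptor without a 'use' attribute serves signing and encryption
        enc = sp is not None and any(kd.get("use") in (None, "encryption")
                                     for kd in sp.findall("md:KeyDescriptor", NS))
        entities[ed.get("entityID")] = {
            "roles": roles,
            "registrationAuthority": None if reg is None else reg.get("registrationAuthority"),
            "spEncryptionKey": enc}
    return entities

def check_entity(xml_text, entity_id):
    """None means the aggregate lacks the entity, so a peer loading only this
    file will not know it (the 'SP does not know the IdP' case)."""
    return parse_aggregate(xml_text).get(entity_id)
```

Point it at /opt/shibboleth-idp/metadata/metadata.interfederation-sps.xml to confirm an SP actually made it into the file before digging into attribute release or discovery settings.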
