Shibboleth SSO and Drupal


Page 1: Shibboleth SSO and Drupal

25 1st St., Suite 104, Cambridge, MA 02141 | www.BioRAFT.com

Shibboleth SSO and Drupal

Presented by Justin Ludwig (jludwig) at BADCAMP 2013

Page 2: Shibboleth SSO and Drupal

Who is Justin Ludwig?

• Jludwig on drupal.org
• Tech Virtuoso
• Software Engineer @ BioRAFT
• Drupal for about 6 years, when D5 was new.
• Resides in South Bay w/beautiful wife and adorable fur-baby.
• Musical family: lovers of Early Music, weird music of today and everything in between.

Page 3: Shibboleth SSO and Drupal

What is BioRAFT?

• "Preventing the next zombie apocalypse"
• Entirely built using Drupal, SaaS model
• Lab Safety, Compliance & Training Software
• Comprehensive and efficient hazard tracking, compliance management, & training delivery
• In use at top tier research institutions, and at top ten biotech & pharmaceutical companies

Page 4: Shibboleth SSO and Drupal

Shibboleth: A Brief History

• A shibboleth (/ˈʃɪbəlɛθ/ or /ˈʃɪbələθ/) is a word, sound, or custom that a person unfamiliar with its significance may not pronounce or perform correctly relative to those who are familiar with it. It is used to identify foreigners or those who do not belong to a particular class or group of people. It also refers to features of language, and particularly to a word or phrase whose pronunciation identifies a speaker as belonging to a particular group.

• Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" (שבלת).' If anyone said, "Sibboleth" (סבלת), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion. —Judges 12:5–6, NJB

• During World War II, some United States soldiers in the Pacific theater used the word lollapalooza as a shibboleth to challenge unidentified persons, on the premise that Japanese people often pronounce the letter L as R or confuse Rs with Ls; the word is also an American colloquialism that even a foreign person fairly well-versed in American English would probably mispronounce or be unfamiliar with.

Page 5: Shibboleth SSO and Drupal

JK, Rowling

Page 6: Shibboleth SSO and Drupal

A peek into the future

• What is single sign-on?
• What is Shibboleth? How does it work?
• SAML? IdP? SP? WTF?
• Leveraging Drupal & Shib_Auth.module
• Resources

Page 7: Shibboleth SSO and Drupal

What is Single Sign-On and WHY?

• Single sign-on (SSO) lets a user authenticate once, with one set of credentials, and then use multiple services without logging in to each one separately. The services never see the password; they rely on an assertion from the authentication service.
• Easier for the end user.
• Easier integration for staff.
• Better security (when used properly): the password is typed in one place only, so password policy, MFA and lockout are enforced centrally, and disabling the account cuts off every service at once.
• The biggest reason…

Page 8: Shibboleth SSO and Drupal

Your Client Needs It!

• Higher Education, they use it.
• Government, they use it.
• Big corporations, they use it.
• Non-Profits, they should be using it.

Page 9: Shibboleth SSO and Drupal

Your Client Needs It!

Page 10: Shibboleth SSO and Drupal

Just a little Jargon…

• Security Assertion Markup Language (SAML): XML-based open standard for passing signed authentication and attribute assertions between parties; the protocol Shibboleth speaks.

• Identity Provider (IdP): Authenticates the user and issues the assertion that carries the user's identity and attributes.

• Service Provider (SP): Hosts the application that users wish to access; it consumes and validates the IdP's assertion, then grants access.

Page 11: Shibboleth SSO and Drupal

Why Shibboleth?

• A mature, widely deployed SAML implementation.
• Tried and tested.
• Easy to use.
• Big community.
• Open source.
• Shib_Auth module.

Page 12: Shibboleth SSO and Drupal

How Shibboleth Works

1. User accesses protected resource.

Page 13: Shibboleth SSO and Drupal

How Shibboleth Works

2. The SP redirects the user's browser to the IdP carrying a SAML authentication request (AuthnRequest). The SP and IdP do not talk to each other directly here; the browser relays the messages.

Page 14: Shibboleth SSO and Drupal

How Shibboleth Works

3. User authenticates to the IdP. The authentication method (password, certificate, second factor) is determined by the IdP's configuration, not by the SP.

Page 15: Shibboleth SSO and Drupal

How Shibboleth Works

4. The IdP's response is picked up at the ACS (Assertion Consumer Service) on the SP, which decodes it, does security checks (signature against the IdP certificate from metadata, issuer, destination, audience, validity window, replay), then creates a session for the user. Drupal then takes over.

Page 16: Shibboleth SSO and Drupal

POST Binding and Artifact Binding

• POST Binding: the IdP returns an HTML form to the browser that auto-submits the signed SAML Response to the SP's ACS. No direct communication between IdP & SP.

• Artifact Binding:
  1. IdP stores the SAML Assertion and redirects the user to the SP w/a short artifact in the query string.
  2. SP requests the SAML Assertion for that artifact from the IdP over a back channel.
  3. IdP returns the Assertion w/matching Artifact.
  4. SP validates the assertion. The assertion itself never passes through the browser.
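The four steps above and the POST binding, traced in code as an added example (not from the slides, and not the Shibboleth SP's own code): a toy IdP mints a Response for a toy SP, and the SP's ACS performs each check before it creates a session. The entity IDs, endpoints, attribute-map.xml contents and the HMAC that stands in for the XML Signature are all assumptions of this example.

```python
"""Added model of SAML 2.0 Web Browser SSO over the HTTP-POST binding, between a Shibboleth SP and IdP.
Simplifications: an HMAC over the whole Response stands in for its XML Signature (a real SP verifies that
with the IdP certificate from metadata), and the two browser hops are plain function calls."""
import hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Assumed entity IDs, endpoints and key; none of them appear in the slides.
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
SP_ACS_URL = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
IDP_SIGNING_KEY = b"stand-in for the IdP signing key published in its metadata"
CLOCK_SKEW = timedelta(seconds=180)  # tolerated drift; the reason the slides list NTP as a prerequisite
# Constructed attribute-map.xml in shibd's real format: SAML attribute name -> local id.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation"/>
</Attributes>"""

def _now(): return datetime.now(timezone.utc)
def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def sign(data): return hmac.new(IDP_SIGNING_KEY, data, hashlib.sha256).hexdigest()  # XML-DSig stand-in

class IdentityProvider:
    def __init__(self, users, sp_registry):
        self.users, self.sp_registry = users, sp_registry  # username -> attrs; SP entityID -> its metadata ACS URLs

    def handle_authn_request(self, request_xml, username):
        """Steps 2-3: the user has authenticated (assumed done here); mint the signed Response."""
        req = ET.fromstring(request_xml)
        issuer, rid, acs = req.findtext("saml:Issuer", namespaces=NS), req.get("ID"), req.get("AssertionConsumerServiceURL")
        if acs not in self.sp_registry.get(issuer, ()):  # never deliver an assertion to an unregistered URL
            raise ValueError("ACS not in SP metadata")
        now, expiry = _ts(_now()), _ts(_now() + timedelta(minutes=5))
        attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                        for n, v in self.users[username].items())
        response = (
            f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
            f'InResponseTo="{rid}" Destination="{acs}" IssueInstant="{now}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" IssueInstant="{now}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{username}</saml:NameID><saml:SubjectConfirmation '
            f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="{rid}" '
            f'Recipient="{acs}" NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{now}" NotOnOrAfter="{expiry}"><saml:AudienceRestriction>'
            f'<saml:Audience>{issuer}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>'
        ).encode()
        return response, sign(response)

class ServiceProvider:
    def __init__(self):
        self.outstanding = set()  # AuthnRequest IDs still awaiting their Response
        self.attribute_map = {a.get("name"): a.get("id") for a in ET.fromstring(ATTRIBUTE_MAP_XML)}

    def authn_request(self):
        """Steps 1-2: a protected resource was hit; build the request the browser carries to the IdP."""
        rid = "_" + uuid.uuid4().hex
        self.outstanding.add(rid)
        return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{rid}" '
                f'IssueInstant="{_ts(_now())}" Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
                f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

    def assertion_consumer_service(self, response_bytes, signature):
        """Step 4: the checks the ACS makes before any session exists; raises ValueError on failure."""
        if not hmac.compare_digest(sign(response_bytes), signature):
            raise ValueError("bad signature")  # nothing in the document is trustworthy until this passes
        resp, now = ET.fromstring(response_bytes), _now()
        if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID or resp.get("Destination") != SP_ACS_URL:
            raise ValueError("wrong issuer or destination")
        if resp.get("InResponseTo") not in self.outstanding:
            raise ValueError("unsolicited or replayed response")
        self.outstanding.discard(resp.get("InResponseTo"))  # each request is answered at most once
        assertion = resp.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS)
        if not _parse(cond.get("NotBefore")) - CLOCK_SKEW <= now < _parse(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
            raise ValueError("outside validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            raise ValueError("audience mismatch")  # valid, but minted for some other SP
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != SP_ACS_URL or _parse(scd.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
            raise ValueError("bearer confirmation not for this ACS")
        session = {"nameid": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") in self.attribute_map:  # attribute-map.xml decides; unmapped attributes are dropped
                session[self.attribute_map[attr.get("Name")]] = attr.findtext("saml:AttributeValue", namespaces=NS)
        return session  # shibd exports these to the web server, and so to Drupal, as request variables

def run_flow(username="jdoe"):
    """Drive one login end to end; returns (sp, response, signature, session)."""
    users = {"jdoe": {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "jdoe@example.edu", "urn:oid:0.9.2342.19200300.100.1.3":
             "jdoe@example.edu", "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "staff", "urn:oid:2.16.840.1.113730.3.1.241": "Jane Doe"}}
    idp, sp = IdentityProvider(users, {SP_ENTITY_ID: {SP_ACS_URL}}), ServiceProvider()  # last attr is displayName, unmapped
    request = sp.authn_request()                                  # browser -> IdP via redirect
    response, sig = idp.handle_authn_request(request, username)  # browser -> SP ACS via auto-submitted POST form
    return sp, response, sig, sp.assertion_consumer_service(response, sig)
```

The order of the checks is the point: the signature is verified before anything in the document is read, the request ID is consumed so a captured Response cannot be posted twice, and an assertion that is perfectly valid but minted for a different SP fails on Audience. The IdP side shows the matching rule, that assertions go only to ACS URLs listed in the SP's metadata, which is why the metadata exchange on the later slides is what "makes SAML work".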

Page 17: Shibboleth SSO and Drupal

Install and Configure Shibboleth

• Learn XML! http://www.w3schools.com/xml/
• Other Prerequisites
  • Root access to the machine.
  • Network Time Protocol (NTP): assertions carry NotBefore/NotOnOrAfter timestamps, and an SP clock off by more than the configured skew rejects every login.
  • Basic understanding of SSL
  • Basic understanding of server configuration

Page 18: Shibboleth SSO and Drupal

Install and Configure Shibboleth

Follow an installation guide. ;)
• https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
• If not using an officially supported distro, check package management repo.
• As always, Google is your friend.

Page 19: Shibboleth SSO and Drupal

A Little Configuration Jargon…

• EntityID: Unique string (by convention a URL) used to identify your application across federation interactions; it is what the IdP writes into the assertion's Audience.

• Metadata: XML describing each party's entityID, endpoints and certificates. Exchanging it is what makes SAML work: it tells the SP which IdP signatures to trust and the IdP where it may send assertions.

• Attributes: Info about the user provided by the IdP (e.g. eduPersonPrincipalName, mail, affiliation). Mapped to local names in attribute-map.xml.

Page 20: Shibboleth SSO and Drupal

Federations: No, you don't need to wear the jumpsuit

• A group of IdPs and SPs that agree on a set of policies.

• Not 100% necessary, but greatly simplifies integration w/other federation members, management decisions, etc.

Page 21: Shibboleth SSO and Drupal

Config Files Overview

• /etc/shibboleth: Base directory for Shib config
• shibboleth2.xml: Most of the SP's config opts.
• attribute-map.xml: Used to translate attributes from SAML assertions into local names.
• Metadata: SP and IdP/Federation exchange metadata, and this makes SAML work.
• The SP's own metadata is usually generated at /Shibboleth.sso/Metadata.
• A good base; invest in understanding contents.
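Added example, not from the slides and not a Shibboleth tool: a small lint over shibboleth2.xml, run against a constructed weak configuration and a hardened one. The element and attribute names are the SP 2.x ones (ApplicationDefaults, Sessions, SSO, Handler, MetadataProvider, MetadataFilter); the rules, the entity IDs and the file names are this example's own.

```python
"""Added lint for a Shibboleth SP shibboleth2.xml: flags the settings a reviewer checks first.
The two embedded fragments are constructed for this example; the element and attribute names
are the real SP 2.x ones, but the lint rules are this example's own, not a Shibboleth tool."""
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}
SHIPPED_DEFAULT_ENTITY_ID = "https://sp.example.org/shibboleth"  # placeholder in the stock config

WEAK_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="false" cookieProps="http">
      <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2</SSO>
      <Handler type="Status" Location="/Status"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
    <MetadataProvider type="XML" url="https://idp.example.edu/idp/shibboleth" backingFilePath="idp-metadata.xml"/>
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""

HARDENED_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://drupal.example.edu/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2</SSO>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>
    <MetadataProvider type="XML" url="https://idp.example.edu/idp/shibboleth" backingFilePath="idp-metadata.xml"
                      reloadInterval="7200">
      <MetadataFilter type="Signature" certificate="idp-metadata-signer.pem"/>
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    </MetadataProvider>
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""


def lint(config_xml):
    """Return the findings for one shibboleth2.xml document; an empty list means nothing was flagged."""
    findings = []
    app = ET.fromstring(config_xml).find("c:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults element"]
    if app.get("entityID") in (None, SHIPPED_DEFAULT_ENTITY_ID):
        findings.append("entityID is missing or still the placeholder shipped with the SP")
    sessions = app.find("c:Sessions", NS)
    if sessions is None:
        return findings + ["no Sessions element"]
    if sessions.get("handlerSSL") != "true":
        findings.append("handlerSSL is not true: the ACS and the other handlers also answer over plain HTTP")
    cookie_props = sessions.get("cookieProps", "")
    if cookie_props != "https" and "secure" not in cookie_props.lower():
        findings.append("cookieProps is not https: the session cookie is sent without the Secure flag")
    for handler in sessions.iterfind("c:Handler", NS):
        if handler.get("type") == "Status" and not handler.get("acl"):
            findings.append("Status handler has no acl: SP internals are readable by anyone")
        if handler.get("type") == "Session" and handler.get("showAttributeValues") == "true":
            findings.append("Session handler shows attribute values to whoever holds the cookie")
    providers = app.findall("c:MetadataProvider", NS)
    if not providers:
        findings.append("no MetadataProvider: the SP trusts no IdP at all")
    for provider in providers:
        if (provider.get("url") or provider.get("uri")) and provider.find("c:MetadataFilter[@type='Signature']", NS) is None:
            findings.append("remote metadata without a Signature filter: the TLS connection is the only thing checked")
        if provider.find("c:MetadataFilter[@type='RequireValidUntil']", NS) is None:
            findings.append("no RequireValidUntil filter: metadata never expires once fetched")
    return findings
```

The metadata checks matter most: an SP that fetches IdP or federation metadata over a URL without a Signature filter trusts whatever that URL serves, and without RequireValidUntil it keeps trusting a copy long after the federation has rotated keys or removed an IdP. handlerSSL and cookieProps decide whether the session cookie that Drupal inherits can be read off a plain-HTTP request.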

Page 22: Shibboleth SSO and Drupal

Leveraging Drupal

Shibboleth authentication module
• https://drupal.org/project/shib_auth
• Big 'Thank you' to shafter, bajnokk, dorion, niff, and everyone else involved in the project.
• 14,955 downloads, thousands report using it.
• 4.x Branch for Drupal 6 and Drupal 7.
  – Backported to D5 if anyone needs it.

Page 23: Shibboleth SSO and Drupal

What shib_auth gives you
• Automatic user creation and user login.

Page 24: Shibboleth SSO and Drupal

What shib_auth gives you
• Automatic role assignment.

Page 25: Shibboleth SSO and Drupal

What shib_auth gives you
• Account linking
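Added example modelling the three jobs the previous slides list for the Drupal side (automatic creation and login, role assignment, account linking), written from scratch for this page: it is not shib_auth's code, database schema or rule syntax. The identifier attribute (eppn), the role rules and the sample attribute sets are assumptions of this example.

```python
"""Added model of the Drupal-side work a Shibboleth login module does once shibd has exported the
user's attributes as request variables: bind the Shibboleth identity to a Drupal account, auto-create
or link accounts, and assign roles from attribute rules. Not shib_auth's code, schema or rule syntax."""
import re

# Role rules: (exported attribute, regex applied to each value, Drupal role). Values of multi-valued
# attributes arrive from shibd ';'-separated. Both rules are assumptions of this example.
ROLE_RULES = [("affiliation", r"^(faculty|staff)$", "editor"),
              ("eppn", r"@example\.edu$", "campus member")]


class UserStore:
    """Stand-in for Drupal's user table plus the module's identity-to-account mapping."""
    def __init__(self):
        self.users = {}       # Drupal username -> account dict
        self.identities = {}  # Shibboleth identifier (here eppn) -> Drupal username

    def create(self, name, mail):
        if name in self.users:
            raise ValueError(f"username {name!r} already exists")
        self.users[name] = {"name": name, "mail": mail, "roles": {"authenticated user"}}
        return self.users[name]


def roles_for(attrs):
    """Recomputed at every login, so an affiliation revoked at the IdP loses its role on the next sign-in."""
    granted = {"authenticated user"}
    for attr, pattern, role in ROLE_RULES:
        if any(re.search(pattern, value) for value in attrs.get(attr, "").split(";") if value):
            granted.add(role)
    return granted


def link_account(store, local_username, attrs, id_attr="eppn"):
    """Account linking: the user is logged in with their Drupal password AND holds a Shibboleth
    session, so both sides are proven before the identity is bound to the account."""
    identity = attrs[id_attr]
    if store.identities.get(identity, local_username) != local_username:
        raise PermissionError("identity already bound to a different account")
    store.identities[identity] = local_username
    return store.users[local_username]


def shib_login(store, attrs, id_attr="eppn", auto_create=True):
    """Automatic login and user creation, called on a request that carries a Shibboleth session."""
    identity = attrs.get(id_attr)
    if not identity:
        raise PermissionError(f"IdP released no {id_attr}: check attribute-map.xml and the IdP's release policy")
    name = store.identities.get(identity)
    if name is None:
        if not auto_create:
            raise PermissionError("no linked account and automatic creation is off")
        # An IdP-asserted identifier must not silently take over an existing password account of the same
        # name; that is what the explicit link_account() path is for.
        if identity in store.users:
            raise PermissionError(f"local account {identity!r} exists; link it explicitly")
        store.create(identity, attrs.get("mail", ""))
        store.identities[identity] = name = identity
    user = store.users[name]
    user["roles"] = roles_for(attrs)
    return user
```

Two decisions carry the security weight. Roles are derived from the attributes on every login rather than stored once, so a user whose affiliation changes at the IdP is re-evaluated next time rather than keeping an editor role forever. And an existing local account is never claimed automatically just because the IdP asserts the same name; it has to be linked from a session that already holds the Drupal password.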

Page 26: Shibboleth SSO and Drupal

What shib_auth gives you

• Logout Handling

Page 27: Shibboleth SSO and Drupal

Advanced Features in Shib_Auth

• User-defined usernames/e-mails
• Auto-Login
• Pre-creating Users
• User Consent Forms
• forceAuthn

Page 28: Shibboleth SSO and Drupal

Resources

• https://wiki.shibboleth.net/confluence/dashboard.action
• https://drupal.org/project/shib_auth
• https://www.testshib.org/index.html
• http://saml.xml.org/saml-specifications
• https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories
• http://shibboleth.net/community/lists.html

Page 29: Shibboleth SSO and Drupal

A look to the past

• What is single sign-on?
• What is Shibboleth? How does it work?
• SAML? IdP? SP? WTF?
• Leveraging Drupal & Shib_Auth.module
• Resources

Page 30: Shibboleth SSO and Drupal

Questions, comments, etc