Shibboleth @ NTU


Shibboleth @ NTU
Francis Lowry
Information Systems
Nottingham Trent University
[email protected]
Overview
• What is Shibboleth
• Federated Identity
• Shibboleth @ NTU
• Technical requirements and resources
• Installation files and documentation
06 July 2015
2
What is (and isn’t) Shibboleth?
• A Web Single-Sign-On System (SSO) ?
• An Access Control Mechanism for Attributes ?
• A Standard Interface and Vocabulary for Attributes?
• A Standard for adding Authentication and Authorisation to
Applications?
Shibboleth is a mechanism for binding all these things together!
It is an Authentication and Authorisation framework for delivering
secure, anonymised access to web based resources and services.
Shibboleth Components
• Identity Provider (IdP)
– Authentication mechanism
– Attribute Repository (e.g. Active Directory, LDAP or database)
• Service Provider (SP)
– Web Server
– Protects Shared Resources
– Determines if authentication is required
– Requests attributes from an IdP for consumption by SP
– Optional component
• Where are you from (WAYF)
– Gateway which allows users to say where they should be authenticated.
– Usually maintained by Federation.
Shibboleth Federation
Federated Identity
• A Federation is a legal / quasi legal agreement between a group of
organisations who agree to a "circle of trust" for members that want
to access a set of resources.
• There is an agreed minimal set of base ‘Attributes’ which members
of a Federation agree to provide to each other.
• These ‘Attributes’ form the basis under which resources are released
i.e. Staff, Student, Organisation …
• UK Access Management Federation (operated by JISC and BECTA)
(http://www.ukfederation.org.uk/)
Shibboleth - AuthN & AuthZ
• Shibboleth IdP
Authentication (AuthN)
– You are who you say you are
– Connects via local SSO to internal directory and verifies logon credentials
– Releases attributes to SP
• Shibboleth SP
Authorisation (AuthZ)
– Access to resources based on attributes required by resource
Shibboleth Attributes
• UK Federation uses a subset of the EduPerson schema to define the
core attributes required for membership.
• You can either add the schema to your Active Directory & then
maintain the attributes separately, or map the attributes to existing
elements within AD.
• The mappings of the source for these attributes is maintained within
the IdP, and attributes can come from various sources.
• The attributes, or combination of attributes are used to define if
resources are released to a user by an SP.
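The two slides above describe the flow end to end: the IdP maps existing Active Directory data onto the eduPerson attributes, releases only the agreed set to an SP, and the SP decides on access from the attributes it receives. The following is an added example modelling that flow (not code from the NTU slides or the Shibboleth project); the scope, AD group DNs, SP entity IDs and accounts are constructed values, and the scope check in `sp_authorise` mirrors the Shibboleth SP's habit of only trusting a scoped value whose scope matches the asserting IdP.

```python
# Added illustration, not NTU's or Shibboleth's own code; all values are constructed.
# Scope the federation has registered for this IdP (assumed value).
IDP_SCOPE = "example.ac.uk"

# Map existing AD group membership to eduPerson affiliation values rather than
# extending the AD schema (the slide's second option).
AD_GROUP_TO_AFFILIATION = {
    "CN=Staff,OU=Groups,DC=example,DC=ac,DC=uk": "staff",
    "CN=Students,OU=Groups,DC=example,DC=ac,DC=uk": "student",
}

# Per-SP release policy: each SP only ever sees the attributes agreed for it.
RELEASE_POLICY = {
    "https://sp.partner.ac.uk/shibboleth": {"eduPersonScopedAffiliation"},
    "https://intranet.example.ac.uk/shibboleth": {"eduPersonPrincipalName",
                                                  "eduPersonScopedAffiliation"},
}

def resolve_attributes(ad_entry):
    """IdP: derive eduPerson attributes from an AD entry (sAMAccountName, memberOf)."""
    affiliations = {AD_GROUP_TO_AFFILIATION[g] for g in ad_entry.get("memberOf", [])
                    if g in AD_GROUP_TO_AFFILIATION}
    if affiliations:
        affiliations.add("member")  # eduPerson: staff or student implies member
    return {
        "eduPersonPrincipalName": f"{ad_entry['sAMAccountName']}@{IDP_SCOPE}",
        "eduPersonScopedAffiliation": sorted(f"{a}@{IDP_SCOPE}" for a in affiliations),
    }

def release(attributes, sp_entity_id):
    """IdP: keep only the attributes this SP is permitted to receive (unknown SP: none)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {k: v for k, v in attributes.items() if k in allowed}

def sp_authorise(received, required_affiliations, expected_scope):
    """SP: grant only if a scoped affiliation matches and its scope is the one the
    federation registered for the asserting IdP; unscoped or foreign scopes are rejected."""
    for value in received.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.rpartition("@")
        if scope == expected_scope and affiliation in required_affiliations:
            return True
    return False

def access_decision(ad_entry, sp_entity_id, required_affiliations):
    """End to end: AD entry -> IdP attributes -> release -> SP decision."""
    received = release(resolve_attributes(ad_entry), sp_entity_id)
    return sp_authorise(received, required_affiliations, IDP_SCOPE)
```

An SP not listed in the release policy receives nothing and so is always refused, which is the safe default when a new partner has not yet agreed its attribute set.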
What can we do with Shibboleth
• Intra-realm authentication (e.g. intranet, local web-based
applications)
• Accessing shared resources between partner institutions
– A local federation; universities, colleges, schools
– E.g. KC-Rolo Project (http://www.kidderminster.ac.uk/kc-rolo/), Moodle
integration
• Participation in a National or International federation
– UK Access Management Federation (operated by JISC and BECTA)
(http://www.ukfederation.org.uk/)
– SWITCHAAI
– InCommon
JISC @ NTU
• East Midlands Shibboleth Service.
– Explored setting up a central Identity Provider (IdP) for the east midlands.
– Proposal was not viable for a number of technical, security and business process
reasons.
• Nottingham RIPPLL Project.
– Partnered with Nottingham University to model transfer of Personal
Development Portfolio (PDP) data using the UKLeap XML format.
– Successful sub-project to use Shibboleth to allow for remote referencing of PDP
data using web services.
• Shibboleth Protected CV Builder service for the East Midlands
– 2 Year project partnering with West Nottinghamshire College and New College
Nottingham to set up and test a CV Builder service on top of Shibboleth using
Web Services to reference remote data in real time.
Shibboleth on Windows
• East Midlands Shibboleth Service.
– One of the core constraints of this project was to build it, as far as possible,
using Windows Technologies.
• Problems:
– Staff in the team were all windows technologists – not open source.
– At the time of development all documentation was aimed at supporting the
Open Source community.
– Documentation was written with assumptions that user was knowledgeable
perhaps even an expert in Java, Tomcat, Apache etc.
– Shibboleth documentation was not consistent.
NTU Initial technical work
• Main time was spent on:
– Understanding what Shibboleth was
– Translating / converting the documentation to ‘Windows Speak’
• After several months of pain, we finally managed to get an IdP
working. Then K.U.Leuven in Belgium (http://shib.kuleuven.be/)
published their work on Shibboleth on Windows.
• This work included a full installation script to allow an institution to
install a Shibboleth IdP relatively painlessly.
Shibboleth pre-requisites
• Local Web single sign-on framework which supports the SAML
specification.
• Central authentication source e.g. LDAP / Active Directory.
• Attribute store e.g. LDAP / Active Directory / Database.
• SSL Certificates on IdP and SP.
• Specific ports open on firewall.
Initial environment @ NTU
• No web single sign-on framework
– For simplicity we adopted CAS (http://www.ja-sig.org/wiki/display/CAS/Home)
– The K.U. Leuven install assumes a CAS installation.
• Single directory for authentication.
– Active Directory already in place.
• No Attribute store.
– Did not add EduPerson schema to AD
– Mapped core attributes defined in the Federation to existing Active Directory
entities.
NTU Shibboleth Architecture
• 2 servers
– Shib-idp.ntu.ac.uk
– Shib-sp.ntu.ac.uk
• Dual processor machines, mirrored disks, 2GB RAM, MS Windows
2003 Server
• IdP
– Java
– Tomcat
– CAS server
– Shibboleth
• SP
– IIS 6
– Shibboleth ISAPI filter
Skills required
• Active Directory Administration
– CAS connector
– Attribute store
• Confidence to ‘hack’ xml configuration files
• Web Server administration knowledge
– SSL Certificates
• Knowledge of Java & Tomcat an advantage, but not a requirement
Shibboleth IdP installation
• Organise all the prerequisites
– SSL certificate for IdP server.
– Java, Tomcat, CAS, Shibboleth PKI organisation.
– Open ports through firewall.
– Identify attribute source.
• Organise install as per K.U.Leuven instructions.
• Run install batch file.
Potential problem areas
• SSL configuration with Java, Tomcat, CAS, and Shibboleth.
• Attribute mappings – where do you source the data from?
• Debugging Shibboleth errors can be problematic.
Resources to assist you
• Installation download from K.U.Leuven (includes CAS)
• Shibboleth WIKI (https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WebHome)
• Shibboleth@Internet2 (http://shibboleth.internet2.edu/support.html)
• NTU installation guide
– This was developed prior to the later K.U.Leuven installations. The installation
instructions no longer match; however, there is more background information on
the technologies and guidelines on how to set up a test IdP.
– The K.U.Leuven instructions automate the core of the install.
• CD
– Latest install set from K.U.Leuven
– Docs from NTU.
– Presentation
Any Questions?