Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011


Shibboleth at the U of M
Christopher A. Bongaarts
code-people
June 2, 2011
CAH Retirement
• CAH slated to go away in October 2011
• Motivation:
– IPv6 compatibility
– Move to standards-based (SAML) solution
• CAH and Shib will do SSO between them until CAH is gone
What is Shibboleth?
• Software project sponsored by Internet2
• Implements SAML Web SSO Profile
• Two main packages:
– Identity Provider (IdP – logs users in)
– Service Provider (SP – uses login to do something useful)
How does it work?
• User visits application web site (SP)
• SP redirects user to IdP with SAML AuthnRequest
• IdP authenticates user, if necessary
• IdP sends user back to SP with SAML AuthnResponse
– Authentication Assertion (data about login)
– Attribute Assertion (data about user)
The Gory Details
It’s like CAH…
• User never gives credentials to SP
• Additional attributes can be returned
• Single sign-on
It’s different than CAH…
• No shared cookie
– Allows non-umn.edu SPs
– Logout works differently
• SSO still requires a trip to the IdP
• No free-for-all WEBCOOKIE method
• More complex protocol – need more than cookies + HTTPS to integrate
Our IdPs
• OIT/IDM runs production and test IdPs
• IdPs use production/test X.500 respectively
• Federated with InCommon
Integrating your application
• Best strategy: use Shib SP
– Requires Apache or IIS
– Usually easier to front app with Apache than to directly embed SAML support in your app
– Can protect files, directories, or locations
via server config or .htaccess
Integrating your application
• Best strategy: use Shib SP
– Lazy sessions allow unauthenticated browsing until login needed
– Shib session can bootstrap app session
– Standard builds available for Windows and several Linux distros
• Preinstalled on OIT Red Hat Linux VMs
Integrating your application
• Install and configure the Shib SP
– Careful – lots of knobs, few need turning
– Choose an appropriate entityID (see wiki)
– Export metadata (generate, then hand edit)
• Submit an Access Request Form if you need nonpublic attributes
• Ask us to add your metadata to our test IdP
Integrating your application
• Access attributes
– Environment variables (Apache)
– HTTP headers (IIS or Apache)
– REMOTE_USER
Converting from CAH to Shib
• Shib SP is drop-in replacement for mod_cookieauth
– sets REMOTE_USER
• No ARF needed if you already get data from CAH
• Apps requiring M Key can use AuthnContext to ask for and check for it
Gotchas
• Shib signs/encrypts assertions
– Uses certs in metadata to carry keys
– Shib ONLY looks at keys, not rest of cert
• Ignores expiration
• Doesn’t validate CA
– These are NOT the same certs/keys used for your browser-facing HTTPS port (443)
Gotchas
• entityID looks like a URL but isn’t
– It’s a URI, being used as a name
– Handy to use as URL sometimes (metadata)
– Use a domain you control to facilitate self-managed metadata someday
Other SAML Implementations
• simpleSAMLphp (PHP)
• OIOSAML (Java)
• ADFSv2 (gateway to WS-*)
– Preferred method for Sharepoint 2010
• WIF SAML extension (for .NET apps)
– MSDN blog entry: http://z.umn.edu/3n3
• OpenAM - formerly OpenSSO
Federating your application
• Lets your app allow users to log in from other places
• Can do simple bilateral setups or get listed in a federation like InCommon (ask us)
• Use a federatable identifier instead of Internet ID or umnDID for primary key
– eduPersonTargetedID
– eduPersonPrincipalName (ID+scope e.g. [email protected])
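As an added example (not from the slides or the Shibboleth project), the helper below bootstraps an application session from the variables the Shib SP sets, tying together the "Access attributes", "Converting from CAH to Shib" and "Federating your application" slides: it reads REMOTE_USER or the scoped eppn, records which IdP asserted the login, and checks the AuthnContext class the way an M Key-requiring app would. Variable names are the SP's Apache defaults (Shib-Session-ID, Shib-Identity-Provider, Shib-AuthnContext-Class, eppn); the M Key AuthnContext URI is not on the slides, so it is an assumed placeholder.

```python
# Added example; assumes mod_shib (Apache) has populated the environment.
MKEY_AUTHN_CONTEXT = "urn:example:placeholder:mkey"  # assumed placeholder URI


class ShibSessionError(Exception):
    """The SP-supplied environment does not carry a usable Shib session."""


def bootstrap_app_session(environ, require_mkey=False, federated=False):
    """Derive an application session from Shib SP variables, or raise.

    environ is the WSGI/CGI environment as populated by mod_shib.
    """
    session_id = environ.get("Shib-Session-ID")
    if not session_id:
        # Normal under a lazy session: no Shib session until login is needed.
        raise ShibSessionError("no Shibboleth session for this request")

    # eppn (user@scope) is federatable; REMOTE_USER is the mod_cookieauth-style
    # identifier the SP sets for apps converted from CAH.
    eppn = environ.get("eppn") or ""
    remote_user = environ.get("REMOTE_USER") or ""
    if federated:
        if "@" not in eppn:
            raise ShibSessionError("federated app needs a scoped eppn")
        principal = eppn
    else:
        principal = remote_user or eppn
    if not principal:
        raise ShibSessionError("session present but no identifier released")

    # Asking the IdP for a context is not enough; the app must check what
    # actually came back in the assertion.
    authn_context = environ.get("Shib-AuthnContext-Class", "")
    if require_mkey and authn_context != MKEY_AUTHN_CONTEXT:
        raise ShibSessionError("M Key authentication required")

    return {
        "principal": principal,
        "idp": environ.get("Shib-Identity-Provider", ""),
        "authn_context": authn_context,
        "shib_session_id": session_id,
    }
```

Under Apache these arrive as environment variables, which a browser cannot set; if the app instead reads HTTP headers (IIS, or ShibUseHeaders On), the SP must be the only path to the app, or client-supplied headers could stand in for the SP's.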
Looking Ahead
• Single logout support
• User consent for attribute release
• Self-managed metadata for departments
Resources
• U of M Shib wiki: https://wiki.umn.edu/ShibAuth
• Official Shib wiki:
https://wiki.shibboleth.net/confluence/display/SHIB2/Home
• Shib mailing list: [email protected]
– Best place for general questions about Shib SP installation/configuration
– Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.
Questions?
• Identity Management - [email protected]
• Or call Chris at 5-1809