MyAccess Workshop
Integrating with UCSF’s Shibboleth system
Elliot Kendall, ITS
MyAccess Workshop
July 16, 2007
Introduction
• Elliot Kendall, ITS Identity and Access Management (IAM)
– Started at UCSF in July
– Previously ran web single-sign on at Emory and Brandeis
– Interested in Information Security and Systems Automation
• Please ask questions!
– You don’t need to wait until the end
– Please stop me if there’s something you want to ask
What MyAccess does
• Single sign-on
– Enter your password once, access many resources
• User Information
– Tells the application the name, email address, etc. of the logged in user
• Federation
– Use your UCSF credentials to log into non-UCSF systems, and let others log into your systems
• Security
– Applications and sites don’t see your password, just that you are logged in
MyAccess and Shibboleth
• MyAccess is UCSF-branded Shibboleth
– Shibboleth is an Internet2 project to support federated authentication among colleges and universities
• Shibboleth is an implementation of SAML
– Security Assertion Markup Language
– An XML-based protocol for federated authentication
• MyAccess works with Shibboleth or other SAML
– Most universities use Shibboleth, but we can integrate with anything that supports SAML
– This workshop will focus on Shibboleth
Terms and concepts
• Identity Provider (IdP)
– What users log into
– Displays login page, validates username and password, looks up attributes about the user
– Tells SPs who is logged in
• Service Provider (SP)
– Protects an application or website
– Sends users to the IdP to authenticate
– Reads the attribute information from the IdP
How it works
• Three parties: User’s Browser, PeopleSoft (SP), MyAccess (IdP)
• Step by step
– User’s browser visits the PeopleSoft website; the SP sees that the user is not logged in
– SP redirects the browser to the IdP with an encrypted SAML request
– Browser visits the IdP with the encrypted SAML request from the SP
– IdP displays the login page
– Browser sends username and password to the IdP
– IdP redirects the browser to the PeopleSoft website with an encrypted SAML response
– Browser visits the PeopleSoft website with the encrypted SAML response from the IdP
– SP checks that the SAML response is from a trusted IdP
– SP returns the logged-in PeopleSoft page
Terms and concepts
• Metadata
– To communicate securely, the IdP and SP must have a copy of one another’s metadata
– Contains cryptographic public keys and URLs to redirect the user’s browser to
• Federation
– A group of organizations that wants to be able to cross-authenticate
– Essentially just a big collection of metadata
– UCSF is part of InCommon, a federation of US colleges, universities, and companies that work with them; and UCTrust, which includes all UC schools
Hands on
• Setting up your own SP
– To integrate with MyAccess, you or your vendor needs to set up and configure an SP to talk to our IdP
– We’ll go through the process of a simple integration step by step, using the VMware image you received before class. This is a simplified example! Please do not use these instructions to set up a production SP!
• Warning: technical detail ahead!
– The VM is running Linux. You will need to use a command line interface, although we will tell you what to type. You will need to edit XML files, although we will provide detailed instructions
Booting the VM
• If you have not already, please start the VM now
– Once it finishes starting up, log in with username root and password ucsf
– Run a terminal (second icon from the left at the bottom of the screen)
• This VM is running CentOS 5 (almost the same as RedHat Enterprise 5)
– No special configuration has been done. We’ll do everything necessary to integrate with MyAccess
– The steps are different for different operating systems, but the concepts are the same
Installing Shibboleth
• Enable an external package repository
– In the terminal, type:
wget http://goo.gl/VNZNL -O /etc/yum.repos.d/shibboleth.repo
That’s goo.gl, as in “Google”
• Install the Shibboleth SP package
yum -y install shibboleth
Configuring Shibboleth
• Look at some configuration files
– Leave the terminal open, but start the text editor (to the right of the terminal icon)
– To open a file, go to File -> Open and start typing the name, or browse from File System under Places
– Open /etc/httpd/conf.d/shib.conf. This file controls how the Apache web server interacts with Shibboleth. Note the <Location> block that specifies that the /secure path will be protected. We don’t need to make any changes for this example.
– Open /etc/shibboleth/shibboleth2.xml. This file controls the guts of the SP. There’s a lot in here, but you don’t need to worry about most of it. Don’t be intimidated.
Configuring Shibboleth
• Find <ApplicationDefaults entityID=
– For entityID, enter https://localhost/ followed by your AD username. For example, https://localhost/ekendall
• Find <SSO entityID=
– For entityID, enter:
https://idp-dev.ucsf.edu/idp/shibboleth
• Find <MetadataProvider type="XML" file=
– For file, enter idp-metadata.xml
– Remove the <!-- and --> lines just before and after
• Save the file
Starting the SP
• Download a copy of the IdP metadata
wget https://idp-dev.ucsf.edu/idp/shibboleth -O /etc/shibboleth/idp-metadata.xml
• Start the SP and web server
/etc/init.d/shibd start
/etc/init.d/httpd start
• Log into your SP
– Open Firefox (globe icon, second from the right)
– Navigate to https://localhost/secure/
• What happened?
– The IdP doesn’t have your SP’s metadata, so it doesn’t know where to send users after they log in
Submitting your metadata
• Download a copy of your SP’s metadata
• Make sure you type “https” not “http”!
wget --no-check-certificate https://localhost/Shibboleth.sso/Metadata
• Submit it
– In Firefox, go to https://myaccess2-dev.ucsf.edu/workshop/
– Upload your Metadata file
• Wait
– It’ll take a few minutes for me to add all of your metadata to the IdP
Logging in
• Let’s try it again
– In Firefox, go back to https://localhost/secure
– What happens this time?
A production SP
• What would be different?
– Different path(s) protected in shib.conf
– Different IdP – production, not dev
– (Maybe) load InCommon metadata, not just our IdP
– Automatically download and validate new metadata on a regular basis
– Modify your application to read the REMOTE_USER environment variable instead of prompting for a username and password
– Maybe integrate with multiple IdPs so people from outside UCSF can log in
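As an added example, not the workshop's own files, here are the shibboleth2.xml fragments the workshop SP and the production SP described above come down to. The workshop SP trusts a hand-copied idp-metadata.xml that is never refreshed or checked; the production SP points at the production IdP, fetches federation metadata on a schedule and rejects it unless it is signed by the federation's key and not stale. The production URLs, the app hostname and the signer filename are placeholders; element and attribute names follow Shibboleth SP 2.4 syntax (assumed).

```xml
<!-- Workshop SP (dev IdP, static local metadata file, never refreshed) -->
<ApplicationDefaults entityID="https://localhost/ekendall" REMOTE_USER="eppn">
  <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://idp-dev.ucsf.edu/idp/shibboleth">
      SAML2 SAML1
    </SSO>
  </Sessions>
  <MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationDefaults>

<!-- Production SP: production IdP; federation metadata downloaded every 2 hours
     and accepted only if signed by the federation key and carrying a validUntil
     no more than 28 days out, so a stale or tampered copy is never trusted -->
<ApplicationDefaults entityID="https://app.example.edu/shibboleth" REMOTE_USER="eppn">
  <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://PRODUCTION-IDP-PLACEHOLDER/idp/shibboleth">
      SAML2 SAML1
    </SSO>
  </Sessions>
  <MetadataProvider type="XML" uri="https://FEDERATION-METADATA-URL-PLACEHOLDER"
                    backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="federation-signer.pem"/>
  </MetadataProvider>
</ApplicationDefaults>
```

The two ApplicationDefaults blocks are alternatives, not one file; a real shibboleth2.xml contains exactly one.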
Integration process
• See tiny.ucsf.edu/myaccess
• Highlights include
– Read and agree to division of responsibilities
– Determine what information you need about users
– Configure your SP
– Submit a formal request
– Wait for data owners to approve information release
– Communicate to your users
– Production deployment
Questions?