
Page 1: Shibboleth at the U of M

Shibboleth at the U of M

Christopher A. Bongaarts

code-people

June 2, 2011

Page 2: CAH Retirement

• CAH slated to go away in October 2011

• Motivation:
  – IPv6 compatibility
  – Move to standards-based (SAML) solution

• CAH and Shib will do SSO between them until CAH is gone

Page 3: What is Shibboleth?

• Software project sponsored by Internet2

• Implements SAML Web SSO Profile

• Two main packages:
  – Identity Provider (IdP – logs users in)
  – Service Provider (SP – uses login to do something useful)

Page 4: How does it work?

• User visits application web site (SP)

• SP redirects user to IdP with SAML AuthnRequest

• IdP authenticates user, if necessary

• IdP sends user back to SP with SAML AuthnResponse
  – Authentication Assertion (data about login)
  – Attribute Assertion (data about user)

Page 5: The Gory Details

Page 6: It’s like CAH…

• User never gives credentials to SP

• Additional attributes can be returned

• Single sign-on

Page 7: It’s different than CAH…

• No shared cookie
  – Allows non-umn.edu SPs
  – Logout works differently

• SSO still requires a trip to the IdP

• No free-for-all WEBCOOKIE method

• More complex protocol – need more than cookies + HTTPS to integrate

Page 8: Our IdPs

• OIT/IDM runs production and test IdPs

• IdPs use production/test X.500 respectively

• Federated with InCommon

Page 9: Integrating your application

• Best strategy: use Shib SP
  – Requires Apache or IIS
  – Usually easier to front app with Apache than to directly embed SAML support in your app
  – Can protect files, directories, or locations via server config or .htaccess

Page 10: Integrating your application

• Best strategy: use Shib SP
  – Lazy sessions allow unauthenticated browsing until login needed
  – Shib session can bootstrap app session
  – Standard builds available for Windows and several Linux distros
    • Preinstalled on OIT Red Hat Linux VMs

Page 11: Integrating your application

• Install and configure the Shib SP
  – Careful – lots of knobs, few need turning
  – Choose an appropriate entityID (see wiki)
  – Export metadata (generate, then hand edit)

• Submit an Access Request Form if you need nonpublic attributes

• Ask us to add your metadata to our test IdP

Page 12: Integrating your application

• Access attributes
  – Environment variables (Apache)
  – HTTP headers (IIS or Apache)
  – REMOTE_USER
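As an added example (not from the slides), here is the Apache-fronted setup pages 9, 10 and 12 describe: a lazy session on the whole app, a mandatory session on one location, and attributes delivered as environment variables. The directives are the Shib SP 2.x Apache module's (Apache 2.2 syntax); paths and hostnames are placeholders.

```apache
# Added example (not from the slides). Shib SP 2.x in front of an application.
# Whole app: lazy session. Anonymous browsing works; when the app needs a user it
# redirects to /Shibboleth.sso/Login itself and checks for a session afterwards.
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    require shibboleth
</Location>

# /admin (placeholder path): a Shib session is required, so the SP sends the
# browser to the IdP with an AuthnRequest automatically.
<Location /admin>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

# By default the SP hands attributes to the app as environment variables
# (REMOTE_USER, eppn, ...), which the browser cannot set. Enable header
# delivery only when the app can read HTTP headers but not the environment
# (IIS, or a back end proxied from this Apache).
# ShibUseHeaders On
```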

Page 13: Converting from CAH to Shib

• Shib SP is drop-in replacement for mod_cookieauth
  – sets REMOTE_USER

• No ARF needed if you already get data from CAH

• Apps requiring M Key can use AuthnContext to ask for and check for it

Page 14: Gotchas

• Shib signs/encrypts assertions
  – Uses certs in metadata to carry keys
  – Shib ONLY looks at keys, not rest of cert
    • Ignores expiration
    • Doesn’t validate CA
  – These are NOT the same certs/keys used for your browser-facing HTTPS port (443)

Page 15: Gotchas

• entityID looks like a URL but isn’t
  – It’s a URI, being used as a name
  – Handy to use as URL sometimes (metadata)
  – Use a domain you control to facilitate self-managed metadata someday

Page 16: Other SAML Implementations

• simpleSAMLphp (PHP)

• OIOSAML (Java)

• ADFSv2 (gateway to WS-*)
  – Preferred method for Sharepoint 2010

• WIF SAML extension (for .NET apps)
  – MSDN blog entry: http://z.umn.edu/3n3

• OpenAM - formerly OpenSSO

Page 17: Federating your application

• Lets your app allow users to log in from other places

• Can do simple bilateral setups or get listed in a federation like InCommon (ask us)

• Use a federatable identifier instead of Internet ID or umnDID for primary key
  – eduPersonTargetedID
  – eduPersonPrincipalName (ID+scope e.g. [email protected])
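An added example (not from the slides) tying together pages 10, 13 and 17: a WSGI app bootstraps its own session from the SP's environment, keys the user on a federatable identifier rather than a local uid, and checks the asserted AuthnContext when a stronger login is required. Variable names follow the SP's default attribute-map.xml and Shib-* variables; the M Key AuthnContext URI and all sample values are constructed placeholders.

```python
# Added example, not from the slides: bootstrapping an app session from the
# attributes the Shib SP exposes to a WSGI app. Names follow the SP's default
# attribute-map.xml (eppn, persistent-id, unscoped-affiliation) and its Shib-*
# variables; the M Key AuthnContext URI below is a placeholder, not UMN's value.

MKEY_AUTHN_CONTEXT = "urn:example:PLACEHOLDER-mkey-authncontext"

class ShibError(Exception):
    pass

def _values(environ, name):
    """Multi-valued SP attribute as a list (the SP joins values with ';')."""
    return [v for v in environ.get(name, "").split(";") if v]

def identity_from_environ(environ, require_mkey=False):
    """Build the app's identity record from SP-populated environment variables.
    Prefers federatable identifiers (eppn, then eduPersonTargetedID as
    persistent-id) over a local uid; optionally checks the asserted AuthnContext."""
    if not environ.get("Shib-Session-ID"):
        # Lazy session and no login yet: the app must send the user to /Shibboleth.sso/Login.
        raise ShibError("no Shibboleth session")
    eppn = _values(environ, "eppn")
    targeted = _values(environ, "persistent-id")
    if eppn:
        key_kind, key = "eppn", eppn[0]
    elif targeted:
        key_kind, key = "persistent-id", targeted[0]
    else:
        raise ShibError("no federatable identifier released (check attribute release/ARF)")
    scope = key.rsplit("@", 1)[1] if key_kind == "eppn" and "@" in key else None
    if require_mkey and environ.get("Shib-AuthnContext-Class") != MKEY_AUTHN_CONTEXT:
        raise ShibError("IdP did not assert the required AuthnContext class")
    return {"key_kind": key_kind, "key": key, "scope": scope,
            "remote_user": environ.get("REMOTE_USER"),
            "idp": environ.get("Shib-Identity-Provider"),
            "affiliations": _values(environ, "unscoped-affiliation")}

# Constructed sample of the SP environment after login (not a real capture).
SAMPLE_ENVIRON = {
    "Shib-Session-ID": "_constructed-session-id",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "Shib-AuthnContext-Class": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "eppn": "jdoe@example.edu",
    "persistent-id": "https://idp.example.edu/idp/shibboleth!https://sp.example.edu/shibboleth!abc123",
    "unscoped-affiliation": "member;staff",
    "REMOTE_USER": "jdoe@example.edu",
}
```

Store the returned `key` (with `key_kind`) as the app's primary key; under a lazy session the `ShibError` on a missing session is the cue to redirect to the SP's login handler.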

Page 18: Looking Ahead

• Single logout support

• User consent for attribute release

• Self-managed metadata for departments

Page 19: Resources

• U of M Shib wiki: https://wiki.umn.edu/ShibAuth

• Official Shib wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/Home

• Shib mailing list: [email protected]

  – Best place for general questions about Shib SP installation/configuration
  – Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

Page 20: Questions?

• Identity Management - [email protected]

• Or call Chris at 5-1809