Shibboleth Service Provider Workshop Bart Ophelders - Philip Brusten [email protected] June 2010


Shibboleth Service Provider Workshop

Bart Ophelders - Philip Brusten

[email protected] June 2010

3

Acknowledgements

• What's new in Shibboleth 2 – Chad La Joie
• [SAMLConf] http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
• Liberty interoperability testing: http://projectliberty.org/liberty/liberty_interoperable/implementations
• Shibboleth 2.0 InstallFest Service Provider Material – Ann Arbor, MI
• SP Hands-on Session – SWITCH
• https://spaces.internet2.edu/display/SHIB2

4

Program

• Introduction: “What is Shibboleth?”
• Shibboleth 2.x: “What has changed?”
• Concept of Federation
• Resource Registry
• A word on ADFS
• Installation
• Bootstrapping SP
• Configuration

5

Introduction: “What is Shibboleth?”

• Quote from http://shibboleth.internet2.edu:

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

6

Introduction: “What is Shibboleth?”

• Terminology

– Authentication: says who we are

– Authorization: says which resource we can access

– SP: Service Provider (Resource)

– IdP: Identity Provider (Home organisation)

– WAYF: Where Are You From

– DS: Discovery Service

7

Architecture Shibboleth v1.3

[Diagram: User Agent/Browser, WAYF, Identity Provider (webserver running the Identity Provider software) and Service Provider (webserver with Shibboleth module, Shibboleth service and protected document x); arrows distinguish HTTP redirects from HTTP interactions]

Components:
Identity Provider (IdP) – Service Provider (SP) – Where Are You From (WAYF) – User Agent (UA)

8

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

SAML1.1 profile: Browser/Artifact

Initial request from UA to document X

No active Shibboleth session, UA redirected to WAYF

9

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

WAYF asks UA to choose an IdP (if not already set in cookie)

Redirect UA to selected IdP

10

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

IdP prompts the UA for credentials (Username/Password, x509, digipass, etc).

IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)

11

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

IdP resolves attributes for the authenticated principal and creates SAML assertion (authentication & attribute statement)

Redirects UA with references to these assertions (Artifacts).

12

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

Shibboleth service or daemon dereferences the Artifacts on a secure backchannel with SSL mutual authentication. Invisible for the UA.

13

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

The Shibboleth service verifies and filters the information and gives it to the Shibboleth module (via RPC or TCP). The Shibboleth module or Webserver will authorise the principal.

14

Architecture Shibboleth v1.3

[Diagram: Shibboleth v1.3 components – User Agent/Browser, WAYF, Identity Provider, Service Provider and a second Service Provider (Service Provider 2), each with webserver, Shibboleth module, Shibboleth service and document x; arrows mark HTTP redirects and HTTP interactions]

The active sessions with every component will provide the single sign-on experience.

15


Shibboleth 2.x: “What has changed?”

• General
  – SAML2 protocols
    • Authentication Request Protocol (SP initiated)
      – Force re-authentication
      – Passive authentication
    • Assertion Query and Request Protocol
    • Artifact Resolution Protocol
    • Single Logout Protocol (not supported by the IdP yet)
    • NameID Management Protocol
    • NameID Mapping Protocol
  – Encryption and signing of sensitive information
  – Distributed configuration (pull)
    • Federation Metadata
    • Attribute-map
    • Attribute-filter

17

Shibboleth 2.x: “What has changed?”

• Identity Provider
  – Own authentication modules
    • LDAP
    • Kerberos
    • IP-based
    • PreviousSession (SSO)
    • REMOTE_USER (cfr. CAS)
  – No SAML2 force authentication
  – Very flexible attribute resolving
  – Very flexible attribute filtering (with constraints)
  – Clean audit logs
  – etc.

18

Shibboleth 2.x: “What has changed?”

• Discovery Service
  – Successor of WAYF
  – SAML2 Identity Provider Discovery Profile
  – Multi-federation support

19

Shibboleth 2.x: “What has changed?”

• Service Provider
  – Multi-protocol support
  – New attribute filtering policy language
  – Support for ODBC based storage of state
  – Significant performance improvements

20

Architecture Shibboleth v2.x

[Diagram: Shibboleth v2.x components – User Agent/Browser, DS, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

SAML2.0 profile: Web browser SSO + HTTP POST binding

Initial request from UA to document X

No active Shibboleth session, UA redirected to DS

21

Architecture Shibboleth v2.x

[Diagram: Shibboleth v2.x components – User Agent/Browser, DS, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

DS asks UA to choose an IdP (if not already set in cookie)

Redirect UA back to SP with selected IdP as parameter.

SP takes back control

22

Architecture Shibboleth v2.x

[Diagram: Shibboleth v2.x components – User Agent/Browser, DS, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

SP sends SAML Authentication request to the IdP. IdP prompts the UA for credentials, if necessary.

IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)

23

Architecture Shibboleth v2.x

[Diagram: Shibboleth v2.x components – User Agent/Browser, DS, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

The IdP resolves and filters the principal’s attribute information and constructs a SAML assertion. This assertion can optionally be signed and/or encrypted. Next, the IdP POSTs a response to the SP.

SAML response
• Authentication statement
• Attribute statement

24

Architecture Shibboleth v2.x

[Diagram: Shibboleth v2.x components – User Agent/Browser, DS, Identity Provider, Service Provider (webserver, Shibboleth module, Shibboleth service, document x); arrows mark HTTP redirects and HTTP interactions]

The Shibboleth service decrypts, verifies and filters the response and gives it to the Shibboleth module (via RPC or TCP). The Shibboleth module or Webserver will authorise the principal.

No callback!

25

Architecture Shibboleth v2.x

[Diagram: Shibboleth v2.x components – User Agent/Browser, DS, Identity Provider, Service Provider and a second Service Provider (Service Provider 2), each with webserver, Shibboleth module, Shibboleth service and document x; arrows mark HTTP redirects and HTTP interactions]

Again, the active sessions with every component will provide the single sign-on experience.

26


Concept of Federation

• Group of entities, both IdPs and SPs.
• Can map on existing Associations (e.g.: BELNET, Associatie K.U.Leuven, K.U.Leuven, etc)

[Diagram: Federation K.U.Leuven (K.U.Leuven with App X, App Y, App Z) next to Federation Associatie K.U.Leuven (K.U.Leuven, Toledo, W&K with App Z)]

28

Concept of Federation

• Benefits
  – Scalable
  – Simplifies things
  – WAYF service (IdP discovery)
• Metadata
  – Describes entities (protocol support, contact information, etc)
  – PKI management
  – Trust
    • Since Shibboleth v2.x = single point of trust
  – Digitally signed
  – http://shib.kuleuven.be/download/metadata

29


Resource Registry

• Metadata management tool
  – Based on open source from SWITCH and modified by INTIENT and K.U.Leuven
• Adapted for K.U.Leuven
• Multi-federation support
• Identity Provider 1-many link
• Service Provider 1-many link

31

Resource Registry

32

Resource Registry

• For now only internal use
• In a later stage available for:
  – Resource Registry Administrators
    • To approve resources from a certain IdP
  – Resource Administrators
    • For administering SP information (self-service)
  – Home Organisation Administrators
    • For administering IdP information (self-service)
  – Federation Administrators
    • Signing metadata file
• Roles can be assigned independently

33

Resource Registry

• Currently hosting:
  – Federation K.U.Leuven
  – Federation Associatie K.U.Leuven
  – Federation K.U.Leuven – UZLeuven
  – Test federation K.U.Leuven

34


A word on ADFS

• Active Directory Federation Services v1
  – Part of Microsoft Windows Server 2003 R2
  – WS-Federation Passive Requester Profile (WS-F PRP)
  – Shibboleth v1.3 has implemented the “WS-Federation: Passive Requestor Interoperability Profile” specification for both IdP & SP
  – Two ways of working
    • NT-Token based
    • Claim based

36

A word on ADFS

• E.g. Implementation at K.U.Leuven

[Diagram: the K.U.Leuven IdP (webserver running the Identity Provider software) and the ADFS Federation Service (FS) with K.U.Leuven as account partner; the resources OWA, EVault, Sharepoint, etc. sit behind ADFS Web Agents, each with a TRUST relation to the FS]

37

A word on ADFS

38

A word on AD FS 2.0

• Version 2.0
• Officially released on 5 May 2010
• Windows Server 2008 and Windows Server 2008 R2
• Only claims based
• Compatible with ADFS v1.0
• Liberty Interoperable Implementation Tables
• SAML2.0 operational modes:
  – IdP lite
  – SP lite

39

A word on AD FS 2.0

40

A word on AD FS 2.0

41

A word on AD FS 2.0

[Diagram: User with Browser or Client and CardSpace 2.0; Identity Providers (STS, Windows Live ID, Other) across the Internet; Application built on WIF]

1) Access application and learn token requirements
2) Select an identity that matches those requirements
3) Authenticate user and get token for selected identity
4) Submit token
5) Use claims in token

Shamelessly copied from David Chappell’s presentation at TechEd 2009

42


Environment

• RedHat Enterprise Linux 5.5 (Tikanga)

• Debian 5.0 (Lenny)

• Windows Server 2008 R2

• Username: “shib” / “root”
• Passwords: “P@ssw0rd”
• Remote Access
  – Linux: ssh
  – Windows: Remote desktop

44

Environment

• RedHat Enterprise Linux 5.5 (Tikanga)
  – 8 virtual machines
  – DNS: worksh-rh-N.cc.kuleuven.be
  – IP: 10.2.4.N
• Debian 5.0 (Lenny)
  – 4 virtual machines
  – DNS: worksh-db-N.cc.kuleuven.be
  – IP: 10.2.4.2N
• Windows Server 2008 R2
  – 10 virtual machines
  – DNS: worksh-w8-N.cc.kuleuven.be
  – IP: 10.2.4.4N + 10.2.4.50

45

Environment

• Shibboleth IdP
  – DNS: worksh-idp.cc.kuleuven.be
  – IP: 10.2.4.9
  – https://worksh-idp.cc.kuleuven.be/idp/status (only accessible through VMs: 10.2.4.0/24)

46

Environment

• Shibboleth standard base: http://shib.kuleuven.be/ssb_sp.shtml
• $WORKSH_HOST = worksh-[rh|db|w8]-N.cc.kuleuven.be

47

Environment

• Key/Certificate generation - We’ve done it for you
  – Webserver
    • Located at $PKI
    • Signed by TerenaSSL CA
  – Shibboleth SP
    • Self-signed
    • worksh-idp.cc.kuleuven.be: /home/shib/ShibbolethSPWorkshop/certificates/shibboleth-sp
    • Certificate: sp-[rh|db|w8]-N-cert.pem
    • Key: sp-[rh|db|w8]-N-key.pem
    • Save at $PKI
• Test certificates

openssl x509 -in $cert -issuer -noout

48

SSL certificates

• Use of self-signed certificates in backend
  – No need for commercial certificates
  – Longer lifetime
  – No truststore to maintain for commercial CAs
  – Revocation (just remove certificate)
  – Trustbase of commercial signed certificates can become quite large
  – Separate certificate for front- and backend

49

Environment

• Tools
  – An absolute must: Syntax friendly editor
    • RHEL: vim
    • Debian: vim
    • Windows: notepad++ or SciTE
  – HTTP client
    • RHEL: links
    • Debian: links
    • Windows: local browser
  – SCP or WinSCP
• Check your time now!
• Always work case sensitive!

$ apt-get install vim

50

Installation - Overview

[Diagram: IIS (with the Shibboleth ISAPI filter) and Apache (with mod_auth, mod_shib, mod_ssl, ...) each expose the Shibboleth handler at /Shibboleth.sso and talk to the Shibboleth service (shibd) over RPC port 1600 or a Unix socket]

51

RHEL webserver

– DocumentRoot: /var/www/html ($DOCROOT)
– Configuration: /etc/httpd
– Logs: /var/log/httpd ($WEB_LOG)
– ServerName
– Start/Stop service

$ yum install httpd mod_ssl php

$ service httpd start
$ service httpd status
httpd (pid ####) is running…

$ vim /etc/httpd/conf/httpd.conf
Line 265:
ServerName $WORKSH_HOST

52

RHEL webserver

• Prepare test application

$ mkdir /var/www/html/secure
$ vim /var/www/html/secure/index.php

<?php
// Redirect every visitor to the SP's session handler, which shows the attributes of the current session
header('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session');
?>

53

RHEL webserver - SSL

$ vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/$WORKSH_HOST.pem
SSLCertificateKeyFile /etc/pki/$WORKSH_HOST.key
SSLCertificateChainFile /etc/pki/terenasslchain.crt

$ service httpd configtest
$ service httpd restart
$ openssl s_client -connect localhost:443

54

Debian webserver

– DocumentRoot: /var/www ($DOCROOT)
– Configuration: /etc/apache2
– Logs: /var/log/apache2 ($WEB_LOG)
– ServerName
– Start/Stop service

$ apt-get install libapache2-mod-php5

$ apache2ctl start
$ apache2ctl status

$ vim /etc/apache2/sites-available/default
$ vim /etc/apache2/sites-available/default-ssl
Line 2, add:
ServerName $WORKSH_HOST

55

Debian webserver

• Prepare test application

$ mkdir /var/www/secure
$ vim /var/www/secure/index.php

<?php
// Redirect every visitor to the SP's session handler, which shows the attributes of the current session
header('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session');
?>

56

Debian webserver - SSL

$ a2enmod ssl
$ vim /etc/apache2/sites-available/default-ssl

SSLCertificateFile /etc/pki/$WORKSH_HOST.pem
SSLCertificateKeyFile /etc/pki/$WORKSH_HOST.key
SSLCertificateChainFile /etc/pki/terenasslchain.crt

$ a2ensite default-ssl
$ apache2ctl configtest
$ /etc/init.d/apache2 restart
$ openssl s_client -connect localhost:443

57

Windows Server 2008 - Apache

– Download: http://httpd.apache.org : Win32 Binary including OpenSSL 0.9.8m (MSI Installer)
– DocumentRoot: c:\htdocs ($DOCROOT)
– Configuration: c:\Apache2.2
– Logs: c:\Apache2.2\logs ($WEB_LOG)
– ServerName
– Start/Stop service using the Apache monitor in the tray

C:\Apache2.2\conf\httpd.conf
Line 171:
ServerName $WORKSH_HOST

58

Windows Server 2008 - Apache

• Prepare test application
• Create index.html file

$ mkdir C:\htdocs\secure

<html>
<head>
<title>redirect</title>
<meta http-equiv="REFRESH" content="0;url=/Shibboleth.sso/Session">
</head>
</html>

59

Windows Server 2008 – Apache - SSL

c:\Apache2.2\conf\httpd.conf

LoadModule ssl_module modules/mod_ssl.so
[..]
Include conf/extra/httpd-ssl.conf
#Include c:/opt/shibboleth-sp/etc/shibboleth/apache22.config

c:\Apache2.2\conf\extra\httpd-ssl.conf

SSLCertificateFile c:/pki/$WORKSH_HOST.pem
SSLCertificateKeyFile c:/pki/$WORKSH_HOST.key
SSLCertificateChainFile c:/pki/terenasslchain.crt

• Restart Apache2.2 via the tray

$ openssl s_client -connect localhost:443

60

Windows Server 2008 - IIS

• IIS – Server Manager: Add Web Server (IIS) Role with
  • ASP.NET
  • ASP
  • IIS 6 Management compatibility
  • ISAPI filter
  • ISAPI extensions
  • IIS Management console
  • IIS Management Scripts and Tools (Powershell)
– Documents: c:\inetpub\wwwroot\ ($DOCROOT)

$ net start w3svc

61

Windows Server 2008 - IIS

• Prepare test application
• Create Default.asp file

$ mkdir C:\inetpub\wwwroot\secure

<%
Response.Redirect "/Shibboleth.sso/Session"
%>

62

Windows Server 2008 – IIS - SSL

• Import certificate

$ certutil -p changeit -importpfx c:\pki\$WORKSH_HOST.p12

• Or use MMC Certificate snap-in

$ Get-ChildItem cert:\LocalMachine\My

63

Windows Server 2008 – IIS - SSL

• Configure IIS: right click website, Edit bindings

64

Windows Server 2008 – IIS - SSL

• Add..

• Select SSL certificate

• Result

65

Shibboleth SP installation

$ cd /etc/yum.repos.d
$ wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo
$ yum install shibboleth[.x86_64]
(Accept GPG key 0x7D0A1B3D)

Files provided by the RPM:
/etc/httpd/conf.d/shib.conf
/etc/rc.d/init.d/shibd

• Certificates
• Done by RPM after installation

$ cp $PKI/sp-rh-N-cert.pem $SHIB_CONF/sp-cert.pem
$ cp $PKI/sp-rh-N-key.pem $SHIB_CONF/sp-key.pem
$ service shibd start

66

Shibboleth SP installation

$ cd /etc/apt/sources.list.d/
$ vim lenny-backports.list

deb http://www.backports.org/debian lenny-backports main contrib non-free

$ apt-get update
$ apt-get install debian-backports-keyring
$ apt-get update
$ apt-get -t lenny-backports install libapache2-mod-shib2

$ cp $PKI/sp-db-N-cert.pem $SHIB_CONF/sp-cert.pem
$ cp $PKI/sp-db-N-key.pem $SHIB_CONF/sp-key.pem
$ chown _shibd $SHIB_CONF/sp-key.pem

67

Shibboleth SP installation

• Configuration files provided by deb packages
/etc/apache2/mods-available/shib2.load
/etc/init.d/shibd

• Create /etc/apache2/mods-available/shib2.conf

<Location /secure>
AuthType shibboleth
require shibboleth
</Location>

$ a2enmod shib2
$ /etc/init.d/shibd restart
$ /etc/init.d/apache2 restart

68

Shibboleth SP installation

• Download MSI packet from http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/
• Run shibboleth-sp-2.3.1-win32.msi

69

Shibboleth SP installation

70

Shibboleth SP installation

71

Shibboleth SP installation

72

Shibboleth SP installation

73

Shibboleth SP installation

74

Shibboleth SP installation

75

Shibboleth SP installation

• After installation it is better to restart the OS
• Copy the self-signed keypair

$ copy $PKI/sp-w8-N-cert.pem $SHIB_CONF/sp-cert.pem
$ copy $PKI/sp-w8-N-key.pem $SHIB_CONF/sp-key.pem

• Restart Shibboleth service

76

Sanity checks

• Shibboleth ISAPI filter must be the first in the ‘ordered list’

77

Sanity checks

• Access Shibboleth handler from your browser: https://$WORKSH_HOST/Shibboleth.sso
• Access session handler from your browser: https://$WORKSH_HOST/Shibboleth.sso/Session
  A valid session was not found.
• See how a Shibboleth error looks like: https://$WORKSH_HOST/Shibboleth.sso/Foo

78


Bootstrapping the SP

Goals:

1. Working SP against a single IdP

2. Enable debugging of session attributes

3. Avoid clock complaints

80

Bootstrapping the SP

• Choose your entityID

https://$WORKSH_HOST

• Should be:
  – Unique
  – Locally scoped
  – Logical representative
  – Unchanging
• Seen on the wire, configuration files, metadata, log files, etc

81

Bootstrapping the SP

• Relax some requirements, set your entityID and default IdP entityID
$SHIB_CONF/shibboleth2.xml

logger="syslog.logger" clockSkew="1800000">

<ApplicationDefaults id="default" policyId="default" entityID="https://$WORKSH_HOST"

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://worksh-idp.cc.kuleuven.be"

<Handler type="Session" Location="/Session" showAttributeValues="true"/>

<Host name="$WORKSH_HOST" redirectToSSL="443">

82

Bootstrapping the SP

• Provide metadata remotely from test IdP
$SHIB_CONF/shibboleth2.xml
Uncomment whole <MetadataProvider>
Comment <MetadataFilter>

<MetadataProvider type="Chaining">
<MetadataProvider type="XML" uri="https://worksh-idp.cc.kuleuven.be/idp-metadata.xml" backingFilePath="idp-metadata.xml" reloadInterval="3600"/>

• Backup at $SHIB_RUN
• Normally: Provide your SP’s metadata to IdP
  But, already done for you :-)
  – Metadata self-generated by your Service Provider
    https://$WORKSH_HOST/Shibboleth.sso/Metadata

83

Bootstrapping the SP

• For IIS:• Get site id (Run powershell as Administrator)

• Set correct site ID and name

<InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true"> <Site id="1" name=“$WORKSH_HOST"/>

$ Import-Module WebAdministration$ dir IIS:\Sites

85

Bootstrapping the SP – Quick test

• Make sure configuration works

$ shibd -tc $SHIB_CONF/shibboleth2.xml
WIN$ shibd -check $SHIB_CONF/shibboleth2.xml

Service Provider reloads shibboleth2.xml automatically when it changes

• Try it with a browser: https://$WORKSH_HOST/secure/
  /secure/ is protected by shibboleth2.xml (<RequestMap>)
  Login with shibN / P@ssw0rd
• Get session information: https://$WORKSH_HOST/Shibboleth.sso/Session
  (you should see various attributes)

86

Bootstrapping SP - Logout

• Local logout: https://$WORKSH_HOST/Shibboleth.sso/Logout
  This won’t delete your session on the IdP!
• Close the browser in order to remove ALL your session cookies
• Or delete session cookies using the browser or an extension, e.g.: Firefox Web Developer extension

87

Bootstrapping SP – Discovery Service

• Change the default SessionInitiator
$SHIB_CONF/shibboleth2.xml

<SessionInitiator type="Chaining" Location="/Login" isDefault="false" id="Intranet" relayState="cookie"

<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie" isDefault="true">
[…]
<SessionInitiator type="SAMLDS" URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/>
</SessionInitiator>

• Try again https://$WORKSH_HOST/secure/

88


Configuration

• Basic configuration
• Attribute handling
• Session Initiation
• Access control
• Adding a separate application
• Service provider handlers
• Session Initiators/Discovery

90

Basic configuration

Goals:

1. Understand purpose and structure of SP configuration files

2. Increase log level to DEBUG

3. Configure metadata and add signature verification

91

Important directories

• $SHIB_CONF
  – Master and supporting configuration files
  – Locally maintained metadata files
  – HTML templates (customize them to adapt look&feel to your application)
  – Logging configuration files (*.logger)
  – Credentials (certificates and private keys)
• $SHIB_RUN
  – UNIX socket
  – Remotely fetched files (metadata, attribute-map)
• $SHIB_LOG
  – shibd.log & transaction.log
• $WEB_LOG (written by Shibboleth module/ISAPI filter)
  – native.log

92

Configuration files in $SHIB_CONF

• shibboleth2.xml – main configuration file
• apache*.config – Apache module loading
• attribute-map.xml – attribute handling
• attribute-policy.xml – attribute filtering settings
• *.logger – logging configuration
• *Error.html – HTML templates for error messages
• localLogout.html – SP-only logout template
• globalLogout.html – single logout template

Recommendation: Adapting *.html files to match the look & feel of the protected application improves user experience.

93

shibboleth2.xml structure

Outer elements of the shibboleth2.xml configuration file

<OutOfProcess> / <InProcess>
<UnixListener> / <TCPListener>
<StorageService>
<SessionCache>
<ReplayCache>
<ArtifactMap>
<RequestMapper> – Needed for session initiation and access control
<ApplicationDefaults> – Contains the most important settings of your SP
<SecurityPolicies>

94

ApplicationDefaults structure

You are most likely to change something in here:
• <ApplicationDefaults>
  – <Sessions> Defines handlers and how sessions are initiated and managed
  – <Errors> Used to display error messages. Provide here logo, e-mail and CSS
  – <RelyingParty> (*) To modify settings for certain IdPs/federations
  – <MetadataProvider> Defines the metadata to be used by the SP
  – <TrustEngine> Which mechanisms to use for signature validation
  – <AttributeExtractor> Attribute map file to use
  – <AttributeResolver> Attribute resolver file to use
  – <AttributeFilter> Attribute filter file to use
  – <CredentialResolver> Defines certificate and private key to be used
  – <ApplicationOverride> (*) Can override any of the above for certain applications

95

Logging

• First thing to do in case of problems

• shibd.log and transaction.log written by shibd, native.log written by Shibboleth module/filter

• *.logger files contain predefined settings for output location and default logging level (INFO) along with useful categories to raise to DEBUG

• Log time is in UTC (~GMT)

96

Logging

• Raise categories

$ vim $SHIB_CONF/shibd.logger

log4j.rootCategory=DEBUG, shibd_log

• To implement *.logger changes:

$ touch shibboleth2.xml
$ tail -f /var/log/shibboleth/shibd.log

• Try again https://$WORKSH_HOST/secure/

97

Metadata features

• Metadata describes the other components (IdPs) that the Service Provider can communicate with

• Four primary methods built-in:
  – Local file (you manage it)
  – Remote file (periodic refresh, local backup)
  – Dynamic resolution of entityID (=URL)
  – "Null" source that disables security (“OpenID” model)
• Security comes from metadata filtering, either by you or the SP:
  – Signature verification
  – White and blacklists

98

Signature verification

• The Test IdP's metadata is signed. Until now, it was loaded without checking, which is not secure and not recommended!
• First, increase security:
$SHIB_CONF/shibboleth2.xml
Uncomment MetadataFilter for signature verification:

<MetadataProvider type="XML" […] uri="https://worksh-idp.cc.kuleuven.be/idp-metadata.xml">
  <MetadataFilter type="Signature" certificate="sp-cert.pem"/>
</MetadataProvider>

99

Signature verification

• Run:

$ shibd -tc $SHIB_CONF/shibboleth2.xml
WIN$ shibd -check $SHIB_CONF\shibboleth2.xml

… and in the output you will see:

WARN OpenSAML.MetadataFilter.Signature [3]: filtering out group at root of instance after failed signature check:
ERROR OpenSAML.Metadata.Chaining [3]: failure initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance.

• Metadata could not be loaded because it was signed with a different key (we “broke” the setup). So, let’s get the right key…

100

Signature verification

• Get certificate from IdP:

$ cd $SHIB_CONF
$ wget https://worksh-idp.cc.kuleuven.be/worksh-idp.cc.kuleuven.be.pem

• Then fix it:
$SHIB_CONF/shibboleth2.xml

<MetadataProvider type="XML" […] >
  <MetadataFilter type="Signature" certificate="worksh-idp.cc.kuleuven.be.pem"/>
</MetadataProvider>

• Run again

$ shibd -tc $SHIB_CONF/shibboleth2.xml
WIN$ shibd -check $SHIB_CONF\shibboleth2.xml
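The "Metadata features" and "Signature verification" slides describe metadata as the SP's single point of trust: the MetadataProvider chain loads it, and MetadataFilter children decide which entities survive. The following is an added example, not code from the workshop or from the Shibboleth project, that parses a constructed SAML 2.0 metadata document the way the SP consumes it (IdP roles only, SingleSignOnService endpoints, shibmd:Scope values, published signing keys) and chains filters over the result. The Whitelist and Blacklist filters mirror the MetadataFilter types of the same name; the signing-key check is a sanity check added here and not a Shibboleth filter type; the XMLDSig verification done by the Signature filter is not reproduced, and the certificate in the sample is a placeholder, not a real key.

```python
"""Parse SAML 2.0 metadata the way an SP's <MetadataProvider> chain uses it, then apply
metadata filters. Added example, not Shibboleth code: the metadata document below is
constructed (the certificate is a placeholder, not a real key), the whitelist/blacklist
filters mirror the slides' filter types, and the signature check is not reproduced."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
NS = {"md": MD, "ds": DS, "shibmd": SHIBMD}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed federation metadata: one IdP with a published signing key and a scope,
# one IdP without any key, and one SP (which must never be offered as an IdP).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" xmlns:shibmd="{SHIBMD}">
  <md:EntityDescriptor entityID="https://worksh-idp.cc.kuleuven.be">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">kuleuven.be</shibmd:Scope></md:Extensions>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://worksh-idp.cc.kuleuven.be/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://worksh-idp.cc.kuleuven.be/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://worksh-rh-1.cc.kuleuven.be">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="{HTTP_POST}" index="1"
        Location="https://worksh-rh-1.cc.kuleuven.be/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_idps(metadata_xml):
    """Return {entityID: {"sso": {binding: location}, "scopes": [...], "signing_keys": n}}
    for every entity that publishes an IDPSSODescriptor; other roles (SPs) are skipped."""
    idps = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        role = ed.find("md:IDPSSODescriptor", NS)
        if role is None:
            continue
        # A KeyDescriptor without a use attribute is valid for signing and encryption.
        keys = [k for k in role.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
        idps[ed.get("entityID")] = {
            "sso": {s.get("Binding"): s.get("Location") for s in role.findall("md:SingleSignOnService", NS)},
            "scopes": [s.text for s in role.findall("md:Extensions/shibmd:Scope", NS)],
            "signing_keys": len(keys),
        }
    return idps


def whitelist(allowed):
    """Mirrors <MetadataFilter type="Whitelist">: keep only the listed entityIDs."""
    return lambda idps: {e: d for e, d in idps.items() if e in allowed}


def blacklist(blocked):
    """Mirrors <MetadataFilter type="Blacklist">: drop the listed entityIDs."""
    return lambda idps: {e: d for e, d in idps.items() if e not in blocked}


def require_signing_key(idps):
    """Sanity check added here (not a Shibboleth filter type): an IdP that publishes no
    signing key can never pass the SP's assertion signature check, so drop it early."""
    return {e: d for e, d in idps.items() if d["signing_keys"] > 0}


def load_metadata(metadata_xml, filters):
    """Chain the filters in order, as the SP applies the MetadataFilter children."""
    idps = parse_idps(metadata_xml)
    for metadata_filter in filters:
        idps = metadata_filter(idps)
    return idps


def sso_endpoint(idps, entity_id, binding=HTTP_REDIRECT):
    """Where the SessionInitiator sends the AuthnRequest for a chosen IdP, or None if the
    IdP is unknown after filtering or does not support that binding."""
    return idps.get(entity_id, {}).get("sso", {}).get(binding)
```

`load_metadata(SAMPLE_METADATA, [require_signing_key])` keeps only the workshop IdP, and `sso_endpoint` then returns its HTTP-Redirect SingleSignOnService location; the SP entity never appears because it has no IdP role. In the real SP the Signature filter runs first against the certificate named in the configuration, which is the point of the two slides above: with the wrong certificate the whole document is filtered out at the root and no IdP is trusted at all.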

101


Attribute handling

Goals:

1. Understand how attributes are transported

2. Learn how attributes are mapped and filtered

3. See how attributes can be used as identifiers

4. Add an attribute mapping and filtering rule

103

SP attribute terminology

• Push: Delivering attributes with SSO assertion via web browser
• Pull: Querying for attributes after SSO via back-channel (SP -> IdP)
• Extraction: Decoding SAML information into neutral data structures mapped to environment or header variables
• Filtering: Blocking invalid, unexpected, or unauthorized values based on application or community criteria
• Resolution: Resolving a SSO assertion into a set of additional attributes (e.g. queries)

104

Scoped attributes

• Common term for attributes that consist of a relation between a value and a scope, usually an organizational domain name
  E.g. affiliation = “[email protected]”
• Makes values globally usable or unique
• Lots of special treatment in Shibboleth to make them more useful and "safe"
• Alternatively, split value and scope into separate attributes: affiliation=“student” and homeOrganization=“kuleuven.be”

105

Attribute mappings

• SAML attributes from any source are "extracted" using the configuration rules in /etc/shibboleth/attribute-map.xml

• Each element is a rule for decoding a SAML attribute and assigning it a local id which becomes its mapped variable name

• Attributes can have one or more id and multiple attributes can be mapped to the same id

• The id can also be used as header name in the webserver for this attribute

106

Dissecting an Advanced Attribute Rule

• id: The primary "id" to map into, also used in web server environment
• aliases: Optional alternate names to map into
• name: SAML attribute name or NameID format to map from
• AttributeDecoder xsi:type: Decoder plugin to use (defaults to simple/string)
• caseSensitive: How to compare values at runtime (defaults to true)

<Attribute id="affiliation" aliases="aff affil" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
  <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>

https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeExtractor

107

Adding attribute mappings

• Add first and last name SAML 2 attribute mappings:
$SHIB_CONF/attribute-map.xml

<Attribute name="urn:oid:2.5.4.4" id="sn" aliases="surname"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>

• After saving, changes take effect immediately but NOT for any existing sessions
• Therefore, restart your browser (or delete your session cookies) and continue on next slide …

108

K.U.Leuven attribute mappings

• Attribute-map made compatible with 1.3 naming conventions
$SHIB_CONF/shibboleth2.xml

<!-- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/> -->
<AttributeExtractor type="XML" uri="https://shib.kuleuven.be/download/sp/2.x/attribute-map.xml" backingFilePath="attribute-map.xml" reloadInterval="7200"/>

109

Common identifiers

• Local userid/netid/uid (“intranet userid”), e.g. “u1234567”
  Usually readable, persistent but not permanent, often reassigned, not unique
• email address, e.g. [email protected]
  readable, persistent but not permanent, often reassigned, unique
• eduPersonPrincipalName, e.g. [email protected]
  readable, persistent but not permanent, can be reassigned, unique
• eduPersonTargetedID / SAML 2.0 persistent ID
  Not readable, semi-permanent, not reassigned, unique

110

Common identifiers

Legacy attribute placeholder for the SAML 2.0 persistent NameID format:
– opaque
– pairwise (IdP/SP)
– original motivation was privacy, but strongest features are lack of reassignment and immunity to name changes

In web server environment, persistentId=
https://worksh-idp.cc.kuleuven.be!https://worksh-rh-1.cc.kuleuven.be!stringupto256chars

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  NameQualifier="https://worksh-idp.cc.kuleuven.be"
  SPNameQualifier="https://worksh-rh-1.cc.kuleuven.be">
stringupto256chars
</saml:NameID>

111

REMOTE_USER

• Special single-valued variable that all web applications should support for container-managed authentication of a unique user.

• Any attribute, once extracted/mapped, can be copied to REMOTE_USER

• Multiple attributes can be examined in order of preference, but only the first value will be used.

• IIS does not support setting REMOTE_USER

• https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess

112

Changing REMOTE_USER

• If your application needs a remote user for authentication, you can simply make Shibboleth put an attribute (e.g. ”sn”) into REMOTE_USER:

$SHIB_CONF/shibboleth2.xml

REMOTE_USER="sn eppn persistent-id targeted-id"

• If sn attribute is available, it will be put into REMOTE_USER

• Attribute sn has precedence over eppn in this case

• This allows very easy “shibbolization” of some web applications
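As an added illustration of the two preceding slides (attribute mapping and REMOTE_USER precedence), not code from the workshop, the following Python model parses a constructed attribute-map.xml in the syntax shown above, maps incoming SAML attributes to the environment a web application sees (ids and aliases), and then resolves REMOTE_USER from an ordered preference list. The attribute map, the SAML attribute values and the user "u1234567" are constructed samples; the behaviour of dropping unmapped and unscoped values is this model's approximation of the real extractor.

```python
import xml.etree.ElementTree as ET

# Constructed sample attribute-map.xml; it follows the syntax shown on the
# slides and is not the workshop's own file.
ATTRIBUTE_MAP_XML = """
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
             id="affiliation" aliases="aff affil">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:2.5.4.4" id="sn" aliases="surname"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>
"""
NS = "{urn:mace:shibboleth:2.0:attribute-map}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def parse_attribute_map(xml_text):
    """Return {saml_name: (id, [aliases], scoped)} from an attribute-map document."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for attr in root.findall(NS + "Attribute"):
        decoder = attr.find(NS + "AttributeDecoder")
        scoped = decoder is not None and decoder.get(XSI_TYPE) == "ScopedAttributeDecoder"
        mapping[attr.get("name")] = (attr.get("id"), attr.get("aliases", "").split(), scoped)
    return mapping


def extract(mapping, saml_attributes):
    """Turn incoming SAML attributes (name -> list of values, scoped values already
    in value@scope form) into the environment the web application sees.
    Multi-valued attributes are joined with ';' as the SP does, aliases point at
    the same string, and attributes without a mapping are dropped (a model of the
    extractor, not the real code)."""
    env = {}
    for name, values in saml_attributes.items():
        if name not in mapping:
            continue
        attr_id, aliases, scoped = mapping[name]
        if scoped:
            # A scoped decoder has no use for a value that carries no scope.
            values = [v for v in values if "@" in v]
        if not values:
            continue
        joined = ";".join(values)
        for key in [attr_id] + aliases:
            env[key] = joined
    return env


def remote_user(env, preference):
    """Model of REMOTE_USER="sn eppn persistent-id targeted-id": the first listed
    attribute that is present wins, and only its first value is used."""
    for attr_id in preference.split():
        if env.get(attr_id):
            return env[attr_id].split(";")[0]
    return None
```

Running `extract()` on a response that carries `sn`, `eppn` and a two-valued scoped affiliation shows why the order in the REMOTE_USER list matters: with `sn` present the application sees a surname as its user id, and only when `sn` is absent does `eppn` get used.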

113

Attribute filtering

• Answers the "who can say what" question on behalf of an application

• Service Provider can make sure that only allowed attributes and values are made available to application

• Some examples:
– constraining the possible values or value ranges of an attribute (e.g. eduPersonAffiliation, telephoneNumber, ...)
– limiting the scopes/domains an IdP can speak for (e.g. university x cannot assert [email protected])
– limiting custom attributes to particular sources

114

Default filter policy

• As default, attributes are filtered out unless there is a rule!

• Shared rule for legal affiliation values

• Shared rule for scoped attributes

• Generic policy applying those rules and letting all other attributes through.

• Check $SHIB_LOG/shibd.log for signs of filtering in case of problems with attributes not being available. You would find something like “no rule found, removing all values of attribute (#attribute name#)“

https://spaces.internet2.edu/display/SHIB2/AFPAttributeFilterPolicy
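The following Python model, added here and not part of the workshop material, shows the default filter policy of the two previous slides in action: a shared rule for legal affiliation values, a shared rule that checks the scope of a scoped attribute against what the asserting IdP may speak for, and a generic "*" rule that lets everything else through. Removing the "*" rule reproduces the "no rule found" log line quoted above. The IdP scope table, the attribute values and the wording of the "removed N value(s)" message are constructed for the example; the real policy is in attribute-policy.xml.

```python
# Constructed IdP metadata for the example: the scopes (shibmd:Scope) each IdP
# is allowed to assert.  The IdP name is the workshop IdP from the slides.
IDP_SCOPES = {
    "https://worksh-idp.cc.kuleuven.be": {"kuleuven.be"},
}
LEGAL_AFFILIATIONS = {"member", "faculty", "student", "staff", "alum",
                      "affiliate", "employee", "library-walk-in"}


def affiliation_rule(value, idp):
    """Shared rule for legal eduPersonAffiliation values (case-insensitive)."""
    return value.lower() in LEGAL_AFFILIATIONS


def scoped_rule(value, idp):
    """Shared rule for scoped attributes: exactly one scope, and one the IdP may assert."""
    if value.count("@") != 1:
        return False
    return value.rsplit("@", 1)[1] in IDP_SCOPES.get(idp, set())


def scoped_affiliation_rule(value, idp):
    """eduPersonScopedAffiliation: both the scope and the affiliation must be legal."""
    return scoped_rule(value, idp) and affiliation_rule(value.split("@", 1)[0], idp)


# Default policy as the slide describes it: shared rules for affiliation and
# scoped attributes, plus a generic "*" rule letting every other attribute through.
DEFAULT_RULES = {
    "unscoped-affiliation": affiliation_rule,
    "affiliation": scoped_affiliation_rule,
    "eppn": scoped_rule,
    "*": lambda value, idp: True,
}


def filter_attributes(attrs, idp, rules, log):
    """Apply the policy to id -> [values] asserted by idp.  Attributes with no
    matching rule (and no "*" rule) are removed entirely; values failing their
    rule are dropped one by one.  shibd-style messages are appended to log."""
    out = {}
    for attr_id, values in attrs.items():
        rule = rules.get(attr_id, rules.get("*"))
        if rule is None:
            # Wording taken from the slide; this is what shibd.log shows.
            log.append(f"no rule found, removing all values of attribute ({attr_id})")
            continue
        kept = [v for v in values if rule(v, idp)]
        if len(kept) < len(values):
            # Message wording is this model's own, not shibd's.
            log.append(f"removed {len(values) - len(kept)} value(s) of attribute ({attr_id})")
        if kept:
            out[attr_id] = kept
    return out
```

The scope check is the part worth attention when debugging "missing attribute" complaints: an affiliation asserted for a domain the IdP's metadata does not list is silently dropped, exactly as the SP does, and only shibd.log tells you why.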

115

Configuration

• Basic configuration
• Attribute handling
• Session Initiation
• Access control
• Adding a separate application
• Service provider handlers
• Session Initiators/Discovery

116

Session initiation

Goals:

1. Learn how to initiate a Shibboleth session

2. Understand their advantages and disadvantages

3. Know where to require a session, what to protect

117

Content protection and session initiation

• Before access control (will be covered later on) can occur, a Shibboleth session must be initiated

• Session initiation and content protection go hand in hand

• Requiring a session means the user has to authenticate

• Only authenticated users can access protected content

118

Content protection settings

Protect hosts, directories, files or queries

• Apache: .htaccess (dynamic) or httpd.conf (static)

• Apache / IIS / other: RequestMap
  Requires Shibboleth to know the exact hostname
  Very powerful and flexible thanks to boolean/regex operations

• Try accessing https://$WORKSH_HOST/
  You should get access because the directory is not protected

https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl

119

Content protection with .htaccess

• Prepare the webserver (inside <Directory "$DOCROOT">):

AllowOverride AuthConfig

• Let’s protect the directory by requiring a Shibboleth session:

$ mkdir $DOCROOT/secure2
$ vim $DOCROOT/secure2/.htaccess

AuthType shibboleth
require shibboleth
ShibRequestSetting requireSession 1

Synonym for the last line (used in Shibboleth 1.3):

ShibRequireSession On

https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl

120

Test content protection rule

• Clear session and then access https://$WORKSH_HOST/secure2

• Authentication is enforced and access should be granted

• By now, all authenticated users get access

• Content protection with authorization will be covered later

121

Content protection with RequestMap

$SHIB_CONF/shibboleth2.xml

<Host name="$WORKSH_HOST" redirectToSSL="443">
  <Path name="secure2" authType="shibboleth" requireSession="true"/>
</Host>

$ vim $DOCROOT/secure2/.htaccess

AuthType shibboleth
require shibboleth

• The module (mod_shib or ISAPI filter) provides the request URL to shibd to process it

• Clearing the session and then accessing /secure2/ now, one is also forced to authenticate

122

RequestMap “Fragility”

• By default, Apache "trusts" the user’s web browser about what the requested hostname is and reports that value internally

• To illustrate the problem, try accessing this URL: https://$IP/secure2
  Script can be accessed unprotected/without a session… ?

• How to fix? Make Apache use the configured ServerName:

httpd.conf

UseCanonicalName On

• IIS: normalizeRequest
  https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

123

Other content settings

• Requesting types of authentication
– E.g. enforce X.509 user certificate authentication

• Redirect to SSL

• Custom error handling pages to use

• Redirection-based error handling
– In case of an error, redirect the user to a custom error web page with error message/type as GET arguments

• forceAuthn
– Disable single sign-on and force a re-authentication

• isPassive
– Check whether a user has an SSO session and, if so, automatically create a session on the SP without any user interaction

• Supplying a specific IdP to use for authentication

https://spaces.internet2.edu/display/SHIB2/NativeSPContentSettings

124

Lazy Sessions

• The mode of operation so far prevents an application from running without a login.

• Two other very common cases:
– Public and private access to the same resources
– Separation of application and SP session

• Semantics are: if a valid session exists, process it as usual (attributes in environment array, REMOTE_USER, etc.)
  But if a session does NOT exist or is invalid, ignore it and pass on control to the webserver/scripts

125

Lazy Sessions example

• Construct URL:
  https://$WORKSH_HOST/Shibboleth.sso/Login?target=https://$WORKSH_HOST/Shibboleth.sso/Session
– Shibboleth handler: https://$WORKSH_HOST/Shibboleth.sso
– Session Initiator: /Login
– Target location: ?target=https://$WORKSH_HOST/Shibboleth.sso/Session
– Other options: https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters

• Most parameters can come from three places, in order of precedence:
– Query string parameter to the Shibboleth handler
– A content setting (webserver config or RequestMap)
– <SessionInitiator> element

126

Lazy Sessions example

• IIS: RequestMap entry for secure3

• Save the PHP/ASP script from worksh-idp.cc.kuleuven.be: /home/shib/ShibbolethSPWorkshop/examples/lazy_session.[php|asp]
  at $DOCROOT/secure3/lazy_session.[php|asp]

$ vim $DOCROOT/secure3/.htaccess

AuthType shibboleth
require shibboleth

• Access https://$WORKSH_HOST/secure3/lazy_session.[php|asp]

127

Where to require a Shibboleth session

• Whole application with “required” Shibboleth session
– Easiest way to protect a set of documents
– No other authentication methods possible like this

• Whole application with “lazy” Shibboleth session
– Also allows for other authentication methods
– Authorization can only be done in the application

• Only the page that sets up the application session
– Well-suited for dual login
– Application can control session time-out
– Generally the best solution

128

Configuration

• Basic configuration
• Attribute handling
• Session Initiation
• Access control
• Adding a separate application
• Service provider handlers
• Session Initiators/Discovery

129

Access control

Goals:

1. Create some simple access control rules

2. Get an overview about the three ways to authorize users

3. Understand their advantages and disadvantages

130

Access control

• Two implementations are provided by the SP:
– .htaccess "require" rule processing
– XML-based policy syntax attached to content via RequestMap

• Third option: integrate access control into the web application

https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl

131

Access control

1.a httpd.conf
  + Easy to configure
  + Can also protect locations or virtual files
  + URL Regex
  - Only works for Apache
  - Not dynamic
  - Very limited rules

1.b .htaccess
  + Dynamic
  + Easy to configure
  - Only works for Apache
  - Only usable with “real” files and directories

2. XML AccessControl
  + Platform independent
  + Powerful boolean rules
  + URL Regex
  + Dynamic
  - XML editing
  - Configuration error can prevent SP from restarting

3. Application Access Control
  + Very flexible and powerful with arbitrarily complex rules
  + URL Regex Support
  - You have to implement it yourself
  - You have to maintain it yourself

132

1. Apache httpd.conf or .htaccess

• Work almost like the known Apache “require” rules

• Special rules:
– shibboleth (no authorization)
– valid-user (require a session, but NOT identity)
– user (REMOTE_USER as usual)
– group (group files as usual)
– authnContextClassRef, authnContextDeclRef

• Default is boolean "OR”, use ShibRequireAll for an AND rule

• Regular expressions supported using special syntax:

require affiliation staff
require sn bar
require mail ~ ^.*@(icts|law).kuleuven.be$
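To make the evaluation semantics of this slide concrete, here is a small Python model of how a set of Shibboleth `require` lines in .htaccess is decided. It is an added example, not the mod_shib implementation: it handles the special rules `shibboleth`, `valid-user` and `user`, the `~` regex syntax, multi-valued attributes, and the default OR versus ShibRequireAll AND. The assumption that a regex must match the whole attribute value, and the sample sessions and entitlement value, are this example's own.

```python
import re


def parse_require(line):
    """'require sn bar' -> ('sn', False, ['bar']);
    'require mail ~ ^.*$' -> ('mail', True, '^.*$')."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "require":
        raise ValueError(f"not a require rule: {line!r}")
    attr = parts[1]
    if len(parts) > 3 and parts[2] == "~":
        return attr, True, " ".join(parts[3:])
    return attr, False, parts[2:]


def rule_matches(rule, session):
    """session is None without a Shibboleth session, otherwise a dict
    id -> [values] (REMOTE_USER stored as a plain string)."""
    attr, is_regex, wanted = rule
    if attr == "shibboleth":          # no authorization at all
        return True
    if attr == "valid-user":          # needs a session, but no identity check
        return session is not None
    if session is None:
        return False
    if attr == "user":                # REMOTE_USER as usual
        values = [session["REMOTE_USER"]] if session.get("REMOTE_USER") else []
    else:
        values = session.get(attr, [])
    if is_regex:
        # Assumption of this model: the pattern must match the whole value,
        # which is consistent with the slides writing .*toledo.* rather than toledo.
        pattern = re.compile(wanted)
        return any(pattern.fullmatch(v) for v in values)
    # Several values may be listed on one line; any attribute value that
    # equals one of them satisfies the rule.
    return any(v in wanted for v in values)


def authorize(require_lines, session, require_all=False):
    """Default: boolean OR over all require lines; ShibRequireAll On -> AND."""
    results = [rule_matches(parse_require(line), session) for line in require_lines]
    return all(results) if require_all else any(results)
```

The `require_all=True` case is the one to keep in mind when writing rules: the same two lines that grant a staff member access under OR (via the entitlement) deny a student under AND, because a student has no entitlement.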

133

Side note: Aliases

• If in the attribute-map.xml file there is a definition like:

<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="Shib-EP-Affiliation" aliases="affiliation aff affil">[…]/>

• This allows using aliases in authorization rules, e.g.:

require affiliation staff
# instead of
require Shib-EP-Affiliation staff

• Aliases can also be used in the RequestMap

134

1. Example .htaccess file

• Require a user to be a staff member:

$DOCROOT/staff-only/.htaccess

AuthType Shibboleth
ShibRequestSetting requireSession 1
require unscoped-affiliation staff

• Access https://$WORKSH_HOST/staff-only with user “staff”, access should be granted

• Try the same with the “shibN” user, access should be denied

135

1. Advanced .htaccess file

• Require a user to be a student or to have an entitlement:

$ mkdir $DOCROOT/toledo
$ vim $DOCROOT/toledo/.htaccess

AuthType Shibboleth
ShibRequestSetting requireSession 1
require unscoped-affiliation student
require entitlement ~ .*toledo.*

• Access https://$WORKSH_HOST/toledo with users “student” and “staff”, access should be granted.

• Try again with “shibN”, access should be denied.

136

2. XML access control

• Can be used for access control independent of web server and operating system

• XML access control rules can be embedded inside the RequestMap or dynamically loaded from an external file.
  WARNING: a configuration error can bring down the entire webserver

• Same special rules as .htaccess, adds boolean operators (AND, OR, NOT)

137

2. XML access control example

• Same as the previous example but now with XML access control embedded in the RequestMap

$ vim $DOCROOT/toledo/.htaccess

AuthType Shibboleth
require shibboleth

$ vim $SHIB_CONF/shibboleth2.xml

<Host name="$WORKSH_HOST">
  [..]
  <Path name="toledo" authType="shibboleth" requireSession="true">
    <AccessControl>
      <OR>
        <RuleRegex require="entitlement">.*toledo.*</RuleRegex>
        <Rule require="unscoped-affiliation">student</Rule>
      </OR>
    </AccessControl>
  </Path>
</Host>
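The following Python model ties together the RequestMap slides above (content protection, the "fragility" slide, and this XML access control example). It is an added example and not the SP's own code: it parses a constructed RequestMap in the syntax of the slides, looks up content settings for a request by hostname and path (deepest matching Path wins), evaluates an embedded AccessControl tree (OR/AND/NOT, Rule, RuleRegex), and decides between "unprotected", "login", "granted" and "denied". The hostname is the workshop SP name taken from the persistent ID slide; the IP address 10.2.4.99, the sample sessions and the entitlement value are constructed. The unknown-host case shows why UseCanonicalName On matters: a RequestMap can only protect a hostname it knows.

```python
import re
import xml.etree.ElementTree as ET

# Constructed RequestMap in the syntax of the slides (not the workshop's file).
REQUEST_MAP_XML = """
<RequestMap applicationId="default">
  <Host name="worksh-rh-1.cc.kuleuven.be" redirectToSSL="443">
    <Path name="secure2" authType="shibboleth" requireSession="true"/>
    <Path name="toledo" authType="shibboleth" requireSession="true">
      <AccessControl>
        <OR>
          <RuleRegex require="entitlement">.*toledo.*</RuleRegex>
          <Rule require="unscoped-affiliation">student</Rule>
        </OR>
      </AccessControl>
    </Path>
  </Host>
</RequestMap>
"""


def lookup(request_map, host, path):
    """Walk Host -> Path elements; settings of deeper elements override shallower
    ones.  Returns (settings, AccessControl element or None); an unknown host
    yields (None, None), i.e. no content settings at all."""
    root = ET.fromstring(request_map)
    for h in root.findall("Host"):
        if h.get("name", "").lower() != host.lower():
            continue
        settings = {k: v for k, v in h.attrib.items() if k != "name"}
        acl = None
        node = h
        for segment in [s for s in path.split("/") if s]:
            child = next((p for p in node.findall("Path") if p.get("name") == segment), None)
            if child is None:
                break          # remaining segments inherit the settings so far
            settings.update({k: v for k, v in child.attrib.items() if k != "name"})
            if child.find("AccessControl") is not None:
                acl = child.find("AccessControl")
            node = child
        return settings, acl
    return None, None


def evaluate(node, session):
    """Recursively evaluate an AccessControl tree against id -> [values]."""
    tag = node.tag
    if tag == "AccessControl":
        return evaluate(list(node)[0], session)
    if tag == "OR":
        return any(evaluate(c, session) for c in node)
    if tag == "AND":
        return all(evaluate(c, session) for c in node)
    if tag == "NOT":
        return not evaluate(list(node)[0], session)
    attr = node.get("require")
    if attr == "valid-user":
        return session is not None
    values = (session or {}).get(attr, [])
    wanted = (node.text or "").strip()
    if tag == "RuleRegex":
        # Assumption of this model: the regex must match the whole value.
        pattern = re.compile(wanted)
        return any(pattern.fullmatch(v) for v in values)
    if tag == "Rule":
        # <Rule> may list several whitespace-separated acceptable values.
        return any(v in wanted.split() for v in values)
    raise ValueError(f"unsupported element <{tag}>")


def decide(request_map, host, path, session):
    """session is None when the user has no Shibboleth session.
    Returns 'unprotected', 'login', 'granted' or 'denied'."""
    settings, acl = lookup(request_map, host, path)
    if not settings or settings.get("requireSession") != "true":
        return "unprotected"
    if session is None:
        return "login"
    if acl is None or evaluate(acl, session):
        return "granted"
    return "denied"
```

Note the `decide()` result for a request that arrives under the bare IP address: the Host element does not match, so nothing is protected. That is precisely the situation the "fragility" slide demonstrates and UseCanonicalName On (or normalizeRequest on IIS) prevents, by making the web server hand shibd the configured name rather than whatever the client sent.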

138

3. Application managed access control

• The application can access and use Shibboleth attributes by reading them from the web server environment

• The attributes can then be used for authentication/access control/authorization

PHP:
if ($_SERVER['affiliation'] == 'staff') { grantAccess(); }

Perl:
if ($ENV{'affiliation'} eq 'staff') { &grantAccess(); }

ASP (JScript):
if (Request.ServerVariables("affiliation") == "staff") { grantAccess(); }

http://shib.kuleuven.be/download/sp/test_scripts/

139

3. Application managed access control

• Default is to use environment variables instead of HTTP headers (Apache)
– Cannot be manipulated in any way from outside

• Unfortunately not all webservers support a mechanism to create custom variables within the webserver (IIS, Sun/iPlanet)
  Solution:

AuthType shibboleth
ShibRequestSetting requireSession 1
require shibboleth
ShibUseHeaders On

140

Configuration

• Basic configuration
• Attribute handling
• Session Initiation
• Access control
• Adding a separate application
• Service provider handlers
• Session Initiators/Discovery

141

Adding a separate (Shibboleth) application

Goals:

1. Define another application

2. Protect new application

3. Know how to configure them if necessary

142

Terminology

• Service Provider (physical)
– An installation of the software on a server

• Service Provider/”Resource” (logical)
– Web resources viewed externally as a unit
– Each entityID identifies exactly one logical SP

• SP Application
– Web resources viewed internally as a unit
– Each applicationId identifies exactly one logical application
– A user session is bound to exactly one application

143

Virtualization concepts

• A single physical SP can host any number of logical SPs

– A logical SP can then include any number of "applications"

– Web virtual hosting is often related but is also independent

– Applications can inherit or override default configuration settings on a piecemeal basis

• Multiple physical SPs can also act as a single logical SP

– Clustering for load balancing and failover

144

Adding an application

• Goal: Add a second application with a different entityID living in its own virtual host

$SHIB_CONF/shibboleth2.xml

<RequestMap applicationId="default">
  <Host name="$IP" applicationId="alt"/>

[..]
  <ApplicationOverride id="alt" entityID="https://$IP"/>
</ApplicationDefaults>

145

Adding an application

• For the additional application, canonical names should be turned off again (unless you use vhosts):

httpd.conf

UseCanonicalName Off

• Test application: https://$IP/secure

• The IdP will throw an ERROR (entityID is not trusted)
  Error Message: SAML 2 SSO profile is not configured for relying party 'https://10.2.4.N'

• Check the logging in $SHIB_LOG/shibd.log and $WEB_LOG/native.log (DEBUG)
  You should see the new entityID

146

Adding an application

• <ApplicationOverride>
  Rule of thumb: any settings you don't override inside the element are inherited from the <ApplicationDefaults> element that surrounds the override.
– Limitations:
  You have to supply all the settings needed in the <Sessions> element because of the need to override the handlerURL.
  You do NOT have to redefine all of the handler child elements.

• The handlerURL MUST be unique for each SP and MUST map to the same applicationId

• Respect the XML sequence!

https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride

147

Clustering

• Configure multiple physical installations to share an entityID, and possibly credentials

• Configuration files often can be identical across servers that share an external hostname

• Session management:
– SP itself now clusterable via ODBC or memcached
– Host the shibboleth service on one system

148

Configuration

• Basic configuration
• Attribute handling
• Session Initiation
• Access control
• Adding a separate application
• Service provider handlers
• Session Initiators/Discovery

149

Service provider handlers

Goals:

1. Understand the idea of a handler

2. Get an overview about the different types of handlers

3. Know how to configure them if necessary

150

SP handlers

• "Virtual" applications inside the SP with API access:
– SessionInitiator (requests)
  E.g. /Shibboleth.sso/Login
– AssertionConsumerService (incoming SAML response)
  E.g. /Shibboleth.sso/SAML/POST
– LogoutInitiator (SP signout)
  E.g. /Shibboleth.sso/Logout
– SingleLogoutService (incoming SLO)
– ManageNameIDService (advanced SAML)
– ArtifactResolutionService (advanced SAML)
– Generic (diagnostics, other useful features)
  E.g. /Shibboleth.sso/Session, /Shibboleth.sso/Status, /Shibboleth.sso/Metadata

https://spaces.internet2.edu/display/SHIB2/NativeSPHandler

151

SP handlers

• The URL of a handler = handlerURL + the Location of the handler.
– e.g. for a virtual host testsp.example.org with a handlerURL of "/Shibboleth.sso", a handler with a Location of "/Login" will be https://testsp.example.org/Shibboleth.sso/Login

• Handlers aren’t always SSL-only, but usually should be (handlerSSL="true").

• Metadata basically consists of entityID, keys and handlers

• Handlers are never "protected" by the SP
– But sometimes by IP address (e.g. with acl="127.0.0.1")

152

Configuration

• Basic configuration
• Attribute handling
• Session Initiation
• Access control
• Adding a separate application
• Service provider handlers
• Session Initiators/Discovery

153

Session initiators/Discovery

Goals:

1. Understand the concepts of discovery/session initiation

2. Chains and protocol precedence

3. Overview about various discovery mechanisms

154

Session initiators / Discovery concepts

• Session initiator
  Handler that creates a SAML authN request for an IdP or uses a discovery mechanism to identify the IdP

• Discovery (in Shibboleth)
  Identifying the IdP of a particular user

• WAYF service
  Old name in Shibboleth for a particular way to do discovery

• Handler chain
  Sequence of handlers that share configuration and run consecutively until “something useful happens” or an error occurs

https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator

155

Intranet case

• Single IdP, multiple protocols, no discovery:

<SessionInitiator type="Chaining" Location="/Login" id="Intranet" isDefault="true" relayState="cookie"
    entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be">
  <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
  <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

• Protocol precedence is controlled by the order of the SessionInitiators within a chain

• Common properties defined at the top are inherited by the SessionInitiators in the chain

156

Change protocol precedence

• Example: switch the order of the chain

<SessionInitiator type="Chaining" Location="/Login" id="Intranet" isDefault="true" relayState="cookie"
    entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be">
  <SessionInitiator type="Shib1" defaultACSIndex="5"/>
  <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
</SessionInitiator>

• Still allows either protocol, but if the IdP supports the Shibboleth profile of SAML1, it will be preferred

157

Identity provider discovery

• Protocol SessionInitiators work when the IdP is known

• For consistency, discovery is implemented with alternate SessionInitiators that operate only when the IdP is NOT known

• A typical federated chain includes one or more "protocol" handlers followed by a single "discovery" handler at the end, like a safety net

158

Typical discovery methods

• External options:
– Older WAYF model, specific to Shibboleth/SAML1; the SP loses control if a problem occurs
– Newer SAMLDS model, recently standardized, supports multiple SSO protocols and allows the SP to control the process

• Internal options:
– Implemented by an application (e.g. Toledo)
– Followed by a redirect with the entityID:
  /Shibboleth.sso/Login?entityID=urn:mace:kuleuven.be:kulassoc:kuleuven.be
– Advanced "Cookie", "Form", and "Transform" SessionInitiators

159

Discovery service case (default)

• Multiple protocols, discovery via DS:

<SessionInitiator type="Chaining" Location="/DS" id="DS" isDefault="true" relayState="cookie">
  <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
  <SessionInitiator type="Shib1" defaultACSIndex="5"/>
  <SessionInitiator type="SAMLDS" URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/>
</SessionInitiator>

• Same as the intranet case, but omits the entityID and adds the safety net at the bottom

• The last SessionInitiator in the chain tells the DS to return the user to this location with a lazy session redirect that will invoke an earlier handler (SAML2 or Shib1) in the chain
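The chaining behaviour described on the intranet, precedence and discovery slides can be modelled in a few lines of Python. This is an added example, not the SP's SessionInitiator code: protocol handlers act only when the IdP is known and its metadata offers that profile, the SAMLDS handler acts only when no IdP is known, and the chain stops at the first handler that produces a result, so order equals precedence. The IdP entityID and DS URL are the ones on the slides; the IdP profile table, the SAML1-only IdP, the SP entityID and the request dictionaries are constructed, and the DS redirect uses the `entityID` and `return` parameters of the SAML IdP Discovery protocol in simplified form.

```python
from urllib.parse import urlencode

# Constructed sample metadata: which SSO profiles each IdP offers.  The first
# entityID is the one on the slides; the second is a made-up SAML1-only IdP.
IDP_PROFILES = {
    "urn:mace:kuleuven.be:kulassoc:kuleuven.be": {"SAML2", "Shib1"},
    "https://idp.saml1-only.example": {"Shib1"},
}
DS_URL = "https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"   # from the slide
SP_ENTITY_ID = "https://worksh-rh-1.cc.kuleuven.be/shibboleth"         # constructed


def protocol_initiator(profile):
    """Build a SAML2- or Shib1-style initiator.  It acts only when the IdP is
    known and its metadata offers this profile; otherwise it returns None,
    i.e. 'nothing useful happened' and the chain moves on."""
    def handler(request):
        idp = request.get("entityID")
        if idp is None or profile not in IDP_PROFILES.get(idp, set()):
            return None
        return {"action": "AuthnRequest", "protocol": profile, "idp": idp,
                "target": request["target"]}
    return handler


def samlds_initiator(request):
    """Discovery safety net: acts only when no IdP is known.  The DS is told to
    return the user to this chain's Location with the chosen entityID, so the
    protocol handlers earlier in the chain get a second run (simplified)."""
    if request.get("entityID") is not None:
        return None
    return_url = request["location"] + "?" + urlencode({"target": request["target"]})
    query = urlencode({"entityID": SP_ENTITY_ID, "return": return_url})
    return {"action": "redirect", "protocol": "SAMLDS", "url": DS_URL + "?" + query}


def run_chain(chain, request):
    """Run handlers in order until one produces a result, as a Chaining
    SessionInitiator does.  Returns None when no handler could act (the real
    SP reports an error at that point)."""
    for handler in chain:
        result = handler(request)
        if result is not None:
            return result
    return None


SAML2 = protocol_initiator("SAML2")
SHIB1 = protocol_initiator("Shib1")
INTRANET_CHAIN = [SAML2, SHIB1]               # slide: single IdP, no discovery
SHIB1_FIRST_CHAIN = [SHIB1, SAML2]            # slide: switched protocol precedence
DS_CHAIN = [SAML2, SHIB1, samlds_initiator]   # slide: discovery service case
```

Two results are worth checking by hand: a SAML1-only IdP is served by the Shib1 handler even when SAML2 is listed first (the SAML2 handler has nothing to offer and yields), and the intranet chain returns nothing for an unknown IdP because it has no discovery handler at the end.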

160

External discovery/WAYF

+
– Easy to use
– Choice can be cached in a cookie
– DS displays only applicable IdPs

-
– Loss of control, UI fidelity
– Impact of errors
– List of IdPs can become very long

161

Conclusions

• Introduction: “What is Shibboleth?”
• Shibboleth 2.x: “What has changed?”
• Concept of Federation
• Resource Registry
• A word on ADFS
• Installation
• Bootstrapping SP
• Configuration