Shibboleth Service Provider Workshop

(1)

Shibboleth

Service Provider

Workshop

Bart Ophelders - Philip Brusten

(2)

Shibboleth Service provider workshop

• This work is licensed under a

Creative Commons

(3)

Acknowledgements

• What's new in Shibboleth 2 – Chad La Joie • [SAMLConf]

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

• Liberty interoperability testing:

http://projectliberty.org/liberty/liberty_interoperable/implementations • Shibboleth 2.0 InstallFest Service Provider Material – Ann Arbor,

MI

• SP Hands-on Session – SWITCH

• https://spaces.internet2.edu/display/SHIB2

(4)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

(5)

Introduction: “What is Shibboleth?”

• Quote from

http://shibboleth.internet2.edu

:

The Shibboleth System is a standards based, open source software package for web single sign-on across or within

organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected

online resources in a privacy-preserving manner.

(6)

Introduction: “What is Shibboleth?”

• Terminology

– Authentication: says who we are

– Authorization: says which resource we can access – SP: Service Provider (Resource)

– IdP: Identity Provider (Home organisation) – WAYF: Where Are You From

(7)

Architecture Shibboleth v1.3

7 WAYF User Agent/Browser Identity Provider Webserver Identit y Provider Service Provider Webserver Shibboleth module

x

Shibboleth service Components:

Identity Provider (IdP) – Service Provider (SP) – Where Are You From (WAYF) – User Agent (UA)

HTTP redirect HTTP interaction

(8)

Service Provider Webserver Shibboleth module

x

Shibboleth service

Architecture Shibboleth v1.3

Identity Provider WAYF User Agent/Browser Webserver Identit y Provider

SAML1.1 profile: Browser/Artifact

(9)

x

Shibboleth service

Architecture Shibboleth v1.3

9 Identity Provider WAYF User Agent/Browser Webserver Identit y Provider

WAYF asks UA to choose an IdP (if not already set in cookie) Redirect UA to selected IdP

(10)

x

Shibboleth service

Architecture Shibboleth v1.3

IdP prompts the UA for credentials (Username/Password, x509,

(11)

x

Shibboleth service

Architecture Shibboleth v1.3

IdP resolves attributes for the authenticated principal and creates SAML assertion (authentication & attribute statement)

Redirects UA with references to these assertions (Artifacts).

(12)

x

Shibboleth service

Architecture Shibboleth v1.3

Shibboleth service or daemon dereferences the Artifacts on a

(13)

x

Shibboleth service

Architecture Shibboleth v1.3

The Shibboleth service verifies and filters the information and gives it to the Shibboleth module (via RPC or TCP).

The Shibboleth module or Webserver will authorise the principal.

(14)

Service Provider 2 Webserver Shibboleth module

x

Shibboleth service

Architecture Shibboleth v1.3

The active sessions with every component will provide the single

(15)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

15

(16)

Shibboleth 2.x: “What has changed?”

• General

– SAML2 protocols

• Authentication Request Protocol (SP initiated) – Force re-authentication

– Passive authentication

• Assertion Query and Request Protocol • Artifact Resolution Protocol

• Single Logout Protocol (Not supported by the IdP yet) • NameID Management Protocol

• NameID Mapping Protocol

– Encryption and signing of sensitive information – Distributed configuration (pull)

• Federation Metadata • Attribute-map

(17)

Shibboleth 2.x: “What has changed?”

• Identity Provider

– Own authentication modules • LDAP

• Kerberos • IP-based

• PreviousSession (SSO) • REMOTE_USER (cfr. CAS)

– No SAML2 force authentication

• Very flexible attribute resolving

• Very flexible attribute filtering (with constraints)

• Clean audit logs

• etc

(18)

Shibboleth 2.x: “What has changed?”

• Discovery Service

– Successor of WAYF

– SAML2 Identity Provider Discovery Profile – Multi-federation support

(19)

Shibboleth 2.x: “What has changed?”

• Service Provider

– Multi-protocol support

– New attribute filtering policy language – Support for ODBC based storage of state – Significant performance improvements

(20)

x

Shibboleth service

Architecture Shibboleth v2.x

Identity Provider DS User Agent/Browser Webserver Identit y Provider

SAML2.0 profile: Web browser SSO + HTTP POST binding

(21)

x

Shibboleth service

Architecture Shibboleth v2.x

21 Identity Provider DS User Agent/Browser Webserver Identit y Provider

DS asks UA to choose an IdP (if not already set in cookie) Redirect UA back to SP with selected IdP as parameter.

SP takes back control

(22)

x

Shibboleth service

Architecture Shibboleth v2.x

SP sends SAML Authentication request to the IdP.

(23)

x

Shibboleth service

Architecture Shibboleth v2.x

The IdP resolves and filters the principal‟s attribute information and constructs a SAML assertion. This assertion can optionally be

signed and/or encrypted. Next, the IdP POSTs a response to the SP.

SAML response

• Authentication statement • Attribute statement

(24)

x

Shibboleth service

Architecture Shibboleth v2.x

The Shibboleth service decrypts, verifies and filters the response

(25)

Service Provider 2 Webserver Shibboleth module

x

Shibboleth service

Architecture Shibboleth v2.x

Again, the active sessions with every component will provide the single sign-on experience.

(26)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

(27)

Concept of Federation

• Group of entities, both IdPs and SPs.

• Can map on existing Associations (e.g.: BELNET,

Associatie K.U.Leuven, K.U.Leuven, etc)

27 K.U.Leuven App X App Y App Z K.U.Leuven Toledo … App Z … W&K

(28)

Concept of Federation

• Benefits

– Scalable

– Simplifies things

– WAYF service (IdP discovery)

• Metadata

– Describes entities (protocol support, contact information, etc) – PKI management

– Trust

• Since Shibboleth v2.x = single point of trust – Digitally signed

(29)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

29

(30)

Resource Registry

• Metadata management tool

– Based on open source from SWITCH and modified by INTIENT and K.U.Leuven

• Adapted for K.U.Leuven

• Multi-federation support

• Identity Provider 1-many link

• Service Provider 1-many link

(31)

Resource Registry

(32)

Resource Registry

• For now only internal use

• In a later stage available for:

– Resource Registry Administrators • To approve resources from a certain IdP – Resource Administrators

• For administering SP information (self-service) – Home Organisation Administrators

• For administering IdP information (self-service) – Federation Administrators

• Signing metadata file

(33)

Resource Registry

• Currently hosting:

– Federation K.U.Leuven

– Federation Associatie K.U.Leuven – Federation K.U.Leuven – UZLeuven – Test federation K.U.Leuven

(34)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

(35)

A word on ADFS

• Active Directory Federation Services v1

– Part of Microsoft Windows Server 2003 R2

– WS-Federation Passive Requester Profile (WS-F PRP) – Shibboleth v1.3 has implemented

“WS-Federation: Passive Requestor Interoperability Profile” specification for both IdP & SP

– Two ways of working • NT-Token based

• Claim based

(36)

A word on ADFS

• E.g. Implementation at K.U.Leuven

IdP K.U.Leuven Webserver Identit y Provider FS Account partners K.U.Leuven Resources - OWA - EVault - Sharepoint - etc TRUST OWA EVault Sharepoint TRUST TRUST TRUST

(37)

A word on ADFS

(38)

A word on AD FS 2.0

• Version 2.0

• Officially released on 5 May 2010

• Windows Server 2008 and Windows Server 2008 R2

• Only claims based

• Compatible with ADFS v1.0

• Liberty Interoperable Implementation Tables

• SAML2.0 operational modes:

– IdP lite – SP lite

(39)

A word on AD FS 2.0

(40)

(41)

A word on AD FS 2.0

41 5) Use claims in token Identity Providers STS Internet Windows Live ID Other User 2) Select an identity that matches those

requirements 1) Access application and learn token requirements CardSpace 2.0 Application WIF 4) Submit token Token 3) Authenticate user and get token for

selected identity

Token

STS

Browser or Client

(42)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

(43)

Environment

• RedHat Enterprise Linux 5.5 (Tikanga)

• Debian 5.0 (Lenny)

• Windows Server 2008 R2

• Username: “shib” / “root”

• Passwords: “P@ssw0rd”

• Remote Access

– Linux: ssh

– Windows: Remote desktop

(44)

Environment

• RedHat Enterprise Linux 5.5 (Tikanga)

– 8 virtual machines – DNS: worksh-rh-N.cc.kuleuven.be – IP: 10.2.4.N

• Debian 5.0 (Lenny)

– 4 virtual machines – DNS: worksh-db-N.cc.kuleuven.be – IP: 10.2.4.2N

• Windows Server 2008 R2

– 10 virtual machines – DNS: worksh-w8-N.cc.kuleuven.be – IP: 10.2.4.4N + 10.2.4.50

(45)

Environment

• Shibboleth IdP

– DNS: worksh-idp.cc.kuleuven.be – IP: 10.2.4.9

– https://worksh-idp.cc.kuleuven.be/idp/status

(only accessible through VMs: 10.2.4.0/24)

(46)

Environment

• Shibboleth standard base

http://shib.kuleuven.be/ssb_sp.shtml

(47)

Environment

• Key/Certificate generation - We‟ve done it for you 

– Webserver • Located at $PKI • Signed by TerenaSSL CA – Shibboleth SP • Self-signed • worksh-idp.cc.kuleuven.be: /home/shib/ShibbolethSPWorkshop/certificates/shibboleth-sp • Certificate: sp-[rh|db|w8]-N-cert.pem • Key: sp-[rh|db|w8]-N-key.pem • Save at $PKI

• Test certificates

47

(48)

SSL certificates

• Use of self-signed certificates in backend

– No need for commercial certificates – Longer lifetime

– No truststore to maintain for commercial CAs – Revocation (just remove certificate)

– Trustbase of commercial signed certificates can become quite large

(49)

Environment

• Tools

– An absolute must: Syntax friendly editor • RHEL: vim

• Debian: vim

• Windows: notepad++ or SciTE – HTTP client

• RHEL: links • Debian: links

• Windows: local browser – SCP or WinSCP

• Check your time now!

• Always work case sensitive!

49

(50)

Installation - Overview

IIS

Shibboleth

_Apache

service

mod_aut h mod_s hib mod_s sl

...

Shibboleth handler /Shibboleth.sso

ISAPI filter Shibboleth

Shibboleth handler /Shibboleth.sso

(51)

RHEL webserver

– DocumentRoot: /var/www/html ($DOCROOT) – Configuration: /etc/httpd

– Logs: /var/log/httpd ($WEB_LOG) – ServerName

– Start/Stop service

51

$ yum install httpd mod_ssl php

$ service httpd start $ service httpd status httpd (pid ####) is running… $ vim /etc/httpd/conf/httpd.conf Line 265: ServerName $WORKSH_HOST

(52)

RHEL webserver

• Prepare test application

$ mkdir /var/www/html/secure

$ vim /var/www/html/secure/index.php

<?php

header('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session'); ?>

(53)

RHEL webserver - SSL

53

$ vim /etc/httpd/conf.d/ssl.conf

$ service httpd configtest $ service httpd restart

$ openssl s_client –connect localhost:443 SSLCertificateFile /etc/pki/$WORKSH_HOST.pem SSLCertificateKeyFile /etc/pki/$WORKSH_HOST.key

(54)

Debian webserver

– DocumentRoot: /var/www ($DOCROOT) – Configuration: /etc/apache2

– Logs: /var/log/apache2 ($WEB_LOG) – ServerName

– Start/Stop service

$ apt-get install libapache2-mod-php5

$ apache2ctl start $ apache2ctl status $ vim /etc/apache2/sites-available/default $ vim /etc/apache2/sites-available/default-ssl Line 2, add: ServerName $WORKSH_HOST

(55)

Debian webserver

• Prepare test application

55 $ mkdir /var/www/secure $ vim /var/www/secure/index.php <?php header('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session'); ?>

(56)

Debian webserver - SSL

$ a2enmod ssl $ vim /etc/apache2/sites-available/default-ssl $ a2ensite default-ssl $ apache2ctl configtest $ /etc/init.d/apache2 restart

$ openssl s_client –connect localhost:443 SSLCertificateFile /etc/pki/$WORKSH_HOST.pem SSLCertificateKeyFile /etc/pki/$WORKSH_HOST.key

(57)

Windows Server 2008 - Apache

– Download: http://httpd.apache.org :

Win32 Binary including OpenSSL 0.9.8m (MSI Installer)

– DocumentRoot: c:\htdocs ($DOCROOT) – Configuration: c:\Apache2.2

– Logs: c:\Apache2.2\logs ($WEB_LOG) – ServerName

– Start/Stop service using the Apache monitor in the tray

57

C:\Apache2.2\conf\httpd.conf Line 171:

(58)

Windows Server 2008 - Apache

• Prepare test application

• Create index.html file

$ mkdir C:\htdocs\secure <html> <head> <title>redirect</title> <meta http-equiv="REFRESH" content="0;url=/Shibboleth.sso/Session"> </head> </html>

(59)

Windows Server 2008 – Apache - SSL

• Restart Apache2.2 via the tray

59

c:\Apache2.2\conf\extra\httpd-ssl.conf

$ openssl s_client –connect localhost:443 SSLCertificateFile c:/pki/$WORKSH_HOST.pem SSLCertificateKeyFile c:/pki/$WORKSH_HOST.key

SSLCertificateChainFile c:/pki/terenasslchain.crt c:\Apache2.2\conf\httpd.conf

LoadModule ssl_module modules/mod_ssl.so [..]

Include conf/extra/httpd-ssl.conf

(60)

Windows Server 2008 - IIS

• IIS

– Server Manager:

Add Web Server (IIS) Role with • ASP.NET

• ASP

• IIS 6 Management compatibility • ISAPI filter

• ISAPI extensions

• IIS Management console

• IIS Management Scripts and Tools (Powershell)

– Documents: c:\inetpub\wwwroot\ ($DOCROOT)

(61)

Windows Server 2008 - IIS

• Prepare test application

• Create Default.asp file

61

$ mkdir C:\inetpub\wwwroot\secure

<%

Response.Redirect "/Shibboleth.sso/Session" %>

(62)

Windows Server 2008 – IIS - SSL

• Import certificate

• Or use MMC Certificate snap-in

$ certutil –p changeit

–importpfx c:\pki\$WORKSH_HOST.p12 $ Get-ChildItem cert:\LocalMachine\My

(63)

Windows Server 2008 – IIS - SSL

• Configure IIS

Right click website

 Edit bindings

(64)

Windows Server 2008 – IIS - SSL

• Add..

• Select SSL certificate

(65)

Shibboleth SP installation

• Certificates

• Done by RPM after installation

65

$ cd /etc/yum.repos.d $ wget

http://download.opensuse.org/repositories/security://shibbole th/RHEL_5/security:shibboleth.repo

$ yum install shibboleth[.x86_64] (Accept GPG key 0x7D0A1B3D)

/etc/httpd/conf.d/shib.conf /etc/rc.d/init.d/shibd

$ cp $PKI/sp-rh-N-cert.pem $SHIB_CONF/sp-cert.pem $ cp $PKI/sp-rh-N-key.pem $SHIB_CONF/sp-key.pem $ service shibd start

(66)

Shibboleth SP installation

$ cd /etc/apt/sources.list.d/ $ vim lenny-backports.list

deb http://www.backports.org/debian lenny-backports main contrib non-free

$ apt-get update

$ apt-get install debian-backports-keyring $ apt-get update

$ apt-get -t lenny-backports install libapache2-mod-shib2 $ cp $PKI/sp-db-N-cert.pem $SHIB_CONF/sp-cert.pem

$ cp $PKI/sp-db-N-key.pem $SHIB_CONF/sp-key.pem $ chown _shibd $SHIB_CONF/sp-key.pem

(67)

Shibboleth SP installation

• Configuration files provided by deb packages

• Create

/etc/apache2/mods-available/shib2.conf 67 /etc/apache2/mods-available/shib2.load /etc/init.d/shibd <Location /secure> AuthType shibboleth require shibboleth </Location> $ a2enmod shib2 $ /etc/init.d/shibd restart $ /etc/init.d/apache2 restart

(68)

Shibboleth SP installation

• Download MSI packet from

http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/

(69)

Shibboleth SP installation

(70)

(71)

Shibboleth SP installation

(72)

(73)

Shibboleth SP installation

(74)

(75)

Shibboleth SP installation

• After installation it is better to restart the OS

• Copy the self-signed keypair

• Restart Shibboleth service

75

$ copy $PKI/sp-w8-N-cert.pem $SHIB_CONF/sp-cert.pem $ copy $PKI/sp-w8-N-key.pem $SHIB_CONF/sp-key.pem

(76)

Sanity checks

• Shibboleth ISAPI filter must be the first in the „ordered

(77)

Sanity checks

• Access Shibboleth handler from your browser

https://$WORKSH_HOST/Shibboleth.sso

• Access session handler from your browser

https://$WORKSH_HOST/Shibboleth.sso/Session

A valid session was not found.

• See how a Shibboleth error looks like

https://$WORKSH_HOST/Shibboleth.sso/Foo

(78)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

(79)

Bootstrapping the SP

Goals:

1. Working SP against a single IdP

2. Enable debugging of session attributes 3. Avoid clock complaints

(80)

Bootstrapping the SP

• Choose your entityID

https://$WORKSH_HOST

• Should be:

– Unique – Locally scoped – Logical representative – Unchanging

• Seen on the wire, configuration files, metadata, log files,

etc

(81)

Bootstrapping the SP

• Relax some requirements, set your entityID and default

IdP entityID

$SHIB_CONF/shibboleth2.xml

81

logger="syslog.logger" clockSkew="1800000">

<ApplicationDefaults id="default" policyId="default" entityID="https://$WORKSH_HOST”

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID=“https://worksh-idp.cc.kuleuven.be"

<Handler type="Session" Location="/Session"

showAttributeValues="true"/>

(82)

Bootstrapping the SP

• Provide metadata remotely from test IdP

$SHIB_CONF/shibboleth2.xml

• Backup at $SHIB_RUN

Uncomment whole <MetadataProvider>

Comment <MetadataFilter>

• Normally: Provide your SP‟s metadata to IdP

But, already done for you :-)

<MetadataProvider type="Chaining"> <MetadataProvider type="XML"

uri="https://worksh-idp.cc.kuleuven.be/idp-metadata.xml" backingFilePath="idp-metadata.xml" reloadInterval="3600"/>

(83)

Bootstrapping the SP

• For IIS:

• Get site id (Run powershell as Administrator)

• Set correct site ID and name

83

$ Import-Module WebAdministration $ dir IIS:\Sites

(84)

Bootstrapping the SP – Quick test

• Make sure configuration works

Service Provider reloads shibboleth2.xml automatically when it changes

• Try it with a browser

https://$WORKSH_HOST/secure/

/secure/ is protected by shibboleth2.xml (<RequestMap>) Login with shibN / P@ssw0rd

• Get session information

https://$WORKSH_HOST/Shibboleth.sso/Session

(you should see various attributes)

$ shibd –tc $SHIB_CONF/shibboleth2.xml

(85)

Bootstrapping SP - Logout

• Local logout

https://$WORKSH_HOST/Shibboleth.sso/Logout

This won‟t delete your session on the IdP!

• Close the browser in order to remove ALL your session

cookies

• Or delete session cookies using the browser or an

extension, e.g.: Firefox Web Developer extension

(86)

Bootstrapping SP – Discovery Service

• Change the default SessionInitiator

$SHIB_CONF/shibboleth2.xml

• Try again https://$WORKSH_HOST/secure/

<SessionInitiator type="Chaining" Location="/Login"

isDefault="false" id="Intranet" relayState="cookie"

[…]

<SessionInitiator type="SAMLDS"

URL=" https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/>

(87)

Program

• Introduction: “What is Shibboleth?”

• Shibboleth 2.x: “What has changed?”

• Concept of Federation

• Resource Registry

• A word on ADFS

• Installation

• Bootstrapping SP

• Configuration

88

(88)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

(89)

Basic configuration

Goals:

1. Understand purpose and structure of SP configuration files 2. Increase log level to DEBUG

3. Configure metadata and add signature verification

(90)

Important directories

• $SHIB_CONF

– Master and supporting configuration files – Locally maintained metadata files

– HTML templates (customize them to adapt look&feel to your application)

– Logging configuration files (*.logger)

– Credentials (certificates and private keys)

• $SHIB_RUN

– UNIX socket

– Remotely fetched files (metadata, attribute-map)

• $SHIB_LOG

– shibd.log & transaction.log

• $WEB_LOG (written by Shibboleth module/ISAPI filter)

(91)

Configuration files in $SHIB_CONF

• shibboleth2.xml

– main configuration file

• apache*.config – Apache module loading

• attribute-map.xml

– attribute handling

• attribute-policy.xml

– attribute filtering settings

• *.logger – logging configuration

• *Error.html – HTML templates for error messages

• localLogout.html

– SP-only logout template

• globalLogout.html

– single logout template

92

Recommendation:

Adapting *.html files to match the look & feel of the protected

application improves user experience.

(92)

shibboleth2.xml structure

Outer elements of the shibboleth2.xml configuration file

<RequestMapper> Needed for session initiation and access control <ApplicationDefaults> Contains the most important settings of your SP <SecurityPolicies>

(93)

ApplicationDefaults structure

You are most likely to change something in here:

• <ApplicationDefaults>

– <Sessions> Defines handlers and how sessions are initiated and managed – <Errors> Used to display error messages. Provide here logo, e-mail and CSS

– <RelyingParty> (*) To modify settings for certain IdPs/federations – <MetadataProvider> Defines the metadata to be used by the SP – <TrustEngine> Which mechanisms to use for signatures validation – <AttributeExtractor> Attribute map file to use

– <AttributeResolver> Attribute resolver file to use – <AttributeFilter> Attribute filter file to use

– <CredentialResolver> Defines certificate and private key to be use – <ApplicationOverride> (*) Can override any of the above for certain

applications

(94)

Logging

• First thing to do in case of problems

• shibd.log and transaction.log written by shibd,

native.log written by Shibboleth module/filter

• *.logger files contain predefined settings for output

location and default logging level (INFO) along with

useful categories to raise to DEBUG

(95)

Logging

• Raise categories

• To implement *.logger changed:

• Try again https://$WORKSH_HOST/secure/

96

$ vim $SHIB_CONF/shibd.logger

log4j.rootCategory=DEBUG, shibd_log

$ touch shibboleth2.xml

(96)

Metadata features

• Metadata describes the other components (IdPs) that

the Service Provider can communicate with

• Four primary methods built-in:

– Local file (you manage it)

– Remote file (periodic refresh, local backup) – Dynamic resolution of entityID (=URL)

– "Null" source that disables security (“OpenID” model)

• Security comes from metadata filtering, either by you or

the SP:

– Signature verification – White and blacklists

(97)

Signature verification

• The Test IdPs metadata is signed. Until now, it was

loaded without checking, which is not secure and not

recommended!

• First, increase security:

$SHIB_CONF/shibboleth2.xml

Uncomment MetadataFilter for signature verification:

98

<MetadataProvider type="XML” […]

uri=“https://worksh-idp.cc.kuleuven.be/idp-metadata.xml”>

(98)

Signature verification

• Run

• … and in the output you will see:

WARN OpenSAML.MetadataFilter.Signature [3]: filtering out

group at root of instance after failed signature check:

ERROR OpenSAML.Metadata.Chaining [3]: failure initializing

MetadataProvider: SignatureMetadataFilter unable to

verify signature at root of metadata instance.

• Metadata could not be loaded because it was signed

with a different key (we “broke” the setup). So, let‟s get

the right key…

$ shibd –tc $SHIB_CONF/shibboleth2.xml

(99)

Signature verification

• Get certificate from IdP:

• Then fix it:

$SHIB_CONF/shibboleth2.xml

• Run again

100 $ cd $SHIB_CONF $ wget https://worksh-idp.cc.kuleuven.be/worksh-idp.cc.kuleuven.be.pem <MetadataProvider type="XML” […] > <MetadataFilter type="Signature“ certificate=“worksh-idp.cc.kuleuven.be.pem"/> </MetadataProvider> $ shibd –tc $SHIB_CONF/shibboleth2.xml

(100)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

(101)

Attribute handling

Goals:

1. Understand how attributes are transported 2. Learn how attributes are mapped and filtered 3. See how attributes can be used as identifiers 4. Add an attribute mapping and filtering rule

(102)

SP attribute terminology

• Push

Delivering attributes with SSO assertion via web browser • Pull

Querying for attributes after SSO via back-channel (SP -> IdP) • Extraction

Decoding SAML information into neutral data structures mapped to environment or header variables

• Filtering

Blocking invalid, unexpected, or unauthorized values based on application or community criteria

• Resolution

Resolving a SSO assertion into a set of additional attributes (e.g. queries)

(103)

Scoped attributes

• Common term for attributes that consist of a relation between a value and a scope, usually an organizational domain name E.g. affiliation = “[email protected]”

• Makes values globally usable or unique

• Lots of special treatment in Shibboleth to make them more useful and "safe"

• Alternatively, split value and scope into separate attributes: affiliation=“student” and homeOrganization=“kuleuven.be”

(104)

Attribute mappings

• SAML attributes from any source are "extracted" using

the configuration rules in

/etc/shibboleth/attribute-map.xml

• Each element is a rule for decoding a SAML attribute

and assigning it a local id which becomes its mapped

variable name

• Attributes can have one or more id and multiple

attributes can be mapped to the same id

• The id can also be used as header name in the

webserver for this attribute

(105)

Dissecting an Advanced Attribute Rule

• id

The primary "id" to map into, also used in web server environment • aliases

Optional alternate names to map into • name

SAML attribute name or NameID format to map from • AttributeDecoder xsi:type

Decoder plugin to use (defaults to simple/string) • caseSensitive

How to compare values at runtime (defaults to true)

106

<Attribute id="affiliation" aliases="aff affil"

name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"

caseSensitive="false"/> </Attribute>

(106)

Adding attribute mappings

• Add first and lastname SAML 2 attribute mappings:

$SHIB_CONF/attribute-map.xml

• After saving, changes take effect immediately but NOT

for any existing sessions

• Therefore, restart your browser (or delete your session

cookies) and continue on next slide …

<Attribute

name="urn:oid:2.5.4.4" id="sn” aliases=“surname”/> <Attribute

(107)

K.U.Leuven attribute mappings

• Attribute-map made compatible with 1.3 naming

conventions

$SHIB_CONF/shibboleth2.xml

108

<!–

-->

<AttributeExtractor type="XML"

uri="https://shib.kuleuven.be/download/sp/2.x/attribute-map.xml" backingFilePath="attribute-map.xml" reloadInterval="7200"/>

(108)

Common identifiers

• Local userid/netid/uid (“intranet userid”), e.g. “u1234567”

Usually readable, persistent but not permanent, often reassigned, not unique

• email address, e.g. [email protected]

Usually readable, persistent but not permanent, often reassigned, unique

• eduPersonPrincipalName, e.g. [email protected]

Usually readable, persistent but not permanent, can be reassigned, unique

• eduPersonTargetedID / SAML 2.0 persistent ID

(109)

Common identifiers

Legacy attribute placeholder for the SAML 2.0

persistent NameID format:

– opaque

– pairwise (IdP/SP)

– original motivation was privacy, but strongest features are lack of reassignment and immunity to name changes

In web server environment, persistentId=

https://worksh-idp.cc.kuleuven.be! https://worksh-rh-1.cc.kuleuven.be!stringupto256chars 110 <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://worksh-idp.cc.kuleuven.be" SPNameQualifier="https://worksh-rh-1.cc.kuleuven.be"> stringupto256chars </saml:NameID>

(110)

REMOTE_USER

• Special single-valued variable that all web applications

should support for container-managed authentication of

a unique user.

• Any attribute, once extracted/mapped, can be copied to

REMOTE_USER

• Multiple attributes can be examined in order of

preference, but only the first value will be used.

• IIS doesn‟t support to set the REMOTE_USER

(111)

Changing REMOTE_USER

• In case your application needs to have a remote user for

authentication, you just could make Shibboleth put an attribute (e.g. ”sn”) as REMOTE_USER:

$SHIB_CONF/shibboleth2.xml

• REMOTE_USER=”sn eppn persistent-id targeted-id" • If sn attribute is available, it will be put into REMOTE_USER • Attribute sn has precedence over eppn in this case

• This allows very easy “shibbolization” of some web applications

(112)

Attribute filtering

• Answers the "who can say what" question on behalf of an application

• Service Provider can make sure that only allowed attributes and values are made available to application

• Some examples:

– constraining the possible values or value ranges of an attribute (e.g. eduPersonAffiliation, telephoneNumber, ....)

– limiting the scopes/domains an IdP can speak for

(e.g. university x cannot assert [email protected]) – limiting custom attributes to particular sources

(113)

Default filter policy

• As default, attributes are filtered out unless there is a rule! • Shared rule for legal affiliation values

• Shared rule for scoped attributes

• Generic policy applying those rules and letting all other attributes through.

• Check $SHIB_LOG/shibd.log for signs of filtering in case of problems with attributes not being available.

You would find something like “no rule found, removing all values of attribute (#attribute name#)“

114

(114)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

(115)

Session initiation

Goals:

1. Learn how to initiate a Shibboleth session

2. Understand their advantages and disadvantages 3. Know where to require a session, what to protect

(116)

Content protection and session initiation

• Before access control (will be covered later on) can occur, a Shibboleth session must be initiated

• Session initiation and content protection go hand in hand • Requiring a session means the user has to authenticate • Only authenticated users can access protected content

(117)

Content protection settings

Protect hosts, directories, files or queries • Apache

.htaccess (dynamic) or httpd.conf (static) • Apache / IIS / other

RequestMap

Requires Shibboleth to know exact hostname

Very powerful and flexible thanks to boolean/regex operations

• Try accessing https://$WORKSH_HOST/

You should get access because the directory is not protected

118

(118)

Content protection with .htaccess

• Prepare webserver

(<Directory name=“$DOCROOT”>)

• Let‟s protect the directory by requiring a Shibboleth

session:

Synonym for the last line (used in Shibboleth 1.3): ShibRequireSession On AllowOverride AuthConfig $ mkdir $DOCROOT/secure2 $ vim $DOCROOT/secure2/.htaccess AuthType shibboleth require shibboleth ShibRequestSetting requireSession 1

(119)

Test content protection rule

• Clear session and then access

https://$WORKSH_HOST/secure2

• Authentication is enforced and access should be

granted

• By now, all authenticated users get access

• Content protection with authorization will be covered

later

(120)

Content protection with RequestMap

$SHIB_CONF/shibboleth2.xml

• Module (mod_shib or ISAPI filter) provides request URL

to shibd to process it

• Clearing session and then accessing /secure2/ now,

one also is forced to authenticate

$ vim $DOCROOT/secure2/.htaccess AuthType shibboleth

require shibboleth

(121)

RequestMap “Fragility”

• By default, Apache "trusts" the user‟s web browser about what the requested hostname is and reports that value internally

• To illustrate the problem, try accessing this URL: https://$IP/secure2

Script can be accessed unprotected/without a session… ? • How to fix? Make Apache use configured ServerName

httpd.conf

• IIS: normalizeRequest

https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

122

(122)

Lazy Sessions

• The mode of operation so far prevents an application

from running without a login.

• Two other very common cases:

– Public and private access to the same resources – Separation of application and SP session

• Semantics are:

if valid session exists

– process it as usual (attributes in environment array, REMOTE_USER, etc.)

But if a session does NOT exist or is invalid, ignore it

and pass on control to webserver/scripts

(124)

Lazy Sessions example

• Construct URL

https://$WORKSH_HOST/Shibboleth.sso/Login

?target=https://$WORKSH_HOST/Shibboleth.sso/Session – Shibboleth handler: https://$WORKSH_HOST/Shibboleth.sso

– Session Initiator: /Login

– Target location: ?target=https://$WORKSH_HOST/Shibboleth.sso/Session – Other options:

https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters

• Most parameters can come from three places, in order

of precedence:

– Query string parameter to Shibboleth handler

– A content setting (Webserver config or RequestMap) – <SessionInitiator> element

(125)

Lazy Sessions example

• IIS: RequestMap entry for secure3

• Save PHP/ASP script from

worksh-idp.cc.kuleuven.be: /home/shib/ShibbolethSPWorkshop/examples/lazy_session.[php|asp]

at

$DOCROOT/secure3/lazy_session.[php|asp] Access https://$WORKSH_HOST/secure3/lazy_session.[php|asp] 126 $ vim $DOCROOT/secure3/.htaccess AuthType shibboleth require shibboleth

(126)

Where to require a Shibboleth session

• Whole application with “required” Shibboleth session

– Easiest way to protect a set of documents

– No other authentication methods possible like this

• Whole application with “lazy” Shibboleth session

– Also allows for other authentication methods – Authorization can only be done in application

• Only page that sets up application session

– Well-suited for dual login

– Application can control session time-out – Generally the best solution

(127)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

• Session Initiators/Discovery

(128)

Access control

Goals:

1. Create some simple access control rules

2. Get an overview about the three ways to authorize users 3. Understand their advantages and disadvantages

(129)

Access control

• Two implementations are provided by the SP:

– .htaccess "require" rule processing

– XML-based policy syntax attached to content via RequestMap

• Third option: Integrate access control into

webapplication

130

(130)

Access control

1.a httpd.conf 1.b .htaccess 2. XML

AccessControl

3. Application Access Control

 Easy to configure

 Can also protect locations or virtual files  URL Regex  Dynamic  Easy to configure  Platform independent  Powerful boolean rules  URL Regex  Dynamic

 Very flexible and powerful with

arbitrarily complex rules

 URL Regex Support

 Only works for Apache

 Not dynamic

 Very limited rules

 Only works for Apache

 Only usable with “real” files and directories  XML editing  Configuration error can prevent SP from restarting  You have to implement it yourself  You have to maintain it yourself

+

(131)

-1. Apache httpd.conf or .htaccess

• Work almost like known Apache “require” rules

• Special rules:

– shibboleth (no authorization)

– valid-user (require a session, but NOT identity) – user (REMOTE_USER as usual)

– group (group files as usual)

– authnContextClassRef, authnContextDeclRef

• Default is boolean "OR”, use ShibRequireAll for AND rule • Regular expressions supported using special syntax:

132

require affiliation staff

require sn bar

(132)

Side note: Aliases

• If in the attribute-map.xml file, there is a definition like:

• This allows using rules aliases in authorization rules, e.g.:

• Aliases can also be used in RequestMap

<Attribute

name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="Shib-EP-Affiliation"

aliases="affiliation aff affil"> […]/>

require affiliation staff #instead of

(133)

1. Example .htaccess file

• Require a user to be staff member

$DOCROOT/staff-only/.htaccess

• Access

https://$WORKSH_HOST/staff-only

with user “staff”, access should be granted

• Try the same with “shib

N

” user, access should be

denied

134

AuthType Shibboleth

ShibRequestSetting requireSession 1 require unscoped-affiliation staff

(134)

1. Advanced .htaccess file

• Require a user to be a student or to have an entitlement:

Access:

https://$WORKSH_HOST/toledo

with user “student” and “staff”, access should be

granted.

• Try again with “shib

N

”, access should be denied.

AuthType Shibboleth

ShibRequestSetting requireSession 1 require unscoped-affiliation student require entitlement ~ .*toledo.*

$ mkdir $DOCROOT/toledo

(135)

2. XML access control

• Can be used for access control independent from web

server and operating system

• XML Access control rules can be embedded inside

RequestMap or can also be dynamically loaded from

external file.

WARNING: Can bring down entire webserver

• Same special rules as .htaccess, adds boolean

operators (AND,OR,NOT)

(136)

2. XML access control example

• Same as previous example but now with XML access

control embedded in RequestMap

AuthType Shibboleth require shibboleth $ vim $DOCROOT/toledo/.htaccess $ vim $SHIB_CONF/shibboleth2.xml <Host name=“$WORKSH_HOST"> [..]

<Path name=“toledo" authType="shibboleth" requireSession="true"> <AccessControl> <OR> <RuleRegex require="entitlement">.*toledo.*</RuleRegex> <Rule require="unscoped-affiliation">student</Rule> </OR> </AccessControl>

(137)

3. Application managed access control

• Application can access and use Shibboleth attributes by

reading them from the web server environment

• Attributes then can be used for authentication/access

control/authorization

138 #PHP: if ($_SERVER[„affiliation‟] == „staff‟) { grantAccess() } #Perl: if ($ENV{„affiliation‟} == „staff‟) { &grantAccess() } #ASP: if (Request.ServerVariables(„affiliation‟) == „staff‟ ){ { grantAccess() } http://shib.kuleuven.be/download/sp/test_scripts/

(138)

3. Application managed access control

• Default is to use environment variables instead of HTTP

headers (Apache)

– Cannot be manipulated in any way from outside

• Unfortunately not all webservers support a mechanism

to create custom variables within webserver

(IIS,Sun/iPlanet)

Solution:

AuthType shibboleth ShibRequestSetting requireSession 1 require shibboleth ShibUseHeaders On

(139)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

• Session Initiators/Discovery

(140)

Adding a separate (Shibboleth) application

Goals:

1. Define another application 2. Protect new application

(141)

Terminology

• Service Provider (physical)

– An installation of the software on a server

• Service Provider/”Resource” (logical)

– Web resources viewed externally as a unit – Each entityID identifies exactly one logical SP

• SP Application

– Web resources viewed internally as a unit

– Each applicationId identifies exactly one logical application – A user session is bound to exactly one application

(142)

Virtualization concepts

• A single physical SP can host any number of logical SPs – A logical SP can then include any number of "applications" – Web virtual hosting is often related but is also independent – Applications can inherit or override default configuration

settings on a piecemeal basis

• Multiple physical SPs can also act as a single logical SP – Clustering for load balancing and failover

(143)

Adding an application

• Goal: Add a second application with a different entityID

living in its own virtual host

$SHIB_CONF/shibboleth2.xml

144

<Host name=“$IP” applicationId="alt"/>

[..]

<ApplicationOverride id="alt" entityID="https://$IP"/> </ApplicationDefaults>

(144)

Adding an application

• For the additional application, canonical names should

be turned off again (unless you use Vhosts)

httpd.conf

• Test application:

https://$IP/secure

• The IdP will throw an ERROR (entityID is not trusted)

Error Message: SAML 2 SSO profile is not configured for relying party 'https://10.2.4.N'

• Check logging $SHIB_LOG/shibd.log and

$WEB_LOG/native.log (DEBUG)

You should see the new entityID

(145)

Adding an application

• <ApplicationOverride>

R

ule of thumb is that any settings you don't override inside

the element will be inherited from the

<ApplicationDefaults>

element that surrounds the

override

.

– Limitations:

You have to supply all the settings needed in the <Sessions> element because of the need to override the handlerURL.

You do NOT have to redefine all of the handler child elements.

• The handlerURL MUST be unique for each SP and MUST

map to the same applicationId

• Respect the XML sequence!

146 https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride

(146)

Clustering

• Configure multiple physical installations to share an

entityID, and possibly credentials

• Configuration files often can be identical across

servers that share an external hostname

• Session management:

– SP itself now clusterable via ODBC or memcached

– Host shibboleth service on one system

(147)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

• Session Initiators/Discovery

(148)

Service provider handlers

Goals:

1. Understand the idea of a handler

2. Get an overview about the different types of handlers 3. Know how to configure them if necessary

(149)

SP handlers

• "Virtual" applications inside the SP with API access:

– SessionInitiator (requests) • E.g. /Shibboleth.sso/Login

– AssertionConsumerService (incoming SAML response) • E.g. /Shibboleth.sso/SAML/POST

– LogoutInitiator (SP signout) • E.g. /Shibboleth.sso/Logout

– SingleLogoutService (incoming SLO)

– ManageNameIDService (advanced SAML) – ArtifactResolutionService (advanced SAML) – Generic (diagnostics, other useful features)

E.g. /Shibboleth.sso/Session /Shibboleth.sso/Status /Shibboleth.sso/Metadata

150

(150)

SP handlers

• The URL of a handler =

handlerURL + the Location of the handler.

– e.g. for a virtual host testsp.example.org with handlerURL of "/Shibboleth.sso", a handler with a Location of "/Login" will be

https://testsp.example.org/Shibboleth.sso/Login

• Handlers aren‟t always SSL-only, but usually should be (handlerSSL="true").

• Metadata basically consists of entityID, keys and handlers • Handlers are never "protected" by the SP

(151)

Configuration

• Basic configuration

• Attribute handling

• Session Initiation

• Access control

• Adding a separate application

• Service provider handlers

• Session Initiators/Discovery

(152)

Session initiators/Discovery

Goals:

1. Understand the concepts of discovery/session initiation 2. Chains and protocol precedence

(153)

Session initiators / Discovery concepts

• Session initiator

Handler that created a SAML authN request for an IdP or uses a discovery mechanism to identify the IdP

• Discovery (in Shibboleth)

Identifying the IdP of a particular user • WAYF service

Old name in Shibboleth for a particular way to do discovery • Handler chain

Sequence of handlers that share configuration and run

consecutively until “something useful happen” or an error occurs

154

(154)

Intranet case

• Single IdP, multiple protocols, no discovery:

• Protocol precedence controlled by order of

SessionInitiators within a chain

• Common properties defined at the top are

inherited by SessionInitiators in chain

id="Intranet" isDefault="true" relayState="cookie" entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be"> <SessionInitiator type="SAML2" defaultACSIndex="1"

template="bindingTemplate.html"/>

<SessionInitiator type="Shib1" defaultACSIndex="5"/> </SessionInitiator>

(155)

Change protocol precedence

• Example: switch order of chain

• Still allows either protocol, but if the IdP supports

Shibboleth profile of SAML1, it will be preferred

156

id="Intranet" isDefault="true" relayState="cookie" entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be"> <SessionInitiator type="Shib1" defaultACSIndex="5"/>

<SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>

(156)

Identity provider discovery

• Protocol SessionInitiators work when the IdP is known

• For consistency, discovery is implemented with

alternate SessionInitiators that operate only when the

IdP is NOT known

• A typical federated chain includes one or more

"protocol" handlers followed by a single "discovery"

handler at the end, like a safety net

(157)

Typical discovery methods

• External options:

– Older WAYF model, specific to Shibboleth/SAML1, SP loses control if a problem occurs

– Newer SAMLDS model, recently standardized, supports multiple SSO protocols and allows the SP to control the process

• Internal options:

– Implemented by an application (e.g. Toledo) – Followed by a redirect with the entityID:

/Shibboleth.sso/Login?entityID=urn:mace:kuleuven.be:kulassoc:kuleuven.be – Advanced "Cookie", "Form", and "Transform" SessionInitiators

(158)

Discovery service case (default)

• Multiple protocols, discovery via DS:

• Same as intranet case, but omits entityID and adds the

safety net at the bottom

• Last SessionInitiator in chain tells the DS to return the

user to this location with a lazy session redirect that will

invoke an earlier handler (SAML2 or Shib1) in the chain

<SessionInitiator type="Chaining" Location="/DS"

id=“DS" isDefault="true" relayState="cookie”> <SessionInitiator type="SAML2" defaultACSIndex="1"

template="bindingTemplate.html"/>

<SessionInitiator type="Shib1" defaultACSIndex="5"/>

<SessionInitiator type="SAMLDS"

URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/>

(159)

External discovery/WAYF

– Easy to use

– Choice can be cached in cookie – DS displays only applicable IdPs – Loss of control, UI fidelity

– Impact of errors

– List of IdPs can become very long

160