Using Shibboleth for Single Sign-On
One Logon to Rule them all…
Kirk Yaros
Director, Enterprise Services Mott Community College
Agenda
• Overview of Mott
• Overview of Shibboleth and Mott’s Project
• Review each service (setup / gotchas)
Overview of Mott Community College
• Est. 1923
• Main Campus – Flint, MI
– 8 remote sites
SSO – Project
“A single username / password”
OR
Shibboleth Project
• Started: 01/2013 – Rolled out 09/2013
• Started with three services (Email, Blackboard, Portal)
• Prevalent use of Active Directory on back-end
• Ellucian recommending “TMG” (end of life)
Shibboleth Project
• Total Cost: $22,500
– $15 Licensing – 9Star for Sharepoint 2010
– $7500 consulting setup of Sharepoint 2013
• Players:
– Marc (The Man) – Setup IDP, configured GMAIL, BB
– Sheila (Network Analyst) – Sharepoint / WebAdvisor
– Kirk (Development) – IIS SP, Custom Development
Services Covered
• Services on Shibboleth
– Google Apps for Education (Mail / Calendar / Apps)
– WebAdvisor
– Blackboard
– Portal (Sharepoint 2010 / 2013)
– Custom Web Development (.NET / PHP Applications)
– Omni Content Management
– Third Party Vendors (PNC Bank)
• Indirectly
Services NOT Covered
• Datatel (UI)
– Currently has Oracle Username
– Only available on campus
– Intentionally not SSO
• Other Services
What is Shibboleth
“The Shibboleth project was started in 2000 under the MACE working group to address problems in sharing resources between organizations with often wildly different authentication and authorization infrastructures. Architectural work was performed for over a year prior to any development. After an alpha, two betas, and two point releases were distributed to testing communities, Shibboleth 1.0 was released on July 1, 2003.[1] Shibboleth 1.3 was released on August 26, 2005, with several point releases since then. Shibboleth 2.0 was released on March 19, 2008”
What is Shibboleth
• Shibboleth: Open Source “Implementation” of SAML
• “Federated” Security
• SP / IDP do not have to be in the same organization (domain)
• Leverages public / private key cryptography
• Consists of two (three) main components
– IDP (Identity Provider) – Authentication mechanism, talks with your directory server. Can be on Linux, Windows (others)
– SP (Service Provider) – The service itself
What is Shibboleth
[Diagram: User Accesses Resource → Shib SP (Service Provider) → Shib IDP (Identity Provider) → Directory (AD) via LDAP / Kerberos; MetaData exchanged between SP and IDP]
General Concepts
• All requests go through the SP and IDP
• Metadata can be made central, and the public key can be embedded in the public XML metadata
• SPs can access more than one IDP
• IDPs can handle requests from multiple SPs
• Attributes can be all or some to resources based upon
What is Shibboleth
[Diagram: User Accesses Resource → Shib SP (Service Provider) → Shib IDP → Directory (AD); MetaData carries each party’s Public Key, each party keeps its Private Key; IDP checks “Session?” – Yes: issue Session Token with User Attributes; No: IDP Login Screen (Tomcat) → Authentication Response (signed with the IDP Private Key)]
Initial Concerns / Questions
• Will you “spoil” your usernames?
• If No:
– Colleague change operators / Log IDs will no longer be trustworthy
– Students come back after 10 years
• If Yes:
– Things are much easier, but usernames get ugly after a while (“JohnSmith123”)
Initial Concerns / Questions
• WebAdvisor (DRUS) screen
– Needed to be set up to allow for AD authentication
– Use of the “domain” field (needs to be set)
• Update any “password change” functionality.
Demo
Services – Gmail (Google Apps)
1. Access the Google Admin interface
2. Configure the IDP URL
3. Upload Key File (Certificate)
4. Configure Login Redirect URL
Services – Gmail Considerations
• Need a method to sync password changes across AD and Google Apps. (Most likely this is already taken care of)
• (Going to use GAPS to sync now)
Services – Portal (Sharepoint)
• Tried to get setup – (1 month)
• Hired “Sharepoint” consultant
– Worked on it for 2-3 months – failed, said it couldn’t be done
• Found 9Star
– Said it can be done, needs special software
Services – Portal (Sharepoint)
• Sharepoint 2010 doesn’t support claims authentication
• Much more complicated
• Required use of 9Star Add-on Package
• Creates “Shadow groups”
[Diagram: Sharepoint → 9Star “ASFS” → IDP]
Services – Portal (Sharepoint)
• Use of ADFS3 linking to IDP
[Diagram: Sharepoint 2013 → ADFS3 (Secure Token Service) → IDP]
Services – Custom Web Development
• Windows 2012 – IIS 7.0
• Installed Shibboleth – can configure itself. If not, in IIS Manager:
1. Set up ISAPI Header
2. Configure extension (*.sso)
3. Change shibboleth.xml for service provider settings
   – Can include only the Web Site(s) that you want
   – Special configuration if you want a single IIS server to leverage 2 different IDPs (can be done)
Services – Custom Web Development
Configuration “opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml”
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host scheme="https" name="appsdev.mcc.edu">
      <Path name="Secure" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
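As an added example (not code from the presentation), a small Python model of how a Native RequestMapper like the one above is resolved for a request: settings on RequestMap, Host and nested Path elements are inherited downward, so only a request that lands under a Path with requireSession="true" is forced through the IDP. The sample XML is constructed from the slide’s snippet plus an unprotected path; the matching rules (case-insensitive host, exact path segments) are a simplifying assumption, not the SP’s full behaviour.

```python
# Added example, not from the presentation: simplified model of the Shibboleth
# SP Native RequestMapper. Settings on RequestMap -> Host -> nested Path elements
# are inherited downward, so only requests under a Path that sets
# requireSession="true" are forced through the IdP. Matching here is
# simplified (assumption): case-insensitive host, exact path segments.
import xml.etree.ElementTree as ET

# Constructed sample based on the slide's snippet, plus an unprotected path.
SAMPLE_CONFIG = """<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host scheme="https" name="appsdev.mcc.edu">
      <Path name="Secure" authType="shibboleth" requireSession="true"/>
      <Path name="public" authType="shibboleth" requireSession="false"/>
    </Host>
  </RequestMap>
</RequestMapper>"""

INHERITED = ("applicationId", "authType", "requireSession")


def _pick(node):
    """Settings on one element that propagate to nested elements."""
    return {k: v for k, v in node.attrib.items() if k in INHERITED}


def resolve(config_xml, host, path):
    """Effective settings for a request to https://host/path."""
    request_map = ET.fromstring(config_xml).find("RequestMap")
    settings = _pick(request_map)
    host_node = next((h for h in request_map.findall("Host")
                      if h.get("name", "").lower() == host.lower()), None)
    if host_node is None:          # unknown host: RequestMap defaults apply
        return settings
    settings.update(_pick(host_node))
    current = host_node
    for segment in (s for s in path.split("/") if s):
        match = next((p for p in current.findall("Path")
                      if p.get("name") == segment), None)
        if match is None:          # deeper segments inherit the last match
            break
        settings.update(_pick(match))
        current = match
    return settings


def requires_session(config_xml, host, path):
    """True only when the resolved rule sets requireSession="true"."""
    value = resolve(config_xml, host, path).get("requireSession", "false")
    return value.lower() == "true"


if __name__ == "__main__":
    for url_path in ("/Secure/grades.aspx", "/public/index.php", "/"):
        print(url_path, requires_session(SAMPLE_CONFIG, "appsdev.mcc.edu", url_path))
```

A quick way to audit a real shibboleth2.xml is to run every application path you expect to be protected through requires_session and flag any that come back False.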
Services – Custom Web Development
• Can use the same Server Variable “LOGON_USER” as you currently do for Windows Auth (no code changes)
• Allows embedding of services seamlessly (Portal / Custom)
– Timing of web parts was an issue (the IDP doesn’t like simultaneous requests from the same source)
• Shibboleth natively includes spoof-checking of the headers it sets – we did not disable it
Demo – Web Applications Integration
Services – Custom Development (Mobile)
• Can leverage Bootstrap as CSS for Login Screen
• Leverage a “mobile-first” development paradigm.
• Logon screen works on desktop / mobile
• Use of PhoneGap to make an Android App,
Other Applications
• Bank Refunds (PNC Bank)
– Had to use what is called “Unsolicited SSO” – Their requirement.
– This is a SAML 1.x “thing” (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO)
• Usually in Shibboleth, the flow is assumed to be an SP requesting authentication by redirecting the client to the IdP, and then
getting back a response. In the original SAML 1.0 and SAML 1.1 standards, though, SSO was described in only semi-interoperable terms as a response from the IdP to the SP, and the "request" portion was left out. This was carried over into SAML 2.0 as a mode called "IdP-initiated" or "unsolicited" SSO.
• While this approach lacks interoperability, it has perceived benefits for some service providers; they get to do less work and push that work onto users and IdPs. So it isn't unusual to find SPs that refuse to support the standard fully and insist on this approach.
Other Applications – Omni CMS System
• Omni CMS System
• InCommon.Org
– Offers trust services for education / research institutions. (we had to work with them)
– http://www.incommon.org/about.html
How it’s Working
• Working “quietly” behind the scenes
• Very little work to maintain (other than system maintenance)
• Load is not an issue
– Red Hat (Enterprise) 6
– 2 Logical Processors
How it’s working – Future Changes
• Many use a combination of CAS / Shibboleth
• Ellucian Identity Services (now available,
Recommendations
• Logging out – need to close browsers (we added a message)
• SLO (Single Log Off) is difficult (not recommended)
– Web Application Session
– Service Provider Session
– IdP Session
Recommendations – Sessions
[Diagram: Web Application 1 → Shib SP (Service Provider) → Shib IDP (Identity Provider); Web Application 2 → Shib SP (Service Provider)]
Web Application 1 – Web Session – 15 min
SP Session – 20 min
IdP Session – 30 min
LDAP Auth Timeout – 1 hour
Web Application 2 – Web Session – 20 min
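As an added example (not code from the presentation), a minimal Python model of the three session layers on this slide (web application, Shibboleth SP, Shibboleth IDP) with the slide’s idle timeouts. It shows why an application logout alone does not end access: while the SP or IDP session is still alive, the next request is admitted without a password, which is why the deck tells users to close the browser. The request timeline is constructed.

```python
# Added example, not from the presentation: a minimal model of the three
# session layers the slide lists (web application, Shibboleth SP, Shibboleth
# IdP) showing why an application logout alone does not end access. The
# idle timeouts are the slide's values; the request timeline is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Layer:
    name: str
    timeout: int                      # idle timeout in minutes
    last_seen: Optional[int] = None   # minute of last activity; None = no session

    def alive(self, now):
        return self.last_seen is not None and now - self.last_seen < self.timeout


@dataclass
class SsoChain:
    web: Layer = field(default_factory=lambda: Layer("Web Application 1", 15))
    sp: Layer = field(default_factory=lambda: Layer("Shib SP", 20))
    idp: Layer = field(default_factory=lambda: Layer("Shib IdP", 30))

    def access(self, now):
        """Handle a request at minute `now`; return how it was admitted."""
        if self.web.alive(now):
            self.web.last_seen = now
            return "web session"
        if self.sp.alive(now):            # SP rebuilds the app session silently
            self.sp.last_seen = self.web.last_seen = now
            return "SP session"
        if self.idp.alive(now):           # IdP SSO cookie: new assertion, no password
            self.idp.last_seen = self.sp.last_seen = self.web.last_seen = now
            return "IdP SSO (no password)"
        self.idp.last_seen = self.sp.last_seen = self.web.last_seen = now
        return "password prompt"

    def web_logout(self):
        """The application clears only its own session; SP and IdP live on."""
        self.web.last_seen = None


def timeline(events):
    """events: (minute, 'access' | 'logout') pairs -> list of (minute, outcome)."""
    chain, out = SsoChain(), []
    for minute, action in events:
        if action == "logout":
            chain.web_logout()
            out.append((minute, "logout"))
        else:
            out.append((minute, chain.access(minute)))
    return out
```

Running timeline([(0, "access"), (5, "logout"), (6, "access")]) shows the minute-6 request admitted by the still-live SP session with no password prompt, the gap the slide’s “close your browser” message works around.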
Recommendations
• Start with one system (make sure it works)
• Get session timeouts uniform from the get-go.
• First time setup seems confusing:
– Lots of configuration files (attribute resolving, attribute filter, AD configuration, etc.)
– Get your keys right!
Light Reading
– https://medium.com/@vrypan/explaining-public-key-cryptography-to-non-geeks-f0994b3c2d5
– https://shib.ncsu.edu/docs/shibworks.html
– https://shib.ncsu.edu/docs/shiblogindetails.html
– http://www.utexas.edu/its/help/shibboleth/2299
– https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth
Q&A