Shib Website Hosting on Azure 2

Hosting a SAML-protected Web Site in Microsoft Azure
Eric Kool-Brown
Software Engineer
University of Washington IT
A SAML Protected Web Site
SAML in Azure - Windows in Higher Ed
SAML: what is it?
Security Assertion Markup Language and much more
• A token format (using this language)
• A set of authentication protocols
• A set of bindings for the transfer of the protocol elements
• A set of OASIS specifications ratified in 2005
Some Terminology
• SAMLP – used to differentiate the protocol from the token format
• Service Provider – a protected web site, a.k.a. Relying Party
• IdP – identity provider, a.k.a. security token service
• Shibboleth – the community-developed reference implementation of SAML
Hosting a Shibboleth-Protected Web Site Locally
[Diagram: a User on the Public Internet reaches the Web App in the Campus Datacenter, where the Shib IdP, Databases and Credential Datastore also live.]
Hosting a Shibboleth-Protected Web Site in Azure
[Diagram: a User on the Public Internet reaches the Web App, now hosted in Azure, while the Shib IdP, Databases and Credential Datastore remain in the Campus Datacenter.]
Azure Networking
[Diagram: Azure VMs sit in an Azure Virtual Network behind the Azure DNS/Load Balancer, with a route to the Public Internet. The Azure VPN Gateway and the campus Hardware VPN Gateway form a Site-to-Site Protected Data Connection between the Virtual Network (configured with a Campus Subnet List) and the Campus Servers in the Campus Datacenter.]
Options, We’ve Got Options
• Upload your Shibboleth SP VHD as an Azure VM
– Could be either Linux or Windows
• Host WIF web app in an Azure web site and use ADFS as a protocol translator
• Use WIF and the SAMLP CTP extension
• Host Shibboleth SP as an Azure cloud service
Azure Virtual Machine
• Use an MS-supplied OS image or upload your own (Linux or Windows)
– If the former, upload web app remotely
– If the latter, can configure locally, then upload the entire VHD
• VM bits stored in triple redundant Azure blob storage
• Scaling up requires manual configuration
Azure VM Details
• Windows OS licensing: monthly cost of using MS-supplied Windows image includes OS licensing fee
• DNS needs to be configured in Azure; you supply a validated DNS name and Azure supplies the VIP for that name
• Adding instances for scaling requires manual configuration
• Ditto for monitoring
Azure Web Sites
• Write web app in Visual Studio and deploy to Azure from VS
• Use WIF to “claims enable” your web app via its support for WS-Federation
– WIF does not support SAMLP
• Use AD FS to translate from WS-Federation to SAMLP
• Azure handles scaling to add instances and configures load balancing
Add a Cloud Web App Project
Configure the Project
Configure WS-Fed
Sign-in to Azure
Publish to Azure
AD FS as a Protocol Translator
Azure Web Sites Redux
• MS released a CTP extension to WIF 4.0 that supported SAMLP
• May be NLA and is certainly not supported by MS
• One UW web application in production using this CTP
• WIF 4.5 re-architected, the CTP won’t work with it (and claims-based web apps need to be re-written)
Azure Cloud Service
• Web roles and worker roles
• Web role much more configurable than an Azure web site
• Shibboleth SP can be automatically installed using a startup script
• See my blog posts starting with http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/
Create a Cloud Service Project
Add Roles to the Service
Choose the Type of Web App
Config and Definition Files
Shibboleth SP Install Task
Shib SP Files in Project
echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1
msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt /norestart
echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth
echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0']
echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',preCondition='bitness64']
echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True']
echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1
icacls c:\opt /grant "Users":(OI)(CI)(RX)
echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1
icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M)
echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1
net stop shibd_Default
net start shibd_Default
Publishing
• Similar to publishing an Azure web app from Visual Studio
• Takes longer to start due to time taken to install the Shib SP
• The install script is re-run each time an instance is spun up
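Because the startup task is re-run on every instance start, a version that tolerates re-runs is worth having. The following is an added example, not the deck's script and not code from the UW project: the same install steps as the script on the earlier slide, rewritten so that each step checks for existing state before acting, msiexec's 3010 "reboot pending" code is accepted, and the task exits non-zero on any failure so a half-configured role is not put into rotation. Paths, the MSI file name and the shibd_Default service name are taken from the slide's script; that the task runs elevated is an assumption.

```batch
@echo off
REM Added example, not the deck's own startup script: an idempotent variant of
REM the Shibboleth SP install task. Azure re-runs startup tasks every time an
REM instance starts, so each step checks before it acts and the script exits
REM non-zero on failure so the role does not come up half-configured.
REM Assumptions: paths, MSI name and service name match the slide's script,
REM and the task runs elevated (executionContext="elevated" in the csdef).
setlocal enabledelayedexpansion

set LOG=%temp%\install-shib.txt
set SHIBDIR=c:\opt\shibboleth-sp
set ISAPI=%SHIBDIR%\lib64\shibboleth\isapi_shib.dll
set APPCMD=%windir%\System32\inetsrv\appcmd.exe
set MSI=%~dp0Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi

echo %date% %time% startup task begin >> "%LOG%" 2>&1

REM 1. Install only when the shibd service is not yet registered.
sc query shibd_Default >nul 2>&1
if !errorlevel! equ 0 (
    echo shibd_Default already registered, skipping msiexec >> "%LOG%" 2>&1
) else (
    echo running msiexec for %MSI% >> "%LOG%" 2>&1
    msiexec.exe /i "%MSI%" /quiet /L*v "%temp%\shib-msi.txt" /norestart
    set RC=!errorlevel!
    REM 3010 means installed but reboot pending; with /norestart that is success here.
    if !RC! neq 0 if !RC! neq 3010 (
        echo msiexec failed with exit code !RC! >> "%LOG%" 2>&1
        exit /b 1
    )
)

REM 2. Config and key material: xcopy /y is already idempotent, but fail
REM loudly if the package lacks them rather than start with default config.
if not exist "%~dp0Shibboleth-SP\shibboleth2.xml" (
    echo shibboleth2.xml missing from package >> "%LOG%" 2>&1
    exit /b 1
)
xcopy /y /q "%~dp0Shibboleth-SP\*.xml" "%SHIBDIR%\etc\shibboleth\" >> "%LOG%" 2>&1
xcopy /y /q "%~dp0Shibboleth-SP\*.pem" "%SHIBDIR%\etc\shibboleth\" >> "%LOG%" 2>&1
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" "%SHIBDIR%\lib64\shibboleth\" >> "%LOG%" 2>&1

if not exist "%ISAPI%" (
    echo %ISAPI% not found after install >> "%LOG%" 2>&1
    exit /b 1
)

REM 3. IIS registration: appcmd's /+ add fails if the element already exists,
REM so test each section first instead of letting the second run error out.
"%APPCMD%" list config /section:handlers | findstr /c:"ShibbolethSP" >nul
if !errorlevel! neq 0 (
    "%APPCMD%" set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='%ISAPI%',requireAccess='Script',responseBufferLimit='0'] >> "%LOG%" 2>&1
)
"%APPCMD%" list config /section:isapiFilters | findstr /i /c:"isapi_shib.dll" >nul
if !errorlevel! neq 0 (
    "%APPCMD%" set config /section:isapiFilters /+[name='Shibboleth',path='%ISAPI%',preCondition='bitness64'] >> "%LOG%" 2>&1
)
"%APPCMD%" list config /section:isapiCgiRestriction | findstr /i /c:"isapi_shib.dll" >nul
if !errorlevel! neq 0 (
    "%APPCMD%" set config /section:isapiCgiRestriction /+[path='%ISAPI%',description='ShibbolethWebServiceExtension',allowed='True'] >> "%LOG%" 2>&1
)

REM 4. Filesystem rights: Users need read/execute so the ISAPI filter loads,
REM NetworkService needs modify on the log folder so the filter can log.
icacls "c:\opt" /grant "Users":(OI)(CI)(RX) >> "%LOG%" 2>&1
icacls "%SHIBDIR%\var\log\shibboleth" /grant "NetworkService":(OI)(CI)(RX,M) >> "%LOG%" 2>&1

REM 5. Restart shibd so it reads the copied config; a failed stop just means
REM it was not running yet, but a failed start is fatal.
net stop shibd_Default >> "%LOG%" 2>&1
net start shibd_Default >> "%LOG%" 2>&1
if !errorlevel! neq 0 (
    echo shibd_Default failed to start, see %SHIBDIR%\var\log\shibboleth\shibd.log >> "%LOG%" 2>&1
    exit /b 1
)

REM 6. Final check: the service reports RUNNING before the role goes live.
sc query shibd_Default | findstr /c:"RUNNING" >nul
if !errorlevel! neq 0 (
    echo shibd_Default not RUNNING after start >> "%LOG%" 2>&1
    exit /b 1
)
echo %date% %time% startup task complete >> "%LOG%" 2>&1
exit /b 0
```

For msiexec, appcmd and icacls to succeed, the task must be declared with executionContext="elevated" in ServiceDefinition.csdef; startup tasks run with limited rights by default. Also note that the *.pem files copied here travel inside the deployment package and, in a default Shibboleth SP layout, include the SP's private key, so the package itself has to be handled as secret material.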
Questions?
Links
• Series of 5 blog posts on hosting a Shib SP in Azure: http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/
• Test web site: https://uwshibsp.cloudapp.net/ (note that it is using a self-signed cert, so be prepared for browser warnings)
• Azure Portal: https://manage.windowsazure.com/
• Azure Site-to-Site VPN: http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx
• Azure VPN Walkthrough: http://jeffgraves.me/2012/10/26/windows-azure-vpn-walkthrough/ (from 2012)
• Azure Load Balancer: http://msdn.microsoft.com/en-us/library/azure/dn655058.aspx (VMs can have multiple "endpoints")
• Example of confusion between SAML token format and SAML protocol: http://stackoverflow.com/questions/11342186/windows-identity-foundation-does-not-officially-support-saml-2-0-use-wif-ctp-or
The University of Washington is one of the world’s preeminent
universities and a recognized leader in educating the next
generation of leaders, thinkers and doers. A multi-campus institution
comprising UW Seattle, UW Tacoma and UW Bothell, as well as a
world-class academic medical center, the UW is a focal point of the
Puget Sound region’s intellectual and cultural life and a key
contributor to Washington’s increasingly global reputation as a
center of innovation and change. A progressive and quintessentially
Northwest institution with a uniquely innovative and creative culture,
the UW is driven to lead by successfully integrating the full assets of
the university and its rich environs to address key issues of pressing
human concern that make a lasting difference in the Northwest and
around the world.