TEIN Shibboleth Training Course
Introduction to SAML/Shibboleth
at ComLabs USDI ITB, 2014-01-18 (updated version)

Identity Federation with SSO/Shibboleth technology

- Separation of Authentication (authN) and Authorization (authZ)
  - An IdP manages "Identity" information and authenticates users
  - SPs refer to the result of authN (e.g. the password matched) and to the identity information (assertion)
  - The Federation provides "Trust" among IdPs and SPs by defining a "policy"
- SSO technology preserves privacy
  - The IdP sends the least attributes (personal information) to an SP
  - An SP should clarify its list of required attributes (mandatory/optional)
  - The IdP admin can obtain agreement from users before sending out attributes

[Diagram: without separation (past), the user sends ID/PW to each SP on the 1st access and again on the 2nd access. With separation, the user sends ID/PW once, to the IdP; each SP is reached through redirection and receives an assertion (ID and attributes) from the IdP.]

Login with a federation
1. Login by Fed (at the SP, Service Provider)
2. Select Home Org (at the DS, Discovery Service)
3. Input ID & Pass (at the IdP, Identity Provider)
4. Complete Login (the IdP returns a SAML assertion with attributes to the SP)

[Diagram: a user, TARO SUZUKI, wants to download a PPV paper on CiNii. The SP redirects him to the IdP, which checks the ID and password against the Personal Info DB and tells the SP "He/She is a member of our University", so the SP lets him download. When he next wants to download from Science Direct as well, or to update a RefWorks record, the SP redirects to the IdP and back immediately, without entering the password, because the IdP already knows he has authenticated. Once they have logged in, users get Single Sign On.]

Search Paper, Read Paper, Manage Paper: all with SSO
- Facilitate Remote Access
- Improve Usability by SSO etc.

The Federation is
- a secure, scalable and easy login architecture using an international standard protocol: SAML
[Diagram: Authentication at the IdP, Authorization at the SP; attributes such as Organization Name, Affiliation, Opaque ID, Mail Address etc. flow from the IdP to the SP.]

SAML
- Standard that allows secure web domains to exchange user authN and authZ data
- Standardized by OASIS

Shibboleth
- Open Source project launched by EDUCAUSE/Internet2 in 2000: http://shibboleth.net/
- De facto standard in academic access management federations
- Widely utilized by European federations in addition to the US
- simpleSAMLphp, mainly utilized by Nordic countries, is the other choice

[Diagram: the Shibboleth SP and Shibboleth IdP exchange SAML messages; the IdP reads User Info from LDAP. Shibboleth is something like a filter which mediates SAML messages.]

Example SAML 2.0 assertion (the slides show it in two halves; here it is in document order):

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 ID="XXXX" IssueInstant="2012-06-24T17:23:34.237Z" Version="2.0">
  <saml2:Issuer>https://idp.nii.ac.jp/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:EncryptedID> … </saml2:EncryptedID>
    <!-- bearer confirmation: the SP must check Recipient, InResponseTo and NotOnOrAfter -->
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Address="150.100.253.2"
                                     InResponseTo="YYYY"
                                     NotOnOrAfter="2012-06-24T17:28:34.237Z"
                                     Recipient="https://mcus.nii.ac.jp/Shibboleth.sso/SAML2/POST" />
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <!-- validity window (5 minutes) and the SP this assertion is meant for -->
  <saml2:Conditions NotBefore="2012-06-24T17:23:34.237Z" NotOnOrAfter="2012-06-24T17:28:34.237Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://mcus.nii.ac.jp/shibboleth-sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <!-- the user authenticated earlier (17:12) than the assertion was issued (17:23): SSO -->
  <saml2:AuthnStatement AuthnInstant="2012-06-24T17:12:05.463Z" SessionIndex="ZZZZ">
    <saml2:SubjectLocality Address="150.100.253.2" />
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                     FriendlyName="eduPersonAffiliation">
      <saml2:AttributeValue xsi:type="xs:string">faculty</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

- Redirection to collaborate among SP/DS/IdP
  - HTTP redirect
  - Javascript (automatic POST of the assertion)
- Cookie management, to memorize session information
  - the selected IdP on the DS (Discovery Service)
  - the status of being authenticated on an IdP
  - the status of being authorized on an SP
- Session encryption with SSL (server certificate)
  - To protect the password and cookies from wiretapping

[Diagram: SSO sequence among User, DS (Discovery Service), IdP (Home Org) and SP (Resource Provider), numbered steps 1 to 9, all over HTTPS; attributes flow from the IdP to the SP, which finally answers "Access Approved". Demo: http://www.switch.ch/aai/demo/]

(Sequences on DS access omitted)

Assertion via front-channel (SAML 2.0):
(1) access to SP
(2) redirect to IdP
(3) request for authentication
(4) ID and password
(5) assertion with attributes (requires Javascript)

Assertion via back-channel (SAML 1.3):
(1) access to SP
(2) redirect to IdP
(3) request for authentication
(4) ID and password
(5) handle for attribute request
(6) request for attributes with handle
(7) assertion with attributes

[Diagram: the same SSO sequence as above, marking where a cookie is set at the DS, the IdP and the SP.]

Sessions and cookies
- IdP selection at the DS
  - Kept a month or longer, or cleared after the browser is closed: you can choose at IdP selection (check box)
- IdP session (you have been authenticated)
  - Cleared after the browser is closed (logout by close)
  - Even if the browser is not closed, the session timeout is managed by the IdP
  - Re-authentication may be required by a change of IP address at the client side
- SP session
  - Cleared after the browser is closed (logout by close)
  - Cleared by clicking the logout button on the SP

[Diagram: metadata. The IdP (Home Org) and the SP (Resource Provider) register their metadata with the federation; the DS, the IdP and the SP distribute (download) the federation metadata.]

Trust Framework
- The number of contracts can be reduced from N×M to N+M by introducing a uniform policy
[Diagram: many bilateral contracts between each IdP and each SP versus one contract per entity with the Trust Framework Provider (TFP).]

Federation Metadata (signed)
- IdP Info: IdP-A Info, IdP-B Info, ...
- SP Info: SP-A Info, SP-B Info, ...
- Entity Metadata (IdP): ID of IdP-A = entityID, Certificate, Protocol, Organization Info, ...
- Entity Metadata (SP): ID of SP-A = entityID, Certificate, Protocol, Organization Info, ...

[Diagram: the Federation Metadata Repository distributes the entity metadata of IdP A, B, C and SP A, B, C to the DS (Discovery Service) and to every entity.]
The reliability of the relying party is confirmed by the signed metadata.

Shibboleth architecture
- Front channel (https): Browser; SP on Apache / IIS with the Shibboleth Module (mod_shib: Session Initiator, Assertion Consumer), the Shibboleth Daemon (shibd) and the Web Resource protected by .htaccess; IdP on Tomcat with the SSO Profile, the AuthN Engine and its AuthN DB (LDAP/AD), and the username/password form; DS. The assertion is delivered to the SP by SAML POST.
- Back channel (https): from shibd to the IdP's Attribute Authority and its Attribute DB (port numbers: 443, 4443 or 8443; it depends on each SP)

Example .htaccess on the SP:

    # .htaccess
    AuthType shibboleth
    ShibRequireSession On
    require valid-user

Configuration files
- Shibboleth IdP: handler.xml, login.config, attribute-filter.xml, attribute-resolver.xml, relying-party.xml, BackingFile (federation metadata, the basis of trust); user data in LDAP
- Shibboleth SP: shibboleth2.xml, attribute-map.xml, attribute-policy.xml, BackingFile (metadata repository), httpd.conf / .htaccess; attributes are passed as environment variables (Env. Val.) to the Web App for access control

Attributes managed by an IdP (Name (abbreviation): Description)
- OrganizationName (o): English name of the organization
- jaOrganizationName (jao): Japanese name of the organization
- OrganizationalUnit (ou): English name of a unit in the organization
- jaOrganizationalUnit (jaou): Japanese name of a unit in the organization
- eduPersonPrincipalName (eppn): Uniquely identifies an entity in GakuNin
- eduPersonTargetedID: A pseudonym of an entity in GakuNin
- eduPersonAffiliation: Staff, Faculty, Student, Member
- eduPersonScopedAffiliation: Staff, Faculty, Student, Member, with scope
- eduPersonEntitlement: Qualification to use a specific application
- SurName (sn): Surname in English
- jaSurName (jasn): Surname in Japanese
- givenName: Given name in English
- jaGivenName: Given name in Japanese
- displayName: Displayed name in English
- jaDisplayName: Displayed name in Japanese
- mail: E-mail address
- gakuninScopedPersonalUniqueCode: Student or faculty/staff number, with scope

Released attributes are different among SPs
- SP-A (2 attributes required): eppn (mandatory), eduPersonAffiliation (optional)
- SP-B (1 attribute required): eduPersonAffiliation (mandatory)
- SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)

Identifier types
- Anonymous: no identifier is sent. Fits e-Journals (a member (of a department) of the organization can access)
- Autonymous: eduPersonPrincipalName is sent. A unique identifier shared by all SPs (globally unique), similar to an e-mail address
- Pseudonymous: eduPersonTargetedID is sent [hash(ePPN, entityID of SP)]. A persistent unique identifier for each SP, different per SP, to avoid correlation of user activities among SPs

Training environment (VirtualBox)
- Host OS: Windows / Mac, with a browser
- VM (CentOS): idp.example.asia
- VM (CentOS): sp.example.asia, sp2.example.asia; LDAP copy
- "NAT" network to access the Internet; "Host-only" network for the VMs to communicate with each other
- No DS (Discovery Service) provided
- Use /etc/hosts instead of DNS

Exercises on the IdP attribute filter (Ref.: https://wiki.shibboleth.net/confluence/x/GoBC)
1. Configure not to send out any attributes to all SPs.
2. Configure to send out only "eduPersonTargetedID" and "eduPersonPrincipalName" to all SPs.
3. Configure to send out only "eduPersonTargetedID" for an SP.
4. Configure to send out "admin" as a value of "eduPersonEntitlement" for a user.
5. Configure to filter the values of "eduPersonEntitlement" so that only a specific value is sent out for an SP.

Exercises on the SP attribute filter (Ref.: https://wiki.shibboleth.net/confluence/x/84BC)
1. Configure to filter out all attributes received at an SP.
2. Configure an IdP to send out multiple values of "eduPersonEntitlement", then configure an SP to filter them out except one value.
3. Configure an IdP to send out a new attribute named "trainingTestAttribute", then configure an SP to receive it.

Exercises on SSO, authorization and session initiation
1. Confirm that the password is not required when you access a second SP (SSO).
2. Authorize users who are "staff" by "eduPersonAffiliation".
3. Authorize when "test" is included in "eduPersonEntitlement".
4. LazySession feature (Ref.: https://wiki.shibboleth.net/confluence/x/bYFC)
5. ForceAuthentication (forceAuthn) feature (Ref.: https://wiki.shibboleth.net/confluence/x/SIBC)
6. PassiveAuthentication (isPassive) feature (Ref.: https://wiki.shibboleth.net/confluence/x/SIBC)
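As an added example (not from the slides or from the Shibboleth project), this attribute-filter.xml for Shibboleth IdP 2.x covers exercises 2, 3 and 5 of the IdP attribute filter exercises in one consistent configuration: every SP gets eduPersonTargetedID, every SP except the second one also gets eduPersonPrincipalName, and the first SP gets eduPersonEntitlement only when the value is "admin". The SP entityIDs https://sp.example.asia/shibboleth and https://sp2.example.asia/shibboleth are assumptions derived from the training VM host names.

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

  <!-- Exercise 1 needs no policy at all: an empty group releases nothing.
       Whatever is not explicitly permitted below is withheld ("least attributes"). -->

  <!-- Exercise 2, first half: the pseudonymous identifier goes to every SP. -->
  <afp:AttributeFilterPolicy id="targetedIdToAllSPs">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Exercise 2, second half, combined with exercise 3: ePPN goes to every SP
       except sp2, so sp2 receives only eduPersonTargetedID.
       The entityIDs are assumed values for the training VMs. -->
  <afp:AttributeFilterPolicy id="eppnToAllButSp2">
    <afp:PolicyRequirementRule xsi:type="basic:NOT">
      <basic:Rule xsi:type="basic:AttributeRequesterString"
                  value="https://sp2.example.asia/shibboleth" />
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Exercise 5: sp receives eduPersonEntitlement only when the value is "admin";
       any other value of the attribute is dropped for this SP. -->
  <afp:AttributeFilterPolicy id="adminEntitlementToSp">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.asia/shibboleth" />
    <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:AttributeValueString"
                           value="admin" ignoreCase="false" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Exercise 4 is not a filter setting: the "admin" value comes from the attribute source (LDAP) through attribute-resolver.xml, and the filter above only decides whether it leaves the IdP.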
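Added example (not from the slides or from the Shibboleth project): the SP-side attribute-map.xml entries needed for the SP exercises, mapping the identifiers of the "Identifier types" section and the new trainingTestAttribute to the local ids that the access control rules use. The SAML attribute name urn:mace:example.asia:attribute:trainingTestAttribute is an assumption; it must equal the name configured in the encoder of the IdP's attribute-resolver.xml.

```xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Autonymous identifier: eduPersonPrincipalName, scoped like an e-mail address.
       The scoped decoder keeps the scope so the SP can check it against the IdP's metadata. -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" />
  </Attribute>

  <!-- Pseudonymous identifier: eduPersonTargetedID arrives as a persistent NameID.
       Qualifying it with the IdP and SP entityIDs keeps values from two IdPs apart. -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
                      formatter="$NameQualifier!$SPNameQualifier!$Name"
                      defaultQualifiers="true" />
  </Attribute>

  <!-- eduPersonAffiliation and eduPersonEntitlement, used by the
       "staff" and "test" authorization exercises. -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false" />
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement" />

  <!-- SP exercise 3: the new attribute released by the IdP. The SAML name is an
       assumed value and must match the IdP's attribute-resolver encoder. -->
  <Attribute name="urn:mace:example.asia:attribute:trainingTestAttribute"
             id="trainingTestAttribute" />

</Attributes>
```

Mapping is not filtering: SP exercises 1 and 2 are done in attribute-policy.xml, which uses the same afp rule syntax as the IdP's attribute-filter.xml.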
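Added example (not from the slides): the authorization rules of items 2 and 3 of the last exercise set, written as a Shibboleth SP XML access control file instead of Apache require directives, using the attribute ids unscoped-affiliation and entitlement as they are named in attribute-map.xml.

```xml
<AccessControl xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <!-- Access is granted when either rule matches. Each Rule compares every value of
       the named attribute (its id from attribute-map.xml) with the listed value. -->
  <OR>
    <!-- Item 2: users whose eduPersonAffiliation is "staff" -->
    <Rule require="unscoped-affiliation">staff</Rule>
    <!-- Item 3: users whose multi-valued eduPersonEntitlement includes "test" -->
    <Rule require="entitlement">test</Rule>
  </OR>
</AccessControl>
```

The file is referenced from .htaccess with ShibAccessControl /etc/shibboleth/training-access.xml (an assumed path) in place of require valid-user; ShibRequireSession On stays as it is.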