Hosting a SAML-protected Web Site in Microsoft Azure
Eric Kool-Brown, Software Engineer, University of Washington IT
SAML in Azure - Windows in Higher Ed

A SAML Protected Web Site

SAML: what is it?
Security Assertion Markup Language and much more
• A token format (using this language)
• A set of authentication protocols
• A set of bindings for the transfer of the protocol elements
• A set of OASIS specifications ratified in 2005

Some Terminology
• SAMLP – used to differentiate the protocol from the token format
• Service Provider – a protected web site, a.k.a. Relying Party
• IdP – identity provider, a.k.a. security token service
• Shibboleth – the community-developed reference implementation of SAML

Hosting a Shibboleth-Protected Web Site Locally
(diagram: the User on the Public Internet reaches the Web App in the Campus Datacenter, where the Web App, Shib IdP, Credential Datastore and Databases all live)

Hosting a Shibboleth-Protected Web Site In Azure
(diagram: the Web App moves to Azure; the Shib IdP, Credential Datastore and Databases stay in the Campus Datacenter; the User still reaches the Web App over the Public Internet)

Azure Networking
(diagram: Public Internet → Azure DNS/Load Balancer → Azure VMs on an Azure Virtual Network; a Site-to-Site Protected Data Connection between the Azure VPN Gateway and the campus Hardware VPN Gateway links the Azure Virtual Network to the Campus Subnet List and Campus Servers in the Campus Datacenter)

Options, We’ve Got Options
• Upload your Shibboleth SP VHD as an Azure VM
  – Could be either Linux or Windows
• Host WIF web app in an Azure web site and use ADFS as a protocol translator
• Use WIF and the SAMLP CTP extension
• Host Shibboleth SP as an Azure cloud service

Azure Virtual Machine
• Use an MS-supplied OS image or upload your own (Linux or Windows)
  – If the former, upload web app remotely
  – If the latter, can configure locally, then upload the entire VHD
• VM bits stored in triple redundant Azure blob storage
• Scaling up requires manual configuration

Azure VM Details
• Windows OS licensing: monthly cost of using MS-supplied Windows image includes OS licensing fee
• DNS needs to be configured in Azure; you supply a validated DNS name and Azure supplies the VIP for that name
• Adding instances for scaling requires manual configuration
• Ditto for monitoring

Azure Web Sites
• Write web app in Visual Studio and deploy to Azure from VS
• Use WIF to “claims enable” your web app via its support for WS-Federation
  – WIF does not support SAMLP
• Use AD FS to translate from WS-Federation to SAMLP
• Azure handles scaling to add instances and configures load balancing

Add a Cloud Web App Project
Configure the Project
Configure WS-Fed
Sign-in to Azure
Publish to Azure
(Visual Studio screenshot slides; only the titles survive in this text)

AD FS as a Protocol Translator
(diagram slide)

Azure Web Sites Redux
• MS released a CTP extension to WIF 4.0 that supported SAMLP
• May be NLA and is certainly not supported by MS
• One UW web application in production using this CTP
• WIF 4.5 re-architected, the CTP won’t work with it (and claims-based web apps need to be re-written)

Azure Cloud Service
• Web roles and worker roles
• Web role much more configurable than an Azure web site
• Shibboleth SP can be automatically installed using a startup script
• See my blog posts starting with http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/

Create a Cloud Service Project
Add Roles to the Service
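The "Azure Web Sites" and "AD FS as a Protocol Translator" slides rest on one fact: WIF speaks WS-Federation, the campus IdP speaks SAMLP, and AD FS sits between them translating. The following added example (my own illustration, not code from the deck, from Shibboleth or from WIF) builds the sign-in request each protocol puts on the wire, so the gap a translator has to bridge is concrete: a SAMLP AuthnRequest is an XML protocol element carried by the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), while a WS-Federation passive sign-in is a handful of query parameters. Every URL and entity ID in it is a constructed placeholder.

```python
"""Added example: SAMLP AuthnRequest over the HTTP-Redirect binding versus a
WS-Federation passive sign-in URL.  Not from the slide deck, Shibboleth or WIF.
All endpoints and entity IDs are constructed placeholders."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"   # the protocol (SAMLP)
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # the token format

# Constructed placeholder identifiers (assumptions, not values from the deck).
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
ACS_URL = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
ADFS_WSFED_URL = "https://adfs.example.edu/adfs/ls/"


def new_request_id():
    """SAML IDs are XML NCNames, so they must not start with a digit."""
    return "_" + uuid.uuid4().hex


def build_authn_request(request_id, issue_instant):
    """Minimal SAMLP AuthnRequest: a protocol element, not a token."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    # The SP identifies itself by entityID; the IdP looks this up in metadata.
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req)


def samlp_redirect_url(request_id=None, issue_instant=None, relay_state="/protected"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    request_id = request_id or new_request_id()
    issue_instant = issue_instant or datetime.now(timezone.utc)
    xml_bytes = build_authn_request(request_id, issue_instant)
    # wbits=-15 selects raw DEFLATE (no zlib header), as the binding requires.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    }
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url):
    """What the IdP (or a translator such as AD FS) sees after undoing the binding."""
    qs = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def wsfed_signin_url(realm=SP_ENTITY_ID, reply=ACS_URL, ctx="/protected"):
    """WS-Federation passive sign-in: plain query parameters, no XML on the
    request leg.  wtrealm plays the role the SAML Issuer plays above."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply, "wctx": ctx}
    return ADFS_WSFED_URL + "?" + urlencode(params)


if __name__ == "__main__":
    url = samlp_redirect_url()
    print("SAMLP redirect:", url)
    print("decoded:", decode_saml_request(url))
    print("WS-Fed sign-in:", wsfed_signin_url())
```

Running the script prints both URLs side by side. The SAMLP leg carries a signed-or-unsigned XML document whose Destination and AssertionConsumerServiceURL the IdP validates against SP metadata; the WS-Federation leg carries only a realm and a reply address, which is why a WIF application cannot talk to a SAMLP-only IdP without AD FS (or the unsupported CTP) in the middle.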
Choose the Type of Web App
Config and Definition Files
Shibboleth SP Install Task
Shib SP Files in Project
(Visual Studio screenshot slides; only the titles survive in this text)

Startup script run by the web role's install task (one command per line; the path to isapi_shib.dll is C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll with no break in it):

echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1
msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt /norestart
echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth
echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0']
echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',preCondition='bitness64']
echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True']
echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1
icacls c:\opt /grant "Users":(OI)(CI)(RX)
echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1
icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M)
echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1
net stop shibd_Default
net start shibd_Default

Publishing
• Similar to publishing an Azure web app from Visual Studio
• Takes longer to start due to time taken to install the Shib SP
• The install script is re-run each time an instance is spun up

Questions?

Links
• Series of 5 blog posts on hosting a Shib SP in Azure: http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/
• Test web site: https://uwshibsp.cloudapp.net/ (note that it is using a self-signed cert, so be prepared for browser warnings)
• Azure Portal: https://manage.windowsazure.com/
• Azure Site-to-Site VPN: http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx
• Azure VPN Walkthrough: http://jeffgraves.me/2012/10/26/windows-azure-vpn-walkthrough/ (from 2012)
• Azure Load Balancer: http://msdn.microsoft.com/en-us/library/azure/dn655058.aspx (VMs can have multiple "endpoints")
• Example of confusion between SAML token format and SAML protocol: http://stackoverflow.com/questions/11342186/windows-identity-foundation-does-not-officially-support-saml-2-0-use-wif-ctp-or

The University of Washington is one of the world’s preeminent universities and a recognized leader in educating the next generation of leaders, thinkers and doers. A multi-campus institution comprising UW Seattle, UW Tacoma and UW Bothell, as well as a world-class academic medical center, the UW is a focal point of the Puget Sound region’s intellectual and cultural life and a key contributor to Washington’s increasingly global reputation as a center of innovation and change.
A progressive and quintessentially Northwest institution with a uniquely innovative and creative culture, the UW is driven to lead by successfully integrating the full assets of the university and its rich environs to address key issues of pressing human concern that make a lasting difference in the Northwest and around the world.
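Returning to the "SAML: what is it?" and "Some Terminology" slides: the token (the Assertion) and the protocol element that carries it (the Response) are different things, and the Service Provider installed by the startup script above exists to check the former before trusting it. The following added example is mine, not code from the deck or from the Shibboleth SP; it shows, over a constructed Response, the checks an SP applies to an assertion: trusted issuer, Success status, InResponseTo matching an outstanding request, audience equal to the SP's own entityID, the NotBefore/NotOnOrAfter window with clock skew, and the bearer confirmation's Recipient. XML signature verification is represented by a signature_verified flag (an assumption of this example); a real SP verifies the signature with the IdP key from metadata before any of these checks mean anything. Entity IDs, URLs and the subject are constructed placeholders.

```python
"""Added example: the condition checks a SAML Service Provider applies to an
assertion.  Not from the slide deck or from the Shibboleth SP.  Signature
verification is assumed to have happened upstream (signature_verified flag);
all identifiers are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders (assumptions, not values from the deck).
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
ACS_URL = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"
CLOCK_SKEW = timedelta(seconds=180)  # tolerance for IdP/SP clock drift


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(in_response_to, not_before, not_on_or_after,
                    audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID, recipient=ACS_URL):
    """Constructed samlp:Response wrapping one saml:Assertion (no IdP involved)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
  ID="_resp1" Version="2.0" IssueInstant="{_ts(not_before)}"
  InResponseTo="{in_response_to}" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(not_before)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>someone@example.edu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
          Recipient="{recipient}" NotOnOrAfter="{_ts(not_on_or_after)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, expected_request_id, now, signature_verified):
    """Return (True, NameID) when every check passes, else (False, reason).
    Each failure is a rejection, never a warning."""
    if not signature_verified:
        return False, "signature not verified against IdP metadata key"
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, "not a samlp:Response"
    status = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        return False, "no assertion"
    if assertion.findtext(f"{{{SAML_NS}}}Issuer") != IDP_ENTITY_ID:
        return False, "assertion issuer is not the trusted IdP"
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _parse_ts(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is None or now - CLOCK_SKEW >= _parse_ts(not_on_or_after):
        return False, "assertion expired"
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion is for a different audience"
    scd = assertion.find(f".//{{{SAML_NS}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != ACS_URL:
        return False, "bearer confirmation recipient is not this SP's ACS"
    if scd.get("InResponseTo") != expected_request_id:
        return False, "bearer confirmation is for a different request"
    return True, assertion.findtext(f".//{{{SAML_NS}}}NameID")


def demo(skew_minutes=0, audience=SP_ENTITY_ID, request_id="_req1", signature_verified=True):
    """Validate a constructed response (valid for 5 minutes) as seen
    skew_minutes after its NotBefore; negative values look at it early."""
    issued = datetime(2013, 6, 20, 12, 0, tzinfo=timezone.utc)
    xml_text = sample_response("_req1", issued, issued + timedelta(minutes=5), audience=audience)
    return validate_response(xml_text, request_id,
                             issued + timedelta(minutes=skew_minutes), signature_verified)


if __name__ == "__main__":
    for case in ({}, {"skew_minutes": 10}, {"audience": "https://other.example.edu/sp"},
                 {"request_id": "_stale"}, {"signature_verified": False}):
        print(case, "->", demo(**case))
```

The audience check is the one that protects a campus with many SPs: an assertion the IdP issued for one site is useless at another, and InResponseTo ties the assertion to a request this SP actually made, which is what stops an unsolicited Response from being accepted as a login.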