Shibboleth SSO and Drupal Presented by Justin Ludwig (jludwig) at BADCAMP 2013 25 1st St., Suite 104, Cambridge, MA 02141 | www.BioRAFT.com Who is Justin Ludwig? • Jludwig on drupal.org • Tech Virtuoso • Software Engineer @ BioRAFT • Drupal for about 6 years, when D5 was new. • Resides in South Bay w/beautiful wife and adorable fur-baby. • Musical family: lovers of Early Music, weird music of today and everything in between. What is ? • “Preventing the next zombie apocalypse” • Entirely built using Drupal, SaaS model • Lab Safety, Compliance & Training Software • Comprehensive and efficient hazard tracking, compliance management, & training delivery • In use at top tier research institutions, and at top ten biotech & pharmaceutical companies Shibboleth: A Brief History • A shibboleth (/ˈʃɪbəlɛθ/[1] or /ˈʃɪbələθ/)[2] is a word, sound, or custom that a person unfamiliar with its significance may not pronounce or perform correctly relative to those who are familiar with it. It is used to identify foreigners or those who do not belong to a particular class or group of people. It also refers to features of language, and particularly to a word or phrase whose pronunciation identifies a speaker as belonging to a particular group. • Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" ()שבלת.' If anyone said, "Sibboleth" ()סבלת, because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion. —Judges 12:5–6, NJB • During World War II, some United States soldiers in the Pacific theater used the word lollapalooza as a shibboleth to challenge unidentified persons, on the premise that Japanese people often pronounce the letter L as R or confuse Rs with Ls; the word is also an American colloquialism that even a foreign person fairly well-versed in American English would probably mispronounce or be unfamiliar with. JK, Rowling A peek into the future • What is single signon? • What is Shibboleth? How does it work? • SAML? IdP? SP? WTF? • Leveraging Drupal & Shib_Auth.module • Resources What is Single Sign-On and WHY? • Single sign-on (SSO) allows a user to use a single username and password for multiple services. • Easier for the end user. • Easier integration for staff. • Better security (when used properly). • The biggest reason… Your Client Needs It! • • • • Higher Education, they use it. Government, they use it. Big corporations, they use it. Non-Profits, they should be using it. Your Client Needs It! Just a little Jargon… • Security Assertion Markup Language (SAML): Fast, secure, robust XML-based open-standard for SSO. • Identity Provider (IdP): Authentication service; provide the user data. • Service Provider (SP): Hosts the application that users wish to access. Why Shibboleth? • The most robust SAML implementation. • Tried and tested. • Easy to use. • Big community. • Open source. • Shib_Auth module. How Shibboleth Works 1. User accesses protected resource. How Shibboleth Works 2. The SP sends an authentication request to the IdP. How Shibboleth Works 3. User authenticates to the IdP – Format of the request determined by config. How Shibboleth Works 4. The IdP’s response is picked up at the ACS (Assertion Consumer Service) on the SP, which decodes it, does security checks, then creates a session for the user. Drupal then takes over. POST Binding and Artifact Binding • POST Binding: IdP returns POST that contains SAML Assertion to SP. No direct communication between IdP & SP. • Artifact Binding: 1. IdP saves SAML Assertion to session and redirects user to SP w/Artifact in query string. 2. SP requests SAML Assertion for Artifact from IdP 3. IdP returns Assertion w/matching Artifact. 4. SP validates assertion Install and Configure Shibboleth • Learn XML! • http://www.w3schools.com/xml/ • Other Prerequisites • • • • Root access to the machine. Network Time Protocol (NTP) Basic understanding of SSL Basic understanding of server configuration Install and Configure Shibboleth Follow an installation guide. ;) •https://wiki.shibboleth.net/co nfluence/display/SHIB2/Install ation • If not using an officially supported distro, check package management repo. • As always, Google is your friend. A Little Configuration Jargon… • EntityID: String used to identify your application across federation interactions. • Metadata: What makes SAML work. • Attributes: Info provided by the IdP. Configured in attribute-map.xml Federations: No, you don’t need to wear the jumpsuit • A group of IdPs and SPs that agree on a set of policies. • Not 100% necessary, but greatly simplifies integration w/other federation members, management decisions, etc. Config Files Overview • /etc/shibboleth: Base directory for Shib config • shibboleth2.xml: Most of the SP’s config opts. • attribute-map.xml: Used to translate attributes from SAML assertions. • Metadata: SP and IdP/Federaltion exchange metadata and this makes SAML work. • Usually generated to /Shibboleth.sso/Metadata. • A good base; invest in understanding contents. Leveraging Drupal Shibboleth authentication module •https://drupal.org/project/shib_auth •Big ‘Thank you’ to shafter, bajnokk, dorion, niff, and everyone else involved in the project. •14,955 downloads, thousands report using it. •4.x Branch for Drupal 6 and Drupal 7. – Backported to D5 if anyone needs it. What shib_auth gives you • Automatic user creation and user login. What shib_auth gives you • Automatic role assignment. What shib_auth gives you • Account linking What shib_auth gives you • Logout Handling Advanced Features in Shib_Auth • • • • • User-defined usernames/e-mails Auto-Login Pre-creating Users User Consent Forms forceAuthn Resources • https://wiki.shibboleth.net/confluence/dashb oard.action • https://drupal.org/project/shib_auth • https://www.testshib.org/index.html • http://saml.xml.org/saml-specifications • https://wiki.shibboleth.net/confluence/displa y/SHIB2/SecurityAdvisories • http://shibboleth.net/community/lists.html A look to the past • What is single signon? • What is Shibboleth? How does it work? • SAML? IdP? SP? WTF? • Leveraging Drupal & Shib_Auth.module • Resources Questions, comments, etc