Shibboleth SSO and Drupal

Presented by Justin Ludwig (jludwig) at BADCAMP 2013
25 1st St., Suite 104, Cambridge, MA 02141 | www.BioRAFT.com
Who is Justin Ludwig?
• Jludwig on drupal.org
• Tech Virtuoso
• Software Engineer @ BioRAFT
• Drupal for about 6 years, when D5 was new.
• Resides in South Bay w/beautiful wife and
adorable fur-baby.
• Musical family: lovers of Early Music, weird
music of today and everything in between.
What is BioRAFT?
• “Preventing the next zombie apocalypse”
• Entirely built using Drupal, SaaS model
• Lab Safety, Compliance & Training Software
• Comprehensive and efficient hazard tracking,
compliance management, & training delivery
• In use at top tier research institutions, and at
top ten biotech & pharmaceutical companies
Shibboleth: A Brief History
• A shibboleth (/ˈʃɪbəlɛθ/ or /ˈʃɪbələθ/) is a word, sound, or custom that a person unfamiliar with its significance may not pronounce or perform correctly relative to those who are familiar with it. It is used to identify foreigners or those who do not belong to a particular class or group of people. It also refers to features of language, and particularly to a word or phrase whose pronunciation identifies a speaker as belonging to a particular group.
• Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" (שבלת).' If anyone said, "Sibboleth" (סבלת), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion. —Judges 12:5–6, NJB
• During World War II, some United States soldiers in the Pacific theater used the word lollapalooza as a shibboleth to challenge unidentified persons, on the premise that Japanese people often pronounce the letter L as R or confuse Rs with Ls; the word is also an American colloquialism that even a foreign person fairly well-versed in American English would probably mispronounce or be unfamiliar with.
JK, Rowling
A peek into the future
• What is single signon?
• What is Shibboleth?
How does it work?
• SAML? IdP? SP? WTF?
• Leveraging Drupal &
Shib_Auth.module
• Resources
What is Single Sign-On and WHY?
• Single sign-on (SSO) allows a user to use a
single username and password for multiple
services.
• Easier for the end user.
• Easier integration for staff.
• Better security (when used properly).
• The biggest reason…
Your Client Needs It!
• Higher Education, they use it.
• Government, they use it.
• Big corporations, they use it.
• Non-Profits, they should be using it.
Just a little Jargon…
• Security Assertion Markup Language (SAML): Fast, secure, robust XML-based open standard for SSO.
• Identity Provider (IdP): Authentication service; provides the user data.
• Service Provider (SP): Hosts the application that users wish to access.
Why Shibboleth?
• The most robust SAML
implementation.
• Tried and tested.
• Easy to use.
• Big community.
• Open source.
• Shib_Auth module.
How Shibboleth Works
1. User accesses protected resource.
2. The SP sends an authentication request to the IdP.
3. User authenticates to the IdP – format of the request determined by config.
4. The IdP’s response is picked up at the ACS (Assertion Consumer Service) on the SP, which decodes it, does security checks, then creates a session for the user. Drupal then takes over.
POST Binding and Artifact Binding
• POST Binding: IdP returns POST that contains
SAML Assertion to SP. No direct
communication between IdP & SP.
• Artifact Binding:
1. IdP saves SAML Assertion to session and
redirects user to SP w/Artifact in query string.
2. SP requests SAML Assertion for Artifact from IdP
3. IdP returns Assertion w/matching Artifact.
4. SP validates assertion
Install and Configure Shibboleth
• Learn XML!
• http://www.w3schools.com/xml/
• Other Prerequisites
  • Root access to the machine.
  • Network Time Protocol (NTP)
  • Basic understanding of SSL
  • Basic understanding of server configuration
Install and Configure Shibboleth
Follow an installation guide. ;)
• https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
• If not using an officially supported distro,
check package management repo.
• As always, Google is your friend.
A Little Configuration Jargon…
• EntityID: String used to
identify your application
across federation
interactions.
• Metadata: What makes
SAML work.
• Attributes: Info provided by
the IdP. Configured in
attribute-map.xml
Federations: No, you don’t need to wear the jumpsuit
• A group of IdPs and
SPs that agree on a
set of policies.
• Not 100% necessary,
but greatly simplifies
integration w/other federation members,
management decisions, etc.
Config Files Overview
• /etc/shibboleth: Base directory for Shib config
• shibboleth2.xml: Most of the SP’s config opts.
• attribute-map.xml: Used to translate attributes from SAML assertions.
• Metadata: SP and IdP/Federation exchange metadata and this makes SAML work.
• Usually generated to /Shibboleth.sso/Metadata.
• A good base; invest in understanding contents.
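What attribute-map.xml does for the SP, as an added example that is not from the slides or the Shibboleth SP: a Python model that reads a constructed attribute-map.xml, applies it to a constructed SAML AttributeStatement, and exports the result the way the SP hands attributes to the web server (multi-valued attributes joined with ";", REMOTE_USER taken from a preference list). The attribute names are the standard eduPerson/LDAP OIDs; the sample values, the IdP's permitted scope and the scope filtering (which the real SP applies in its attribute policy rather than in the map) are assumptions of this example.

```python
# Added example (not from the slides or the Shibboleth SP): model of the
# attribute-map.xml translation step. Map, assertion fragment and scope are constructed.
import xml.etree.ElementTree as ET

# Constructed attribute-map.xml: SAML attribute name -> SP-side id, with the
# decoder that splits "value@scope" attributes.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>"""

# Constructed AttributeStatement as it might arrive inside an assertion.
# "member@other.example" carries a scope this IdP is not allowed to assert,
# and urn:oid:2.5.4.3 (cn) has no mapping at all.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>staff@example.edu</saml:AttributeValue>
    <saml:AttributeValue>member@other.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.3">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

NS_MAP = "{urn:mace:shibboleth:2.0:attribute-map}"
NS_XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
NS_SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def load_map(xml_text: str) -> dict:
    """Return {saml_name: (sp_id, is_scoped)} from an attribute-map.xml document."""
    rules = {}
    for attr in ET.fromstring(xml_text).findall(NS_MAP + "Attribute"):
        decoder = attr.find(NS_MAP + "AttributeDecoder")
        scoped = decoder is not None and decoder.get(NS_XSI + "type") == "ScopedAttributeDecoder"
        rules[attr.get("name")] = (attr.get("id"), scoped)
    return rules


def translate(statement_xml: str, rules: dict, idp_scopes: set) -> dict:
    """Translate assertion attributes into SP ids. Unmapped attributes are dropped;
    scoped values are split at the last '@' and kept only if the scope is one this
    IdP may assert (modelled here; the SP does it in its attribute policy)."""
    out = {}
    for attr in ET.fromstring(statement_xml).findall(NS_SAML + "Attribute"):
        rule = rules.get(attr.get("Name"))
        if rule is None:
            continue
        sp_id, scoped = rule
        for value_el in attr.findall(NS_SAML + "AttributeValue"):
            value = (value_el.text or "").strip()
            if scoped:
                if "@" not in value:
                    continue
                _, scope = value.rsplit("@", 1)
                if scope not in idp_scopes:
                    continue
            out.setdefault(sp_id, []).append(value)
    return out


def export_env(attrs: dict, remote_user_prefs: list) -> dict:
    """Model of the SP's export to the web server environment: multi-valued
    attributes joined with ';', REMOTE_USER from the first preferred id present."""
    env = {sp_id: ";".join(values) for sp_id, values in attrs.items()}
    for sp_id in remote_user_prefs:
        if attrs.get(sp_id):
            env["REMOTE_USER"] = attrs[sp_id][0]
            break
    return env


if __name__ == "__main__":
    mapped = translate(ATTRIBUTE_STATEMENT, load_map(ATTRIBUTE_MAP), {"example.edu"})
    print(export_env(mapped, ["eppn", "mail"]))
```

Everything Drupal sees through shib_auth comes out of this translation, so an attribute the IdP releases but the map does not name simply never reaches the module, and a scope the IdP is not entitled to assert must not reach it either.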
Leveraging Drupal
Shibboleth authentication module
• https://drupal.org/project/shib_auth
• Big ‘Thank you’ to shafter, bajnokk, dorion, niff, and everyone else involved in the project.
• 14,955 downloads, thousands report using it.
• 4.x Branch for Drupal 6 and Drupal 7.
  – Backported to D5 if anyone needs it.
What shib_auth gives you
• Automatic user creation and user login.
• Automatic role assignment.
• Account linking
• Logout Handling
Advanced Features in Shib_Auth
• User-defined usernames/e-mails
• Auto-Login
• Pre-creating Users
• User Consent Forms
• forceAuthn
Resources
• https://wiki.shibboleth.net/confluence/dashboard.action
• https://drupal.org/project/shib_auth
• https://www.testshib.org/index.html
• http://saml.xml.org/saml-specifications
• https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories
• http://shibboleth.net/community/lists.html
A look to the past
• What is single signon?
• What is Shibboleth?
How does it work?
• SAML? IdP? SP? WTF?
• Leveraging Drupal &
Shib_Auth.module
• Resources
Questions, comments, etc