Shibboleth
Service Provider
Workshop
Bart Ophelders - Philip Brusten
shib@kuleuven.be
June 2010
Shibboleth Service provider workshop
• This work is licensed under a Creative Commons
Attribution-ShareAlike 3.0 Unported License.
2
Acknowledgements
• What's new in Shibboleth 2 – Chad La Joie
• [SAMLConf]
http://docs.oasis-open.org/security/saml/v2.0/saml-conformance2.0-os.pdf
• Liberty interoperability testing:
http://projectliberty.org/liberty/liberty_interoperable/implementations
• Shibboleth 2.0 InstallFest Service Provider Material – Ann Arbor,
MI
• SP Hands-on Session – SWITCH
• https://spaces.internet2.edu/display/SHIB2
3
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
4
Introduction: “What is Shibboleth?”
• Quote from http://shibboleth.internet2.edu:
The Shibboleth System is a standards based, open source
software package for web single sign-on across or within
organizational boundaries. It allows sites to make informed
authorization decisions for individual access of protected
online resources in a privacy-preserving manner.
5
Introduction: “What is Shibboleth?”
• Terminology
– Authentication: says who we are
– Authorization: says which resource we can access
– SP: Service Provider (Resource)
– IdP: Identity Provider (Home organisation)
– WAYF: Where Are You From
– DS: Discovery Service
6
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Components:
Identity Provider (IdP) – Service Provider (SP) –
Where Are You From (WAYF) – User Agent (UA)
Shibboleth service
Service Provider
7
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
SAML1.1 profile: Browser/Artifact
Initial request from UA to document X
No active Shibboleth session, UA redirected to WAYF
Shibboleth service
Service Provider
8
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
WAYF asks UA to choose an IdP (if not already set in cookie)
Redirect UA to selected IdP
9
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
IdP prompts the UA for credentials (Username/Password, x509,
digipass, etc).
IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)
10
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
IdP resolves attributes for the authenticated principal and creates
SAML assertion (authentication & attribute statement)
Redirects UA with references to these assertions (Artifacts).
11
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
Shibboleth service or daemon dereferences the Artifacts on a
secure backchannel with SSL mutual authentication.
Invisible for the UA.
12
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
The Shibboleth service verifies and filters the information and
gives it to the Shibboleth module (via RPC or TCP).
The Shibboleth module or Webserver will authorise the principal.
13
Architecture Shibboleth v1.3
WAYF
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider 2
The active sessions with every component will provide the single
sign-on experience.
14
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
15
Shibboleth 2.x: “What has changed?”
• General
– SAML2 protocols
• Authentication Request Protocol (SP initiated)
– Force re-authentication
– Passive authentication
• Assertion Query and Request Protocol
• Artifact Resolution Protocol
• Single Logout Protocol (Not supported by the IdP yet)
• NameID Management Protocol
• NameID Mapping Protocol
– Encryption and signing of sensitive information
– Distributed configuration (pull)
• Federation Metadata
• Attribute-map
• Attribute-filter
16
Shibboleth 2.x: “What has changed?”
• Identity Provider
– Own authentication modules
•
•
•
•
•
•
•
•
•
LDAP
Kerberos
IP-based
PreviousSession (SSO)
REMOTE_USER (cfr. CAS)
– No SAML2 force authentication
Very flexible attribute resolving
Very flexible attribute filtering (with constraints)
Clean audit logs
etc
17
Shibboleth 2.x: “What has changed?”
• Discovery Service
– Successor of WAYF
– SAML2 Identity Provider Discovery Profile
– Multi-federation support
18
Shibboleth 2.x: “What has changed?”
• Service Provider
–
–
–
–
Multi-protocol support
New attribute filtering policy language
Support for ODBC based storage of state
Significant performance improvements
19
Architecture Shibboleth v2.x
DS
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Shibboleth service
Webserver
Identity Provider
Service Provider
SAML2.0 profile: Web browser SSO + HTTP POST binding
Initial request from UA to document X
No active Shibboleth session, UA redirected to DS
20
Architecture Shibboleth v2.x
DS
SP takes back
control
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
DS asks UA to choose an IdP (if not already set in cookie)
Redirect UA back to SP with selected IdP as parameter.
21
Architecture Shibboleth v2.x
DS
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider
SP sends SAML Authentication request to the IdP.
IdP prompts the UA for credentials, if necessary.
IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)
22
Architecture Shibboleth v2.x
DS
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
SAML response
• Authentication statement
• Attribute statement
Shibboleth service
Service Provider
The IdP resolves and filters the principal’s attribute information and
constructs a SAML assertion. This assertion can optionally be
signed and/or encrypted. Next, the IdP POSTs a response to the SP.
23
Architecture Shibboleth v2.x
DS
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
No callback!
Webserver
Identity Provider
Shibboleth service
Service Provider
The Shibboleth service decrypts, verifies and filters the response
and gives it to the Shibboleth module (via RPC or TCP).
The Shibboleth module or Webserver will authorise the principal.
24
Architecture Shibboleth v2.x
DS
Shibboleth
module
Identity Provider
HTTP redirect
HTTP interaction
x
User Agent/Browser
Webserver
Webserver
Identity Provider
Shibboleth service
Service Provider 2
Again, the active sessions with every component will provide the
single sign-on experience.
25
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
26
Concept of Federation
• Group of entities, both IdPs and SPs.
• Can map on existing Associations (e.g.: BELNET,
Associatie K.U.Leuven, K.U.Leuven, etc)
Toledo
App X
K.U.Leuven
W&K
App Y
…
K.U.Leuven
App Z
App Z
Federation K.U.Leuven
…
Federation Associatie K.U.Leuven
27
Concept of Federation
• Benefits
– Scalable
– Simplifies things
– WAYF service (IdP discovery)
• Metadata
– Describes entities (protocol support, contact information, etc)
– PKI management
– Trust
• Since Shibboleth v2.x = single point of trust
– Digitally signed
– http://shib.kuleuven.be/download/metadata
28
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
29
Resource Registry
• Metadata management tool
– Based on open source from SWITCH and modified by INTIENT
and K.U.Leuven
•
•
•
•
Adapted for K.U.Leuven
Multi-federation support
Identity Provider 1-many link
Service Provider 1-many link
30
Resource Registry
31
Resource Registry
• For now only internal use
• In a later stage available for:
– Resource Registry Administrators
• To approve resources from a certain IdP
– Resource Administrators
• For administering SP information (self-service)
– Home Organisation Administrators
• For administering IdP information (self-service)
– Federation Administrators
• Signing metadata file
• Roles can be assigned independently
32
Resource Registry
• Currently hosting:
–
–
–
–
Federation K.U.Leuven
Federation Associatie K.U.Leuven
Federation K.U.Leuven – UZLeuven
Test federation K.U.Leuven
33
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
34
A word on ADFS
• Active Directory Federation Services v1
– Part of Microsoft Windows Server 2003 R2
– WS-Federation Passive Requester Profile (WS-F PRP)
– Shibboleth v1.3 has implemented
“WS-Federation: Passive Requestor Interoperability Profile”
specification for both IdP & SP
– Two ways of working
• NT-Token based
• Claim based
35
A word on ADFS
• E.g. Implementation at K.U.Leuven
Identity Provider
ADFS Web Agents
Account partners
TRUST
TRUST
OWA
K.U.Leuven
Resources
- OWA
- EVault
- Sharepoint
- etc
TRUST
EVault
TRUST
Sharepoint
Webserver
IdP K.U.Leuven
FS
36
A word on ADFS
37
A word on AD FS 2.0
•
•
•
•
•
•
•
Version 2.0
Officially released on 5 May 2010
Windows Server 2008 and Windows Server 2008 R2
Only claims based
Compatible with ADFS v1.0
Liberty Interoperable Implementation Tables
SAML2.0 operational modes:
– IdP lite
– SP lite
38
A word on AD FS 2.0
39
A word on AD FS 2.0
40
A word on AD FS 2.0
5) Use claims
in token
Identity Providers
Windows
Live ID
Other
STS
STS
Application
WIF
4) Submit
token
Token
3) Authenticate user
and get token for
selected identity
Internet
Browser or Client
CardSpace 2.0
2) Select an identity
that matches those
requirements
User
Token
1) Access
application and
learn token
requirements
41
Shamelessly copied from David Chappell’s presentation at TechEd 2009
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
42
Environment
• RedHat Enterprise Linux 5.5 (Tikanga)
• Debian 5.0 (Lenny)
• Windows Server 2008 R2
• Username: “shib” / “root”
• Passwords: “P@ssw0rd”
• Remote Access
– Linux: ssh
– Windows: Remote desktop
43
Environment
• RedHat Enterprise Linux 5.5 (Tikanga)
– 8 virtual machines
– DNS: worksh-rh-N.cc.kuleuven.be
– IP: 10.2.4.N
• Debian 5.0 (Lenny)
– 4 virtual machines
– DNS: worksh-db-N.cc.kuleuven.be
– IP: 10.2.4.2N
• Windows Server 2008 R2
– 10 virtual machines
– DNS: worksh-w8-N.cc.kuleuven.be
– IP: 10.2.4.4N + 10.2.4.50
44
Environment
• Shibboleth IdP
– DNS: worksh-idp.cc.kuleuven.be
– IP: 10.2.4.9
– https://worksh-idp.cc.kuleuven.be/idp/status
(only accessible through VMs: 10.2.4.0/24)
45
Environment
• Shibboleth standard base
http://shib.kuleuven.be/ssb_sp.shtml
•
$WORKSH_HOST = worksh-[rh|db|w8]-N.cc.kuleuven.be
46
Environment
• Key/Certificate generation - We’ve done it for you 
– Webserver
• Located at $PKI
• Signed by TerenaSSL CA
– Shibboleth SP
• Self-signed
• worksh-idp.cc.kuleuven.be:
/home/shib/ShibbolethSPWorkshop/certificates/shibboleth-sp
• Certificate: sp-[rh|db|w8]-N-cert.pem
• Key: sp-[rh|db|w8]-N-key.pem
• Save at $PKI
• Test certificates
openssl x509 –in $cert –issuer –noout
47
SSL certificates
• Use of self-signed certificates in backend
–
–
–
–
–
No need for commercial certificates
Longer lifetime
No truststore to maintain for commercial CAs
Revocation (just remove certificate)
Trustbase of commercial signed certificates can become quite
large
– Separate certificate for front- and backend
48
Environment
• Tools
– An absolute must: Syntax friendly editor
• RHEL: vim
• Debian: vim
$ apt-get install vim
• Windows: notepad++ or SciTE
– HTTP client
• RHEL: links
• Debian: links
• Windows: local browser
– SCP or WinSCP
• Check your time now!
• Always work case sensitive!
49
Installation - Overview
Shibboleth
service
RPC port 1600
Unix socket
...
mod_ssl
ISAPI filter Shibboleth
Shibboleth handler
/Shibboleth.sso
mod_shib
Shibboleth handler
/Shibboleth.sso
Apache
mod_auth
IIS
50
RHEL webserver
$ yum install httpd mod_ssl php
–
–
–
–
DocumentRoot: /var/www/html ($DOCROOT)
Configuration: /etc/httpd
Logs: /var/log/httpd ($WEB_LOG)
ServerName
$ vim /etc/httpd/conf/httpd.conf
Line 265:
ServerName $WORKSH_HOST
– Start/Stop service
$ service httpd start
$ service httpd status
httpd (pid ####) is running…
51
RHEL webserver
• Prepare test application
$ mkdir /var/www/html/secure
$ vim /var/www/html/secure/index.php
<?php
header('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session');
?>
52
RHEL webserver - SSL
$ vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/$WORKSH_HOST.pem
SSLCertificateKeyFile /etc/pki/$WORKSH_HOST.key
SSLCertificateChainFile /etc/pki/terenasslchain.crt
$ service httpd configtest
$ service httpd restart
$ openssl s_client –connect localhost:443
53
Debian webserver
$ apt-get install libapache2-mod-php5
–
–
–
–
DocumentRoot: /var/www ($DOCROOT)
Configuration: /etc/apache2
Logs: /var/log/apache2 ($WEB_LOG)
ServerName
$ vim /etc/apache2/sites-available/default
$ vim /etc/apache2/sites-available/default-ssl
Line 2, add:
ServerName $WORKSH_HOST
– Start/Stop service
$ apache2ctl start
$ apache2ctl status
54
Debian webserver
• Prepare test application
$ mkdir /var/www/secure
$ vim /var/www/secure/index.php
<?php
header('Location: https://'.$_SERVER['SERVER_NAME'].'/Shibboleth.sso/Session');
?>
55
Debian webserver - SSL
$ a2enmod ssl
$ vim /etc/apache2/sites-available/default-ssl
SSLCertificateFile /etc/pki/$WORKSH_HOST.pem
SSLCertificateKeyFile /etc/pki/$WORKSH_HOST.key
SSLCertificateChainFile /etc/pki/terenasslchain.crt
$
$
$
$
a2ensite default-ssl
apache2ctl configtest
/etc/init.d/apache2 restart
openssl s_client –connect localhost:443
56
Windows Server 2008 - Apache
– Download: http://httpd.apache.org :
Win32 Binary including OpenSSL 0.9.8m (MSI Installer)
– DocumentRoot: c:\htdocs ($DOCROOT)
– Configuration: c:\Apache2.2
– Logs: c:\Apache2.2\logs ($WEB_LOG)
– ServerName
C:\Apache2.2\conf\httpd.conf
Line 171:
ServerName $WORKSH_HOST
– Start/Stop service using the Apache monitor in the tray
57
Windows Server 2008 - Apache
• Prepare test application
$ mkdir C:\htdocs\secure
• Create index.html file
<html>
<head>
<title>redirect</title>
<meta http-equiv="REFRESH"
content="0;url=/Shibboleth.sso/Session">
</head>
</html>
58
Windows Server 2008 – Apache - SSL
c:\Apache2.2\conf\httpd.conf
LoadModule ssl_module modules/mod_ssl.so
[..]
Include conf/extra/httpd-ssl.conf
#Include c:/opt/shibboleth-sp/etc/shibboleth/apache22.config
c:\Apache2.2\conf\extra\httpd-ssl.conf
SSLCertificateFile c:/pki/$WORKSH_HOST.pem
SSLCertificateKeyFile c:/pki/$WORKSH_HOST.key
SSLCertificateChainFile c:/pki/terenasslchain.crt
• Restart Apache2.2 via the tray
$ openssl s_client –connect localhost:443
59
Windows Server 2008 - IIS
• IIS
– Server Manager:
Add Web Server (IIS) Role with
•
•
•
•
•
•
•
ASP.NET
ASP
IIS 6 Management compatibility
ISAPI filter
ISAPI extensions
IIS Management console
IIS Management Scripts and Tools (Powershell)
– Documents: c:\inetpub\wwwroot\ ($DOCROOT)
$ net start w3svc
60
Windows Server 2008 - IIS
• Prepare test application
$ mkdir C:\inetpub\wwwroot\secure
• Create Default.asp file
<%
Response.Redirect "/Shibboleth.sso/Session"
%>
61
Windows Server 2008 – IIS - SSL
• Import certificate
$ certutil
–p changeit
–importpfx c:\pki\$WORKSH_HOST.p12
$ Get-ChildItem cert:\LocalMachine\My
• Or use MMC Certificate snap-in
62
Windows Server 2008 – IIS - SSL
• Configure IIS
Right click website
 Edit bindings
63
Windows Server 2008 – IIS - SSL
• Add..
• Select SSL certificate
• Result
64
Shibboleth SP installation
$ cd /etc/yum.repos.d
$ wget
http://download.opensuse.org/repositories/security://shibbole
th/RHEL_5/security:shibboleth.repo
$ yum install shibboleth[.x86_64]
(Accept GPG key 0x7D0A1B3D)
• Certificates
$ cp $PKI/sp-rh-N-cert.pem $SHIB_CONF/sp-cert.pem
$ cp $PKI/sp-rh-N-key.pem $SHIB_CONF/sp-key.pem
$ service shibd start
• Done by RPM after installation
/etc/httpd/conf.d/shib.conf
/etc/rc.d/init.d/shibd
65
Shibboleth SP installation
$ cd /etc/apt/sources.list.d/
$ vim lenny-backports.list
deb http://www.backports.org/debian lenny-backports main
contrib non-free
$ apt-get update
$ apt-get install debian-backports-keyring
$ apt-get update
$ apt-get -t lenny-backports install libapache2-mod-shib2
$ cp $PKI/sp-db-N-cert.pem $SHIB_CONF/sp-cert.pem
$ cp $PKI/sp-db-N-key.pem $SHIB_CONF/sp-key.pem
$ chown _shibd $SHIB_CONF/sp-key.pem
66
Shibboleth SP installation
• Configuration files provided by deb packages
/etc/apache2/mods-available/shib2.load
/etc/init.d/shibd
• Create/etc/apache2/mods-available/shib2.conf
<Location /secure>
AuthType shibboleth
require shibboleth
</Location>
$ a2enmod shib2
$ /etc/init.d/shibd restart
$ /etc/init.d/apache2 restart
67
Shibboleth SP installation
• Download MSI packet from
http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/
• Run shibboleth-sp-2.3.1-win32.msi
68
Shibboleth SP installation
69
Shibboleth SP installation
70
Shibboleth SP installation
71
Shibboleth SP installation
72
Shibboleth SP installation
73
Shibboleth SP installation
74
Shibboleth SP installation
• After installation it is better to restart the OS
• Copy the self-signed keypair
$ copy $PKI/sp-w8-N-cert.pem $SHIB_CONF/sp-cert.pem
$ copy $PKI/sp-w8-N-key.pem $SHIB_CONF/sp-key.pem
• Restart Shibboleth service
75
Sanity checks
• Shibboleth ISAPI filter must be the first in the ‘ordered
list’
76
Sanity checks
• Access Shibboleth handler from your browser
https://$WORKSH_HOST/Shibboleth.sso
• Access session handler from your browser
https://$WORKSH_HOST/Shibboleth.sso/Session
A valid session was not found.
• See how a Shibboleth error looks like
https://$WORKSH_HOST/Shibboleth.sso/Foo
77
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
78
Bootstrapping the SP
Goals:
1. Working SP against a single IdP
2. Enable debugging of session attributes
3. Avoid clock complaints
79
Bootstrapping the SP
• Choose your entityID
https://$WORKSH_HOST
• Should be:
–
–
–
–
Unique
Locally scoped
Logical representative
Unchanging
• Seen on the wire, configuration files, metadata, log files,
etc
80
Bootstrapping the SP
• Relax some requirements, set your entityID and default
IdP entityID
$SHIB_CONF/shibboleth2.xml
logger="syslog.logger" clockSkew="1800000">
<Host name=“$WORKSH_HOST“ redirectToSSL="443">
<ApplicationDefaults id="default" policyId="default"
entityID="https://$WORKSH_HOST”
<SessionInitiator type="Chaining" Location="/Login"
isDefault="true" id="Intranet" relayState="cookie"
entityID=“https://worksh-idp.cc.kuleuven.be"
<Handler type="Session" Location="/Session"
showAttributeValues="true"/>
81
Bootstrapping the SP
• Provide metadata remotely from test IdP
$SHIB_CONF/shibboleth2.xml
<MetadataProvider type="Chaining">
<MetadataProvider type="XML"
uri="https://worksh-idp.cc.kuleuven.be/idp-metadata.xml"
backingFilePath="idp-metadata.xml" reloadInterval="3600"/>
• Backup at $SHIB_RUN
Uncomment whole <MetadataProvider>
Comment <MetadataFilter>
•
Normally: Provide your SP’s metadata to IdP
But, already done for you :-)
–
Metadata self-generated by your Service Provider
https://$WORKSH_HOST/Shibboleth.sso/Metadata
82
Bootstrapping the SP
• For IIS:
• Get site id (Run powershell as Administrator)
$ Import-Module WebAdministration
$ dir IIS:\Sites
• Set correct site ID and name
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="1" name=“$WORKSH_HOST"/>
83
Bootstrapping the SP – Quick test
• Make sure configuration works
$ shibd –tc $SHIB_CONF/shibboleth2.xml
WIN$ shibd –check $SHIB_CONF/shibboleth2.xml
Service Provider reloads shibboleth2.xml automatically when it changes
• Try it with a browser
https://$WORKSH_HOST/secure/
/secure/ is protected by shibboleth2.xml (<RequestMap>)
Login with shibN / P@ssw0rd
• Get session information
https://$WORKSH_HOST/Shibboleth.sso/Session
(you should see various attributes)
85
Bootstrapping SP - Logout
• Local logout
https://$WORKSH_HOST/Shibboleth.sso/Logout
This won’t delete your session on the IdP!
• Close the browser in order to remove ALL your session
cookies
• Or delete session cookies using the browser or an
extension, e.g.: Firefox Web Developer extension
86
Bootstrapping SP – Discovery Service
• Change the default SessionInitiator
$SHIB_CONF/shibboleth2.xml
<SessionInitiator type="Chaining" Location="/Login"
isDefault="false" id="Intranet" relayState="cookie"
<SessionInitiator type="Chaining" Location="/DS" id="DS"
relayState="cookie" isDefault="true">
[…]
<SessionInitiator type="SAMLDS"
URL="https://wayf.associatie.kuleuven.be/shibbolethwayf/WAYF"/>
</SessionInitiator>
• Try again https://$WORKSH_HOST/secure/
87
Program
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
88
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
89
Basic configuration
Goals:
1. Understand purpose and structure of SP configuration files
2. Increase log level to DEBUG
3. Configure metadata and add signature verification
90
Important directories
• $SHIB_CONF
– Master and supporting configuration files
– Locally maintained metadata files
– HTML templates (customize them to adapt look&feel to your
application)
– Logging configuration files (*.logger)
– Credentials (certificates and private keys)
• $SHIB_RUN
– UNIX socket
– Remotely fetched files (metadata, attribute-map)
• $SHIB_LOG
– shibd.log & transaction.log
• $WEB_LOG (written by Shibboleth module/ISAPI filter)
– native.log
91
Configuration files in $SHIB_CONF
•
•
•
•
•
•
•
•
shibboleth2.xml – main configuration file
apache*.config – Apache module loading
attribute-map.xml – attribute handling
attribute-policy.xml – attribute filtering settings
*.logger – logging configuration
*Error.html – HTML templates for error messages
localLogout.html – SP-only logout template
globalLogout.html – single logout template
Recommendation:
Adapting *.html files to match the look & feel of the protected
application improves user experience.
92
shibboleth2.xml structure
Outer elements of the shibboleth2.xml configuration file
<OutOfProcess> / <InProcess>
<UnixListener> / <TCPListener>
<StorageService>
<SessionCache>
<ReplayCache>
<ArtifactMap>
<RequestMapper>
Needed for session initiation and access control
<ApplicationDefaults>
Contains the most important settings of your SP
<SecurityPolicies>
93
ApplicationDefaults structure
You are most likely to change something in here:
• <ApplicationDefaults>
–
–
–
–
–
–
–
–
–
–
<Sessions> Defines handlers and how sessions are initiated and managed
<Errors> Used to display error messages. Provide here logo, e-mail and CSS
<RelyingParty> (*) To modify settings for certain IdPs/federations
<MetadataProvider> Defines the metadata to be used by the SP
<TrustEngine> Which mechanisms to use for signatures validation
<AttributeExtractor> Attribute map file to use
<AttributeResolver> Attribute resolver file to use
<AttributeFilter> Attribute filter file to use
<CredentialResolver> Defines certificate and private key to be use
<ApplicationOverride> (*) Can override any of the above for certain
applications
94
Logging
• First thing to do in case of problems
• shibd.log and transaction.log written by shibd,
native.log written by Shibboleth module/filter
• *.logger files contain predefined settings for output
location and default logging level (INFO) along with
useful categories to raise to DEBUG
• Log time is in UTC (~GMT)
95
Logging
• Raise categories
$ vim $SHIB_CONF/shibd.logger
log4j.rootCategory=DEBUG, shibd_log
• To implement *.logger changed:
$ touch shibboleth2.xml
$ tail –f /var/log/shibboleth/shibd.log
• Try again https://$WORKSH_HOST/secure/
96
Metadata features
• Metadata describes the other components (IdPs) that
the Service Provider can communicate with
• Four primary methods built-in:
–
–
–
–
Local file (you manage it)
Remote file (periodic refresh, local backup)
Dynamic resolution of entityID (=URL)
"Null" source that disables security (“OpenID” model)
• Security comes from metadata filtering, either by you or
the SP:
– Signature verification
– White and blacklists
97
Signature verification
• The Test IdPs metadata is signed. Until now, it was
loaded without checking, which is not secure and not
recommended!
• First, increase security:
$SHIB_CONF/shibboleth2.xml
Uncomment MetadataFilter for signature verification:
<MetadataProvider type="XML” […]
uri=“https://worksh-idp.cc.kuleuven.be/idp-metadata.xml”>
<MetadataFilter type="Signature“ certificate="sp-cert.pem"/>
</MetadataProvider>
98
Signature verification
• Run
$ shibd
–tc $SHIB_CONF/shibboleth2.xml
•
WIN$ shibd –check $SHIB_CONF\shibboleth2.xml
… and in the output you will see:
WARN OpenSAML.MetadataFilter.Signature [3]: filtering out
group at root of instance after failed signature check:
ERROR OpenSAML.Metadata.Chaining [3]: failure initializing
MetadataProvider: SignatureMetadataFilter unable to
verify signature at root of metadata instance.
• Metadata could not be loaded because it was signed
with a different key (we “broke” the setup). So, let’s get
the right key…
99
Signature verification
• Get certificate from IdP:
$ cd $SHIB_CONF
$ wget https://worksh-idp.cc.kuleuven.be/workshidp.cc.kuleuven.be.pem
• Then fix it:
$SHIB_CONF/shibboleth2.xml
<MetadataProvider type="XML” […] >
<MetadataFilter type="Signature“
certificate=“worksh-idp.cc.kuleuven.be.pem"/>
</MetadataProvider>
• Run again
$ shibd –tc $SHIB_CONF/shibboleth2.xml
WIN$ shibd –check $SHIB_CONF\shibboleth2.xml
100
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
101
Attribute handling
Goals:
1. Understand how attributes are transported
2. Learn how attributes are mapped and filtered
3. See how attributes can be used as identifiers
4. Add an attribute mapping and filtering rule
102
SP attribute terminology
• Push
Delivering attributes with SSO assertion via web browser
• Pull
Querying for attributes after SSO via back-channel (SP -> IdP)
• Extraction
Decoding SAML information into neutral data structures mapped to
environment or header variables
• Filtering
Blocking invalid, unexpected, or unauthorized values based on
application or community criteria
• Resolution
Resolving a SSO assertion into a set of additional attributes (e.g.
queries)
103
Scoped attributes
• Common term for attributes that consist of a relation between a
value and a scope, usually an organizational domain name
E.g. affiliation = “student@kuleuven.be”
• Makes values globally usable or unique
• Lots of special treatment in Shibboleth to make them more useful
and "safe"
• Alternatively, split value and scope into separate attributes:
affiliation=“student” and homeOrganization=“kuleuven.be”
104
Attribute mappings
• SAML attributes from any source are "extracted" using
the configuration rules in
/etc/shibboleth/attribute-map.xml
• Each element is a rule for decoding a SAML attribute
and assigning it a local id which becomes its mapped
variable name
• Attributes can have one or more id and multiple
attributes can be mapped to the same id
• The id can also be used as header name in the
webserver for this attribute
105
Dissecting an Advanced Attribute Rule
<Attribute id="affiliation" aliases="aff affil"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"
caseSensitive="false"/>
</Attribute>
• id
The primary "id" to map into, also used in web server environment
• aliases
Optional alternate names to map into
• name
SAML attribute name or NameID format to map from
• AttributeDecoder xsi:type
Decoder plugin to use (defaults to simple/string)
• caseSensitive
How to compare values at runtime (defaults to true)
106
https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeExtractor
Adding attribute mappings
• Add first and lastname SAML 2 attribute mappings:
$SHIB_CONF/attribute-map.xml
<Attribute
name="urn:oid:2.5.4.4" id="sn” aliases=“surname”/>
<Attribute
name="urn:oid:2.5.4.42" id="givenName"/>
• After saving, changes take effect immediately but NOT
for any existing sessions
• Therefore, restart your browser (or delete your session
cookies) and continue on next slide …
107
K.U.Leuven attribute mappings
• Attribute-map made compatible with 1.3 naming
conventions
$SHIB_CONF/shibboleth2.xml
<!–
<AttributeExtractor type="XML" validate="true" path="attributemap.xml"/>
-->
<AttributeExtractor type="XML"
uri="https://shib.kuleuven.be/download/sp/2.x/attribute-map.xml"
backingFilePath="attribute-map.xml" reloadInterval="7200"/>
108
Common identifiers
• Local userid/netid/uid (“intranet userid”), e.g. “u1234567”
Usually readable, persistent but not permanent, often reassigned,
not unique
• email address, e.g. Foo.bar@kuleuven.be
Usually readable, persistent but not permanent, often reassigned,
unique
• eduPersonPrincipalName, e.g. u1234567@kuleuven.be
Usually readable, persistent but not permanent, can be reassigned,
unique
• eduPersonTargetedID / SAML 2.0 persistent ID
Not readable, semi-permanent, not reassigned, unique
109
Common identifiers
Legacy attribute placeholder for the SAML 2.0
persistent NameID format:
– opaque
– pairwise (IdP/SP)
– original motivation was privacy, but strongest features are lack
of reassignment and immunity to name changes
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://worksh-idp.cc.kuleuven.be"
SPNameQualifier="https://worksh-rh-1.cc.kuleuven.be">
stringupto256chars
</saml:NameID>
In web server environment, persistentId=
https://worksh-idp.cc.kuleuven.be!
https://worksh-rh-1.cc.kuleuven.be!stringupto256chars
110
REMOTE_USER
• Special single-valued variable that all web applications
should support for container-managed authentication of
a unique user.
• Any attribute, once extracted/mapped, can be copied to
REMOTE_USER
• Multiple attributes can be examined in order of
preference, but only the first value will be used.
• IIS doesn’t support to set the REMOTE_USER
•
https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeAccess
111
Changing REMOTE_USER
• In case your application needs to have a remote user for
authentication, you just could make Shibboleth put an attribute (e.g.
”sn”) as REMOTE_USER:
$SHIB_CONF/shibboleth2.xml
• REMOTE_USER=”sn eppn persistent-id targeted-id"
• If sn attribute is available, it will be put into REMOTE_USER
• Attribute sn has precedence over eppn in this case
• This allows very easy “shibbolization” of some web applications
112
Attribute filtering
• Answers the "who can say what" question on behalf of an
application
• Service Provider can make sure that only allowed attributes and
values are made available to application
• Some examples:
– constraining the possible values or value ranges of an attribute
(e.g. eduPersonAffiliation, telephoneNumber, ....)
– limiting the scopes/domains an IdP can speak for
(e.g. university x cannot assert faculty@university-z.edu)
– limiting custom attributes to particular sources
113
Default filter policy
• As default, attributes are filtered out unless there is a rule!
• Shared rule for legal affiliation values
• Shared rule for scoped attributes
• Generic policy applying those rules and letting all other attributes
through.
• Check $SHIB_LOG/shibd.log for signs of filtering in case of
problems with attributes not being available.
You would find something like “no rule found, removing all
values of attribute (#attribute name#)“
114
https://spaces.internet2.edu/display/SHIB2/AFPAttributeFilterPolicy
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
115
Session initiation
Goals:
1. Learn how to initiate a Shibboleth session
2. Understand their advantages and disadvantages
3. Know where to require a session, what to protect
116
Content protection and session initiation
• Before access control (will be covered later on) can occur,
a Shibboleth session must be initiated
• Session initiation and content protection go hand in hand
• Requiring a session means the user has to authenticate
• Only authenticated users can access protected content
117
Content protection settings
Protect hosts, directories, files or queries
•
Apache
.htaccess (dynamic) or httpd.conf (static)
•
Apache / IIS / other
RequestMap
Requires Shibboleth to know exact hostname
Very powerful and flexible thanks to boolean/regex operations
•
Try accessing https://$WORKSH_HOST/
You should get access because the directory is not protected
118
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
Content protection with .htaccess
•
Prepare webserver (<Directory name=“$DOCROOT”>)
AllowOverride AuthConfig
•
Let’s protect the directory by requiring a Shibboleth
session:
$ mkdir $DOCROOT/secure2
$ vim $DOCROOT/secure2/.htaccess
AuthType shibboleth
require shibboleth
ShibRequestSetting requireSession 1
Synonym for the last line (used in Shibboleth 1.3):
ShibRequireSession On
119
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
Test content protection rule
•
Clear session and then access
https://$WORKSH_HOST/secure2
•
Authentication is enforced and access should be
granted
•
By now, all authenticated users get access
•
Content protection with authorization will be covered
later
120
Content protection with RequestMap
$ vim $DOCROOT/secure2/.htaccess
AuthType shibboleth
require shibboleth
$SHIB_CONF/shibboleth2.xml
<Host name=“$WORKSH_HOST” redirectToSSL=“443”>
<Path name=“secure2” authType=“shibboleth”
requireSession=“true”/>
</Host>
• Module (mod_shib or ISAPI filter) provides request URL
to shibd to process it
• Clearing session and then accessing /secure2/ now,
one also is forced to authenticate
121
RequestMap “Fragility”
• By default, Apache "trusts" the user’s web browser about what the
requested hostname is and reports that value internally
• To illustrate the problem, try accessing this URL:
https://$IP/secure2
Script can be accessed unprotected/without a session… ?
• How to fix? Make Apache use configured ServerName
httpd.conf
UseCanonicalName On
• IIS: normalizeRequest
https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI
122
Other content settings
• Requesting types of authentication
– E.g enforce X.509 user certificate authentication
• Redirect to SSL
• Custom error handling pages to use
• Redirection-based error handling
– In case of an error, redirect user to custom error web page with
error message/type as GET arguments
• forceAuthn
– Disable Single-Sign on and force a re-authentication
• isPassive
– Check whether a user has an SSO session and if he has,
automatically create a session on SP without any user interaction
• Supplying a specific IdP to use for authentication
123
https://spaces.internet2.edu/display/SHIB2/NativeSPContentSettings
Lazy Sessions
• The mode of operation so far prevents an application
from running without a login.
• Two other very common cases:
– Public and private access to the same resources
– Separation of application and SP session
• Semantics are:
if valid session exists
– process it as usual (attributes in environment array,
REMOTE_USER, etc.)
But if a session does NOT exist or is invalid, ignore it
and pass on control to webserver/scripts
124
Lazy Sessions example
• Construct URL
https://$WORKSH_HOST/Shibboleth.sso/Login
?target=https://$WORKSH_HOST/Shibboleth.sso/Session
– Shibboleth handler: https://$WORKSH_HOST/Shibboleth.sso
– Session Initiator: /Login
– Target location: ?target=https://$WORKSH_HOST/Shibboleth.sso/Session
–
Other options:
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters
• Most parameters can come from three places, in order
of precedence:
– Query string parameter to Shibboleth handler
– A content setting (Webserver config or RequestMap)
– <SessionInitiator> element
125
Lazy Sessions example
$ vim $DOCROOT/secure3/.htaccess
AuthType shibboleth
require shibboleth
• IIS: RequestMap entry for secure3
• Save PHP/ASP script from
worksh-idp.cc.kuleuven.be:
/home/shib/ShibbolethSPWorkshop/examples/lazy_session.[php|asp]
at
$DOCROOT/secure3/lazy_session.[php|asp]
Access https://$WORKSH_HOST/secure3/lazy_session.[php|asp]
126
Where to require a Shibboleth session
• Whole application with “required” Shibboleth session
– Easiest way to protect a set of documents
– No other authentication methods possible like this
• Whole application with “lazy” Shibboleth session
– Also allows for other authentication methods
– Authorization can only be done in application
• Only page that sets up application session
– Well-suited for dual login
– Application can control session time-out
– Generally the best solution
127
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
128
Access control
Goals:
1. Create some simple access control rules
2. Get an overview about the three ways to authorize users
3. Understand their advantages and disadvantages
129
Access control
• Two implementations are provided by the SP:
– .htaccess "require" rule processing
– XML-based policy syntax attached to content via RequestMap
• Third option: Integrate access control into
webapplication
130
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
Access control
+
-
1.a httpd.conf
1.b .htaccess
2. XML
AccessControl
3. Application
Access Control
 Easy to configure
 Can also protect
locations or virtual
files
 URL Regex
 Dynamic
 Easy to configure
 Platform
independent
 Powerful boolean
rules
 URL Regex
 Dynamic
 Very flexible and
powerful with
arbitrarily complex
rules
 URL Regex
Support
 Only works for
Apache
 Not dynamic
 Very limited rules
 Only works for
Apache
 Only usable with
“real” files and
directories
 XML editing
 Configuration error
can prevent SP
from restarting
 You have to
implement it
yourself
 You have to
maintain it yourself
131
1. Apache httpd.conf or .htaccess
• Work almost like known Apache “require” rules
require affiliation staff
require sn bar
• Special rules:
– shibboleth (no authorization)
– valid-user (require a session, but NOT identity)
– user (REMOTE_USER as usual)
– group (group files as usual)
– authnContextClassRef, authnContextDeclRef
• Default is boolean "OR”, use ShibRequireAll for AND rule
• Regular expressions supported using special syntax:
require mail ~ ^.*@(icts|law).kuleuven.be$
132
Side note: Aliases
• If in the attribute-map.xml file, there is a definition like:
<Attribute
name="urn:mace:dir:attribute-def:eduPersonAffiliation"
id="Shib-EP-Affiliation"
aliases="affiliation aff affil">
[…]/>
• This allows using rules aliases in authorization rules, e.g.:
require affiliation staff
#instead of
require Shib-EP-Affiliation staff
• Aliases can also be used in RequestMap
133
1. Example .htaccess file
• Require a user to be staff member
$DOCROOT/staff-only/.htaccess
AuthType Shibboleth
ShibRequestSetting requireSession 1
require unscoped-affiliation staff
• Access
https://$WORKSH_HOST/staff-only
with user “staff”, access should be granted
• Try the same with “shibN” user, access should be
denied
134
1. Advanced .htaccess file
• Require a user to be a student or to have an entitlement:
$ mkdir $DOCROOT/toledo
$ vim $DOCROOT/toledo/.htaccess
AuthType Shibboleth
ShibRequestSetting requireSession 1
require unscoped-affiliation student
require entitlement ~ .*toledo.*
Access:
https://$WORKSH_HOST/toledo
with user “student” and “staff”, access should be
granted.
• Try again with “shibN”, access should be denied.
135
2. XML access control
• Can be used for access control independent from web
server and operating system
• XML Access control rules can be embedded inside
RequestMap or can also be dynamically loaded from
external file.
WARNING: Can bring down entire webserver
• Same special rules as .htaccess, adds boolean
operators (AND,OR,NOT)
136
2. XML access control example
• Same as previous example but now with XML access
control embedded in RequestMap
$ vim $DOCROOT/toledo/.htaccess
AuthType Shibboleth
require shibboleth
$ vim $SHIB_CONF/shibboleth2.xml
<Host name=“$WORKSH_HOST">
[..]
<Path name=“toledo" authType="shibboleth" requireSession="true">
<AccessControl>
<OR>
<RuleRegex require="entitlement">.*toledo.*</RuleRegex>
<Rule require="unscoped-affiliation">student</Rule>
</OR>
</AccessControl>
</Path>
</Host>
137
3. Application managed access control
• Application can access and use Shibboleth attributes by
reading them from the web server environment
• Attributes then can be used for authentication/access
control/authorization
#PHP:
if ($_SERVER[‘affiliation’] == ‘staff’)
{ grantAccess() }
#Perl:
if ($ENV{‘affiliation’} == ‘staff’)
{ &grantAccess() }
#ASP:
if (Request.ServerVariables(‘affiliation’) == ‘staff’ ){
{ grantAccess() }
138
http://shib.kuleuven.be/download/sp/test_scripts/
3. Application managed access control
• Default is to use environment variables instead of HTTP
headers (Apache)
– Cannot be manipulated in any way from outside
• Unfortunately not all webservers support a mechanism
to create custom variables within webserver
(IIS,Sun/iPlanet)
Solution:
AuthType shibboleth
ShibRequestSetting requireSession 1
require shibboleth
ShibUseHeaders On
139
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
140
Adding a separate (Shibboleth) application
Goals:
1. Define another application
2. Protect new application
3. Know how to configure them if necessary
141
Terminology
• Service Provider (physical)
– An installation of the software on a server
• Service Provider/”Resource” (logical)
– Web resources viewed externally as a unit
– Each entityID identifies exactly one logical SP
• SP Application
– Web resources viewed internally as a unit
– Each applicationId identifies exactly one logical application
– A user session is bound to exactly one application
142
Virtualization concepts
• A single physical SP can host any number of logical SPs
– A logical SP can then include any number of "applications"
– Web virtual hosting is often related but is also independent
– Applications can inherit or override default configuration
settings on a piecemeal basis
• Multiple physical SPs can also act as a single logical SP
– Clustering for load balancing and failover
143
Adding an application
• Goal: Add a second application with a different entityID
living in its own virtual host
$SHIB_CONF/shibboleth2.xml
<RequestMap applicationId="default">
<Host name=“$IP” applicationId="alt"/>
[..]
<ApplicationOverride id="alt" entityID="https://$IP"/>
</ApplicationDefaults>
144
Adding an application
• For the additional application, canonical names should
be turned off again (unless you use Vhosts)
httpd.conf
UseCanonicalName Off
• Test application:
https://$IP/secure
• The IdP will throw an ERROR (entityID is not trusted)
Error Message: SAML 2 SSO profile is not configured for
relying party 'https://10.2.4.N'
• Check logging $SHIB_LOG/shibd.log and
$WEB_LOG/native.log (DEBUG)
You should see the new entityID
145
Adding an application
• <ApplicationOverride>
Rule of thumb is that any settings you don't override inside
the element will be inherited from the
<ApplicationDefaults> element that surrounds the
override .
– Limitations:
You have to supply all the settings needed in the <Sessions> element
because of the need to override the handlerURL.
You do NOT have to redefine all of the handler child elements.
• The handlerURL MUST be unique for each SP and MUST
map to the same applicationId
• Respect the XML sequence!
146
https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride
Clustering
• Configure multiple physical installations to share an
entityID, and possibly credentials
• Configuration files often can be identical across
servers that share an external hostname
• Session management:
– SP itself now clusterable via ODBC or memcached
– Host shibboleth service on one system
147
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
148
Service provider handlers
Goals:
1. Understand the idea of a handler
2. Get an overview about the different types of handlers
3. Know how to configure them if necessary
149
SP handlers
• "Virtual" applications inside the SP with API access:
– SessionInitiator (requests)
• E.g. /Shibboleth.sso/Login
– AssertionConsumerService (incoming SAML response)
• E.g. /Shibboleth.sso/SAML/POST
– LogoutInitiator (SP signout)
• E.g. /Shibboleth.sso/Logout
–
–
–
–
SingleLogoutService (incoming SLO)
ManageNameIDService (advanced SAML)
ArtifactResolutionService (advanced SAML)
Generic (diagnostics, other useful features)
E.g. /Shibboleth.sso/Session
/Shibboleth.sso/Status
/Shibboleth.sso/Metadata
150
https://spaces.internet2.edu/display/SHIB2/NativeSPHandler
SP handlers
•
The URL of a handler =
handlerURL + the Location of the handler.
– e.g. for a virtual host testsp.example.org with handlerURL of
"/Shibboleth.sso", a handler with a Location of "/Login" will be
https://testsp.example.org/Shibboleth.sso/Login
•
Handlers aren’t always SSL-only, but usually should be
(handlerSSL="true").
•
Metadata basically consists of entityID, keys and handlers
•
Handlers are never "protected" by the SP
–
But sometimes by IP address (e.g. with acl=“127.0.0.1”)
151
Configuration
•
•
•
•
•
•
•
Basic configuration
Attribute handling
Session Initiation
Access control
Adding a separate application
Service provider handlers
Session Initiators/Discovery
152
Session initiators/Discovery
Goals:
1. Understand the concepts of discovery/session initiation
2. Chains and protocol precedence
3. Overview about various discovery mechanisms
153
Session initiators / Discovery concepts
• Session initiator
Handler that created a SAML authN request for an IdP or uses a
discovery mechanism to identify the IdP
• Discovery (in Shibboleth)
Identifying the IdP of a particular user
• WAYF service
Old name in Shibboleth for a particular way to do discovery
• Handler chain
Sequence of handlers that share configuration and run
consecutively until “something useful happen” or an error occurs
154
https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
Intranet case
• Single IdP, multiple protocols, no discovery:
<SessionInitiator type="Chaining" Location="/Login"
id="Intranet" isDefault="true" relayState="cookie"
entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be">
<SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>
• Protocol precedence controlled by order of
SessionInitiators within a chain
• Common properties defined at the top are
inherited by SessionInitiators in chain
155
Change protocol precedence
• Example: switch order of chain
<SessionInitiator type="Chaining" Location="/Login"
id="Intranet" isDefault="true" relayState="cookie"
entityID="urn:mace:kuleuven.be:kulassoc:kuleuven.be">
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/>
</SessionInitiator>
• Still allows either protocol, but if the IdP supports
Shibboleth profile of SAML1, it will be preferred
156
Identity provider discovery
• Protocol SessionInitiators work when the IdP is known
• For consistency, discovery is implemented with
alternate SessionInitiators that operate only when the
IdP is NOT known
• A typical federated chain includes one or more
"protocol" handlers followed by a single "discovery"
handler at the end, like a safety net
157
Typical discovery methods
• External options:
– Older WAYF model, specific to Shibboleth/SAML1, SP loses
control if a problem occurs
– Newer SAMLDS model, recently standardized, supports
multiple SSO protocols and allows the SP to control the
process
• Internal options:
– Implemented by an application (e.g. Toledo)
– Followed by a redirect with the entityID:
/Shibboleth.sso/Login?entityID=urn:mace:kuleuven.be:kulassoc:kuleuven.be
– Advanced "Cookie", "Form", and "Transform" SessionInitiators
158
Discovery service case (default)
• Multiple protocols, discovery via DS:
<SessionInitiator type="Chaining" Location="/DS"
id=“DS" isDefault="true" relayState="cookie”>
<SessionInitiator type="SAML2" defaultACSIndex="1"
template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="SAMLDS"
URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/>
</SessionInitiator>
• Same as intranet case, but omits entityID and adds the
safety net at the bottom
• Last SessionInitiator in chain tells the DS to return the
user to this location with a lazy session redirect that will
invoke an earlier handler (SAML2 or Shib1) in the chain
159
External discovery/WAYF
+
– Easy to use
– Choice can be cached in cookie
– DS displays only applicable IdPs
-
– Loss of control, UI fidelity
– Impact of errors
– List of IdPs can become very long
160
Conclusions
•
•
•
•
•
•
•
•
Introduction: “What is Shibboleth?”
Shibboleth 2.x: “What has changed?”
Concept of Federation
Resource Registry
A word on ADFS
Installation
Bootstrapping SP
Configuration
161