Single-Sign-On with Lenya and Shibboleth
Jann Forrer, University of Zurich
Andreas Hartmann, BeCompany GmbH
Agenda
• Authentication and authorization infrastructure
• Single-Sign-On with Shibboleth
• Integration in Apache Lenya
• Attribute-based authorization
• Attribute rule evaluation options
Authentication and Authorization Infrastructure
Without AAI
(Diagram: University of Zurich and University of Berne, each with the services E-Learning, Course Reg., Web Mail, Research DB, Library and Student Admin.; legend: Authentication, Authorization.)
With standards-based AAI
(Diagram: the same two universities and services, with an AAI component added; legend: Authentication, Authorization.)
Benefits
• Virtualized ID: Service providers can save registration and administration efforts
• Standardized interfaces: Service providers can easily integrate users of other organizations
• Standardized authentication: Users can access various services at different organizations with a single password
Identity Provider (IdP)
• aka "home organizations"
• Universities, Libraries, Hospitals, ...
• Responsibilities:
  • Registering users
  • Maintaining user information ("attributes")
  • Providing an authentication service
  • Providing credentials for authorization decisions
Service Provider (SP)
• aka "resources"
• provide restricted information / applications
• Benefits:
  • No registration authority necessary
  • No user management necessary
  • User base grows with registered IdPs
  • Reliable security mechanism
  • Access to standardized attributes for authorization
SWITCH AAI Attributes
• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...
Single-Sign-On with Shibboleth
Accessing a Service
(Sequence diagram with participants Browser, SP, WAYF and IdP:)
• Browser → SP: Request protected page
• SP → Browser: Redirect to WAYF
• WAYF → Browser: Show IdP selection
• Browser → WAYF: Select IdP
• WAYF → Browser: Redirect to IdP
• IdP → Browser: Login screen
• Browser → IdP: Username, password
• IdP: Authentication
• IdP → Browser → SP: Handle
• SP → IdP: Attribute request
• IdP → SP: Provide attributes
• SP → Browser: Granted / Denied
The Shibboleth Project
• Internet2: US networking consortium, led by the research and education community
• Middleware Architecture Committee for Education
  • PKI
  • URN namespace
  • course data infrastructure
  • ...
• Open Source (Apache License 2.0)
• Standards based: SAML, SSL, LDAP, ...
Available Software
• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within the servlet 2.4 specification
• OLAT:
  • Custom SP impl. based on the old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code
Integration in Apache Lenya
Authentication: Phase 1
(Sequence diagram with participants Browser, Main Sitemap, WAYF and IdP:)
• Browser → Main Sitemap: Request protected page
• Main Sitemap → Browser: Login screen
• Browser: Click link to WAYF
• WAYF → Browser: Show IdP selection
• Browser → WAYF: Select IdP
• WAYF → Browser: Redirect to IdP
• IdP → Browser: Login screen
• Browser → IdP: Username, password
• IdP: Authentication
• IdP → Browser: Handle
Authentication: Phase 2
(Sequence diagram with participants Browser, Main Sitemap, IdP, ShibbolethAuthenticator, AttributeRequestService and AuthenticatorAction:)
• Browser → Main Sitemap: Authentication
• AuthenticatorAction → ShibbolethAuthenticator: Parse SAML response
• ShibbolethAuthenticator → AttributeRequestService → IdP: Send attr. request
• IdP → AttributeRequestService: Provide attributes
• AttributeRequestService: Parse SAML response
• ShibbolethAuthenticator: Create transient user object, attach it to the session
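The "Accessing a Service" exchange and the two Lenya phases above, simulated end to end in one process. This is an added example written for this page, not Shibboleth, OLAT or Lenya code: the IdP account store, the 60-second single-use handle policy, the attribute release set and the "student" access check are all constructed assumptions. It shows the two properties the diagrams rely on: the browser only ever carries an opaque handle, and the SP learns attributes solely through the attribute request (and only those the IdP chooses to release).

```python
"""Browser / SP / WAYF / IdP exchange from the slides, followed by the Lenya-style step
of building a transient user from the released attributes. Added example; all names,
accounts and the handle policy are constructed."""
import secrets
import time

HANDLE_TTL_SECONDS = 60   # assumption: a handle is short-lived and single-use


class IdentityProvider:
    """Home organisation: authenticates users, then releases attributes by handle."""
    def __init__(self, name, accounts, release):
        self.name = name
        self.accounts = accounts      # username -> (password, attribute map); constructed
        self.release = release        # attribute names this IdP is willing to release
        self._handles = {}            # handle -> (username, issued_at)

    def authenticate(self, username, password):
        # Phase 1: on success the IdP returns an opaque handle, never the attributes.
        record = self.accounts.get(username)
        if record is None or not secrets.compare_digest(record[0].encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (username, time.monotonic())
        return handle

    def attribute_request(self, handle):
        # Phase 2: the SP presents the handle; it is consumed so a replay yields nothing.
        entry = self._handles.pop(handle, None)
        if entry is None or time.monotonic() - entry[1] > HANDLE_TTL_SECONDS:
            return None
        attrs = self.accounts[entry[0]][1]
        return {k: v for k, v in attrs.items() if k in self.release}


class WAYF:
    """'Where Are You From': lets the browser choose its home IdP."""
    def __init__(self, idps):
        self.idps = {idp.name: idp for idp in idps}

    def select_idp(self, name):        # "Show IdP selection" / "Select IdP"
        return self.idps[name]


class ServiceProvider:
    """Protects a page; decides access from the released attributes."""
    def __init__(self, required_attribute, required_value):
        self.required = (required_attribute, required_value)
        self.sessions = {}             # session id -> transient user (attribute map)

    def request_protected_page(self, session_id):
        if session_id in self.sessions:
            return "granted"
        return "redirect_to_wayf"      # a fresh browser is sent to the WAYF first

    def consume_handle(self, session_id, idp, handle):
        # "Send attr. request" -> "Provide attributes" -> "Create transient user object"
        attrs = idp.attribute_request(handle)
        if attrs is None:
            return "denied"
        name, value = self.required
        if value not in attrs.get(name, []):
            return "denied"            # authenticated, but not authorised
        self.sessions[session_id] = attrs   # attach the transient user to the session
        return "granted"


def run_flow(username, password, idp_name="uzh"):
    """Drive one browser through the exchange. Returns (decision, replay, session attrs)."""
    uzh = IdentityProvider("uzh", {   # constructed sample accounts
        "jdoe": ("correct horse", {"givenName": ["John"], "surname": ["Doe"],
                                   "eduPersonScopedAffiliation": ["student"],
                                   "swissEduPersonDateOfBirth": ["19900101"]}),
        "astaff": ("pw", {"givenName": ["Ann"], "surname": ["Staff"],
                          "eduPersonScopedAffiliation": ["staff"]}),
    }, release={"givenName", "surname", "eduPersonScopedAffiliation"})
    wayf = WAYF([uzh])
    sp = ServiceProvider("eduPersonScopedAffiliation", "student")
    session = "browser-session-1"

    if sp.request_protected_page(session) != "redirect_to_wayf":   # Request protected page
        raise AssertionError("fresh session should be redirected")
    idp = wayf.select_idp(idp_name)                                # Select IdP, redirect to IdP
    handle = idp.authenticate(username, password)                  # Login screen, credentials
    if handle is None:
        return "denied", None, None
    decision = sp.consume_handle(session, idp, handle)             # attribute request, decision
    replay = sp.consume_handle("other-session", idp, handle)       # same handle again: useless
    return decision, replay, sp.sessions.get(session)
```

The date of birth never reaches the SP because it is outside the IdP's release set, and the staff account authenticates successfully yet is still denied, which is the distinction between the Authentication and Authorization legends on the AAI diagrams.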
Authentication: Classes
(Class diagram:)
• <<interface>> Authenticator: authenticate(Request)
• ShibbolethAuthenticator: authenticate(Request), passAttributes(TransientUser, Map)
• UserAuthenticator: authenticate(Request)
• DelegatingAuthenticatorAction: act(...) : Map
• <<interface>> AttributeRequestService: requestAttributes(BPR) : Map
• <<interface>> AttributeTranslator: translateSamlAttributes(Map) : Map
• UserFieldsMapper: getFirstName(), getLastName(), ...
Attribute-based Authorization
User Attributes in Lenya
• Expressions for evaluation, e.g.
  • givenName == "John" && surname == "Doe"
  • eduPersonScopedAffiliation == "student"
• Can be obtained from various identity providers, e.g.
  • Shibboleth IdP (TransientUser)
  • LDAP server (LDAPUser)
Attribute Evaluation in Lenya
• Interface User provides access to attributes:
  User.getAttributeNames() : String[]
  User.getAttributeValues(String name) : String[]
• Interface Group allows to set rules:
  Group.setRule(String)
  Group.getRule() : String
• Method AbstractGroup.contains(Groupable) evaluates the rule using a RuleEvaluator implementation
AbstractGroup.contains()
    public boolean contains(Groupable member) {
        // explicit membership first
        boolean contains = members.contains(member);
        // otherwise fall back to the attribute rule, if one is set
        if (!contains && member instanceof User && getRule() != null) {
            User user = (User) member;
            AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
            contains = evaluator.isComplied(user, getRule());
        }
        return contains;
    }
User Attributes: Classes
(Class diagram:)
• <<interface>> Groupable: getGroups() : Group[]
• <<interface>> User: getAttributeNames() : String[], getAttributeValues(String) : String[]
• AbstractUser: setAttributeValues(String, String[])
• <<interface>> Group: getMembers() : Groupable[], contains(Groupable)
• AbstractGroup: contains(Groupable)
• <<interface>> RuleEvaluator: validate(String) : ValidationResult, isComplied(User, String) : boolean
• JexlEvaluator, AntlrEvaluator: RuleEvaluator implementations
Attribute Rule Evaluation Options
JEXL
• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expr. language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No specific rule syntax check
  • It's difficult to identify dangerous code
ANTLR• AboutANTLR• AnotherToolforLanguageRecognition• Frameworkforrecognizers,interpreters,parsers,...• basedonLL(k)grammars• 3-clauseBSDlicense
• Advantages• Customgrammarforstrictsyntaxcheck• Nodangerouscodeaccepted
• Disadvantages• Maintenanceandenhancementsrequirespecific
knowledge• Defaulterrormessagesarehardtounderstand
25
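The evaluation path from the AbstractGroup.contains() slide and the trade-off on the JEXL and ANTLR slides, in one added Python example written for this page (it is not Lenya's JexlEvaluator or AntlrEvaluator). The grammar is an assumption: only attribute names compared with string literals, combined with &&, ||, ! and parentheses. Because the parser accepts nothing else, a rule that smuggles in a method call or arithmetic fails validate() instead of being executed, which is the "custom grammar for strict syntax check" property claimed for the ANTLR route. The multi-valued semantics (== is true when any value of the attribute matches) and the sample users are also assumptions.

```python
"""Attribute rules evaluated against a multi-valued attribute map, in the style of
Lenya's RuleEvaluator and AbstractGroup.contains(), using a small strict grammar
instead of a general expression language. Added example: grammar, names and data are assumptions."""
import re

# Assumed grammar: or := and ('||' and)*  and := unary ('&&' unary)*  unary := '!' unary | '(' or ')' | ident ('==' | '!=') "string"
TOKEN = re.compile(r'\s*(?:([A-Za-z_][\w-]*)|"((?:[^"\\]|\\.)*)"|(==|!=|&&|\|\||[!()]))')


class RuleSyntaxError(ValueError):
    pass


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:   # method calls, arithmetic, bare numbers: not in the grammar
            raise RuleSyntaxError(f"unexpected input at offset {pos}: {rule[pos:pos + 10]!r}")
        ident, string, op = m.groups()
        if ident is not None:
            tokens.append(("ident", ident))
        elif string is not None:
            tokens.append(("str", string.replace('\\"', '"')))
        else:
            tokens.append(("op", op))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a nested-tuple AST."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise RuleSyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v
    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise RuleSyntaxError(f"trailing input: {self.peek()[1]!r}")
        return node
    def binop(self, op, tag, sub):      # left-associative chain of one operator
        node = sub()
        while self.peek() == ("op", op):
            self.i += 1
            node = (tag, node, sub())
        return node
    def parse_or(self):
        return self.binop("||", "or", self.parse_and)
    def parse_and(self):
        return self.binop("&&", "and", self.parse_unary)
    def parse_unary(self):
        if self.peek() == ("op", "!"):
            self.i += 1
            return ("not", self.parse_unary())
        if self.peek() == ("op", "("):
            self.i += 1
            node = self.parse_or()
            self.take("op", ")")
            return node
        name, op = self.take("ident"), self.take("op")
        if op not in ("==", "!="):
            raise RuleSyntaxError(f"unexpected operator {op!r}")
        return (op, name, self.take("str"))


def validate(rule):
    """Like RuleEvaluator.validate(String): None when the rule parses, else the error text."""
    try:
        Parser(tokenize(rule)).parse()
        return None
    except RuleSyntaxError as e:
        return str(e)


def is_complied(attributes, rule):
    """Like RuleEvaluator.isComplied(User, String); `attributes` maps a name to the list
    User.getAttributeValues(name) would return. '==' holds if any value matches (assumption)."""
    def ev(node):
        if node[0] == "and":
            return ev(node[1]) and ev(node[2])
        if node[0] == "or":
            return ev(node[1]) or ev(node[2])
        if node[0] == "not":
            return not ev(node[1])
        op, name, literal = node
        hit = literal in attributes.get(name, [])
        return hit if op == "==" else not hit
    return ev(Parser(tokenize(rule)).parse())


class Group:
    """Explicit members first, then the rule, mirroring AbstractGroup.contains()."""
    def __init__(self, members=(), rule=None):
        self.members, self.rule = set(members), rule
    def contains(self, user_id, attributes):
        if user_id in self.members:
            return True
        return self.rule is not None and is_complied(attributes, self.rule)
```

validate() is the place to call when an administrator saves a rule via Group.setRule(), so a malformed rule is reported at edit time rather than failing silently as "not a member" at evaluation time; an unknown attribute name simply has no values, so == is false and != is true for it.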
More Options
• Different language recognizer generators
  • JavaCC
  • SableCC
  • CUP
• Pre-defined rules to select from
• GUI-based rule editing (graphical expression editor)
Questions and Discussion