Lenya and Shibboleth

Page 1: Lenya and Shibboleth

Single Sign-On with Lenya and Shibboleth

Jann Forrer, University of Zurich
Andreas Hartmann, BeCompany GmbH

Page 2: Lenya and Shibboleth

Agenda

• Authentication and authorization infrastructure
• Single Sign-On with Shibboleth
• Integration in Apache Lenya
• Attribute-based authorization
• Attribute rule evaluation options

Page 3: Lenya and Shibboleth

Authentication and Authorization Infrastructure

Page 4: Lenya and Shibboleth

Without AAI

[Diagram: University of Zurich and University of Berne, each with its own services (E-Learning, Course Reg., Web Mail, Research DB, Library, Student Admin.); authentication and authorization are handled by each service on its own.]

Page 5: Lenya and Shibboleth

With standards-based AAI

[Diagram: the same universities and services (E-Learning, Course Reg., Web Mail, Research DB, Library, Student Admin.), with a shared AAI component in between that takes over authentication and authorization.]

Page 6: Lenya and Shibboleth

Benefits

• Virtualized ID: service providers can save registration and administration efforts
• Standardized interfaces: service providers can easily integrate users of other organizations
• Standardized authentication: users can access various services at different organizations with a single password

Page 7: Lenya and Shibboleth

Identity Provider (IdP)

• aka "home organizations"
• Universities, libraries, hospitals, ...
• Responsibilities:
  • Registering users
  • Maintaining user information ("attributes")
  • Providing an authentication service
  • Providing credentials for authorization decisions

Page 8: Lenya and Shibboleth

Service Provider (SP)

• aka "resources"
• Provide restricted information / applications
• Benefits:
  • No registration authority necessary
  • No user management necessary
  • User base grows with registered IdPs
  • Reliable security mechanism
  • Access to standardized attributes for authorization

Page 9: Lenya and Shibboleth

SWITCH AAI Attributes

• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...

Page 10: Lenya and Shibboleth

Single Sign-On with Shibboleth

Page 11: Lenya and Shibboleth

Accessing a Service

[Sequence diagram with the participants Browser, SP, WAYF and IdP:]

1. Browser -> SP: Request protected page
2. SP -> Browser: Redirect to WAYF
3. WAYF -> Browser: Show IdP selection
4. Browser -> WAYF: Select IdP
5. WAYF -> Browser: Redirect to IdP
6. IdP -> Browser: Login screen
7. Browser -> IdP: Username, password
8. IdP: Authentication
9. IdP -> Browser -> SP: Handle
10. SP -> IdP: Attribute request
11. IdP -> SP: Provide attributes
12. SP -> Browser: Granted / Denied (based on the ... attributes)

Page 12: Lenya and Shibboleth

The Shibboleth Project

• Internet2: US networking consortium, led by the research and education community
• Middleware Architecture Committee for Education
  • PKI
  • URN namespace
  • Course data infrastructure
  • ...
• Open Source (Apache License 2.0)
• Standards based: SAML, SSL, LDAP, ...

Page 13: Lenya and Shibboleth

Available Software

• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within the servlet 2.4 specification
• OLAT:
  • Custom SP implementation based on the old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code

Page 14: Lenya and Shibboleth

Integration in Apache Lenya

Page 15: Lenya and Shibboleth

Authentication: Phase 1

[Sequence diagram with the participants Browser, Main Sitemap, WAYF and IdP:]

1. Browser -> Main Sitemap: Request protected page
2. Main Sitemap -> Browser: Login screen
3. Browser -> WAYF: Click link to WAYF
4. WAYF -> Browser: Show IdP selection
5. Browser -> WAYF: Select IdP
6. WAYF -> Browser: Redirect to IdP
7. IdP -> Browser: Login screen
8. Browser -> IdP: Username, password
9. IdP: Authentication
10. IdP -> Browser -> Main Sitemap: Handle

Page 16: Lenya and Shibboleth

Authentication: Phase 2

[Sequence diagram with the participants Browser, Main Sitemap, IdP, Shibboleth Authenticator, Attribute Request Service and Authenticator Action:]

1. Main Sitemap -> Authenticator Action -> Shibboleth Authenticator: Authentication
2. Shibboleth Authenticator: Parse SAML response (the handle)
3. Shibboleth Authenticator -> Attribute Request Service: Send attr. request
4. Attribute Request Service -> IdP: Attr. request
5. IdP -> Attribute Request Service: Provide attributes
6. Attribute Request Service: Parse SAML response
7. Shibboleth Authenticator: Create transient user object, attach it to the session

Page 17: Lenya and Shibboleth

Authentication: Classes

[Class diagram:]

<<interface>> Authenticator
  authenticate(Request)

ShibbolethAuthenticator
  authenticate(Request)
  passAttributes(TransientUser, Map)

UserAuthenticator
  authenticate(Request)

<<interface>> AttributeRequestService
  requestAttributes(BPR) : Map

<<interface>> AttributeTranslator
  translateSamlAttributes(Map) : Map

UserFieldsMapper
  getFirstName()
  getLastName()
  ...

DelegatingAuthenticatorAction
  act(...) : Map

Page 18: Lenya and Shibboleth

Attribute-based Authorization

Page 19: Lenya and Shibboleth

User Attributes in Lenya

• Expressions for evaluation, e.g.
  • givenName == "John" && surname == "Doe"
  • eduPersonScopedAffiliation == "student"
• Can be obtained from various identity providers, e.g.
  • Shibboleth IdP (TransientUser)
  • LDAP server (LDAPUser)

Page 20: Lenya and Shibboleth

Attribute Evaluation in Lenya

• Interface User provides access to attributes:
  User.getAttributeNames() : String[]
  User.getAttributeValues(String name) : String[]
• Interface Group allows to set rules:
  Group.setRule(String)
  Group.getRule() : String
• Method AbstractGroup.contains(Groupable) evaluates the rule using a RuleEvaluator implementation

Page 21: Lenya and Shibboleth

AbstractGroup.contains()

public boolean contains(Groupable member) {
    // explicit membership first
    boolean contains = members.contains(member);
    // otherwise evaluate the group's attribute rule, if one is set
    if (!contains && member instanceof User && getRule() != null) {
        User user = (User) member;
        AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
        contains = evaluator.isComplied(user, getRule());
    }
    return contains;
}

Page 22: Lenya and Shibboleth

User Attributes: Classes

[Class diagram:]

<<interface>> Groupable
  getGroups() : Group[]

<<interface>> Group
  getMembers() : Groupable[]   (*)
  contains(Groupable)

AbstractGroup
  contains(Groupable)

<<interface>> User
  getAttributeNames() : String
  getAttributeValues(String) : String

AbstractUser
  setAttributeValues(String, String[])

<<interface>> RuleEvaluator
  validate(String) : ValidationResult
  isComplied(User, String) : boolean

JexlEvaluator

AntlrEvaluator

Page 23: Lenya and Shibboleth

Attribute Rule Evaluation Options

Page 24: Lenya and Shibboleth

JEXL

• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expression language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No specific rule syntax check
  • It's difficult to identify dangerous code

Page 25: Lenya and Shibboleth

ANTLR

• About ANTLR
  • ANother Tool for Language Recognition
  • Framework for recognizers, interpreters, parsers, ...
  • Based on LL(k) grammars
  • 3-clause BSD license
• Advantages
  • Custom grammar for strict syntax check
  • No dangerous code accepted
• Disadvantages
  • Maintenance and enhancements require specific knowledge
  • Default error messages are hard to understand
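The following rule evaluator is an added example written for this page in Java; it is not code from Lenya, OLAT or the slides. It shows the ANTLR-style option (a strict custom grammar that accepts no dangerous code) as a hand-written recursive-descent parser, and it offers the two operations the RuleEvaluator interface on page 22 lists, validate(String) and isComplied(..., String), so it could serve where AbstractGroup.contains() on page 21 calls its evaluator. Assumptions: the class name StrictRuleEvaluator; the grammar expr := term ("||" term)*, term := factor ("&&" factor)*, factor := "!" factor | "(" expr ")" | NAME "==" STRING, modelled on the rule examples on page 19; and attributes passed in as a Map<String, String[]> in place of Lenya's User.getAttributeValues(). A multi-valued attribute matches when any one of its values equals the literal.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added example, not Lenya's code: a rule evaluator with a fixed, hand-written
// grammar, so rule text never reaches a general-purpose expression interpreter.
public class StrictRuleEvaluator {
    // Syntax check only: returns null when the rule is well-formed, else the error.
    public static String validate(String rule) {
        try { new Parser(rule, null).parseAll(); return null; }
        catch (IllegalArgumentException e) { return e.getMessage(); }
    }

    // Evaluates the rule against attribute values as User.getAttributeValues()
    // would return them (name -> String[]); throws on bad syntax.
    public static boolean isComplied(Map<String, String[]> attrs, String rule) {
        return new Parser(rule, attrs).parseAll();
    }

    private static final class Parser {
        private final String src;
        private final Map<String, String[]> attrs;   // null while only validating
        private int pos;
        Parser(String src, Map<String, String[]> attrs) { this.src = src; this.attrs = attrs; }

        boolean parseAll() {
            boolean value = expr();
            skipWs();
            if (pos != src.length()) throw error("unexpected input");
            return value;
        }
        // Non-short-circuit '|' and '&': the whole rule is parsed even when the
        // left operand already decides the result.
        boolean expr() {
            boolean value = term();
            while (accept("||")) value = term() | value;
            return value;
        }
        boolean term() {
            boolean value = factor();
            while (accept("&&")) value = factor() & value;
            return value;
        }
        boolean factor() {
            if (accept("!")) return !factor();
            if (accept("(")) {
                boolean value = expr();
                if (!accept(")")) throw error("expected ')'");
                return value;
            }
            String name = identifier();
            if (!accept("==")) throw error("expected '=='");
            String literal = stringLiteral();
            if (attrs == null) return false;        // validating only, no lookup
            String[] values = attrs.get(name);      // multi-valued: any value may match
            return values != null && Arrays.asList(values).contains(literal);
        }
        String identifier() {
            skipWs();
            int start = pos;
            while (pos < src.length() && (Character.isLetterOrDigit(src.charAt(pos))
                    || src.charAt(pos) == '_' || src.charAt(pos) == '-')) pos++;
            if (start == pos) throw error("expected attribute name");
            return src.substring(start, pos);
        }
        String stringLiteral() {
            if (!accept("\"")) throw error("expected string literal");
            int start = pos;
            while (pos < src.length() && src.charAt(pos) != '"') pos++;
            if (pos == src.length()) throw error("unterminated string literal");
            return src.substring(start, pos++);
        }
        boolean accept(String token) {
            skipWs();
            if (!src.startsWith(token, pos)) return false;
            pos += token.length();
            return true;
        }
        void skipWs() { while (pos < src.length() && Character.isWhitespace(src.charAt(pos))) pos++; }
        IllegalArgumentException error(String what) {
            return new IllegalArgumentException(what + " at position " + pos + " in rule: " + src);
        }
    }

    // Demo with constructed attributes (not real user data).
    public static void main(String[] args) {
        Map<String, String[]> attrs = new HashMap<>();
        attrs.put("givenName", new String[] {"John"});
        attrs.put("surname", new String[] {"Doe"});
        attrs.put("eduPersonScopedAffiliation", new String[] {"staff", "student"});
        System.out.println(isComplied(attrs, "givenName == \"John\" && surname == \"Doe\""));
        System.out.println(isComplied(attrs, "eduPersonScopedAffiliation == \"student\" && !(surname == \"Roe\")"));
        System.out.println(validate("givenName.getClass()"));
    }
}
```

Compared with the JEXL option on page 24, validate() rejects anything that is not a rule in this grammar, a method call for instance, so the "difficult to identify dangerous code" problem does not arise and a rule can be checked before it is stored with Group.setRule(). The price is the one page 25 names: every new operator has to be added to the parser by hand, and the error messages are only as good as the ones written into it.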

Page 26: Lenya and Shibboleth

More Options

• Different language recognizer generators
  • JavaCC
  • SableCC
  • CUP
• Pre-defined rules to select from
• GUI-based rule editing (graphical expression editor)

Page 27: Lenya and Shibboleth

Questions and Discussion