Moonshot IdP - Moonshot workshop, 6.2.2014 - Sami Silén, CSC

Slide 2: About Moonshot IdP

Moonshot IdP is a RADIUS server able to authenticate users and deliver user attribute(s) in a SAML assertion.

To authenticate users on the service side, routing infrastructure is needed:
- Eduroam
- Trust router
- Haka?
- Eduroam and Trust router?

SAML assertion with attributes:
- Fetch it from the Attribute Authority
- Query it from the database and construct it in RADIUS

Slide 3: Eduroam in a nutshell

- The user performs anonymous outer authentication if allowed (e.g. unknown@csc.fi).
- The message is routed to the home organization and a TTLS-protected inner tunnel is established between the client and the home server.
- The inner tunnel is then used for user authentication with the real organizational credentials.
- After successful authentication the response is sent via the outer tunnel.

(Diagram: TLRS (Top Level Radius Server), .FI, CSC.FI, OTHER.FI, WLAN.OTHER.FI, user from CSC)

Slide 4: Haka federation in a nutshell

(Diagram: IdP with organizational user repository, SP with SP user repository, WAYF/DS)

- The user performs login to the SP.
- The SP redirects the user to the DS to discover where the user is from.
- After discovery the SP redirects the user to the user's organizational identity provider (IdP), where the user authenticates.
- The IdP fetches user information and encrypts it before submission to the SP (via the browser).

Slide 5: Moonshot in a nutshell

- Someone could say it's "Eduroam + Haka": Haka authentication outside the web.
- It works in a world where there is no browser to pass the assertion (the response from the IdP) and no DS for discovery.
- Discovery can be handled with RADIUS routing (or later via the Trust router?).
- The assertion can be delivered inside the RADIUS reply.

Slide 6: Moonshot

- In the pilot phase the topology is similar to eduroam.
- The RADIUS server has to reply with an assertion containing an EPPN attribute, either by creating it itself or by requesting it from the SAML IdP.

(Diagram: .FI, TUT.FI, CSC.FI, SERVICE.CSC.FI, user from TUT)

Slide 7: RADIUS reply with SAML-AAA-Assertion

Access-Accept as printed by radiusd in debug mode; the assertion is carried as a series of SAML-AAA-Assertion attribute values:

Sending Access-Accept of id 16 to 192.168.1.20 port 41746
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "jsmith"
    SAML-AAA-Assertion = " \n <ns0:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:na"
    SAML-AAA-Assertion = "meid-format:entity\">https://idp.example.com/idp/shibboleth <ns0:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:uid\" NameQualifier=\"https://idp.example.com/idp/shibboleth\" SPNameQualifier=\"https://idp.example.com"
    SAML-AAA-Assertion = "fi/metadata.xml\">jsmith@example.com https://idp.example.com/metadata.xml</ns0:Audie"
    SAML-AAA-Assertion = "nce> <ns0:AttributeValue ns1:"
    SAML-AAA-Assertion = "type=\"xs:string\" xmlns:ns1=\"http://www.w3.org/2001/XMLSchema-instance\">example.com <ns0:Attribute FriendlyName=\"eduPersonPrincipalName\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:"
    SAML-AAA-Assertion = "attrname-format:uri\"> jsmith@example.com <ns0:Attribute FriendlyName=\"cn\" Name=\"urn:oid:2.5.4.3\" NameFormat=\"urn:oasis:n"
    SAML-AAA-Assertion = "ames:tc:SAML:2.0:attrname-format:uri\"> jsmith <ns0:Attribute FriendlyName=\"schacHomeOrganizationType\" Name=\"urn:oid:1.3"
    SAML-AAA-Assertion = ".6.1.4.1.25178.1.2.10\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"> urn:mace:terena.org:schac:homeOrganizationType:fi:university</ns0:At"
    SAML-AAA-Assertion = "tributeValue> Smith<"
    SAML-AAA-Assertion = "/ns0:AttributeValue> htt"
    SAML-AAA-Assertion = "ps://idp.example.com/logout_dummy.jsp <ns0:AttributeValue ns1:type"
    SAML-AAA-Assertion = "=\"xs:string\" xmlns:ns1=\"http://www.w3.org/2001/XMLSchema-instance\">jsmith "
    MS-MPPE-Recv-Key = 0xf0371df7e2ecc33c199f0b2fcc8e7c89126128ea4f99d3fef24a7d871a332089
    MS-MPPE-Send-Key = 0x2a46f3e2a78c497726ceb159427223fb3730475b9dd9863162a9ac2618323c9b
    EAP-Message = 0x03080004
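The reply above shows the assertion arriving as many SAML-AAA-Assertion values whose boundaries fall mid-token, so a consumer has to concatenate them in order before parsing. The following is an added example, not code from the presentation or from the Moonshot/FreeRADIUS projects: it parses radiusd debug lines of that shape, reassembles the fragments, and checks that the required eppn attribute is present. The sample reply is constructed (with the element tags the transcript does not show), and the attribute names are the ones used on this slide.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

# Constructed sample of radiusd debug output, modelled on the Access-Accept above.
# FreeRADIUS prints each SAML-AAA-Assertion value on its own line and escapes '"' as '\"'.
SAMPLE_REPLY = r'''
Sending Access-Accept of id 16 to 192.168.1.20 port 41746
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "jsmith"
    SAML-AAA-Assertion = "<ns0:Assertion xmlns:ns0=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_c1\" Version=\"2.0\">"
    SAML-AAA-Assertion = "<ns0:Issuer>https://idp.example.com/idp/shibboleth</ns0:Issuer><ns0:AttributeStatement>"
    SAML-AAA-Assertion = "<ns0:Attribute FriendlyName=\"eduPersonPrincipalName\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\"><ns0:AttributeValue>jsmith@example.com</ns0:Attr"
    SAML-AAA-Assertion = "ibuteValue></ns0:Attribute><ns0:Attribute FriendlyName=\"cn\" Name=\"urn:oid:2.5.4.3\"><ns0:AttributeValue>jsmith</ns0:AttributeValue></ns0:Attribute>"
    SAML-AAA-Assertion = "</ns0:AttributeStatement></ns0:Assertion>"
    EAP-Message = 0x03080004
'''

ATTR_LINE = re.compile(r'^\s*(?P<name>[A-Za-z0-9._-]+)\s*=\s*(?P<value>.+?)\s*$')
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_reply(debug_text: str) -> Dict[str, List[str]]:
    """Collect 'Name = value' lines into a dict of lists, keeping repeated attributes in order."""
    attrs: Dict[str, List[str]] = {}
    for line in debug_text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # "Sending Access-Accept ..." header and blank lines
        value = m.group("value")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')  # strip quotes, undo FreeRADIUS escaping
        attrs.setdefault(m.group("name"), []).append(value)
    return attrs


def assemble_assertion(attrs: Dict[str, List[str]]) -> str:
    """Join the SAML-AAA-Assertion fragments in the order they appeared in the reply."""
    return "".join(attrs.get("SAML-AAA-Assertion", []))


def is_well_formed(xml_text: str) -> bool:
    """A single fragment is not parseable on its own; only the reassembled document is."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def attribute_values(assertion_xml: str, friendly_name: str) -> List[str]:
    """Values of the saml:Attribute whose FriendlyName matches."""
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("FriendlyName") == friendly_name:
            values.extend(v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue"))
    return values


def required_missing(assertion_xml: str,
                     required: Sequence[str] = ("eduPersonPrincipalName",)) -> List[str]:
    """Required friendly names (eppn for the pilot) that the assertion does not carry."""
    return [name for name in required if not attribute_values(assertion_xml, name)]


if __name__ == "__main__":
    reply = parse_reply(SAMPLE_REPLY)
    assertion = assemble_assertion(reply)
    print("fragments:", len(reply["SAML-AAA-Assertion"]))
    print("eppn:", attribute_values(assertion, "eduPersonPrincipalName"))
    print("missing:", required_missing(assertion))
```

The point of the check is that an Access-Accept can be well-formed at the RADIUS layer while the assertion inside it is incomplete; parsing the reassembled XML and asserting on the eppn attribute catches a truncated or mis-ordered set of fragments before the service trusts the reply.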

Slide 8: Haka Moonshot pilot requirements

Requirements (server side):
- A RADIUS server capable of authenticating users and delivering an assertion with the eppn attribute

Requirements (client side):
- Linux workstation with the Moonshot UI, libraries and OpenSSH
- Windows workstation with the Moonshot libraries (Windows SSP), credentials in Windows Credential Manager, and an SSH client supporting GSS API (pending)

(Diagram: taito-moonshot.csc.fi, Moonshot pilot root server testidp.funet.fi, SSH, @csc.fi, @helsinki.fi, @tut.fi, accounts.csc.fi)

Slide 9: Moonshot IdP configuration

Preconditions:
- RADIUS configured according to the eduroam instructions: https://info.funet.fi/wiki/display/avoin/FreeRADIUSen+konfigurointi (FR3), http://confluence.diamond.ac.uk/pages/viewpage.action?pageId=25140711
- RADIUS configured to add SAML-AAA-Assertion to the reply
- Shibboleth Identity Provider with the SOAP endpoint configured:
  - https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
  - https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJetty7Prepare
  OR RADIUS configured to build SAML-AAA-Assertion itself:
  - http://confluence.diamond.ac.uk/pages/viewpage.action?pageId=25140711 (gives an idea of how to build the assertion with FreeRADIUS)

Slide 10: Assertion with RADIUS

Example (not tested): http://confluence.diamond.ac.uk/plugins/viewsource/viewpagesrc.action?pageId=22252823

    #
    # Look up our Moonshot local user (the FedId) from our "fed_id_map" table (the glue between CUI and the FedID).
    # Any non-association will get the CUI as the user
    #
    # Only requests that contain a GSS attribute will get a SAML assertion
    #
    if ( ("%{request:GSS-Acceptor-Service-Name}") && ("%{request:GSS-Acceptor-Host-Name}") ) {
        update control {
            Tmp-String-1 := `/bin/date -u +%FT%TZ`
            Tmp-String-2 := `/usr/bin/uuidgen`
        }
        update reply {
            SAML-AAA-Assertion = " "
            SAML-AAA-Assertion += ' urn:mace:incommon:osu.edu '
            SAML-AAA-Assertion += ' '
            SAML-AAA-Assertion += ' '
            SAML-AAA-Assertion += " %{%{reply:Chargeable-User-Identity}:-unknown}@diamond.ac.uk "
            SAML-AAA-Assertion += ' '
            SAML-AAA-Assertion += ' '
            SAML-AAA-Assertion += " %{%{sql:SELECT fed_id_map.local_uid FROM `fed_id_map` WHERE fed_id_map.rad_cui = '%{reply:Chargeable-User-Identity}'}:-%{reply:Chargeable-User-Identity}} "
            SAML-AAA-Assertion += ' '
            SAML-AAA-Assertion += ' '
            SAML-AAA-Assertion += ' '
        }
    }

Slide 11: Assertion from Shibboleth IdP

Freeradius-pysaml2 is a Python module you can use to fetch information about a user from a SAML2 Attribute Authority (AA).

Platform requirements:
- RPMs: libxml2-devel libxslt-devel libtool-ltdl-devel make python-mako memcached python-memcached python-setuptools gcc
- Python modules: argparse (easy_install argparse, needed by make_metadata.py)
- Other (download and compile):
  - pysaml2: https://github.com/rohe/pysaml2
  - xmlsec: http://www.aleksey.com/xmlsec/download.html
  - repoze.who (should install automatically when needed)

Slide 12: Freeradius-pysaml2

- https://github.com/rohe/freeradius_pysaml2
- Before compilation, configure the module accordingly (see the README). The destination folder for freeradius-pysaml2 is /usr/local/etc/moonshot.
- Trust must also be established between RADIUS and the IdP (metadata exchange).
- Configuration files: aa_config.py (make a copy of this as config.py) and pysaml_config.py

Slide 13: Freeradius-pysaml2 config.py

    CONFIG = 'pysaml_config'  # PySAML2 configuration file name
    IDENTITY_CACHE = "/usr/local/etc/moonshot/identity_cache"
    STATE_CACHE = "/usr/local/etc/moonshot/state_cache"
    METADATA_FILE = "/usr/local/etc/moonshot/metadata.xml"
    SIGN = False
    SP_NAME_QUALIFIER = "https://idp.example.com/metadata.xml"
    NAME_QUALIFIER = "https://idp.example.com/idp/shibboleth"
    NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:eduPersonPrincipalName"

    # This is necessary to pick information about the right AA from the metadata file.
    # This must be the entity ID of the AA, not the endpoint
    ATTRIBUTE_AUTHORITY = "https://idp.example.com/idp/shibboleth"

    # Attribute filters per service@hostname: the key is GSS-Acceptor-Service-Name + ':' + GSS-Acceptor-Host-Name
    # and the attribute names are the so-called friendly names
    ATTRIBUTE_FILTER = {
        "ldap:example.com": ["eduPersonPrincipalName"],
    }

Slide 14: NameID

- The NameID identifies the person the IdP has issued an assertion about. Name identifiers can be anything; an email address or a Kerberos principal name are common, everyday examples.
- In the earlier config.py we configured NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:eduPersonPrincipalName"
- From the RADIUS server we receive the userid with its realm, so it may be convenient to use eduPersonPrincipalName as the NameID (in most cases I assume this is the eppn).
- Example of a SOAP message generated by freeradius-pysaml2 (values from the example: https://idp.example.com/metadata.xml, jsmith@example.com)
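Slides 13 and 14 together describe two decisions the RADIUS side makes before it talks to the AA: which NameID to put in the query (the realm-qualified User-Name as an eppn), and which of the returned attributes may be released to the requesting service, keyed by GSS-Acceptor-Service-Name and GSS-Acceptor-Host-Name. The following is an added illustration of those two rules in plain Python; it is not code from freeradius-pysaml2. The ATTRIBUTE_FILTER entry for "host:taito-moonshot.csc.fi" is constructed (it assumes "host" as the GSS service name of an SSH server), the key format follows the "ldap:example.com" example rather than the wording of the comment, and the request dicts stand in for RADIUS request attributes.

```python
from typing import Dict, List, Optional

# Constructed settings in the shape of the config.py on slide 13.
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:eduPersonPrincipalName"
NAME_QUALIFIER = "https://idp.example.com/idp/shibboleth"
SP_NAME_QUALIFIER = "https://idp.example.com/metadata.xml"
ATTRIBUTE_FILTER: Dict[str, List[str]] = {
    "ldap:example.com": ["eduPersonPrincipalName"],
    # Constructed entry: an SSH service (GSS service name "host") on the pilot host.
    "host:taito-moonshot.csc.fi": ["eduPersonPrincipalName", "cn"],
}


def build_name_id(user_name: str) -> Optional[Dict[str, str]]:
    """Subject NameID for the AA query.

    The RADIUS User-Name already carries the realm (user@realm), which is what makes
    eduPersonPrincipalName a convenient NameID format. A name without a realm is
    rejected rather than completed with a guessed one.
    """
    if "@" not in user_name or user_name.endswith("@") or user_name.startswith("@"):
        return None
    return {
        "Format": NAMEID_FORMAT,
        "NameQualifier": NAME_QUALIFIER,
        "SPNameQualifier": SP_NAME_QUALIFIER,
        "value": user_name,
    }


def filter_key(request: Dict[str, str]) -> Optional[str]:
    """service:host key as used by ATTRIBUTE_FILTER, or None when the request has
    no GSS acceptor attributes (then no assertion is produced at all, as on slide 10)."""
    service = request.get("GSS-Acceptor-Service-Name")
    host = request.get("GSS-Acceptor-Host-Name")
    if not service or not host:
        return None
    return f"{service}:{host}"


def release_attributes(request: Dict[str, str],
                       aa_response: Dict[str, List[str]],
                       attribute_filter: Dict[str, List[str]] = ATTRIBUTE_FILTER
                       ) -> Optional[Dict[str, List[str]]]:
    """None when no assertion should be built; otherwise only the attributes the
    filter permits for this service@host. Unknown services get nothing (deny by default)."""
    key = filter_key(request)
    if key is None:
        return None
    allowed = attribute_filter.get(key)
    if allowed is None:
        return {}
    return {name: values for name, values in aa_response.items() if name in allowed}


if __name__ == "__main__":
    # Constructed request and AA response, in the shape of the reply on slide 7.
    request = {"User-Name": "jsmith@example.com",
               "GSS-Acceptor-Service-Name": "ldap",
               "GSS-Acceptor-Host-Name": "example.com"}
    aa_response = {"eduPersonPrincipalName": ["jsmith@example.com"],
                   "cn": ["jsmith"],
                   "schacHomeOrganizationType": ["urn:mace:terena.org:schac:homeOrganizationType:fi:university"]}
    print(build_name_id(request["User-Name"]))
    print(release_attributes(request, aa_response))
```

Deny-by-default matters here because the AA may return more than the service needs (cn and schacHomeOrganizationType in the slide 7 reply); the filter, not the AA, decides what leaves the RADIUS server for a given service@host.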

Slide 15: Direct Principal Connector

- The IdP maps a name identifier back into an identifier for the user (e.g. their login id). This identifier is known as a principal name, and so the plugin that connects the name identifier to a principal name is known as the PrincipalConnector.
- "Direct" assumes that the value of the name identifier is the user's principal name and as such performs no mapping.
- If we're using the following Principal Connector, we have to filter out the domain part before we can match it to the login id.

Slide 16: Remove the realm from the principal

RegexSplit for removing everything after @:

    <resolver:AttributeDefinition xsi:type="RegexSplit" dependencyOnly="true"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        id="regex_principal_split" sourceAttributeID="principal"
        regex="^(.*?)(@.*)?$">

In the resolver:DataConnector add a dependency on regex_principal_split and use the split value. This works if you don't have any userid with @ in it:

    <![CDATA[ (sAMAccountName=${regex_principal_split.get(0)}) ]]>

Approach by Paul Caskey: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAttrResolvRemoveKerbRealm
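The caveat on this slide (the split misbehaves for a userid that itself contains @) is easy to see by running the same regex outside the IdP. The following is an added example, not part of the presentation or of Shibboleth: it applies the slide's pattern, shows what get(0) would yield for a principal with two @ signs, contrasts it with splitting on the last @, and builds the sAMAccountName filter with RFC 4515 escaping of the local part, which is the check the CDATA line above relies on the resolver to get right. The principals used are constructed.

```python
import re
from typing import Optional, Tuple

# The RegexSplit pattern from the resolver snippet above; group 1 is what ${...get(0)} yields.
REALM_SPLIT = re.compile(r"^(.*?)(@.*)?$")


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Slide's behaviour: lazy match, so the FIRST '@' ends the local part."""
    m = REALM_SPLIT.match(principal)
    assert m is not None  # the pattern matches every string, including the empty one
    local = m.group(1)
    realm = m.group(2)[1:] if m.group(2) else None  # drop the leading '@'
    return local, realm


def split_on_last_at(principal: str) -> Tuple[str, Optional[str]]:
    """Alternative for userids that may contain '@': only the LAST '@' separates the realm."""
    local, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, None
    return local, realm


# RFC 4515 escapes for characters that would otherwise change the meaning of the LDAP filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape per character, so a backslash is never escaped twice."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(principal: str) -> str:
    """The (sAMAccountName=...) filter from the CDATA line, with the local part escaped."""
    local, _realm = split_principal(principal)
    return f"(sAMAccountName={ldap_escape(local)})"


if __name__ == "__main__":
    for p in ("jsmith@example.com", "jsmith", "a@b@example.com"):  # constructed principals
        print(p, "->", split_principal(p), "| last @:", split_on_last_at(p))
    print(ldap_filter("jsmith@example.com"))
```

Which split is right depends on the directory: if local userids never contain @ (the slide's assumption) the two agree; if they can, the realm is the part after the last @ and the slide's regex would look up a truncated id.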

Slide 17: Freeradius-pysaml2 pysaml_config.py

Sections of pysaml_config.py to check:

    BASE = "https://idp.example.com/"
    CONFIG = {
        "service": {
            "sp": {
                "required_attributes": ["eduPersonPrincipalName"],
                "optional_attributes": ["schacHomeOrganization", "schacHomeOrganizationType"],
                "key_file": BASEDIR + "pki/ssl.key",
                "cert_file": BASEDIR + "pki/ssl.cert",
                "xmlsec_binary": "/usr/local/bin/xmlsec1",
                "organization": { },
                "contact_person": [{ }],

Slide 18: Freeradius-pysaml2 installation

- Generate the metadata file for RADIUS: make_metadata.py pysaml_config.py > moonshot-radius.xml
- Put the metadata of the IdP/AA you want to use in etc/metadata.xml
- Put the key/certificate in the pki directory (ssl.cert, ssl.key)
- Modify template/modules_python_aa: replace freeradius-pysaml2 with freeradius_aa
- Copy template/modules_python_aa to /etc/raddb/modules/modules_python and template/modules_python
- Uncomment the following in freeradius_aa.py:

      CONFIG_DIR = "/usr/local/etc/moonshot"
      sys.path.insert(0, CONFIG_DIR)

Slide 19: Freeradius-pysaml2 compilation

- Compile the freeradius-pysaml2 module.
- Check that RADIUS has access to the newly created directory structure /usr/local/etc/moonshot (RADIUS has to have write access).

Slide 20: Freeradius-pysaml2 deployment instructions

- Start the RADIUS server in the foreground (radiusd -fXxx)
- Before LDAP integration, testing with steve/testing may be feasible (enable it in the users file)
- Login can be tested with: radtest steve "testing" localhost 1 testing123
- It's easier to test in the default virtual server before moving to inner-tunnel

Slide 21: Open questions

- Is the security of the outer tunnel enough for the attributes?
- Audience in the response (who it is for)?
- Response/Assertion signing is not working, but maybe this only applies when the audience is used.

Slide 22: Thank you!

www.geant.net | www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv