TEIN Shibboleth Training Course Introduction to SAML/Shibboleth at ComLabs USDI ITB, 2014-01-18 (updated version)


Slide 2: Separation of authentication and authorization

- Separation of Authentication (authN) and Authorization (authZ)
  - An IdP manages identity information and authenticates users
  - SPs rely on the result of authN (e.g. the password matched) and on the identity information carried with it (the assertion)
  - The federation provides trust among IdPs and SPs by defining policy
- SSO technology preserves privacy
  - The IdP sends the least set of attributes (personal information) the SP needs
  - An SP should publish the list of attributes it requires (mandatory/optional)
  - The IdP admin can obtain the user's agreement before attributes are sent out
- Diagram: without separation (past), each SP keeps its own ID and attributes and the user types ID/PW at the 1st and again at the 2nd SP. With separation, ID/PW is entered once at the IdP: the 1st access is redirected to the IdP and an assertion is returned to the SP; the 2nd access to another SP needs no password.

Slide 3: Components

- IdP (Identity Provider)
- DS (Discovery Service)
- SP (Service Provider), several per federation
- SAML messages carry the attributes from the IdP to the SP

Slide 4: Single sign-on scenario

1. The user wants to download a pay-per-view (PPV) paper from CiNii. The SP redirects the browser to the university IdP, which checks the ID and password against its personal information DB and answers "he/she is a member of our university"; the download is allowed.
2. The user also wants to download from ScienceDirect. The SP redirects to the IdP and back immediately ("you have authenticated, please go on"), without the password being entered again.
3. The user wants to update a RefWorks record: again a redirect to the IdP and straight back, no password.

Once the user has logged in, every further SP is single sign-on.

Slide 5: Benefits

- Facilitate remote access
- Improve usability by SSO etc.: search a paper, read the paper, manage the paper, all under one login

Slide 6: What the federation is

- A secure, scalable and easy login architecture that uses the international standard protocol SAML
- The IdP does authentication, the SP does authorization
- Attributes passed from IdP to SP: organization name, affiliation, opaque ID, mail address, etc.

Slide 7: Shibboleth IdP and SP

- The IdP reads user information from LDAP
- Shibboleth (IdP and SP) is something like a filter that mediates the SAML messages between them, following the SAML standard

Slides 8 and 9: Sample SAML assertion (continued over two slides)

Only fragments of the sample survive: the authentication context class value PasswordProtectedTransport and the affiliation value "faculty".

Slide 10: Browser mechanisms used by SAML/Shibboleth

- Redirection to make SP, DS and IdP collaborate
  - HTTP redirect
  - JavaScript (automatic POST of the assertion back to the SP)
- Cookie management, to remember session state:
  - the IdP selected at the DS (Discovery Service)
  - the state "authenticated" at an IdP
  - the state "authorized" at an SP
- HTTPS (TLS with the server certificate) on every hop
  - protects the password and the cookies from eavesdropping

Slide 11: Overall flow (diagram)

User, DS (Discovery Service), SP (Resource Provider) and IdP (Home Organization), all connected over HTTPS: the IdP returns the attributes and the SP approves access.


Slide 13: Front-channel vs. back-channel assertion delivery (DS steps omitted)

Assertion via front channel (SAML 2.0):
(1) user accesses the SP
(2) SP redirects the browser to the IdP
(3) IdP requests authentication
(4) user enters ID and password
(5) IdP returns the assertion with attributes through the browser (requires JavaScript for the automatic POST)

Assertion via back channel (SAML 1.1, as used by Shibboleth 1.3):
(1) user accesses the SP
(2) SP redirects the browser to the IdP
(3) IdP requests authentication
(4) user enters ID and password
(5) IdP returns a handle for the attribute request through the browser
(6) SP requests the attributes from the IdP directly, presenting the handle
(7) IdP returns the assertion with attributes to the SP
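What step (5) of the front-channel flow actually carries, and which fields the SP must check before it trusts it, is easier to see on a concrete message. The SAML 2.0 Response below is an added, constructed example for this page, not a message from the course or from a real deployment: the entityIDs follow the training VMs (idp.example.asia, sp.example.asia), and the IDs, timestamps, attribute values and the signature placeholder are assumptions. The browser posts it base64-encoded in the SAMLResponse form field; the sample values of slides 8 and 9 (PasswordProtectedTransport, faculty) appear in the same places they would in the course's assertion.

```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r8f3c2a1e6d94b7f0a5c3e1d2b8a9f4c7"
                Version="2.0"
                IssueInstant="2014-01-18T03:00:10Z"
                Destination="https://sp.example.asia/Shibboleth.sso/SAML2/POST"
                InResponseTo="_q5d1e9b7c3a24f6e8d0b2a1c9e7f5d3b1">
  <saml:Issuer>https://idp.example.asia/idp/shibboleth</saml:Issuer>
  <!-- A ds:Signature element sits here (IdP 2.x signs the Response for the POST
       binding; a signature over the Assertion alone is also accepted). The SP
       verifies it with the IdP signing certificate taken from federation metadata,
       never with a key carried inside the message itself. -->
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a2b7e4c9d1f36a8e5b0c7d2f9e1a4b6c3"
                  Version="2.0" IssueInstant="2014-01-18T03:00:10Z">
    <saml:Issuer>https://idp.example.asia/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <!-- transient NameID: a one-time handle, useless for correlation across SPs -->
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                   NameQualifier="https://idp.example.asia/idp/shibboleth"
                   SPNameQualifier="https://sp.example.asia/shibboleth">_7e5c1d9a3b2f4e6c8a0d1b3f5e7c9a2d4</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- bearer: whoever posts this is treated as the subject, so the SP must check
             Recipient == its own ACS URL, InResponseTo == a request it really sent,
             the short NotOnOrAfter window, and must refuse a replayed assertion ID -->
        <saml:SubjectConfirmationData NotOnOrAfter="2014-01-18T03:05:10Z"
            Recipient="https://sp.example.asia/Shibboleth.sso/SAML2/POST"
            InResponseTo="_q5d1e9b7c3a24f6e8d0b2a1c9e7f5d3b1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-18T03:00:10Z" NotOnOrAfter="2014-01-18T03:05:10Z">
      <!-- valid for this SP only; another SP that receives it must reject it -->
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.asia/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-01-18T03:00:09Z"
                         SessionIndex="_s4c8e2a6b0d13f7e9c5a1b3d7f9e2c4a6">
      <saml:AuthnContext>
        <!-- how the IdP authenticated: a password sent over a protected (TLS) transport -->
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      FriendlyName="eduPersonScopedAffiliation">
        <saml:AttributeValue>faculty@example.asia</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      FriendlyName="eduPersonTargetedID">
        <saml:AttributeValue>
          <!-- persistent, SP-specific pseudonym (value constructed) -->
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                       NameQualifier="https://idp.example.asia/idp/shibboleth"
                       SPNameQualifier="https://sp.example.asia/shibboleth">Kx2pVQ7rL9sFz3mT0yNcB8dW4hQ=</saml:NameID>
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```

Every check named in the comments is done by the Shibboleth SP before a session is created; what it cannot check is whether the scope "example.asia" in faculty@example.asia is one this IdP may assert, which is why scope validation against metadata (attribute-policy.xml) is a separate step on the SP side.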

Slide 14: Where cookies are set (diagram)

The same flow as slide 11 (User, DS, SP as Resource Provider, IdP as Home Organization); a "Set-Cookie" is marked at step 8, after which the attributes are delivered and access is approved.

Slide 15: Lifetime of each piece of state

- IdP selection at the DS
  - kept for a month or longer, or cleared when the browser is closed
  - the user chooses which at IdP selection time (check box)
- IdP session ("you have been authenticated")
  - cleared when the browser is closed (logout by closing)
  - even if the browser stays open, the session timeout is managed by the IdP
  - re-authentication may be required if the client's IP address changes
- SP session
  - cleared when the browser is closed (logout by closing)
  - or by clicking the logout button on the SP

Slide 16: Metadata flow (diagram)

IdP (Home Organization) and SP (Resource Provider) register their metadata with the federation; the federation distributes (and DS, IdP and SP download) the aggregated metadata.

Slide 17: Trust Framework

- Without a federation every IdP needs a contract with every SP: N×M contracts
- With a Trust Framework Provider (TFP) and a uniform policy, each IdP and each SP signs one contract with the TFP: N + M contracts

Slide 18: Structure of federation metadata

- Federation metadata (signed)
  - IdP info: IdP-A info, IdP-B info, ...
  - SP info: SP-A info, SP-B info, ...
- Entity metadata for an IdP (e.g. IdP-A): ID of IdP-A = entityID, certificate, protocol, organization info, ...
- Entity metadata for an SP (e.g. SP-A): ID of SP-A = entityID, certificate, protocol, organization info, ...

Slide 19: Metadata repository (diagram)

The federation's DS (Discovery Service) and metadata repository hold the federation metadata, which contains the entity metadata of IdP A, IdP B, IdP C, SP A, SP B and SP C. The reliability of the relying party is confirmed through the signed metadata.
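The "certificate, protocol, organization info" items of slide 18 map onto fixed SAML metadata elements, and it is this file, not anything inside a SAML message, that tells an SP which key may sign assertions for a given entityID. The aggregate below is an added, constructed example and not the course's or any federation's metadata: the federation name, endpoints, organization and certificate contents are assumptions (the X509Certificate bodies are placeholders for the base64 DER certificates).

```xml
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                       Name="urn:mace:example.asia:training-federation"
                       validUntil="2014-02-18T00:00:00Z">
  <!-- In a real federation a ds:Signature over this whole element sits here. The SP
       checks it with a MetadataFilter type="Signature" and the IdP with its
       SignatureValidation metadata filter, using the federation's signing certificate
       distributed out of band. validUntil lets both sides reject a stale copy. -->

  <md:EntityDescriptor entityID="https://idp.example.asia/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
      <!-- the only key an SP will accept on assertions from this entityID -->
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>MIIC...placeholder for the IdP signing certificate...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <!-- front-channel endpoints the SP may redirect the browser to -->
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.asia/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp.example.asia/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>MIIC...same certificate as above...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <!-- back-channel endpoint (slide 13, step 6); port 4443 is one of the values
           the course mentions and is an assumption here -->
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                           Location="https://idp.example.asia:4443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Example University</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example University</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.example.asia/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>

  <md:EntityDescriptor entityID="https://sp.example.asia/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <!-- used by the IdP to encrypt assertions to this SP and to verify its requests -->
      <md:KeyDescriptor>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>MIIC...placeholder for the SP certificate...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <!-- the IdP will only send assertions to a Location listed here -->
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sp.example.asia/Shibboleth.sso/SAML2/POST"
                                   index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
```

Because the IdP refuses to send an assertion to an AssertionConsumerService URL that is not in the SP's metadata, an attacker who can lure a user to a look-alike SP gains nothing unless that SP is itself registered in the federation; registration is therefore the security control, and who is allowed to register is the federation's policy question of slide 17.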

Slide 20: Shibboleth architecture (diagram)

IdP (runs in Tomcat):
- SSO Profile handler and AuthN Engine; username/password form and authN handler, with the AuthN DB in LDAP/AD
- Attribute Authority, backed by the Attribute DB
- Delivers the assertion to the SP's Assertion Consumer by SAML POST through the browser (front channel), or answers the SP's attribute request directly (back channel; port numbers 443 or 4443, it depends on each SP)

SP (Apache / IIS):
- Shibboleth module (mod_shib) inside the web server, talking to the Shibboleth daemon (shibd)
- Session Initiator (sends the browser to the DS or IdP) and Assertion Consumer (SAML POST endpoint)
- Protects the web resource; the browser reaches everything over https

Access control in Apache (Shibboleth SP 1.3 style .htaccess):

    AuthType shibboleth
    ShibRequireSession On
    require valid-user

Slide 21: Configuration files (diagram)

Shibboleth IdP (SAML web app):
- relying-party.xml: trust, with the federation metadata in a BackingFile repository
- attribute-resolver.xml: how attributes are built from LDAP
- attribute-filter.xml: which attributes are released to which SP
- handler.xml, login.config: authentication handlers

Shibboleth SP (in httpd):
- shibboleth2.xml: trust, with the metadata BackingFile
- attribute-map.xml: SAML attribute names to local names
- attribute-policy.xml: which received attributes and values are accepted
- attributes reach the application as environment variables; access control in httpd.conf / .htaccess

Slide 22: Attributes managed by an IdP (GakuNin schema)

Name (abbreviation): Description
- OrganizationName (o): English name of the organization
- jaOrganizationName (jao): Japanese name of the organization
- OrganizationalUnit (ou): English name of a unit in the organization
- jaOrganizationalUnit (jaou): Japanese name of a unit in the organization
- eduPersonPrincipalName (eppn): Uniquely identifies an entity in GakuNin
- eduPersonTargetedID: A pseudonym of an entity in GakuNin
- eduPersonAffiliation: staff, faculty, student, member
- eduPersonScopedAffiliation: staff, faculty, student, member, with scope
- eduPersonEntitlement: Qualification to use a specific application
- surname (sn): Surname in English
- jaSurname (jasn): Surname in Japanese
- givenName: Given name in English
- jaGivenName: Given name in Japanese
- displayName: Displayed name in English
- jaDisplayName: Displayed name in Japanese
- mail: Mail address
- gakuninScopedPersonalUniqueCode: Student, faculty or staff number, with scope

Released attributes differ among SPs:
- SP-A (2 attributes required): eppn (mandatory), eduPersonAffiliation (optional)
- SP-B (1 attribute required): eduPersonAffiliation (mandatory)
- SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)

Slide 23: Three levels of identification

- Anonymous
  - No identifier is sent
  - Fits e-journals: any member (of a department) of the organization can access
- Autonymous
  - eduPersonPrincipalName is sent
  - A unique identifier shared by all SPs (globally unique), similar to a mail address
- Pseudonymous
  - eduPersonTargetedID is sent: hash(ePPN, entityID of the SP)
  - A persistent identifier that is unique to each SP
  - Avoids correlation of user activities among SPs
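The three levels correspond to three attribute definitions in the IdP's attribute-resolver.xml. The fragment below is an added example written for this page in Shibboleth IdP 2.x syntax, not the course's configuration: the LDAP host, bind DN, password, scope "example.asia" and the salt value are assumptions. It shows how the eduPersonTargetedID of the slide is actually computed in IdP 2.x: base64(SHA-1(SP entityID "!" source value "!" salt)), so the same user gets a different value at every SP, and the value cannot be reversed or recomputed by anyone who does not hold the salt.

```xml
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Identity data source (host, base DN and bind credentials are assumed).
       StartTLS keeps the bind password and the returned attributes off the wire. -->
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap.example.asia" baseDN="ou=People,dc=example,dc=asia"
      principal="cn=idpuser,dc=example,dc=asia" principalCredential="CHANGE-ME"
      useStartTLS="true">
    <dc:FilterTemplate>
      <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
  </resolver:DataConnector>

  <!-- Autonymous: eduPersonPrincipalName = uid@scope, identical at every SP -->
  <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped"
      scope="example.asia" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName"/>
  </resolver:AttributeDefinition>

  <!-- Pseudonymous: computedID = base64(SHA-1(spEntityID "!" uid "!" salt)).
       The salt is a secret of at least 16 bytes that must never leave the IdP;
       changing it changes every user's pseudonym at every SP. -->
  <resolver:DataConnector id="computedID" xsi:type="dc:ComputedId"
      generatedAttributeID="computedID" sourceAttributeID="uid"
      salt="CHANGE-ME-to-a-long-random-secret-string">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:DataConnector>

  <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="ad:SAML2NameID"
      nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID"/>
  </resolver:AttributeDefinition>

  <!-- Anonymous access needs only an affiliation, which carries no identifier;
       the scope says which organization is vouching for the value -->
  <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped"
      scope="example.asia" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
```

Note that the source of the computed ID is uid, not eduPersonPrincipalName: if the value can change (a renamed account) the pseudonym changes with it, so a stable, never-reassigned source attribute is the real requirement behind the "hash(ePPN, entityID)" shorthand of the slide. Defining the attributes here does not release them; that is the job of attribute-filter.xml.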

Slide 24: Training environment

- Host OS: Windows / Mac, running the browser
- VirtualBox VMs (CentOS): idp.example.asia with LDAP, sp.example.asia, and sp2.example.asia (a copy of the first SP)
- A "host-only" network lets the VMs talk to each other; a "NAT" network gives them Internet access
- No DS (Discovery Service) is provided
- Use /etc/hosts instead of DNS

Slide 25: Exercises on the IdP (attribute release)

1. Configure the IdP to send no attributes at all to any SP.
2. Configure it to send only eduPersonTargetedID and eduPersonPrincipalName to all SPs.
3. Configure it to send only eduPersonTargetedID to one particular SP.
4. Configure it to send "admin" as a value of eduPersonEntitlement for one user.
   - Ref.:
5. Configure it to filter the values of eduPersonEntitlement so that only one specific value is sent to a particular SP.
   - Ref.:
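The per-SP requirements of slide 22 and exercises 1, 2, 3 and 5 above are all expressed in the IdP's attribute-filter.xml. The file below is an added example in Shibboleth IdP 2.x syntax, written for this page and not taken from the course; the entityIDs for SP-A, SP-B and SP-C (sp.example.asia, sp2.example.asia and an assumed sp3.example.asia) and the entitlement values "admin" and "test" are assumptions. Exercise 4 is not a filtering question: the extra "admin" value is produced in attribute-resolver.xml (for example with an ad:Mapped definition) and then passes through the rule for eduPersonEntitlement here.

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Exercise 1: a group with no AttributeFilterPolicy releases nothing. The IdP
       default is deny, so every policy below is an explicit exception to that. -->

  <!-- Exercise 2 as written: the two identifiers to every SP. In production keep only
       the pseudonym here and release eppn per SP, as the SP-A policy below does. -->
  <afp:AttributeFilterPolicy id="releaseToAll">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- SP-A (slide 22): eppn mandatory, eduPersonAffiliation optional -->
  <afp:AttributeFilterPolicy id="releaseToSpA">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.asia/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- SP-B (slide 22): eduPersonAffiliation only, i.e. anonymous access. With the
       "releaseToAll" policy removed this SP never learns who the user is. -->
  <afp:AttributeFilterPolicy id="releaseToSpB">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp2.example.asia/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- SP-C (slide 22) and exercise 5: the pseudonym plus scoped affiliation, and of
       all the user's eduPersonEntitlement values only "test" (the "admin" value a
       user may also hold is never released to this SP). Exercise 3 is this policy
       with only the eduPersonTargetedID rule left in. -->
  <afp:AttributeFilterPolicy id="releaseToSpC">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp3.example.asia/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="test"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>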

Slide 26: Exercises on the SP (attribute acceptance)

1. Configure the SP to filter out all attributes it receives.
2. Configure the IdP to send multiple values of eduPersonEntitlement, then configure the SP to filter out all of them except one value.
3. Configure the IdP to send a new attribute named trainingTestAttribute, then configure the SP to receive it.
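Exercises 1 and 2 live in the SP's attribute-policy.xml, which decides which received values are trusted at all; exercise 3 additionally needs a line in attribute-map.xml mapping the SAML name the IdP's encoder uses to the local id trainingTestAttribute. The policy below is an added example in Shibboleth SP 2.x syntax, written for this page, not the course's file; the attribute ids are the ones the SP's default attribute-map.xml defines (eppn, affiliation, unscoped-affiliation, entitlement, targeted-id) plus the assumed trainingTestAttribute, and the entitlement value "test" is the one the exercises use.

```xml
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Exercise 1: with no AttributeFilterPolicy in this group the SP drops every
       attribute it receives, and every access rule based on attributes fails closed. -->

  <!-- Scoped values (eppn, affiliation) are accepted only when the part after "@"
       is a scope the issuing IdP is allowed to assert in federation metadata
       (shibmd:Scope). Without this, any IdP in the federation could send
       staff@example.asia and be believed. -->
  <afp:PermitValueRule id="scopeMatchesMetadata"
      xsi:type="saml:AttributeScopeMatchesShibMDScope"/>

  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>

    <afp:AttributeRule attributeID="eppn">
      <afp:PermitValueRuleReference ref="scopeMatchesMetadata"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="affiliation">
      <afp:PermitValueRuleReference ref="scopeMatchesMetadata"/>
    </afp:AttributeRule>

    <!-- Exercise 2: the IdP sends several eduPersonEntitlement values; keep only "test".
         Anything else, including "admin", is discarded before the application sees it. -->
    <afp:AttributeRule attributeID="entitlement">
      <afp:PermitValueRule xsi:type="AttributeValueString" value="test"/>
    </afp:AttributeRule>

    <!-- unscoped affiliation carries no scope to check; the pseudonym is opaque -->
    <afp:AttributeRule attributeID="unscoped-affiliation">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="targeted-id">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

    <!-- Exercise 3: the new attribute must be declared in attribute-map.xml first;
         an attribute with no map entry never reaches this policy -->
    <afp:AttributeRule attributeID="trainingTestAttribute">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The practical check for exercise 3 is the SP's session handler, https://sp.example.asia/Shibboleth.sso/Session, which lists the attributes that survived both attribute-map.xml and this policy; an attribute missing there was either not released by the IdP, not mapped, or filtered here.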

Slide 27: Exercises on SSO and access control

1. Confirm that no password is required when you access a second SP (SSO).
2. Authorize only users whose eduPersonAffiliation is "staff".
3. Authorize users whose eduPersonEntitlement includes the value "test".
4. The LazySession feature
   - Ref.:
5. The ForceAuthentication (forceAuthn) feature
   - Ref.:
6. The PassiveAuthentication (isPassive) feature
   - Ref.:
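Exercises 2 to 5 can all be expressed in the RequestMap of the SP's shibboleth2.xml, one protected path per exercise. The fragment below is an added example for this page in Shibboleth SP 2.x syntax, not the course's configuration; the path names and the entitlement value "admin" are assumptions, and the attribute ids are those of the SP's default attribute-map.xml.

```xml
<RequestMapper type="Native" xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMap applicationId="default">
    <Host name="sp.example.asia">

      <!-- Exercise 2: staff only. "affiliation" is the scoped form, so the value
           must be staff@<scope>; with the scope checked against metadata by
           attribute-policy.xml, only the IdP for example.asia can grant this. -->
      <Path name="staff" authType="shibboleth" requireSession="true">
        <AccessControl>
          <Rule require="affiliation">staff@example.asia</Rule>
        </AccessControl>
      </Path>

      <!-- Exercise 3: any user whose eduPersonEntitlement contains the value "test".
           A Rule matches if any one of the attribute's values equals a listed value. -->
      <Path name="tests" authType="shibboleth" requireSession="true">
        <AccessControl>
          <Rule require="entitlement">test</Rule>
        </AccessControl>
      </Path>

      <!-- Exercise 4: lazy session. The resource is served with or without a session;
           the application itself sends the user to /Shibboleth.sso/Login when it
           wants one. Nothing here enforces authentication, so the application must
           check the attributes (or their absence) on every request. -->
      <Path name="public" authType="shibboleth" requireSession="false"/>

      <!-- Exercise 5: forceAuthn. The IdP must verify the password again even if an
           IdP session already exists. Use it for sensitive operations only, since it
           removes the SSO benefit for this path. -->
      <Path name="admin" authType="shibboleth" requireSession="true" forceAuthn="true">
        <AccessControl>
          <Rule require="entitlement">admin</Rule>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
```

Exercise 6 is the mirror image of forceAuthn and is usually triggered by the application rather than by a path setting: a lazy-session page redirects to /Shibboleth.sso/Login?isPassive=true&target=/public, the IdP answers with an assertion only if it can do so without any user interaction, and on a NoPassive status the application falls back to its anonymous view. On Apache the .htaccess of slide 20 is still what engages mod_shib for a location; the equivalents of the settings above are ShibRequestSetting forceAuthn true and, in SP 2.x, require affiliation staff@example.asia.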