TEIN Shibboleth Training Course Introduction to SAML/Shibboleth at ComLabs USDI ITB, 2014-01-18 (updated version)



Slide 2: Separation of Authentication (authN) and Authorization (authZ)
- An IdP manages "Identity" information and authenticates users.
- SPs refer to the result of authN (e.g. the password matched) and to the identity information (assertion).
- A federation provides "trust" among IdPs and SPs by defining "policy".
- SSO technology preserves privacy:
  - the IdP sends the least attributes (personal information) to the SP;
  - the SP should clarify its list of required attributes (mandatory/optional);
  - the IdP admin can obtain agreement from users before sending out attributes.
(Diagram. "Without separation (past)": the user enters ID/PW at every SP, and each SP stores its own ID and attributes. "With separation": the user enters ID/PW once at the IdP on the first access and is redirected back to the SP with an assertion; the second access to another SP needs no password.)

Slide 3: (Diagram of the components of a federation: an IdP (Identity Provider), a DS (Discovery Service) and several SPs (Service Providers); attributes are carried from the IdP to an SP in SAML messages.)

Slide 4: Single Sign On scenario (diagram)
1. The user wants to download a PPV paper in CiNii. CiNii redirects the browser to the IdP of the user's university, where the ID and password are checked against the personal info DB. The IdP answers "He/She is a member of our University", and CiNii replies "Please DL".
2. The user wants to download from Science Direct as well. The browser is redirected to the IdP and back immediately (without entering a password): "You have authned. Please".
3. The user wants to update a RefWorks record: same redirection, no password.
Once they have logged in, it is Single Sign On.

Slide 5: Benefits
- Facilitate remote access.
- Improve usability by SSO, etc.
(Diagram: search paper, read paper, manage paper, all under one SSO.)

Slide 6: The Federation
- A secure, scalable and easy login architecture built on an international standard protocol: SAML.
(Diagram: IdP = Authentication, SP = Authorization; attributes passed from IdP to SP: Organization Name, Affiliation, Opaque ID, Mail Address, etc.)

Slide 7: (Diagram: user info in LDAP behind the Shibboleth IdP; the SAML standard in between; the Shibboleth SP is something like a filter which mediates the SAML messages for the application.)

Slide 8: Sample SAML assertion (only fragments survived extraction: the authentication context class PasswordProtectedTransport and an attribute value "faculty"; continued on slide 9).

Slide 9 (continued): entityIDs appearing in the sample: https://idp.nii.ac.jp/idp/shibboleth … https://mcus.nii.ac.jp/shibboleth-sp

Slide 10: Web technologies used
- Redirection to collaborate among SP/DS/IdP:
  - HTTP redirect;
  - Javascript (automatic POST of the assertion).
- Cookie management, to memorize session information on:
  - the selected IdP on the DS (Discovery Service);
  - the status of being authenticated on an IdP;
  - the status of being authorized on an SP.
- Session encryption with an SSL server certificate:
  - to protect passwords and cookies from wiretapping.

Slide 11: (Sequence diagram among DS (Discovery Service), User, SP (Resource Provider) and IdP (Home Org), numbered steps 1 to 9 over HTTPS; the step labels did not survive extraction. It ends with attributes delivered to the SP and "Access Approved".)

Slide 12: SWITCH AAI demo: http://www.switch.ch/aai/demo/

Slide 13: Front-channel vs. back-channel assertion delivery (sequences on DS access omitted)
Assertion via front-channel (SAML 2.0):
 (1) access to SP
 (2) redirect to IdP
 (3) request for authentication
 (4) ID and password
 (5) assertion with attributes (requires Javascript)
Assertion via back-channel (SAML 1.3):
 (1) access to SP
 (2) redirect to IdP
 (3) request for authentication
 (4) ID and password
 (5) handle for attribute request
 (6) request for attributes with handle
 (7) assertion with attributes
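The checks an SP's assertion consumer has to run on the step-5 message before it trusts the attributes, as an added Python example that is not from the slides or from Shibboleth: the XML signature is replaced by an HMAC (a labelled stand-in), the entityIDs assume the training hosts idp.example.asia and sp.example.asia from slide 24, and the sample assertion is constructed.

```python
import hmac, hashlib
from datetime import datetime
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example.asia/idp/shibboleth"  # issuer the SP trusts (from metadata)
SP_ENTITY_ID = "https://sp.example.asia/shibboleth"         # this SP's own entityID
SHARED_KEY = b"constructed-demo-key"  # stand-in for the IdP signing key published in metadata

def ts(s):  # parse a SAML UTC timestamp such as 2014-01-18T09:00:00Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def sign(assertion_xml):  # IdP side: HMAC stands in for the XML signature over the assertion
    return hmac.new(SHARED_KEY, assertion_xml, hashlib.sha256).hexdigest()

def verify_assertion(assertion_xml, signature, now_iso, expected_request_id):
    """SP side: run every check before trusting the attributes; raise on the first failure."""
    if not hmac.compare_digest(sign(assertion_xml), signature):
        raise ValueError("signature mismatch: altered, or not issued by our IdP")
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if not (ts(cond.get("NotBefore")) <= ts(now_iso) < ts(cond.get("NotOnOrAfter"))):
        raise ValueError("outside validity window (stale or replayed)")
    if SP_ENTITY_ID not in [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion addressed to another SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request this SP issued")
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}

def accepted(assertion_xml, signature, now_iso, expected_request_id):
    """Boolean wrapper: True only when verify_assertion passes."""
    try:
        verify_assertion(assertion_xml, signature, now_iso, expected_request_id)
        return True
    except ValueError:
        return False

# Constructed sample assertion (step 5 of the front-channel flow), not a real IdP's output.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
<saml:Issuer>https://idp.example.asia/idp/shibboleth</saml:Issuer>
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req42"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2014-01-18T09:00:00Z" NotOnOrAfter="2014-01-18T09:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.asia/shibboleth</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">
<saml:AttributeValue>faculty</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```

Note that NotOnOrAfter is exclusive, so an assertion presented exactly at that instant is already rejected.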

Slide 14: (The same sequence diagram as slide 11, DS, User, SP (Resource Provider), IdP (Home Org), steps 1 to 9, now also showing where a cookie is set on the way; step labels did not survive extraction. It ends with attributes delivered to the SP and "Access Approved".)

Slide 15: Sessions and their lifetimes
- IdP selection at the DS: kept for a month or longer, or cleared after the browser is closed; you can choose which at IdP selection (check box).
- IdP session (you have been authenticated): cleared after the browser is closed (logout by close). Even if the browser is not closed, the session timeout is managed by the IdP, and re-authentication may be required by a change of IP address on the client side.
- SP session: cleared after the browser is closed (logout by close), or by clicking the logout button on the SP.

Slide 16: (Diagram: the IdP (Home Org) and the SP (Resource Provider) register their metadata with the federation; the federation distributes the metadata (download) to the DS (Discovery Service) and to the IdPs and SPs.)

Slide 17: Trust Framework
- The number of contracts can be reduced from N×M to N + M by introducing a uniform policy.
(Diagram: without a trust framework, every IdP/SP pair needs its own contract (many contracts); with a Trust Framework Provider (TFP), each IdP and SP signs a single contract with the TFP.)

Slide 18: Federation metadata structure
- Federation Metadata: Signed Info, IdP Info, SP Info
  - IdP Info: IdP-A Info, IdP-B Info, ... (the Entity Metadata of each IdP)
  - SP Info: SP-A Info, SP-B Info, ... (the Entity Metadata of each SP)
- Entity Metadata (IdP), e.g. IdP-A: ID of IdP-A = entityID, Certificate, Protocol, Organization Info, ...
- Entity Metadata (SP), e.g. SP-A: ID of SP-A = entityID, Certificate, Protocol, Organization Info, ...

Slide 19: (Diagram: the federation's DS (Discovery Service) and metadata repository hold the Federation Metadata, assembled from the Entity Metadata of IdP A, IdP B, IdP C and SP A, SP B, SP C.) The reliability of the relying party is confirmed by the signed metadata.

Slide 20: Shibboleth components
(Diagram. IdP side, running in Tomcat: SSO Profile handler, AuthN Engine with a username/password AuthN form, and Attribute Authority, backed by an AuthN DB and an Attribute DB (LDAP/AD). SP side, running under Apache / IIS: the Shibboleth module (mod_shib) in front of the web resource, and the Shibboleth daemon (shibd) with a Session Initiator, a DS handler and an Assertion Consumer (SAML POST). The browser talks to both over https (front channel); the SP can also query the Attribute Authority directly (back channel; port numbers 443, 4443 or 8443, depending on each SP).)
Access control for the web resource, as shown on the slide (Shib 1.3):
  # .htaccess
  AuthType shibboleth
  ShibRequireSession On
  require valid-user

Slide 21: Configuration files
- Shibboleth IdP: attribute-resolver.xml, attribute-filter.xml, relying-party.xml, handler.xml, login.config; user data in LDAP.
- Shibboleth SP: shibboleth2.xml, attribute-map.xml, attribute-policy.xml; access control in httpd (http.conf / .htaccess); attributes reach the web application as environment variables (Env. Val.).
- Trust between the two: federation metadata, downloaded from the repository into a BackingFile; IdP and SP exchange SAML.

Slide 22: Attributes managed by an IdP
Name (abbreviation)              | Description
OrganizationName (o)             | English name of the organization
jaOrganizationName (jao)         | Japanese name of the organization
OrganizationalUnit (ou)          | English name of a unit in the organization
jaOrganizationalUnit (jaou)      | Japanese name of a unit in the organization
eduPersonPrincipalName (eppn)    | Uniquely identifies an entity in GakuNin
eduPersonTargetedID              | A pseudonym of an entity in GakuNin
eduPersonAffiliation             | Staff, Faculty, Student, Member
eduPersonScopedAffiliation       | Staff, Faculty, Student, Member with scope
eduPersonEntitlement             | Qualification to use a specific application
SurName (sn)                     | Surname in English
jaSurName (jasn)                 | Surname in Japanese
givenName                        | Given name in English
jaGivenName                      | Given name in Japanese
displayName                      | Displayed name in English
jaDisplayName                    | Displayed name in Japanese
mail                             | E-mail address
gakuninScopedPersonalUniqueCode  | Student or faculty/staff number with scope
Released attributes differ among SPs:
- SP-A (2 attributes required): eppn (mandatory), eduPersonAffiliation (optional)
- SP-B (1 attribute required): eduPersonAffiliation (mandatory)
- SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)

Slide 23: Identifier choices
- Anonymous: no identifier is sent. Fit for e-journals (any member (of a department) of the organization can access).
- Autonymous: eduPersonPrincipalName is sent. A unique identifier shared by all SPs (globally unique), similar to an e-mail address.
- Pseudonymous: eduPersonTargetedID is sent [hash(ePPN, entityID of SP)]. A persistent unique identifier for each SP, used to avoid correlation of user activities among SPs.

Slide 24: Training environment
- Host OS (Windows / Mac) running the browser and VirtualBox.
- VM (CentOS) idp.example.asia with LDAP; VM (CentOS) sp.example.asia; a copy of it becomes sp2.example.asia.
- "Host-only" network for the VMs to communicate with each other; "NAT" network to access the Internet.
- No DS (Discovery Service) provided.
- Use /etc/hosts instead of DNS.

Slide 25: IdP exercises (attribute release)
1. Configure the IdP not to send out any attributes to any SP.
2. Configure it to send out only "eduPersonTargetedID" and "eduPersonPrincipalName" to all SPs.
3. Configure it to send out only "eduPersonTargetedID" to one SP.
4. Configure it to send out "admin" as a value of "eduPersonEntitlement" for a user.
   Ref.: https://wiki.shibboleth.net/confluence/x/GoBC
5. Configure it to filter the values of "eduPersonEntitlement" so that only a specific value is sent out to one SP.
   Ref.: https://wiki.shibboleth.net/confluence/x/84BC
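An IdP-side release filter, as an added Python example that is neither the slides' nor Shibboleth's own code: it sends each SP only what it declared on slide 22, derives the per-SP pseudonym of slide 23 with a salted hash (a simplification of Shibboleth's computed ID, not its exact construction), and applies the per-SP value filter of exercise 5 above; the entityIDs, user record and salt are constructed.

```python
import hashlib, base64

# Constructed user record, as the IdP's attribute resolver might pull it from LDAP.
USER = {
    "eduPersonPrincipalName": "alice@idp.example.asia",
    "eduPersonAffiliation": ["staff", "member"],
    "eduPersonScopedAffiliation": ["staff@idp.example.asia"],
    "eduPersonEntitlement": ["admin", "test"],
    "mail": "alice@example.asia",
}
# Per-SP release policy (constructed entityIDs): mandatory / optional / one-of groups as on
# slide 22, plus the value filter of exercise 5 (slide 25) for SP-C.
SP_POLICY = {
    "https://sp-a.example.asia/shibboleth": {"mandatory": ["eduPersonPrincipalName"],
                                             "optional": ["eduPersonAffiliation"]},
    "https://sp-b.example.asia/shibboleth": {"mandatory": ["eduPersonAffiliation"]},
    "https://sp-c.example.asia/shibboleth": {"mandatory": ["eduPersonTargetedID"],
                                             "one_of": ["eduPersonEntitlement", "eduPersonScopedAffiliation"],
                                             "permit_values": {"eduPersonEntitlement": ["test"]}},
}
SALT = b"constructed-idp-salt"  # secret held only by the IdP, so no SP can rebuild the pseudonym

def targeted_id(eppn, sp_entity_id):
    """Pseudonym stable for one (user, SP) pair but different at every SP: hash(ePPN, entityID of SP)."""
    digest = hashlib.sha256(SALT + b"!" + sp_entity_id.encode() + b"!" + eppn.encode()).digest()
    return base64.b64encode(digest).decode()

def release(user, sp_entity_id):
    """Return only the attributes this SP declared; raise if a mandatory one is unavailable."""
    policy = SP_POLICY[sp_entity_id]
    available = dict(user)
    available["eduPersonTargetedID"] = targeted_id(user["eduPersonPrincipalName"], sp_entity_id)
    for name, allowed in policy.get("permit_values", {}).items():   # per-SP value filtering
        if name in available:
            available[name] = [v for v in available[name] if v in allowed]
            if not available[name]:
                del available[name]
    out = {}
    for name in policy.get("mandatory", []):
        if name not in available:
            raise ValueError(f"{sp_entity_id}: mandatory attribute {name} unavailable")
        out[name] = available[name]
    out.update({n: available[n] for n in policy.get("optional", []) if n in available})
    group = [n for n in policy.get("one_of", []) if n in available]
    if policy.get("one_of") and not group:
        raise ValueError(f"{sp_entity_id}: none of {policy['one_of']} available")
    if group:
        out[group[0]] = available[group[0]]   # least attributes: one member of the group suffices
    return out
```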

Slide 26: SP exercises (attribute filtering)
1. Configure the SP to filter out all attributes it receives.
2. Configure the IdP to send out multiple values of "eduPersonEntitlement", then configure the SP to filter out all of them except one value.
3. Configure the IdP to send out a new attribute named "trainingTestAttribute", then configure the SP to receive it.

Slide 27: SP exercises (SSO, authorization and session features)
1. Confirm that no password is required when you access a second SP (SSO).
2. Authorize users who are "staff" according to "eduPersonAffiliation".
3. Authorize users when "test" is included in "eduPersonEntitlement".
4. LazySession feature
   Ref.: https://wiki.shibboleth.net/confluence/x/bYFC
5. ForceAuthentication (forceAuthn) feature
   Ref.: https://wiki.shibboleth.net/confluence/x/SIBC
6. PassiveAuthentication (isPassive) feature
   Ref.: https://wiki.shibboleth.net/confluence/x/SIBC

