Delegated Authentication with Shibboleth - Internet2
Delegated Authentication with Shibboleth
Andrew Petro, Software Developer
Unicon, Inc.
Fall 2010 Internet2 Membership Meeting, Atlanta, GA
03 November 2010
© Copyright Unicon, Inc., 2010. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
This Talk
● Delegated authentication using SAML and Shibboleth
– Why you need it
– What it is
– Software for implementing it
Goals for this talk
● Understand the delegation use case in the abstract
● See why this is important in enterprise portals
● Understand that standard support and implementation of the relevant features are in the Shibboleth IdP and SP today
● Awareness of a Java library and example code making use of this
Agenda
1. Introduction
2. Use Case
3. How It Works
4. Software
5. Next Steps
Introduction
Introduction
● Andrew Petro; Software Developer; Unicon, Inc.
– Jasig CAS steering committee
– Jasig uPortal committer
– etc.
My employer: Unicon
● Jasig CAS Solutions Provider
● InCommon Affiliate
www.unicon.net
Use Case
Delegated Authentication
● System B authenticates to System C on behalf of Person A
● That is, A authenticates to B and delegates authority to B for the purpose of authenticating to C as “B on behalf of A”
[Diagram: Person A → System B → System C]
Delegation example
[Diagram: uPortal → Email Preview Portlet → IMAP Server]
Delegation example *
[Diagram: uPortal → Email Preview Portlet → IMAP Server]
* Warning: this is a bad example because IMAP is an anemic protocol. This slide motivates the delegation concept, not its implementation.
Credential Replay
● Special (blunt) case of delegated authentication
● System B can authenticate on behalf of Person A because B borrows the credentials (password!) of A
[Diagram: Portal → Email Portlet → IMAP Server, with the user's password passed along each hop]
[Diagram: Password Replay. The Portal holds the user's password (PW) and hands it through each Portlet to each Password-Protected Service.]
Authenticating Services to Services
● Credential replay?
● Service credentials and trust relationships?
● Topological restrictions?
● Sure, but what about the “on behalf of a user” part?
RDBMS / JDBC Example
● How 'bout a portlet that reflects library account?
[Mock-up: “My Library Account” portlet]
You have 6 checked out books. 4 of these are overdue, accumulating $1.00 in fines each day. You should return them.
You currently owe the library $10.25. You should pay this fine or, like, you won't graduate.
RDBMS / JDBC Example
[Diagram: the “My Library Account” portlet (“You have 6 checked out books.”) queries the Library Accounts database]
SELECT * FROM CHECKED_OUT_BOOKS WHERE PATRON_ID = ?;
RDBMS / JDBC Example
[Diagram: the “My Library Account” portlet (“You have 6 checked out books.”) queries the Library Accounts database]
SELECT * FROM CHECKED_OUT_BOOKS WHERE PATRON_ID = ?;
Portlet asserts identity of user.
RDBMS / JDBC Example
[Diagram: the “My Library Account” portlet (“You have 6 checked out books.”) queries the Library Accounts database]
SELECT * FROM CHECKED_OUT_BOOKS WHERE PATRON_ID = ?;
Portlet arbitrarily asserts identity of user.
Authenticating Services to Services
● Credential replay?
● Service credentials and trust relationships?
● Topological restrictions?
● Sure, but what about the “on behalf of a user” part?
Authenticating only service?
● Service credentials and trust relationships?
[Diagram: the “My Library Account” portlet (“You have 6 checked out books.”) queries the Library Accounts database]
SELECT * FROM CHECKED_OUT_BOOKS WHERE PATRON_ID = ?;
CAS proxy tickets
[Diagram: Portal → Library Account Portlet → Library System. The portlet presents a CAS “proxy ticket”, not the end user's password; the Library System, protected by a CAS client library, returns XML representing the library account.]
● CAS proxy tickets authenticate a service on behalf of a user
Delegated SAML Assertions
[Diagram: Portal → Library Account Portlet → Library System. The portlet presents a delegated SAML assertion, not the end user's password; the Library System, protected by e.g. the Shibboleth SP, returns XML representing the library account.]
● Delegated SAML assertions also authenticate a service on behalf of a user
Enterprise Portal
● Dashboards
● Service delivery platform
● Portlets using delegated authentication to access backing services on the user's behalf is a common pattern in enterprise portals
[Diagram: Password Replay. The Portal holds the user's password (PW) and hands it through each Portlet to each Password-Protected Service.]
[Diagram: Proxy CAS. A service ticket (ST) reaches the Portal, the Portal holds a proxy-granting ticket (PGT), and each Portlet presents a proxy ticket (PT) to each CAS-client-library-protected service.]
* This slide grossly simplifies some nice considerations not shown.
[Diagram: Delegated SAML Authentication. SAML assertions flow from the Portal through each Portlet to each SP-protected service.]
* This slide grossly simplifies some nice considerations not shown.
How It Works
Short version
● Attempt to access the resource at the backing web service provider (WSP); get back an authentication request
● Modify the authentication request to carry the original SAML assertion and present it to the IdP
● The IdP responds with a new SAML assertion that successfully answers the WSP's authentication request
● Present the new assertion to the WSP, get the original resource, and set some headers to continue connecting
Portal layer
● User logs in to the portal with a SAML assertion
● Portal gets the raw SAML assertion from the SP
● uPortal selectively releases the SAML assertion to portlets
Opting in a portlet
In portlet.xml:

```xml
<user-attribute>
  <description>SAML Assertion</description>
  <name>samlAssertion</name>
</user-attribute>
```
Portlet gets assertion from portal

```java
import java.util.Map;
import javax.portlet.PortletRequest;

// Returns the raw SAML assertion uPortal released as the "samlAssertion" user attribute.
String getSamlAssertion(PortletRequest request) {
    @SuppressWarnings("unchecked")
    Map<String, String> userInfo =
        (Map<String, String>) request.getAttribute(PortletRequest.USER_INFO);
    // null when the portal released no user attributes to this portlet
    return userInfo == null ? null : userInfo.get("samlAssertion");
}
```
SAML Delegation Java Library
● Abstracts getting from IdP a delegated SAML assertion from the raw initial SAML assertion
● Abstracts using delegated SAML assertion (via HttpClient abstraction)
Attempts to get the resource
● The response, presumably from the Shibboleth SP, is a request for authentication
● It arrives as a “PAOS” (Reverse HTTP Binding for SOAP) message rather than as a browser redirect
Process WSP response
● Modifies the authentication request received from the WSP as the Enhanced Client or Proxy (ECP) profile prescribes
● Removes some elements
● Adds the original SAML assertion that authenticated the user to the portal
Presents modified request to IdP
● Presents the modified request for authentication, including the embedded original SAML assertion that authenticated the user to the portal, to the IdP
● This authenticates the portal to the IdP (via certificate)
● This authenticates the context to the IdP (on behalf of the user authenticated by the prior SAML assertion)
IdP responds with SAML assertion
● IdP responds with a SAML assertion suitable for presentation to the backing WSP, authenticating the portal and the delegation
Present delegated assertion to WSP
● The library presents the SAML assertion to the WSP, successfully responding to the authentication request and finally accessing the originally requested resource.
● Result: an HttpClient instance that will continue setting the appropriate headers and responding to authentication requests from the WSP
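The exchange described on the preceding slides, walked through on constructed messages as an added example (this is not code from the talk or from the Jasig delegated-saml-authentication library): it takes the SP's PAOS response apart, attaches the portal's original assertion for the trip to the IdP, and applies the ECP profile's check that the IdP's AssertionConsumerServiceURL equals the responseConsumerURL the WSP supplied before anything is posted back to the WSP. The endpoint URLs, message IDs and both assertions are constructed, and carrying the original assertion in a wsse:Security header is this example's assumption about the profile.

```python
"""Client side of the PAOS/ECP exchange used for delegated authentication.

Added example; not code from the Jasig delegated-saml-authentication library.
Endpoints, IDs and assertions are constructed, and the wsse:Security placement
of the original assertion is this example's assumption about the profile.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
ACS = "https://library.example.org/Shibboleth.sso/SAML2/ECP"   # constructed
_VALS = dict(NS, next=NEXT, acs=ACS)


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


# Constructed: the Shibboleth SP's answer to a GET that advertised PAOS support
# (step 1): an AuthnRequest wrapped in SOAP instead of a browser redirect.
WSP_PAOS_RESPONSE = """<S:Envelope xmlns:S="%(soap)s"><S:Header>
<paos:Request xmlns:paos="%(paos)s" S:mustUnderstand="1" S:actor="%(next)s"
  responseConsumerURL="%(acs)s" service="%(ecp)s"/>
<ecp:Request xmlns:ecp="%(ecp)s" S:mustUnderstand="1" S:actor="%(next)s">
  <saml:Issuer xmlns:saml="%(saml)s">https://library.example.org/shibboleth</saml:Issuer>
</ecp:Request>
<ecp:RelayState xmlns:ecp="%(ecp)s" S:mustUnderstand="1" S:actor="%(next)s">ss:mem:4f2a</ecp:RelayState>
</S:Header><S:Body>
<samlp:AuthnRequest xmlns:samlp="%(samlp)s" ID="_req1" Version="2.0"
  IssueInstant="2010-11-03T12:00:00Z" AssertionConsumerServiceURL="%(acs)s">
  <saml:Issuer xmlns:saml="%(saml)s">https://library.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>
</S:Body></S:Envelope>""" % _VALS

# Constructed: the assertion with which the user logged in to the portal.
ORIGINAL_ASSERTION = """<saml:Assertion xmlns:saml="%(saml)s" ID="_a1" Version="2.0"
  IssueInstant="2010-11-03T11:59:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>""" % _VALS

# Constructed: the IdP's answer (step 3); a real one carries a signed assertion.
IDP_RESPONSE = """<S:Envelope xmlns:S="%(soap)s"><S:Header>
<ecp:Response xmlns:ecp="%(ecp)s" S:mustUnderstand="1" S:actor="%(next)s"
  AssertionConsumerServiceURL="%(acs)s"/>
</S:Header><S:Body>
<samlp:Response xmlns:samlp="%(samlp)s" ID="_resp1" InResponseTo="_req1" Version="2.0"
  IssueInstant="2010-11-03T12:00:01Z" Destination="%(acs)s">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
</S:Body></S:Envelope>""" % _VALS


def process_wsp_response(paos_xml, original_assertion_xml):
    """Step 2: drop the header blocks addressed to the client, attach the original
    assertion, return (responseConsumerURL, relay_state, envelope for the IdP)."""
    env = ET.fromstring(paos_xml)
    header = env.find("soap:Header", NS)
    rc_url = header.find("paos:Request", NS).get("responseConsumerURL")
    relay = header.find("ecp:RelayState", NS)
    relay_state = relay.text if relay is not None else None
    for block in list(header):          # paos:Request, ecp:Request, ecp:RelayState
        header.remove(block)
    security = ET.SubElement(header, _q("wsse", "Security"),
                             {_q("soap", "mustUnderstand"): "1"})
    security.append(ET.fromstring(original_assertion_xml))
    return rc_url, relay_state, ET.tostring(env, encoding="unicode")


def acs_url_matches(idp_xml, response_consumer_url):
    """ECP check: the IdP's AssertionConsumerServiceURL must equal the WSP's
    responseConsumerURL, otherwise the response must not be delivered."""
    header = ET.fromstring(idp_xml).find("soap:Header", NS)
    acs = header.find("ecp:Response", NS).get("AssertionConsumerServiceURL")
    return acs == response_consumer_url


def process_idp_response(idp_xml, response_consumer_url, relay_state):
    """Step 4: swap the IdP's headers for paos:Response (+ RelayState) and return
    (url to POST to, envelope); raises instead of forwarding on a URL mismatch."""
    if not acs_url_matches(idp_xml, response_consumer_url):
        raise ValueError("AssertionConsumerServiceURL != responseConsumerURL")
    env = ET.fromstring(idp_xml)
    header = env.find("soap:Header", NS)
    for block in list(header):
        header.remove(block)
    mu = {_q("soap", "mustUnderstand"): "1", _q("soap", "actor"): NEXT}
    ET.SubElement(header, _q("paos", "Response"), dict(mu))
    if relay_state is not None:
        ET.SubElement(header, _q("ecp", "RelayState"), dict(mu)).text = relay_state
    return response_consumer_url, ET.tostring(env, encoding="unicode")
```

Running `process_wsp_response(WSP_PAOS_RESPONSE, ORIGINAL_ASSERTION)` and then `process_idp_response(IDP_RESPONSE, url, relay)` yields the envelope to POST to the WSP's ECP endpoint. What the slides call "authenticates the portal to the IdP (via certificate)" and the signature on the returned assertion sit in the TLS and XML-signature layers and are not modelled here; the URL comparison is, because it is the client-side check that stops a response from being steered to a consumer endpoint other than the one the WSP named.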
Configure SP to accept delegation

```xml
<!-- e.g. in shibboleth2.xml; assumes the saml: prefix and
     xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
     are declared on an enclosing element -->
<PolicyRule type="Delegation" match="oldest">
  <del:Delegate>
    <saml:NameID>https://portal.example.org/shibboleth</saml:NameID>
  </del:Delegate>
</PolicyRule>
```
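What the policy rule above decides, and why the library example earlier needed it, as an added example in plain Python (not Shibboleth SP code): the WSP accepts a delegated assertion only if its audience includes the WSP and the oldest delegate in the assertion's delegation chain is the portal, and it takes the acting user from the assertion's Subject instead of from anything the portlet supplies, which is what closes the "portlet arbitrarily asserts identity of user" gap. Entity IDs, timestamps and the assertion builder are constructed; only the "oldest" mode comes from the slide's configuration, while the "any" mode is this example's looser alternative for contrast and is not a claim about the SP's option set.

```python
"""Evaluating a Delegation policy rule over a delegated SAML assertion.

Added example, not Shibboleth SP code.  Entity IDs and times are constructed;
"oldest" mirrors the slide's configuration, "any" is only a contrast mode.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DEL = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"   # delegation condition ns
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML, "del": DEL}
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"


def build_delegated_assertion(subject, audience, delegates):
    """Construct a sample delegated assertion; delegates is a list of
    (DelegationInstant, entityID) in the order the chain grew, oldest first."""
    chain = "".join(
        '<del:Delegate DelegationInstant="%s"><saml:NameID Format="%s">%s</saml:NameID></del:Delegate>'
        % (instant, ENTITY, entity) for instant, entity in delegates)
    return ('<saml:Assertion xmlns:saml="%s" xmlns:del="%s" xmlns:xsi="%s" ID="_d1" Version="2.0" '
            'IssueInstant="2010-11-03T12:00:01Z"><saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject><saml:Conditions>'
            '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
            '<saml:Condition xsi:type="del:DelegationRestrictionType">%s</saml:Condition>'
            '</saml:Conditions></saml:Assertion>') % (SAML, DEL, XSI, subject, audience, chain)


def delegation_chain(assertion_xml):
    """Return [(DelegationInstant, entityID), ...] ordered oldest first.  UTC
    ISO 8601 strings sort chronologically; a missing instant sorts first."""
    root = ET.fromstring(assertion_xml)
    chain = []
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        # xsi:type carries a prefix chosen by the issuer, so match on the local name
        if cond.get("{%s}type" % XSI, "").endswith("DelegationRestrictionType"):
            for d in cond.findall("del:Delegate", NS):
                chain.append((d.get("DelegationInstant", ""),
                              d.find("saml:NameID", NS).text.strip()))
    return sorted(chain)


def audiences(assertion_xml):
    root = ET.fromstring(assertion_xml)
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return {a.text.strip() for a in root.findall(path, NS)}


def delegation_rule_permits(assertion_xml, my_entity_id, allowed_delegates, match="oldest"):
    """Decide as the WSP: the audience must include us, a delegation chain must be
    present (this example's requirement), and the delegate selected by `match`
    must be one of the allowed entity IDs."""
    if my_entity_id not in audiences(assertion_xml):
        return False
    chain = delegation_chain(assertion_xml)
    if not chain:
        return False
    if match == "oldest":
        return chain[0][1] in allowed_delegates
    if match == "any":      # looser, for contrast: any delegate in the chain will do
        return any(entity in allowed_delegates for _, entity in chain)
    raise ValueError("unsupported match mode: " + match)


def acting_user(assertion_xml):
    """The patron the portlet acts for comes from the assertion, not the portlet."""
    root = ET.fromstring(assertion_xml)
    return root.find("saml:Subject/saml:NameID", NS).text.strip()
```

With `match="oldest"` a chain that began at some other entity and only later passed through the portal is refused even though the portal appears in it; under the contrast mode "any" it would pass. The value returned by `acting_user` is what belongs in the `PATRON_ID = ?` placeholder of the library query.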
Disclaimer
Quite a bit of detail and formality was just glossed over.
Software
Shibboleth
● IdP (support for vending the delegated assertions)
● SP (releases initial SAML assertion to portal, support for consuming the delegated assertions)
Java Delegation Support Library
● Implements using SAML assertion to interact with IdP to get new delegated SAML assertion
● Implements using delegated SAML assertion to retrieve one or more https:// resources from a backing service
uPortal extensions
● Implements support in uPortal for (selectively) making SAML assertion available to portlets so they can successfully use that Java library
Example portlet
● Demonstrates using the uPortal extension and the shibboleth-delegation Java library
Next Steps
Further Test, Use in the Real World
● Needs (more) adopters
● Improve documentation
● Attendant code maturity issues (this code is not bad, but it isn't honed through use either)
● Iterations and release march
Enhance Shibboleth SP
● (This point stolen from Shib SP roadmap discussion, cf. Scott Cantor)
● Move functionality from the Java library into the SP
● Allows maintaining that functionality closer to the rest of the SP code
● Eases implementing delegation support in more languages
Improve uPortal-Shib Story?
● uPortal already supports Shibboleth
– Authentication
– User attributes
– And with this, delegated authentication
● Needs better documentation (what doesn't?)
● Certainly needs better marketing
Resources
Shib-uPortal Wiki Space
● http://bit.ly/shib_up_wiki
Shibboleth IdP and SP modules
Java Library
● Implements interaction with IdP to get delegated SAML assertion
● And basic retrieval of a resource via HTTPS using the assertion
https://source.jasig.org/sandbox/delegated-saml-authentication/
uPortal extensions
● Bridges from SP into the portal framework
● Delivers SAML assertion (selectively) to portlets as user attribute “samlAssertion”
https://source.jasig.org/sandbox/ShibbolethuPortalIntegration/
Portlet demonstrating use
http://bit.ly/delegated_shib_demo_portlet
Seems like ridiculously little code (Spring PortletMVC and use of the Java library).
That's kind of the point.