Gluu Server Technical Slides

Post on 01-Jul-2015



The Gluu Server offers one of the best free, open source, enterprise grade identity and access management tools available. These slides provide a deep dive on Gluu's technical and operational capabilities.

Transcript of Gluu Server Technical Slides

Gluu Server Technical Overview

November 20, 2014

SAML Support

Gluu supports three SAML platforms, each of which serves a different purpose:

Outbound SAML: Shibboleth IDP (http://shibboleth.net)

Inbound SAML: Asimba SAML proxy (http://asimba.org)

SAML Multiparty Federation Management: Jagger (http://jagger.heanet.ie)

Outbound SAML is used when you are the IDP, for example when your employees access Gmail or Salesforce.

Shibboleth is the most widely deployed SAML IDP, and offers fine grain control over attribute release policies to partner websites, as well as trust management using multi-party federations.

Shibboleth IDP

Asimba SAML Proxy

If your partners or customers have their own IDPs, and you have many websites, you will need to use a “proxy” so you can send them just one SAML metadata file.

The Asimba SAML proxy, developed in the Netherlands, is extremely stable and provides a central point to manage discovery and attribute mapping.

A multi-party federation enables you to normalize the process for onboarding new federation partners to drive down the cost of SAML integrations.

The Jagger software provides a tool to enable IDP or SP enrollment into the federation, metadata validation, and metadata publication.

Jagger

OAuth2 Support

Gluu supports two profiles of OAuth2:

OpenID Connect (http://openid.net/connect)

User Managed Access (UMA) (http://www.gluu.co/uma-wg)

Interop 4 Results: http://www.gluu.co/.fm8t

Since 2012, the Gluu Server has offered one of the most comprehensive J2EE OpenID Connect implementations.

UMA

Defines a profile of OAuth2 to enable centralized management of authorization: to control which people, using which clients, can access which APIs.

Strong Authentication

The Gluu Server supports custom multi-step strong authentication workflows.

Gluu’s open source two-factor mechanism, oxPush, uses mobile push notification to verify control of a mobile device.

As part of the NSTIC pilot (http://www.gluu.co/gluu-in-nstic), we plan to introduce another FIDO (client stored biometric) server that is based on the Yubikey FIDO U2F server.

Gluu currently has open source scripts to support Duo Security (in fact we use Duo internally), as well as several other commercial two-factor services (e.g. Yubikey, Wikid, Toopher, inWebo, Google).

Using custom authentication scripts, you can also call an anomaly analysis platform (like Guardian Analytics) to detect fraudulent logins.

Likewise, you can use the location and network information available to you to make access policies.

Malicious login detection / geofence

Accessibility

The Gluu Server can display one or more authentication web pages (e.g. for two-step authentication). All pages are customizable. You can provide your own html, css, images, and javascript.

Password storage

You can store passwords anywhere you want, as long as there is an API to validate them. The Gluu Server supports non-password mechanisms to identify a person, so passwords are optional.

If you chose to use the Gluu Server for password storage, both the oxTrust and LDAP logs would record password change events.

SAML Implementation

Audience Restriction, encrypted responses, and targetIDs are all supported.

Assertions are available in the debug logs. Trust is always explicit in the Shibboleth IDP, so no attributes other than a transient id will be released by default.

oxTrust validates SAML SP metadata on import; Asimba validates IDP metadata on startup; Jagger also validates SAML metadata if you are pre-validating the metadata in a federation.

SAML Logout

With SAML logout, the IDP sends a callback notification to each application serially. This is very fragile, and most IDP operators advise their users to kill the browser.

SAML force session invalidation

SAML sessions are stored in memcached. You’d have to write a custom script to look up the session id and remove it from memcached. Note: application sessions may persist, so this may not achieve the desired result.

The best way to achieve this result is to implement centralized authorization with more security checks (post-authentication). See this blog: http://www.gluu.co/authz-is-new-authn

OAuth2 Logout

OpenID Connect defines the “Session Management” specification. This mechanism relies on Javascript to detect a logout event in another browser tab. It’s fast, but if the tab is not open at the time of logout, the application may not receive the logout notification.

Custom logout scripts

The Gluu Server enables you to define custom logout scripts. Using this mechanism, you could send notifications to backend applications. However, if you have a lot of sessions, server-side notifications don’t scale that well (e.g. Google can’t track server-side sessions for everyone logged into Google).

Custom OAuth2 message content

In OpenID Connect, the IDP can explicitly release attributes to the RP using OpenID Connect scopes (bundles of user claims). Most of the other fields are defined by the standard.

Host Level Security

Your organization provides the servers and base OS.

Logging

There are several logs (all of which you can access in real time): oxAuth, Shibboleth and Asimba provide authentication logs. The Apache and LDAP logs can also be informative.

Log4J produces most of the logs (except for LDAP and Apache), so you could probably implement a custom logging format. You could add the geo region to the logs. Our suggestion is to create a different cluster for each region.

Assign policies other than access?

The UMA profile of OAuth2 enables you to define “Resource Sets” which reference groups of URLs. UMA uses OAuth2 scopes to map which central policies are required for access to Resource Sets.

Policies may consider user claims, client claims, authentication type, network (IP address), geolocation, time of day, or load balancer request headers. Policies may also call external APIs for fraud detection, or for an external policy decision (e.g. XACML).

2FA Enrollment

You can use the Gluu Server custom authentication scripts for 2FA enrollment. Each authentication mechanism can have its own enrollment process.

Enforce 2FA

Using UMA, you can create a policy that requires a certain authentication level or type. If a user doesn’t have the correct credentials, a 403 is returned with a JSON hint:

{
  "status": "error",
  "error": "need_reauthentication",
  "required_acr": ["https://example.com/acr/mode/duo", "http://example.com/acr/level/10"]
}

Note: in this way, you could set different session timeouts, or force a re-authentication.
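The policy evaluation described in the two slides above (authentication type, network and time-of-day rules, with the 403 re-authentication hint) as an added, self-contained example; this is illustrative code, not Gluu's UMA implementation, and the policy field names, resource set URL, networks and hours are constructed assumptions.

```python
import ipaddress
import json
from datetime import time

# Constructed policy for one UMA-style resource set. The field names are
# hypothetical and not Gluu's own policy format; the acr values are the ones
# quoted in the slide's 403 hint.
POLICY = {
    "resource_set": "https://api.example.com/payroll/*",
    "required_acr": ["https://example.com/acr/mode/duo",
                     "http://example.com/acr/level/10"],
    "allowed_networks": ["10.0.0.0/8", "192.168.0.0/16"],
    "allowed_hours": (time(7, 0), time(19, 0)),
}


def evaluate(policy, session, client_ip, now):
    """Return (http_status, body) for a request against the resource set.

    session: dict carrying the 'acr' the user authenticated with.
    client_ip: source address seen by the resource server or load balancer.
    now: datetime.time of the request, for the time-of-day rule.
    """
    # Authentication-strength rule: the session must carry one of the
    # required acr values, otherwise answer with the slide's re-auth hint.
    if session.get("acr") not in policy["required_acr"]:
        return 403, {"status": "error",
                     "error": "need_reauthentication",
                     "required_acr": list(policy["required_acr"])}
    # Network rule: only the listed address ranges may reach this resource set.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(n) for n in policy["allowed_networks"]):
        return 403, {"status": "error", "error": "network_not_allowed"}
    # Time-of-day rule (inclusive window).
    start, end = policy["allowed_hours"]
    if not start <= now <= end:
        return 403, {"status": "error", "error": "outside_allowed_hours"}
    return 200, {"status": "ok"}


def respond(policy, session, client_ip, now):
    """Serialise the decision as the JSON body the client would receive."""
    status, body = evaluate(policy, session, client_ip, now)
    return status, json.dumps(body)


if __name__ == "__main__":
    weak = {"acr": "http://example.com/acr/level/1"}  # constructed session
    print(respond(POLICY, weak, "10.1.2.3", time(9, 30)))
```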

Pen testing / crypto

Several of our customers have done application pen testing on the Gluu Server, and we have been able to remediate all major issues. We encourage you to perform your own penetration testing.

We use system SSL libraries. Bouncy Castle is the Java crypto provider. You can substitute a different JCE library if you are using an HSM.

Web

All browsers supported… you provide the html, css, images, and javascript. Javascript is required for OpenID Connect session management.

What gets stored in the browser? See:

http://openid.net/specs/openid-connect-session-1_0.html

http://openid.net/specs/openid-connect-core-1_0.html

Session idle

Session timeouts are configurable for SAML and OAuth2. Note: applications may have their own session timeout policies.

Cipher Suites

You can adjust the Apache httpd configuration to your preference. The default configuration can be found on GitHub (GluuFederation).

Legal

Gluu, as an organization, doesn’t hold any customer PII.

Operational

Gluu does not offer a hosted option.

The Gluu Server is free open source software that is deployed by your own organization.

The infrastructure requirements depend on the number of users and how many development environments you want.

Gluu is moving to a Docker based deployment, where each service would run in its own container. This would enable an elastic approach to scaling each of the components.

Operational (continued)

Typical Cluster Install: Clustering the Gluu Servers is quite challenging. Currently, the best way to cluster is by contracting Gluu to build them. To perform a base installation of the development and production clusters, figure four weeks.

App Integrations: How long it takes to integrate all your applications depends on your applications. Each application needs to be considered on a case-by-case basis, tested, and a cutover planned. It’s really important to set the roadmap now so applications being deployed today will know to require either SAML or OpenID Connect.

Gluu is not a password management system (although you can use the Gluu Server to safely store the password in LDAP).

How we build a new cluster

1. A different .deb is required for each environment. For example: idp-dev-us.example.com, idp-prod-us.example.com

2. It takes about 3 - 4 weeks to build and test each cluster, although we can work in parallel on several environments.

User (de)provisioning support

Current: SCIM 1.1 (http://simplecloud.info). High-level user add. APIs protected by UMA.

Deprecated: LDAP. LDAP requires a tight bundling with the persistence layer.

Future: SCIM 2.0

Pre-integrations

Any site that supports SAML or OpenID Connect can typically be integrated with ease.

Pricing

Gluu Server Support: http://gluu.org/pricing

Cluster Build-Transfer Service ($30k per cluster + 15% annual support)

Professional Services: Move forward with the base deployment, and engage professional services tactically when you need to get something done. We have integrators around the world ready to help!

Other info about Gluu...

Founded: 2009

Goal: Make the Gluu Server the best free open source access management platform

Gluu History

Gluu Team

Country         Number of Staff   Function
United States   2                 Business
Ukraine         4                 Programming
Bangladesh      5                 Support / Operations
Armenia         2                 Support / Operations
India           2                 System Administration
China           2                 C programmers
Bolivia         1                 Programmer
Japan           6                 Falcon Partners

Gluu Industry Participation

OpenID Connect Foundation (http://openid.net)

UMA Working Group (http://www.gluu.co/uma-wg)

Open Interconnect Consortium (http://openinterconnect.org)

Ubuntu Application Security Group (http://jasp.io)

Why use free open source?

1. Crowdsourced development and testing results in the most eyes on the software, and more often than not, the best code.

2. Give back: your contributions to the project will make many organizations on the Internet a little bit safer.

3. Customize the code to meet your exact requirements.