Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Using Drupal, SAML, and Shibboleth to bring users to the cloud
Nate Klingenstein
[email_address]
Internet2 / InCommon Federation / Shibboleth Consortium
Greg Knaddison
Acquia
30 November, 2011
Acquia Webinar Series

Connecting to the Cloud
Two necessary infrastructure components
A great network connection
Effective Identity Management
Two necessary business components
Software architected to integrate with you
Excellent, professional service

A Brief History of Identity Management
Isolated Accounts
Centralized User Databases
LDAP, SQL
Single Sign-On
Kerberos, Various others like CAS, PKI?
Federated Identity
SAML, OpenID, OAuth, Shibboleth

Federated Identity
A generalization of older single sign-on systems
No tight coupling between identity sources and applications or services
No presumptions about trust or authority

Federated Identity
Identity Providers (IdP) supply user information and authentication service
Generally as a stand-alone service
Service Providers (SP) process user information, protect, and supply applications with trusted data
Generally integrated tightly into the web environment

Federated Identity Benefits
Automated provisioning, but deprovisioning requires some thought
Provides single sign-on for both local and cloud services
Authoritative attributes provide applications with quality, trusted data
Applications can be easily shared between many organizations

SAML v2.0
Security Assertion Markup Language
A set of tokens and a set of protocols used to convey those tokens
Tokens may be used independently of the protocols
Standardized in March 2005
Ongoing spec development for new features continues, but likely never a new, breaking version

SAML v2.0 Deployment
Widespread Commercial Support
Oracle, Microsoft, Novell, CA, PingIdentity, etc.
Widespread SaaS Vendor Support
Google, Microsoft, Salesforce, ADP, etc.
Excellent free, open source solutions
Shibboleth, simpleSAMLphp, OpenSSO, etc.

SAML 2.0 IdP Deployment
Wide-spread deployment and dominant market share in a variety of verticals
Education, finance, real estate, justice, defense, conglomerates
Approximately 4,000 Research and Education Deployments
~100% coverage in some countries
10+ million vetted accounts

Shibboleth
Project since ~2001, code since ~2003
Dominant market share in academia
Thousands of deployments, millions of users
Widely used in real estate, justice, and increasingly in financial and corporate verts
Transitioning from Internet2 project to consortium & new org for sustainability

Shibboleth
Free, open-source software
Small but global development team
Modified Apache-style licensing; no BSD
Architected for large-scale multi-lateral identity; easily used for bilateral collaborations too
Focus on trusted attributes in addition to providing standard single sign-on

Technical Deep Dive Overview
Geeking out for a moment – please forgive us…
Identity Provider (IdP) implementation and deployment
Service Provider (SP) implementation and deployment

Shibboleth IdP
Java webapp to be deployed into a standard servlet container
Apache Tomcat, JBoss, Jetty, etc.
Future releases will be distributed with a bundled servlet container; existing packaging will still be available

Shibboleth IdP
Highly scalable with a variety of clustering options
Concurrent login attempts CPU-bound, concurrent sessions RAM-bound
Scales easily to hundreds of thousands
Designed to integrate with IdM systems, not replace them
Authentication and attribute connectors available for common choices; extensible

Shibboleth SP
Written in C++
In-process module loaded by webserver
Apache(worker mode preferred) or ISAPI
Out-of-process daemon

Shibboleth SP
No API
Application integration at 3 points:
Session Creation/Login (automatically enforced, or application triggered)
Session Recall/Attributes (environment variables or header variables with IdP info, user attributes)
Session Destruction/Logout

Shibboleth Trust
As promiscuous or as exclusive as you would like
Federations are communities of providers that act by the same rules, to reduce the handshake problem
We don’t have much faith in commercial certificates
Comes from experience

Drupal and Shibboleth
Drupal plugin developed by the Hungarian Federation (NIIF)
Relies on having the Shibboleth SP installed and configured
We like this: avoids dangers of homemade security software, incorporates new Shibboleth features easily, no lock-in

Drupal and Shibboleth
Provides basic login and logout links
Integrated with both Drupal and Shibboleth, making session management easier
Maps SAML attributes to Drupal roles
Since Shibboleth interoperates with many commercial SAML offerings, so too will “Shibbolized Drupal”

Shibboleth, SAML & Acquia Cloud

Example Drupal Deployments
Two San Francisco based higher education institutions
Acquia Commons for faculty, staff, student collaboration
Second running 21 custom Drupal multi-sites
Running in Acquia Managed Cloud
Running SP daemon
Load balanced with sticky sessions to support Shibboleth
Could use SP on single web server or shared database storage
Using sticky sessions improve scalability/reliability

Example Drupal Deployments
Benefits
Centralized auditing of logins
Provisioning efficiency, de-provisioning completeness
Gotchas:
shibauth Drupal module always creates Drupal accounts

My Thanks to Acquia
[email_address]
http://www.internet2.edu/
http://www.incommon.org/
http://shibboleth.net/

Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

by Acquia on Dec 01, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud — Presentation Transcript