Sakai Amsterdam 130607

Guanxi Shibb Kit (GSK) presentation at the Sakai conference, Amsterdam, 2007


  1. Federation With The Guanxi Shibb Kit
     Sakai Conference, Amsterdam, June 13th 2007
     Alistair Young, Senior Software Engineer (Àrd-Innleadair air Bathar-bog), UHI @ Sabhal Mòr Ostaig
  2. Wear the fox hat?
  3. On the menu today ("I hope sir is hungry")
     • The Guanxi Project overview
     • What does integration mean for an IdP?
     • The Guanxi Shibb Kit
     • Wrapping up
     • Questions
  4. Hors d'oeuvres: The Guanxi Project overview
     "Who are those strange users in my system?" (a Shibboleth admin)
  5. What is Guanxi? ("Scratch my back, I'll scratch yours")
     In the Chinese business world, "Guanxi" is understood as the network of relationships among various parties that cooperate and support one another.
     Guanxi has three main objectives:
     • To implement the Shibboleth 1.2 specification in a web-service (WS) architecture and within a VLE
     • To extend and develop intra- and inter-institutional AA (authentication and authorisation) functions
     • To create and use Shibboleth federations
  6. The Guanxi Project
     • UK JISC-funded Core Middleware Project
     • Collaboration: UHI Millennium Institute (lead partner), University of Leeds, University of Oxford
     • Core Guanxi components: IdP, SP, WAYF
  7. The Guanxi Project: who is Guanxi? (i.e., who to blame...)
  8. A Wee Bit Of Grammar
     "To shibb or not to shibb, that is the question..." (Shakespeare, apparently)
     Introducing the verb, to shibb:
     • To bang one's head repeatedly against a hard surface
     • To age prematurely
     • To curse PKI
     • To hallucinate and drool for a metadata editor
     • Finally, to let anyone and their dog into your systems!
  9. Web Service Enabled Service Provider
     [Diagram: a federation server hosting the federation SP and WAYF; org2's webapp protected by a filter with resource-specific modules; org1's IdP with its SSO and AA.]
     1. Institutional user@org1 accesses a resource at org2
     2. The filter sets up a WS-Callback with the federation SP
     3. The filter redirects the user to the federation WAYF
     4. The user's SSO authenticates them
     5. The SSO replies to the federation SP
     6. The federation SP requests attributes on behalf of the filter (A/C)
     7. The user's AA sends attributes to the org2 federation SP
     8. The federation SP invokes the WS-Callback to the filter, which retrieves its attribute request data
     9. The filter makes the access decision based on the attributes gathered by the federation SP
     • Distributed architecture: institutional SAML server, satellite Guards
     • SAML servers can be scaled out to balance load
  10. Starter: What does integration mean for an IdP?
  11. Identity Provider
     "I am, therefore my IdP knows about me..." (famous philosopher)
     It's the Identity Provider's job to:
     • Get you authenticated, somehow, anyhow
     • Release attributes about you: affiliation, membership etc.
     Authentication is out of scope of the Shibboleth profile:
     • Do it any way you want! LDAP, JDBC, secret handshake while standing on one leg with trouser leg rolled up!
     Attributes can be gathered from multiple stores:
     • Get them from eDirectory, Active Directory, VLE
     • Guanxi aggregates and "SAMLises" them
     • Only released subject to the Attribute Release Policy (ARP)
  12. What is integration?
     "How many webapps can a web.xml withstand?" (17th century children's rhyme)
     An IdP can be standalone, linked to backend systems:
     • SP oriented. Users authenticate when they access a remote, shibbed resource
     • Confusing if they have already logged in to the institutional portal or VLE. Why authenticate twice?
     Or it can be embedded in an institutional application: VLE, portal, identity management system etc.
     • IdP oriented. Users authenticate once, in the VLE, and access shibbed resources seamlessly
     • The VLE is already linked to backend systems
     • Introduces the concept of "logging in to your IdP": log in first thing, ready to shibb all day
  13. Mapping attributes
     "You're not putting that in there..." (our Novell admin)
     • The JISC UK federation mandates use of eduPerson
     • But we don't have eduPerson support in our eDirectory
     • Our admin jumps up and down when we ask for it: "oh yes, you're asking for it all right", he shouts!
     • Not to worry. The Guanxi IdP will map any attribute to any other
     • An example is the Athens "userRole" attribute. We don't have it in eDirectory either, so we map our users' LDAP DN to their userRole
     • Bodington uses the Guanxi IdP to map its internal membership roles to eduPerson
     • Sakai can now map its User object to eduPerson attributes and release them
  14. Sakai + Guanxi: a Shibboleth compatible Virtual Learning Environment
     [Diagram: Sakai VLE with embedded Guanxi IdP and Guanxi SP, giving true SSO; Sakai as a Guanxi Shibb gateway to Athens; external Shibboleth IdP and SP.]
     • Minimal configuration: self-signed certs are auto-generated
     • User and Group information exposed as eduPerson attributes by Guanxi
     • Can log in to your IdP to create users and manage their access rights
  15. Single Sign On
     "I have too many passwords!" (a user)
     • SSO means different things to different people
     • Used to mean a single username/password; you still had to authenticate multiple times
     • Starting to mean just what it says on the tin: log in once and the middleware takes care of the multiple authentication problem
     • But you need an integrated IdP to get true SSO
     • Shibboleth disappears. Users never see the IdP. All they see is their VLE or portal login page, once
  16. Main course: The Guanxi Shibb Kit
  17. Guanxi Shibb Kit (GSK)
     • Shibboleth is complementary to normal Sakai operation
     • Works with Sakai 2.4+
     • Self-contained in the /portal-shibb portal
     • Does not replace any Sakai authentication/authorisation features
     • The Shibb portal is a holding area while users are authenticated by their Identity Provider and their attributes retrieved from their Attribute Authority
     • When they pass muster, a Pod is constructed with their SAML attributes and acts as a store for the Guanxi UserDirectoryProvider and GroupProvider
     • Pods are persisted, so a shibb user is always "there" in Sakai, subject to SAML attribute lifetimes
  18. Promotion to /portal
     • Once a user has a valid Pod, the Shibb portal "logs them in" to Sakai and redirects them to the main portal
     • The Shibb portal requires the main Sakai to be using the federated versions of the User and Group providers: FilterUserDirectoryProvider and FilterGroupProvider
     • The Pod acts as a UserDirectoryProvider and GroupProvider, using its SAML attributes and their TTLs
     • Once the user is kitted out with a Sakai profile courtesy of the GSK, they are free to wander around Sakai as normal, with their Pod acting as their information provider
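A hypothetical sketch, added here and not Guanxi or GSK code, of two ideas from the slides above: the IdP-side attribute mapping of slide 13 (any attribute to any other, with only mapped attributes released) and the TTL-bound Pod of slides 17 and 18. The mapping table, the DN-to-userRole rule and the attribute names are constructed assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed rule standing in for "map the user's LDAP DN to their userRole":
# a DN under a staff OU yields "staff", anything else "student".
def dn_to_user_role(dn: str) -> str:
    return "staff" if "ou=staff" in dn.lower() else "student"

# Constructed mapping: source attribute -> (released name, optional deriving function).
# Attributes absent from this table are never released (a crude ARP).
MAPPING = {
    "dn":   ("userRole", dn_to_user_role),
    "mail": ("eduPersonPrincipalName", None),
    "role": ("eduPersonAffiliation", None),
}

def map_attributes(raw: dict, mapping=MAPPING) -> dict:
    """Rename or derive attributes; unmapped source attributes are dropped."""
    out = {}
    for src, (target, fn) in mapping.items():
        if src in raw:
            out[target] = fn(raw[src]) if fn else raw[src]
    return out

@dataclass
class Pod:
    """Per-user store of SAML attributes, each with its own expiry time."""
    user_id: str
    attrs: dict = field(default_factory=dict)  # name -> (value, expires_at)

    def add(self, name: str, value, ttl_seconds: float, now=None):
        now = time.time() if now is None else now
        self.attrs[name] = (value, now + ttl_seconds)

    def get(self, name: str, now=None):
        """Return the attribute value, or None if unknown or past its TTL."""
        now = time.time() if now is None else now
        entry = self.attrs.get(name)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def is_live(self, now=None) -> bool:
        """A Pod can vouch for its user only while the principal name is unexpired."""
        return self.get("eduPersonPrincipalName", now) is not None

def build_pod(user_id: str, raw_attrs: dict, ttl_seconds: float, now=None) -> Pod:
    """Map the raw institutional attributes and load them into a fresh Pod."""
    pod = Pod(user_id)
    for name, value in map_attributes(raw_attrs).items():
        pod.add(name, value, ttl_seconds, now)
    return pod
```

A real deployment would take the TTL from the SAML assertion's validity window rather than a fixed number, and would re-query the AA when `is_live` turns false.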
  19. One stop shibb shop (say that when you're drunk!)
     [Diagram: /portal-shibb containing the Service Provider (Guard and Engine), the IdP and the WAYF.]
     • All Shibboleth functionality in one place
     • Enabled/disabled by a setting in the Shibb portal
     • /portal-shibb contains everything Sakai needs to work in a Shibboleth federation
     • Does not require Apache, only a servlet container, e.g. Tomcat
  20. GSK Architecture
     [Diagram: a remote user's browser is redirected to /portal-shibb, whose Guard and Engine send the user to the IdP to authenticate and fetch attributes; PodUserDirectoryProvider and PodGroupProvider (Guanxi) sit alongside LDAPUserDirectoryProvider and LDAPGroupProvider (normal Sakai) behind FilterUserDirectoryProvider and FilterGroupProvider, serving the normal /portal worksite tools for both shibbed and normal Sakai users.]
  21. Embedded IdP
     [Diagram: attribute queries arrive at /portal-shibb/AA and authentication requests at /portal-shibb/SSO; the IdP is built from SakaiCookieHandler, SakaiAuthenticator, SakaiAttributor and a mapper.]
     • SakaiAuthenticator delegates to the Sakai authentication system
     • SakaiAttributor uses Sakai for user information
     • SakaiCookieHandler traps authentication requests, so you only need to log in once to access multiple SPs
     • The IdP's mapper changes Sakai attributes to any other attributes
  22. Embedded SP
     [Diagram: in Sakai #1, user requests for /portal-shibb/gx hit the Guard (/portal-shibb/guard.*), which hands authn, attributes and authz to the Engine (/portal-shibb/engine.*); the Engine talks to the WAYF and to the IdP, which may be Sakai #2.]
     • Fully self-contained: Sakai has a Guard and an Engine
     • The Guard blocks requests to /portal-shibb/gx
     • The Guard is a holding pen for users while they are authenticated by their IdP, which could be another Sakai
     • The SAML Engine takes care of all Shibboleth and SAML functionality
  23. External SAML Engine
     [Diagram: one Guanxi SAML Engine serving the Guards of several normal Sakai instances.]
     • Rather than each Sakai instance having its own SAML Engine, with its maintenance and configuration overhead, use a central SAML Engine hosted by sakaiproject
     • Each Sakai Guard is configured to talk to the Engine
     • Sakai instances do not need to know about SAML or Shibboleth
  24. Pudding (indigestion): Wrapping up
  25. In the pipeline
     • A Shibboleth tool to provide a configuration GUI
     • Expose individual Sakai tools as Shibboleth Service Providers, allowing tools to specify which attributes they require for access
     • Enhance the Sakai providers to allow proper internal federation: each UDP knows which users belong to it, so there is no need to search the chain of providers
  26. Chucking out time ("one more waffer-theen meent, sir?")
     • Guanxi project website -
     • GSK documentation - Sakai_Guanxi_Shibb_Kit
     • The GSK is in contrib
     • Guanxi mailing list -
     • Email -