Lenya and Shibboleth

5. With standards-based AAI

[Diagram: an AAI (authentication and authorization infrastructure) spanning two home organizations. University of Zurich offers Web Mail, Course Reg. and E-Learning; University of Berne offers Research DB, Library and Student Admin. The two labelled flows are Authentication (at the user's home organization) and Authorization (at the service).]
6. Benefits

• Virtualized ID: service providers save registration and administration effort, since identities are managed by the home organization
• Standardized interfaces: service providers can easily integrate users of other organizations
• Standardized authentication: users can access various services at different organizations with a single password
9. SWITCH AAI Attributes

• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...
11. Accessing a Service

[Sequence diagram; participants: Browser, SP, WAYF, IdP]
1. Browser -> SP: request a protected page
2. SP -> Browser: redirect to the WAYF
3. WAYF -> Browser: show IdP selection
4. Browser -> WAYF: select IdP
5. WAYF -> Browser: redirect to the IdP
6. IdP -> Browser: login screen
7. Browser -> IdP: username, password
8. IdP: authentication
9. IdP -> SP (via Browser): handle
10. SP -> IdP: attribute request for the handle
11. IdP -> SP: provide attributes
12. SP -> Browser: access granted / ... denied, based on the attributes
13. Available Software

• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within the servlet 2.4 specification
• OLAT:
  • Custom SP implementation based on the old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code
15. Authentication: Phase 1

[Sequence diagram; participants: Browser, Main Sitemap, WAYF, IdP]
1. Browser -> Main Sitemap: request a protected page
2. Main Sitemap -> Browser: login screen
3. Browser: click link to the WAYF
4. WAYF -> Browser: show IdP selection
5. Browser -> WAYF: select IdP
6. WAYF -> Browser: redirect to the IdP
7. IdP -> Browser: login screen
8. Browser -> IdP: username, password
9. IdP: authentication
10. IdP -> Browser: handle
16. Authentication: Phase 2

[Sequence diagram; participants: Browser, Main Sitemap, Shibboleth Authenticator, Attr. Request Service, IdP]
1. Browser -> Main Sitemap: authentication (the handle from phase 1)
2. Main Sitemap -> Shibboleth Authenticator: authenticator action
3. Shibboleth Authenticator: parse SAML response
4. Shibboleth Authenticator -> Attr. Request Service: send attribute request
5. Attr. Request Service -> IdP: request
6. IdP -> Attr. Request Service: provide attributes
7. Attr. Request Service: parse SAML response
8. Shibboleth Authenticator: create transient user object, attach it to the session
17. Authentication: Classes

[Class diagram]
• DelegatingAuthenticatorAction: act(...) : Map
• <<interface>> Authenticator: authenticate(Request)
  • UserAuthenticator: authenticate(Request)
  • ShibbolethAuthenticator: authenticate(Request)
• <<interface>> AttributeRequestService: requestAttributes(BPR) : Map
• <<interface>> AttributeTranslator: translateSamlAttributes(Map) : Map
• UserFieldsMapper: passAttributes(TransientUser, Map), getFirstName(), getLastName(), ...
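The phase-2 steps "parse SAML response", "translate attributes" and "create transient user", worked through as an added example. This is not Lenya or OLAT code: the class and method names mirror the slide, but the attribute URNs, the mapping table and the TransientUser shape are assumptions, and the attribute statement is a constructed SAML 1.1 sample. It also hardens the XML parser against DTD and external-entity tricks, since the response arrives over the network.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (not Lenya/OLAT code): SAML 1.1 attribute statement -> local attributes -> transient user. */
public class ShibbolethAttributeExample {

    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri";

    /** Constructed sample response; attribute URNs and values are assumptions. */
    static final String SAMPLE_RESPONSE =
        "<saml:AttributeStatement xmlns:saml='" + SAML1_NS + "'>"
      + attr("urn:mace:dir:attribute-def:givenName", "Alice")
      + attr("urn:mace:dir:attribute-def:surname", "Example")
      + attr("urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization", "unizh.ch")
      + attr("urn:mace:dir:attribute-def:mail", "alice@example.org", "a.example@example.org")
      + attr("urn:mace:dir:attribute-def:eduPersonEntitlement", "urn:example:printer") // unmapped, dropped below
      + "</saml:AttributeStatement>";

    static String attr(String name, String... values) {
        StringBuilder sb = new StringBuilder("<saml:Attribute AttributeName='" + name
            + "' AttributeNamespace='" + ATTR_NS + "'>");
        for (String v : values) sb.append("<saml:AttributeValue>").append(v).append("</saml:AttributeValue>");
        return sb.append("</saml:Attribute>").toString();
    }

    /** Hardened DOM parser: no DTDs, no external entities, no XInclude. */
    static DocumentBuilder secureBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** "Parse SAML response": SAML attribute name -> values (SAML attributes are multi-valued). */
    static Map<String, List<String>> parseSamlAttributes(String xml) throws Exception {
        Document doc = secureBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, List<String>> attrs = new LinkedHashMap<>();
        NodeList attrNodes = doc.getElementsByTagNameNS(SAML1_NS, "Attribute");
        for (int i = 0; i < attrNodes.getLength(); i++) {
            Element a = (Element) attrNodes.item(i);
            List<String> values = attrs.computeIfAbsent(a.getAttribute("AttributeName"), k -> new ArrayList<>());
            NodeList valueNodes = a.getElementsByTagNameNS(SAML1_NS, "AttributeValue");
            for (int j = 0; j < valueNodes.getLength(); j++) {
                values.add(valueNodes.item(j).getTextContent().trim());
            }
        }
        return attrs;
    }

    /** AttributeTranslator.translateSamlAttributes: URN -> local field name (assumed table); unmapped attributes are dropped. */
    static final Map<String, String> TRANSLATION = Map.of(
        "urn:mace:dir:attribute-def:givenName", "firstName",
        "urn:mace:dir:attribute-def:surname", "lastName",
        "urn:mace:dir:attribute-def:mail", "mail",
        "urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization", "homeOrganization");

    static Map<String, List<String>> translateSamlAttributes(Map<String, List<String>> saml) {
        Map<String, List<String>> local = new LinkedHashMap<>();
        saml.forEach((urn, values) -> {
            String field = TRANSLATION.get(urn);
            if (field != null) local.put(field, values);
        });
        return local;
    }

    /** Session-scoped user built from released attributes; it is never written to the user store. */
    static final class TransientUser {
        private final Map<String, List<String>> attributes;
        TransientUser(Map<String, List<String>> attributes) { this.attributes = attributes; }
        String[] getAttributeValues(String name) {
            return attributes.getOrDefault(name, List.of()).toArray(new String[0]);
        }
        String getFirstName() { return first("firstName"); }
        String getLastName()  { return first("lastName"); }
        private String first(String name) { String[] v = getAttributeValues(name); return v.length == 0 ? null : v[0]; }
    }

    /** "Create transient user": refuse to build a user when the IdP released no home organization. */
    static TransientUser createTransientUser(Map<String, List<String>> saml) {
        TransientUser user = new TransientUser(translateSamlAttributes(saml));
        if (user.getAttributeValues("homeOrganization").length == 0) {
            throw new IllegalStateException("IdP released no home organization; refusing to create a session user");
        }
        return user;
    }

    public static void main(String[] args) throws Exception {
        TransientUser user = createTransientUser(parseSamlAttributes(SAMPLE_RESPONSE));
        System.out.println(user.getFirstName() + " " + user.getLastName()
            + " @ " + user.getAttributeValues("homeOrganization")[0]);
        System.out.println("mail: " + Arrays.toString(user.getAttributeValues("mail")));
    }
}
```

Two things the example deliberately leaves out, because a real SP does them before any of this: verifying the signature on the IdP's assertion and checking that the handle in the attribute query is the one issued to this browser session. Attributes from an unverified response must never reach the session object.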
21. AbstractGroup.contains()

    public boolean contains(Groupable member) {
        // Explicit membership first: is the member in the group's member set?
        boolean contains = members.contains(member);
        // Otherwise a user can be an implicit member through the group's attribute rule.
        if (!contains && member instanceof User && getRule() != null) {
            User user = (User) member;
            AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
            contains = evaluator.isComplied(user, getRule());
        }
        return contains;
    }
22. User Attributes: Classes

[Class diagram]
• <<interface>> Group: getMembers() : Groupable[], contains(Groupable); a Group holds * Groupables
• <<interface>> Groupable: getGroups() : Group[]
• <<interface>> User: getAttributeNames() : String, getAttributeValues(String) : String
• AbstractGroup: contains(Groupable)
• AbstractUser: setAttributeValues(String, String[])
• <<interface>> RuleEvaluator: validate(String) : ValidationResult, isComplied(User, String) : boolean
  • JexlEvaluator
  • AntlrEvaluator
24. JEXL

• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expression language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No rule-specific syntax check: any JEXL expression is accepted, not only group rules
  • It is difficult to identify dangerous code, since a rule is an arbitrary expression with access to the Java objects in its context
25. ANTLR

• About ANTLR
  • ANother Tool for Language Recognition
  • Framework for recognizers, interpreters, parsers, ...
  • Based on LL(k) grammars
  • 3-clause BSD license
• Advantages
  • Custom grammar allows a strict syntax check
  • No dangerous code accepted: only what the grammar defines can be parsed at all
• Disadvantages
  • Maintenance and enhancements require specific knowledge
  • Default error messages are hard to understand
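What "only what the grammar defines can be parsed" buys over a general expression language, shown as an added example that serves both the AbstractGroup.contains() rule evaluation (slide 21) and the JEXL/ANTLR comparison (slides 24 and 25). This is not Lenya's AntlrEvaluator and uses no ANTLR: it is a hand-written LL(1) parser for a small, fixed rule grammar (attribute comparisons joined by &&, ||, !, parentheses), evaluated directly against a user's multi-valued attributes. The attribute names and values are constructed; isComplied and validate mirror the RuleEvaluator interface on slide 22 but are assumptions about its semantics.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Lenya code): a strict, whitelisted grammar for group-membership rules.
 *   rule    := orExpr EOF
 *   orExpr  := andExpr ( '||' andExpr )*
 *   andExpr := unary ( '&&' unary )*
 *   unary   := '!' unary | '(' orExpr ')' | IDENT ('==' | '!=') STRING
 * Nothing else exists: no method calls, no arithmetic, no object navigation.
 */
public class StrictRuleEvaluator {

    private final String src;
    private int pos;
    private final Map<String, String[]> user;   // attribute name -> released values

    private StrictRuleEvaluator(String rule, Map<String, String[]> user) { this.src = rule; this.user = user; }

    /** RuleEvaluator.isComplied(User, String): true iff the user's attributes satisfy the rule. */
    static boolean isComplied(Map<String, String[]> userAttributes, String rule) {
        StrictRuleEvaluator p = new StrictRuleEvaluator(rule, userAttributes);
        boolean result = p.orExpr();
        p.skipWs();
        if (p.pos != p.src.length()) throw p.error("unexpected input");
        return result;
    }

    /** RuleEvaluator.validate(String): null if the rule parses, otherwise the error message. */
    static String validate(String rule) {
        try { isComplied(Collections.emptyMap(), rule); return null; }
        catch (IllegalArgumentException e) { return e.getMessage(); }
    }

    // Both operands are always parsed (no short-circuit), so a syntax error anywhere is reported.
    private boolean orExpr() {
        boolean v = andExpr();
        while (accept("||")) v = andExpr() || v;
        return v;
    }
    private boolean andExpr() {
        boolean v = unary();
        while (accept("&&")) v = unary() && v;
        return v;
    }
    private boolean unary() {
        if (accept("!")) return !unary();
        if (accept("(")) { boolean v = orExpr(); expect(")"); return v; }
        String name = ident();
        boolean negate;
        if (accept("==")) negate = false;
        else if (accept("!=")) negate = true;
        else throw error("expected == or !=");
        String literal = string();
        // Multi-valued attributes: '==' holds if any released value matches.
        boolean match = Arrays.asList(user.getOrDefault(name, new String[0])).contains(literal);
        return negate ? !match : match;
    }
    private String ident() {
        skipWs();
        int start = pos;
        while (pos < src.length() && (Character.isLetterOrDigit(src.charAt(pos)) || src.charAt(pos) == '_')) pos++;
        if (start == pos) throw error("expected attribute name");
        return src.substring(start, pos);
    }
    private String string() {
        skipWs();
        if (pos >= src.length() || src.charAt(pos) != '\'') throw error("expected quoted value");
        int start = ++pos;
        while (pos < src.length() && src.charAt(pos) != '\'') pos++;   // no escape sequences, by design
        if (pos >= src.length()) throw error("unterminated string");
        return src.substring(start, pos++);
    }
    private boolean accept(String tok) {
        skipWs();
        if (src.startsWith(tok, pos)) { pos += tok.length(); return true; }
        return false;
    }
    private void expect(String tok) { if (!accept(tok)) throw error("expected '" + tok + "'"); }
    private void skipWs() { while (pos < src.length() && Character.isWhitespace(src.charAt(pos))) pos++; }
    private IllegalArgumentException error(String msg) {
        return new IllegalArgumentException(msg + " at position " + pos + " in: " + src);
    }

    public static void main(String[] args) {
        // Constructed attributes for one user, as an IdP might release them.
        Map<String, String[]> alice = new HashMap<>();
        alice.put("swissEduPersonHomeOrganization", new String[] {"unizh.ch"});
        alice.put("swissEduPersonHomeOrganizationType", new String[] {"university"});
        alice.put("eduPersonAffiliation", new String[] {"staff", "member"});

        String rule = "swissEduPersonHomeOrganizationType == 'university'"
                    + " && (eduPersonAffiliation == 'staff' || eduPersonAffiliation == 'faculty')";
        System.out.println(isComplied(alice, rule));                                           // true
        System.out.println(isComplied(alice, "swissEduPersonHomeOrganization != 'unizh.ch'")); // false

        // What a general expression language would evaluate, and this grammar rejects outright:
        System.out.println(validate("user.getClass().forName('java.lang.Runtime')"));
        System.out.println(validate("eduPersonAffiliation == 'staff' || 1 == 1"));
    }
}
```

The point is the shape of the grammar, not the parser technology: whether it is generated by ANTLR or written by hand, a rule language that can only express attribute comparisons has no "dangerous code" to look for, which is exactly the check the JEXL approach cannot offer.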