Lenya and Shibboleth

  1. Single-Sign-On with Lenya and Shibboleth
     Jann Forrer, University of Zurich
     Andreas Hartmann, BeCompany GmbH
  2. Agenda
     • Authentication and authorization infrastructure
     • Single-Sign-On with Shibboleth
     • Integration in Apache Lenya
     • Attribute-based authorization
     • Attribute rule evaluation options
  3. Authentication and Authorization Infrastructure
  4. Without AAI
     [Diagram: University of Zurich (Web Mail, Course Reg., E-Learning) and University of Berne (Research DB, Library, Student Admin.); each service does its own authentication and authorization]
  5. With standards-based AAI
     [Diagram: the same services at the University of Zurich and the University of Berne; authentication and authorization go through the AAI]
  6. Benefits
     • Virtualized ID: Service providers can save registration and administration efforts
     • Standardized interfaces: Service providers can easily integrate users of other organizations
     • Standardized authentication: Users can access various services at different organizations with a single password
  7. Identity Provider (IdP)
     • aka „home organizations“
     • Universities, Libraries, Hospitals, ...
     • Responsibilities:
       • Registering users
       • Maintaining user information („attributes“)
       • Providing an authentication service
       • Providing credentials for authorization decisions
  8. Service Provider (SP)
     • aka „resources“
     • provide restricted information / applications
     • Benefits:
       • No registration authority necessary
       • No user management necessary
       • User base grows with registered IdPs
       • Reliable security mechanism
       • Access to standardized attributes for authorization
  9. SWITCH AAI Attributes
     • swissEduPersonUniqueID
     • surname
     • givenName
     • swissEduPersonDateOfBirth
     • swissEduPersonGender
     • preferredLanguage
     • mail
     • swissEduPersonHomeOrganization
     • swissEduPersonHomeOrganizationType
     • ...
  10. Single-Sign-On with Shibboleth
  11. [Sequence diagram; participants: Browser, SP, WAYF, IdP]
      • Browser → SP: request accessing a protected page
      • SP → Browser: redirect to WAYF
      • WAYF → Browser: show IdP selection
      • Browser → WAYF: select IdP
      • WAYF → Browser: redirect to IdP
      • IdP → Browser: login screen
      • Browser → IdP: username, password
      • IdP: authentication
      • IdP → SP (via Browser): handle
      • SP → IdP: attribute request
      • IdP → SP: provide attributes
      • SP: attributes evaluated; granted / ... / denied
  12. The Shibboleth Project
      • Internet2: US networking consortium, led by research and education community
      • Middleware Architecture Committee for Education
        • PKI
        • URN namespace
        • course data infrastructure
        • ...
      • Open Source (Apache License 2.0)
      • Standards based: SAML, SSL, LDAP, ...
  13. Available Software
      • Shibboleth Project:
        • Apache modules for SP and IdP
        • Java SP implementation (stalled)
        • New Java SP implementation in progress: servlet filter within servlet 2.4 specification
      • OLAT:
        • Custom SP impl. based on old Shibboleth Java SP
      • Lenya:
        • Uses (slightly modified) OLAT code
  14. Integration in Apache Lenya
  15. Authentication: Phase 1
      [Sequence diagram; participants: Browser, Main Sitemap, WAYF, IdP]
      • Browser → Main Sitemap: request protected page
      • Main Sitemap → Browser: login screen
      • Browser: click link to WAYF
      • WAYF → Browser: show IdP selection
      • Browser → WAYF: select IdP
      • WAYF → Browser: redirect to IdP
      • IdP → Browser: login screen
      • Browser → IdP: username, password
      • IdP: authentication
      • IdP → Main Sitemap (via Browser): handle
  16. Authentication: Phase 2
      [Sequence diagram; participants: Browser, Main Sitemap, Shibboleth Authenticator, Attr. Request Service, IdP]
      • Browser → Main Sitemap: authentication (with the handle from phase 1)
      • Main Sitemap → Shibboleth Authenticator: Authenticator Action
      • Shibboleth Authenticator: parse SAML response
      • Shibboleth Authenticator → Attr. Request Service → IdP: send attr. request
      • IdP → Attr. Request Service: provide attributes
      • Attr. Request Service: parse SAML response
      • Shibboleth Authenticator: create transient user object, attach it to the session
  17. Authentication: Classes
      [Class diagram]
      • DelegatingAuthenticatorAction: act(...) : Map
      • <<interface>> Authenticator: authenticate(Request)
      • UserAuthenticator: authenticate(Request)
      • ShibbolethAuthenticator: authenticate(Request)
      • <<interface>> AttributeRequestService: requestAttributes(BPR) : Map
      • <<interface>> AttributeTranslator: translateSamlAttributes(Map) : Map
      • UserFieldsMapper: passAttributes(TransientUser, Map), getFirstName(), getLastName(), ...
  18. Attribute-based Authorization
  19. User Attributes in Lenya
      • Expressions for evaluation, e.g.
        • givenName == „John“ && surname == „Doe“
        • eduPersonScopedAffiliation == „student“
      • Can be obtained from various identity providers, e.g.
        • Shibboleth IdP (TransientUser)
        • LDAP server (LDAPUser)
  20. Attribute Evaluation in Lenya
      • Interface User provides access to attributes:
          User.getAttributeNames() : String[]
          User.getAttributeValues(String name) : String[]
      • Interface Group allows to set rules:
          Group.setRule(String)
          Group.getRule() : String
      • Method AbstractGroup.contains(Groupable) evaluates the rule using a RuleEvaluator implementation
  21. AbstractGroup.contains()
      public boolean contains(Groupable member) {
          // explicit membership first
          boolean contains = members.contains(member);
          // otherwise a user can still qualify through the group's attribute rule
          if (!contains && member instanceof User && getRule() != null) {
              User user = (User) member;
              AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
              contains = evaluator.isComplied(user, getRule());
          }
          return contains;
      }
  22. User Attributes: Classes
      [Class diagram]
      • <<interface>> Group: getMembers() : Groupable[], contains(Groupable)   (members: * Groupable)
      • <<interface>> Groupable: getGroups() : Group[]
      • <<interface>> User: getAttributeNames() : String[], getAttributeValues(String) : String[]
      • AbstractGroup: contains(Groupable)
      • AbstractUser: setAttributeValues(String, String[])
      • <<interface>> RuleEvaluator: validate(String) : ValidationResult, isComplied(User, String) : boolean
      • JexlEvaluator
      • AntlrEvaluator
  23. Attribute Rule Evaluation Options
  24. JEXL
      • About JEXL
        • Java Expression Language
        • Apache Jakarta Commons project
        • Inspired by Velocity and the JSTL expr. language
      • Advantages
        • Very easy to integrate (only a couple of lines)
        • No custom grammar necessary
      • Disadvantages
        • No specific rule syntax check
        • It's difficult to identify dangerous code
  25. ANTLR
      • About ANTLR
        • Another Tool for Language Recognition
        • Framework for recognizers, interpreters, parsers, ...
        • based on LL(k) grammars
        • 3-clause BSD license
      • Advantages
        • Custom grammar for strict syntax check
        • No dangerous code accepted
      • Disadvantages
        • Maintenance and enhancements require specific knowledge
        • Default error messages are hard to understand
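The following is an added example and is not code from the slides, from Lenya or from ANTLR: a hand-written recursive-descent evaluator for group rules of the kind shown on slide 19, in the role slide 22 gives RuleEvaluator (validate and isComplied) and illustrating the ANTLR-route trade-off of slide 25 against the JEXL route of slide 24. The grammar, the class name StrictRuleEvaluator, the reduced User interface, ASCII double quotes around literals and the sample attribute values are all assumptions; Lenya's real AntlrEvaluator is generated from a grammar the deck does not show.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example (not Lenya code). Assumed grammar, hand-written here instead of
 * being generated by ANTLR:
 *   expr   := term ('||' term)*
 *   term   := factor ('&&' factor)*
 *   factor := '!' factor | '(' expr ')' | NAME ('==' | '!=') STRING
 * Only attribute comparisons are derivable, so a rule cannot name a method or an
 * application object: that is the "no dangerous code accepted" property, and a
 * malformed rule is reported at its position instead of being partially evaluated.
 */
public class StrictRuleEvaluator {

    /** Stand-in for Lenya's User interface, reduced to the two methods on slide 20. */
    public interface User {
        String[] getAttributeNames();
        String[] getAttributeValues(String name);
    }

    /** Outcome of a syntax check: position and message for the rule author. */
    public static final class ValidationResult {
        public final boolean valid;
        public final String message;
        ValidationResult(boolean valid, String message) { this.valid = valid; this.message = message; }
        @Override public String toString() { return valid ? "valid" : "invalid (" + message + ")"; }
    }

    private final String src;
    private final User user;   // null while only validating syntax
    private int pos;

    private StrictRuleEvaluator(String rule, User user) { this.src = rule; this.user = user; }

    /** Syntax check without a user, e.g. when an administrator saves a group rule. */
    public static ValidationResult validate(String rule) {
        try {
            new StrictRuleEvaluator(rule, null).parseAll();
            return new ValidationResult(true, "");
        } catch (IllegalArgumentException e) {
            return new ValidationResult(false, e.getMessage());
        }
    }

    /** Evaluates the rule against a user; a malformed rule throws rather than granting access. */
    public static boolean isComplied(User user, String rule) {
        return new StrictRuleEvaluator(rule, user).parseAll();
    }

    private boolean parseAll() {
        boolean result = expr();
        skipWs();
        if (pos != src.length()) throw error("unexpected input");
        return result;
    }

    // Both operands are always parsed (non-short-circuit | and &), so a syntax error
    // on the right-hand side is reported even when the left-hand side already decides.
    private boolean expr() {
        boolean result = term();
        while (accept("||")) result = term() | result;
        return result;
    }

    private boolean term() {
        boolean result = factor();
        while (accept("&&")) result = factor() & result;
        return result;
    }

    private boolean factor() {
        if (accept("!")) return !factor();
        if (accept("(")) {
            boolean inner = expr();
            if (!accept(")")) throw error("expected ')'");
            return inner;
        }
        String name = name();
        boolean negate;
        if (accept("==")) negate = false;
        else if (accept("!=")) negate = true;
        else throw error("expected '==' or '!='");
        String literal = string();
        // Attributes are multi-valued (String[]); the comparison holds if any value matches.
        boolean matches = user != null && Arrays.asList(values(name)).contains(literal);
        return negate != matches;
    }

    private String[] values(String name) {
        String[] v = user.getAttributeValues(name);
        return v == null ? new String[0] : v;   // unknown attribute: no values
    }

    private void skipWs() {
        while (pos < src.length() && Character.isWhitespace(src.charAt(pos))) pos++;
    }

    private boolean accept(String token) {
        skipWs();
        if (src.startsWith(token, pos)) { pos += token.length(); return true; }
        return false;
    }

    private String name() {
        skipWs();
        int start = pos;
        while (pos < src.length() && (Character.isLetterOrDigit(src.charAt(pos)) || src.charAt(pos) == '_')) pos++;
        if (start == pos) throw error("expected attribute name");
        return src.substring(start, pos);
    }

    private String string() {
        skipWs();
        if (pos >= src.length() || src.charAt(pos) != '"') throw error("expected quoted string");
        int start = ++pos;
        while (pos < src.length() && src.charAt(pos) != '"') pos++;
        if (pos >= src.length()) throw error("unterminated string");
        return src.substring(start, pos++);
    }

    private IllegalArgumentException error(String what) {
        return new IllegalArgumentException(what + " at position " + pos + " in rule: " + src);
    }

    public static void main(String[] args) {
        // Constructed sample user; attribute names follow slides 9 and 19.
        final Map<String, String[]> attrs = new HashMap<>();
        attrs.put("givenName", new String[] {"John"});
        attrs.put("surname", new String[] {"Doe"});
        attrs.put("eduPersonScopedAffiliation", new String[] {"student", "member"});
        User john = new User() {
            public String[] getAttributeNames() { return attrs.keySet().toArray(new String[0]); }
            public String[] getAttributeValues(String name) { return attrs.get(name); }
        };
        String[] rules = {
            "givenName == \"John\" && surname == \"Doe\"",      // conjunction of two comparisons
            "eduPersonScopedAffiliation == \"student\"",        // multi-valued attribute
            "!(surname == \"Doe\") || givenName != \"John\"",   // negation and disjunction
            "givenName == \"John\" &&",                         // dangling operator: rejected by validate()
            "surname.length() == \"3\"",                        // method call: not derivable from the grammar
        };
        for (String rule : rules) {
            ValidationResult check = validate(rule);
            System.out.println(rule + "  =>  " + (check.valid ? isComplied(john, rule) : check));
        }
    }
}
```

The design point is the one slide 25 makes: with a purpose-built grammar the parser itself is the security boundary, so validate() can refuse a rule at save time and isComplied() never sees an expression that could do more than compare attribute values. The price, also as on slide 25, is that extending the rule language (new operators, wildcards, scoped-affiliation matching) means changing the grammar rather than just the evaluator call.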
  26. More Options
      • Different language recognizer generators
        • JavaCC
        • SableCC
        • CUP
      • Pre-defined rules to select from
      • GUI-based rule editing (graphical expression editor)
  27. Questions and Discussion
