1. Single-Sign-On with
Lenya and Shibboleth
Jann Forrer, University of Zurich
Andreas Hartmann, BeCompany GmbH
1

2. Agenda
Authentication and authorization infrastructure
Single-Sign-On with Shibboleth
Integration in Apache Lenya
Attribute-based authorization
Attribute rule evaluation options
2

3. Authentication and
Authorization
Infrastructure
3

4. Without AAI
University of Zurich
Web Mail
Course Reg.
E-Learning
University of Berne
Research DB
Library
Student Admin.
Authentication Authorization
4

5. With standards-based AAI
AAI
University of Zurich
Web Mail
Course Reg.
E-Learning
University of Berne
Research DB
Library
Student Admin.
Authentication Authorization
5

6. Benefits
• Virtualized ID: Service providers can save
registration and administration efforts
• Standardized interfaces: Service providers can easily
integrate users of other organizations
• Standardized authentication: Users can access
various services at different organizations with a
single password
6

7. Identity Provider (IdP)
• aka „home organizations“
• Universities, Libraries, Hospitals, ...
• Responsibilities:
• Registering users
• Maintaining user information („attributes“)
• Providing an authentication service
• Providing credentials for authorization decisions
7

8. Service Provider (SP)
• aka „resources“
• provide restricted information / applications
• Benefits:
• No registration authority necessary
• No user management necessary
• User base grows with registered IdPs
• Reliable security mechanism
• Access to standardized attributes for authorization
8

9. SWITCH AAI Attributes
• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...
9

10. Single-Sign-On
with Shibboleth
10

11. Browser
SP
WAYF
IdP
Request
Accessing a Service
Redirect to
Protected
WAYF
Page
Show IdP
Selection
Select IdP
Redirect
to IdP
Login
Screen
Username,
Password
Authenti-
cation
Handle
Attribute
Request
Provide
Attributes
Attributes
Granted /
... Denied
11

12. The Shibboleth Project
• Internet2: US networking consortium,
led by research and education community
• Middleware Architecture Committee for Education
• PKI
• URN namespace
• course data infrastructure
• ...
• Open Source (Apache License 2.0)
• Standards based: SAML, SSL, LDAP, ...
12

13. Available Software
• Shibboleth Project:
• Apache modules for SP and IdP
• Java SP implementation (stalled)
• New Java SP implementation in progress:
servlet filter within servlet 2.4 specification
• OLAT:
• Custom SP impl. based on old Shibboleth Java SP
• Lenya:
• Uses (slightly modified) OLAT code
13

14. Integration in
Apache Lenya
14

15. Browser
Main
Sitemap
WAYF
IdP
Authentication: Phase 1
Request
Protected
Login
Page
Screen
Click link
to WAYF
Show IdP
Selection
Select IdP
Redirect
to IdP
Login
Screen
Username,
Password
Authenti-
cation
Handle
15

16. Authentication: Phase 2
Browser
Main
Sitemap
Shibboleth
Authenticator
Attr. Request
Service
IdP
Authenti-
cation
Authenticator
Parse SAML
Action
Send attr.
response
request
Provide
attributes
Parse SAML
Create response
transient
user object,
attach it to
the session
16

17. Authentication: Classes
DelegatingAuthenticatorAction
act(...) : Map
<<interface>>
Authenticator
authenticate(Request)
<<interface>>
AttributeRequestService
requestAttributes(BPR) : Map
UserAuthenticator
authenticate(Request) <<interface>>
AttributeTranslator
translateSamlAttributes(Map) : Map
ShibbolethAuthenticator
authenticate(Request)
UserFieldsMapper
passAttributes(TransientUser, Map)
getFirstName()
getLastName()
...
17

18. Attribute-based
Authorization
18

19. User Attributes in Lenya
• Expressions for evaluation, e.g.
• givenName == „John“ && surname == „Doe“
• eduPersonScopedAffiliation == „student“
• Can be obtained from various identity providers, e.g.
• Shibboleth IdP (TransientUser)
• LDAP server (LDAPUser)
19

20. Attribute Evaluation in Lenya
• Interface User provides access to attributes:
User.getAttributeNames() : String[]
User.getAttributeValues(String name): String[]
• Interface Group allows to set rules:
Group.setRule(String)
Group.getRule() : String
• Method AbstractGroup.contains(Groupable)
evaluates the rule using a RuleEvaluator
implementation
20

21. AbstractGroup.contains()
public boolean contains(Groupable member) {
boolean contains = members.contains(member);
if (!contains && member instanceof User
&& getRule() != null) {
User user = (User) member;
AttributeRuleEvaluator evaluator
= getAttributeRuleEvaluator();
contains = evaluator.isComplied(user, getRule());
}
return contains;
}
21

22. User Attributes: Classes
<<interface>>
<<interface>>
Group
Groupable
getMembers() : Groupable[]
*
getGroups() : Group[]
contains(Groupable)
<<interface>>
User AbstractGroup
getAttributeNames() : String contains(Groupable)
getAttributeValues(String) : String
<<interface>>
RuleEvaluator
AbstractUser
validate(String) : ValidationResult
setAttributeValues(String, String[]) isComplied(User, String) : boolean
JexlEvaluator AntlrEvaluator
22

23. Attribute Rule
Evaluation Options
23

24. JEXL
• About JEXL
• Java Expression Language
• Apache Jakarta Commons project
• Inspired by Velocity and the JSTL expr. language
• Advantages
• Very easy to integrate (only a couple of lines)
• No custom grammar necessary
• Disadvantages
• No specific rule syntax check
• It‘s difficult to identify dangerous code
24

25. ANTLR
• About ANTLR
• Another Tool for Language Recognition
• Framework for recognizers, interpreters, parsers, ...
• based on LL(k) grammars
• 3-clause BSD license
• Advantages
• Custom grammar for strict syntax check
• No dangerous code accepted
• Disadvantages
• Maintenance and enhancements require specific
knowledge
• Default error messages are hard to understand
25

26. More Options
• Different language recognizer generators
• JavaCC
• SableCC
• CUP
• Pre-defined rules to select from
• GUI-based rule editing (graphical expression editor)
26

27. Questions and
Discussion
27