Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud


To view a recording of this presentation go to: http://www.acquia.com/resources/acquia-tv/conference/leverage-drupal-shibboleth-and-opensaml-connect-federated-identity-0

  • Speaking on a purely personal basis, and not on behalf of any of my affiliations. My views are entirely my own, and I am very thankful for Acquia hosting this forum.
    1. Using Drupal, SAML, and Shibboleth to bring users to the cloud
       • Nate Klingenstein
       • [email_address]
       • Internet2 / InCommon Federation / Shibboleth Consortium
       • Greg Knaddison
       • Acquia
       • 30 November, 2011
       • Acquia Webinar Series

    2. Connecting to the Cloud
       • Two necessary infrastructure components
         ◦ A great network connection
         ◦ Effective identity management
       • Two necessary business components
         ◦ Software architected to integrate with you
         ◦ Excellent, professional service

    3. A Brief History of Identity Management
       • Isolated accounts
       • Centralized user databases
         ◦ LDAP, SQL
       • Single sign-on
         ◦ Kerberos, various others like CAS, PKI?
       • Federated identity
         ◦ SAML, OpenID, OAuth, Shibboleth

    4. Federated Identity
       • A generalization of older single sign-on systems
         ◦ No tight coupling between identity sources and applications or services
         ◦ No presumptions about trust or authority

    5. Federated Identity
       • Identity Providers (IdP) supply user information and an authentication service
         ◦ Generally as a stand-alone service
       • Service Providers (SP) process user information, protect resources, and supply applications with trusted data
         ◦ Generally integrated tightly into the web environment

    6. Federated Identity Benefits
       • Automated provisioning, but deprovisioning requires some thought
       • Provides single sign-on for both local and cloud services
       • Authoritative attributes provide applications with quality, trusted data
       • Applications can be easily shared between many organizations

    8. SAML v2.0
       • Security Assertion Markup Language
       • A set of tokens and a set of protocols used to convey those tokens
         ◦ Tokens may be used independently of the protocols
       • Standardized in March 2005
         ◦ Ongoing spec development for new features continues, but likely never a new, breaking version

    9. SAML v2.0 Deployment
       • Widespread commercial support
         ◦ Oracle, Microsoft, Novell, CA, PingIdentity, etc.
       • Widespread SaaS vendor support
         ◦ Google, Microsoft, Salesforce, ADP, etc.
       • Excellent free, open source solutions
         ◦ Shibboleth, simpleSAMLphp, OpenSSO, etc.

    10. SAML 2.0 IdP Deployment
       • Widespread deployment and dominant market share in a variety of verticals
         ◦ Education, finance, real estate, justice, defense, conglomerates
       • Approximately 4,000 research and education deployments
         ◦ ~100% coverage in some countries
         ◦ 10+ million vetted accounts

    11. Shibboleth
       • Project since ~2001, code since ~2003
       • Dominant market share in academia
         ◦ Thousands of deployments, millions of users
         ◦ Widely used in real estate, justice, and increasingly in financial and corporate verticals
       • Transitioning from Internet2 project to consortium & new org for sustainability

    12. Shibboleth
       • Free, open-source software
       • Small but global development team
       • Modified Apache-style licensing; no BSD
       • Architected for large-scale multi-lateral identity; easily used for bilateral collaborations too
       • Focus on trusted attributes in addition to providing standard single sign-on

    13. Technical Deep Dive Overview
       • Geeking out for a moment – please forgive us…
       • Identity Provider (IdP) implementation and deployment
       • Service Provider (SP) implementation and deployment

    14. Shibboleth IdP
       • Java webapp to be deployed into a standard servlet container
         ◦ Apache Tomcat, JBoss, Jetty, etc.
         ◦ Future releases will be distributed with a bundled servlet container; existing packaging will still be available

    15. Shibboleth IdP
       • Highly scalable with a variety of clustering options
         ◦ Concurrent login attempts are CPU-bound, concurrent sessions are RAM-bound
         ◦ Scales easily to hundreds of thousands
       • Designed to integrate with IdM systems, not replace them
         ◦ Authentication and attribute connectors available for common choices; extensible

    16. Shibboleth SP
       • Written in C++
       • In-process module loaded by the web server
         ◦ Apache (worker mode preferred) or ISAPI
       • Out-of-process daemon

    17. Shibboleth SP
       • No API
       • Application integration at 3 points:
         ◦ Session creation/login (automatically enforced, or application triggered)
         ◦ Session recall/attributes (environment variables or header variables with IdP info and user attributes)
         ◦ Session destruction/logout

    18. Shibboleth Trust
       • As promiscuous or as exclusive as you would like
         ◦ Federations are communities of providers that act by the same rules, to reduce the handshake problem
       • We don’t have much faith in commercial certificates
         ◦ Comes from experience

    19. Drupal and Shibboleth
       • Drupal plugin developed by the Hungarian Federation (NIIF)
       • Relies on having the Shibboleth SP installed and configured
         ◦ We like this: avoids the dangers of homemade security software, incorporates new Shibboleth features easily, no lock-in

    20. Drupal and Shibboleth
       • Provides basic login and logout links
         ◦ Integrated with both Drupal and Shibboleth, making session management easier
       • Maps SAML attributes to Drupal roles
       • Since Shibboleth interoperates with many commercial SAML offerings, so too will “Shibbolized Drupal”

    21. Shibboleth, SAML & Acquia Cloud

    22. Example Drupal Deployments
       • Two San Francisco based higher education institutions
         ◦ Acquia Commons for faculty, staff, and student collaboration
         ◦ Second running 21 custom Drupal multi-sites
       • Running in Acquia Managed Cloud
       • Running the SP daemon
       • Load balanced with sticky sessions to support Shibboleth
         ◦ Could use the SP on a single web server or shared database storage
         ◦ Using sticky sessions improves scalability/reliability

    23. Example Drupal Deployments
       • Benefits
         ◦ Centralized auditing of logins
         ◦ Provisioning efficiency, de-provisioning completeness
       • Gotchas:
         ◦ The shibauth Drupal module always creates Drupal accounts

    24. My Thanks to Acquia
       • [email_address]
       • http://www.internet2.edu/
       • http://www.incommon.org/
       • http://shibboleth.net/
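Slides 17, 20 and 23 together describe the application side of the SP integration: the SP hands the application IdP information and user attributes as environment or header variables, the Drupal module maps those attributes to roles, and the module provisions an account for every user the SP lets through. The PHP below is an added example written for this page, not code from the shibauth module or the Shibboleth project. It assumes the SP's default variable names (`Shib-Session-ID`, `Shib-Identity-Provider`) and the default attribute ids `eppn` and `affiliation`; the role map and the sample request data are constructed for the example.

```php
<?php
// Added example (not shibauth or Shibboleth SP code): consume the variables the
// Shibboleth SP exposes to a Drupal request and decide which roles to grant and
// whether an account should be provisioned at all. Attribute ids and the role
// map are assumptions for this example.

/**
 * Fetch one SP-supplied variable. With Apache in environment mode the SP sets
 * the variable under its own name ("Shib-Session-ID"); in header mode PHP sees
 * it as HTTP_SHIB_SESSION_ID. Environment mode is preferred: a client can send
 * arbitrary request headers, so header mode is only safe when the SP is in
 * front of every request and overwrites those headers.
 */
function shib_var(array $server, string $name): string {
    $header_name = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return (string) ($server[$name] ?? $server[$header_name] ?? '');
}

/** True only when the SP has actually established a session for this request. */
function shib_session_present(array $server): bool {
    return shib_var($server, 'Shib-Session-ID') !== '';
}

/**
 * Split a multi-valued attribute. The SP joins values with ';' and escapes a
 * literal semicolon inside a value as '\;', so split only on unescaped ';'.
 */
function shib_attribute_values(array $server, string $name): array {
    $raw = shib_var($server, $name);
    if ($raw === '') {
        return [];
    }
    $parts = preg_split('/(?<!\\\\);/', $raw);
    return array_map(fn(string $v): string => str_replace('\\;', ';', $v), $parts);
}

/**
 * Map attribute values to Drupal role names.
 * $role_map = ['affiliation' => ['staff' => 'staff member', ...], ...]
 * Only values present in the SP-supplied attribute produce a role.
 */
function shib_roles_for(array $server, array $role_map): array {
    $roles = [];
    foreach ($role_map as $attribute => $rules) {
        $values = shib_attribute_values($server, $attribute);
        foreach ($rules as $value => $role) {
            if (in_array($value, $values, true)) {
                $roles[$role] = true;
            }
        }
    }
    return array_keys($roles);
}

/**
 * Gate for the slide-23 gotcha: provision a Drupal account only when the SP
 * session exists, exactly one stable identifier (eppn) arrived, and at least
 * one role could be derived. Anyone else is authenticated by the IdP but has
 * no business in this site, so no account is created for them.
 */
function shib_should_provision(array $server, array $role_map): bool {
    if (!shib_session_present($server)) {
        return false;
    }
    if (count(shib_attribute_values($server, 'eppn')) !== 1) {
        return false;
    }
    return shib_roles_for($server, $role_map) !== [];
}

// Constructed sample of what $_SERVER looks like behind the SP in environment mode.
$sample_request = [
    'Shib-Session-ID'        => '_constructed-session-id',
    'Shib-Identity-Provider' => 'https://idp.example.edu/idp/shibboleth',
    'eppn'                   => 'jdoe@example.edu',
    'affiliation'            => 'member@example.edu;staff@example.edu',
];
$role_map = [
    'affiliation' => [
        'staff@example.edu'   => 'staff member',
        'faculty@example.edu' => 'faculty member',
        'student@example.edu' => 'student',
    ],
];

var_dump(shib_should_provision($sample_request, $role_map));
print_r(shib_roles_for($sample_request, $role_map));
```

In a real module the provisioning gate would run before the account is created and the role list would be re-applied on every login, so that a user whose affiliation disappears at the IdP also loses the role in Drupal rather than keeping it until someone notices.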