Federated Authentication in a Campus System

1. Federated Authentication in a Campus System Liferay .edu User Group, January 7, 2014 Matthew Hanlon Maytal Dahan

2. Introduction ● Texas Advanced Computing Center (TACC) ○ Advanced computing center with a diverse set of resources - high performance computing, visualization, data centers, cloud computing, etc. ● TACC is part of The University of Texas System ○ 9 universities ○ 6 health institutions ● Our main goal is to maximize productivity and help support educators, scientists and researchers by lowering the barrier of entry into these systems. One way to accomplish that is via federated identities ● Use a single identity to authenticate to authenticate to the user portal to apply for allocations on our resources, manage resource usage, etc.

3. Federated Authentication Allowing users to link a single identity and attributes across several distinct identity management systems. Technologies: • SAML • OAuth • OpenID • also, LDAP, Active Directory

4. Terminology IdP - Identity Provider This is the entity that “provides” the authentication and authorization, and to whom the end user authenticates. SP - Service Provider This is the entity providing a service that the user wants to use, e.g., a Liferay Portal. SAML - Security Assertion Markup Language XML-based open standard data format for exchanging authentication and authorization data between parties

5. 1. The SP detects the user attempting to access restricted content within the resource. 2. The SP generates an authentication request, then sends the request, and the user, to the user's IdP. 3. The IdP authenticates the user, then sends the authentication response, and the user, back to the SP. 4. The SP verifies the IdP's response and sends the request through to the resource which returns the originally requested content. Source: https://wiki.shibboleth.net/confluence/display/SHIB2/NewUnderstandingShibboleth

6. UT System Research Cyberinfrastructure (UTRC) • Project within The University of Texas System • Improve the quality of IT for research for all 15 UT System Institutions • High-speed Networking, including “last mile” • Access to advanced data and storage capability (TACC) • Access to high performance computing (HPC) resources (TACC) • TACC provides access to the Data and HPC resources via the TACC User Portal (TUP) as well as other access methodologies (SSH, FTP, GridFTP, etc.)

7. Hurdles • Onboarding hundreds to thousands of new users who lack experience using HPC resources • Requirement to use campus credentials for login to prevent users from having to create/memorize additional username/password • need to federate authentication to 15 institutions • Must retain current authentication/authorization in TUP for non-UT users • also, existing users may want to enable login using campus credential • Accounting requirements for accessing HPC resources • export control, “countries of concern” • need assurances of compliance

8. UTFed/IdP Proxy Source: https://spaces.internet2. edu/display/GS/SAMLIdPProx y UTFed: https://idm.utsystem.edu/utfed TACC User Portal UT System SP acts as UT System IdP UTFed - UT System Institutions

9. SAML Authentication in Liferay What we didn’t use: Liferay EE SAML Plugin: https://www.liferay.com/marketplace/-/mp/application/15188711 Enables configuring Liferay as an IdP or SP according to the SAML2 spec What we did use: Shibboleth2 with Apache mod_shib Custom AutoLogin hook for SAML login Custom Portlet for inital account creation/linking

10. Installing Shibboleth (on CentOS 6) $> cat /etc/yum.repos.d/security-shibboleth.repo [security_shibboleth] name=Shibboleth (CentOS_CentOS-6) type=rpm-md baseurl=http://download.opensuse.org/repositories/security: /shibboleth/CentOS_CentOS-6/ gpgcheck=1 gpgkey=http://download.opensuse.org/repositories/security: /shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key enabled=1

11. <ApplicationDefaults entityID="https://portal.tacc.utexas.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id" attributePrefix="AJP_"> <SSO entityID="https://sso.utrc.utsystem.edu/simplesaml/saml2/idp/metadata.php" discoveryProtocol="SAMLDS"> SAML2 SAML1 </SSO> <MetadataProvider type="XML" reloadInterval="86400" uri="https://sso.utrc.utsystem.edu/simplesaml/saml2/idp/metadata.php"> </MetadataProvider> <MetadataProvider type="XML" uri="https://idm.utsystem.edu/downloads/UTfed-metadata.xml" backingFilePath="UTfed-metadata.xml" reloadInterval="7200"> <MetadataFilter type="Signature" certificate="utfedops-sign.crt"/> </MetadataProvider> </ApplicationDefaults> Shibboleth2 Configuration

12. mod_shib Configuration <Location /utdr> # this is a path that exists in Liferay AuthType shibboleth ShibRequestSetting requireSession 1 require valid-user </Location>

13. portal.properties auto.login.hooks=edu.utexas.tacc.liferay.portal.security.auth.UtdrShibbolethAutoLogin AutoLogin Hook UtdrShibbolethAutoLogin public String[] login(HttpServletRequest request, HttpServletResponse response) throws AutoLoginException { String[] creds = null; String fedId = (String) request.getAttribute("eppn"); Account user = null; try { user = dao.findAccountByFederatedId(fedId); } catch (DaoException e) { ... } // if user found, create and return credential array ... }

14. Portlet The portlet handles three account states: 1. The email attribute for the UTFed user matches an existing TUP user 2. The email attribute for the UTFed user does not match an existing TUP user and: a. the user already has a TUP account b. the user does not have a TUP account In cases 1. and 2a., the user enters the credential for the existing account to link the TUP account with the UTFed identity. In 2b., the user creates a new account, needing to only provide minimal information, since the UTFed identity provides almost all of what we need.

15. What it looks like for users?

16. Duplicate Accounts Users are crafty. :)

17. Questions? Comments? More Information about TACC: http://www.tacc.utexas.edu Matthew Hanlon @mattorantimatt mrhanlon@tacc.utexas.edu Maytal Dahan @maytaldahan maytal@tacc.utexas.edu