Lenya and Shibboleth

Slide 1: Single-Sign-On with Lenya and Shibboleth
Jann Forrer, University of Zurich
Andreas Hartmann, BeCompany GmbH

Slide 2: Agenda
• Authentication and authorization infrastructure
• Single-Sign-On with Shibboleth
• Integration in Apache Lenya
• Attribute-based authorization
• Attribute rule evaluation options

Slide 3: Authentication and Authorization Infrastructure

Slide 4: Without AAI
[Diagram: services at the University of Zurich (Web Mail, Course Reg., E-Learning) and the University of Berne (Research DB, Library, Student Admin.), labelled Authentication and Authorization]

Slide 5: With standards-based AAI
[Diagram: the same services at the University of Zurich and the University of Berne, with a shared AAI component added, labelled Authentication and Authorization]

Slide 6: Benefits
• Virtualized ID: Service providers can save registration and administration efforts
• Standardized interfaces: Service providers can easily integrate users of other organizations
• Standardized authentication: Users can access various services at different organizations with a single password

Slide 7: Identity Provider (IdP)
• aka „home organizations“
• Universities, Libraries, Hospitals, ...
• Responsibilities:
  • Registering users
  • Maintaining user information („attributes“)
  • Providing an authentication service
  • Providing credentials for authorization decisions

Slide 8: Service Provider (SP)
• aka „resources“
• provide restricted information / applications
• Benefits:
  • No registration authority necessary
  • No user management necessary
  • User base grows with registered IdPs
  • Reliable security mechanism
  • Access to standardized attributes for authorization

Slide 9: SWITCH AAI Attributes
• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...

Slide 10: Single-Sign-On with Shibboleth

Slide 11: Accessing a Service
[Sequence diagram; participants: Browser, SP, WAYF, IdP]
1. Browser -> SP: request a protected page
2. SP -> Browser: redirect to WAYF
3. WAYF -> Browser: show IdP selection
4. Browser -> WAYF: select IdP
5. WAYF -> Browser: redirect to IdP login screen
6. Browser -> IdP: username, password
7. IdP: authentication
8. IdP -> SP: handle
9. SP -> IdP: attribute request
10. IdP -> SP: provide attributes
11. SP -> Browser: access granted / denied, based on the attributes

Slide 12: The Shibboleth Project
• Internet2: US networking consortium, led by research and education community
• Middleware Architecture Committee for Education
  • PKI
  • URN namespace
  • course data infrastructure
  • ...
• Open Source (Apache License 2.0)
• Standards based: SAML, SSL, LDAP, ...

Slide 13: Available Software
• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within servlet 2.4 specification
• OLAT:
  • Custom SP impl. based on old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code

Slide 14: Integration in Apache Lenya

Slide 15: Authentication: Phase 1
[Sequence diagram; participants: Browser, Main Sitemap, WAYF, IdP]
1. Browser -> Main Sitemap: request protected page
2. Main Sitemap -> Browser: login screen
3. Browser: click link to WAYF
4. WAYF -> Browser: show IdP selection
5. Browser -> WAYF: select IdP
6. WAYF -> Browser: redirect to IdP login screen
7. Browser -> IdP: username, password
8. IdP: authentication
9. IdP -> Main Sitemap: handle

Slide 16: Authentication: Phase 2
[Sequence diagram; participants: Browser, Main Sitemap, Shibboleth Authenticator, Attribute Request Service, IdP]
1. IdP: authentication (end of phase 1)
2. Main Sitemap -> Shibboleth Authenticator: authenticator action
3. Shibboleth Authenticator: parse SAML response
4. Shibboleth Authenticator -> Attribute Request Service: send attribute request
5. Attribute Request Service -> IdP: attribute request; IdP: provide attributes
6. Attribute Request Service: parse SAML response
7. Shibboleth Authenticator: create transient user object, attach it to the session

Slide 17: Authentication: Classes
[Class diagram]
• DelegatingAuthenticatorAction: act(...) : Map
• <<interface>> Authenticator: authenticate(Request)
• <<interface>> AttributeRequestService: requestAttributes(BPR) : Map
• UserAuthenticator: authenticate(Request)
• <<interface>> AttributeTranslator: translateSamlAttributes(Map) : Map
• ShibbolethAuthenticator: authenticate(Request)
• UserFieldsMapper: passAttributes(TransientUser, Map), getFirstName(), getLastName(), ...
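The phase-2 chain on the class slide (AttributeRequestService returns the SAML attributes as a map, AttributeTranslator maps them to user fields, UserFieldsMapper passes them to the TransientUser) as an added example that is not code from the slides, from Lenya or from OLAT. Python stands in for Lenya's Java; the function and field names are assumptions, the attribute names come from the SWITCH AAI slide, and the SAML document is constructed rather than captured from an IdP.

```python
# Added example (not Lenya/OLAT code): parse a SAML 1.x attribute statement and
# translate it into user fields through an allowlist, mirroring the
# AttributeRequestService -> AttributeTranslator -> UserFieldsMapper chain.
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace
NS = {"saml": SAML1}

# AttributeTranslator analogue: SAML attribute name -> user field name.
# Only listed attributes ever reach the user object; field names are assumptions.
ATTRIBUTE_MAP = {
    "swissEduPersonUniqueID": "id",
    "givenName": "firstName",
    "surname": "lastName",
    "mail": "email",
    "swissEduPersonHomeOrganization": "homeOrganization",
    "eduPersonScopedAffiliation": "affiliation",
}

# Constructed sample response (not a real IdP's output). A real SP verifies the
# assertion's signature and issuer before parsing anything out of it; omitted here.
SAMPLE_RESPONSE = f"""<saml:Assertion xmlns:saml="{SAML1}">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="swissEduPersonUniqueID">
      <saml:AttributeValue>123456@uzh.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenName">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@uzh.ch</saml:AttributeValue>
      <saml:AttributeValue>member@uzh.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="unexpectedAttribute">
      <saml:AttributeValue>dropped by the allowlist</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_attributes(xml_text):
    """AttributeRequestService.requestAttributes analogue: {name: [values]}.
    Attributes are multi-valued, so every value is kept, in document order."""
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("AttributeName")
        if not name:
            continue  # nameless attribute: nothing to map it to
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attributes.setdefault(name, []).extend(values)
    return attributes


def translate_saml_attributes(saml_attributes):
    """AttributeTranslator.translateSamlAttributes analogue: allowlist + rename."""
    translated = {}
    for saml_name, values in saml_attributes.items():
        field = ATTRIBUTE_MAP.get(saml_name)
        if field is not None:
            translated[field] = list(values)
    return translated


class TransientUser:
    """Minimal stand-in for Lenya's TransientUser (assumed shape)."""
    def __init__(self):
        self.attributes = {}

    def get_attribute_names(self):
        return sorted(self.attributes)

    def get_attribute_values(self, name):
        return list(self.attributes.get(name, []))


def pass_attributes(user, translated):
    """UserFieldsMapper.passAttributes analogue."""
    for field, values in translated.items():
        user.attributes[field] = list(values)
    return user


def build_user(xml_text):
    """Whole chain: SAML text -> attribute map -> translated map -> user object."""
    return pass_attributes(TransientUser(), translate_saml_attributes(parse_saml_attributes(xml_text)))
```

The allowlist is the important design choice: the IdP controls the attribute names it sends, so anything not explicitly mapped (here `unexpectedAttribute`) never becomes a field on the session user, and the later group rules can only test attributes the SP deliberately imported.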
Slide 18: Attribute-based Authorization

Slide 19: User Attributes in Lenya
• Expressions for evaluation, e.g.
  • givenName == „John“ && surname == „Doe“
  • eduPersonScopedAffiliation == „student“
• Can be obtained from various identity providers, e.g.
  • Shibboleth IdP (TransientUser)
  • LDAP server (LDAPUser)

Slide 20: Attribute Evaluation in Lenya
• Interface User provides access to attributes:
    User.getAttributeNames() : String[]
    User.getAttributeValues(String name) : String[]
• Interface Group allows to set rules:
    Group.setRule(String)
    Group.getRule() : String
• Method AbstractGroup.contains(Groupable) evaluates the rule using a RuleEvaluator implementation

Slide 21: AbstractGroup.contains()
    public boolean contains(Groupable member) {
        // explicit membership first
        boolean contains = members.contains(member);
        // otherwise, for users, fall back to the group's attribute rule (if one is set)
        if (!contains && member instanceof User && getRule() != null) {
            User user = (User) member;
            AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
            contains = evaluator.isComplied(user, getRule());
        }
        return contains;
    }

Slide 22: User Attributes: Classes
[Class diagram]
• <<interface>> Group: getMembers() : Groupable[], contains(Groupable); a Group has * Groupable members
• <<interface>> Groupable: getGroups() : Group[]
• <<interface>> User: getAttributeNames() : String[], getAttributeValues(String) : String[]
• AbstractGroup: contains(Groupable)
• AbstractUser: setAttributeValues(String, String[])
• <<interface>> RuleEvaluator: validate(String) : ValidationResult, isComplied(User, String) : boolean
• JexlEvaluator, AntlrEvaluator: RuleEvaluator implementations

Slide 23: Attribute Rule Evaluation Options

Slide 24: JEXL
• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expression language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No specific rule syntax check
  • It's difficult to identify dangerous code

Slide 25: ANTLR
• About ANTLR
  • Another Tool for Language Recognition
  • Framework for recognizers, interpreters, parsers, ...
  • based on LL(k) grammars
  • 3-clause BSD license
• Advantages
  • Custom grammar for strict syntax check
  • No dangerous code accepted
• Disadvantages
  • Maintenance and enhancements require specific knowledge
  • Default error messages are hard to understand
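The slides on attribute evaluation (User / Group / RuleEvaluator, the contains() method) and on the JEXL versus ANTLR trade-off are illustrated together by the following added example, which is not code from the slides, from Lenya or from ANTLR. It takes the ANTLR side of the trade-off: a hand-written recursive-descent recognizer for exactly the rule grammar used on the slides (attribute == „value“, !=, &&, ||, !, parentheses), so a rule that contains anything else, such as a method call, is rejected with a position rather than evaluated, and validate() returns a readable message rather than a parser's default one. Python stands in for Lenya's Java; the User, Group and StrictRuleEvaluator names mirror the interfaces on the slides but are assumptions, as are the sample users.

```python
# Added example (not Lenya code): a strict rule evaluator in the spirit of the
# ANTLR option. Only the rule grammar is accepted, so no code can be smuggled
# in through a group rule, and syntax errors carry a position. Class and
# method names are assumptions that mirror the slides' User/Group/RuleEvaluator.
import re

TOKEN_RE = re.compile(r'(?P<op>==|!=|&&|\|\||[!()])'
                      r'|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)'
                      r'|"(?P<str>[^"]*)"|„(?P<str2>[^“]*)“')  # "..." or „...“ as on the slides

class RuleSyntaxError(ValueError):
    pass

def tokenize(rule):
    # (kind, text, position) tokens; any character outside the grammar is rejected
    tokens, pos = [], 0
    while pos < len(rule):
        if rule[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise RuleSyntaxError(f"unexpected character {rule[pos]!r} at position {pos}")
        kind = next(k for k in ("op", "ident", "str", "str2") if m.group(k) is not None)
        tokens.append(("str" if kind == "str2" else kind, m.group(kind), pos))
        pos = m.end()
    tokens.append(("eof", "", pos))
    return tokens

class Parser:
    # or := and ('||' and)*   and := not ('&&' not)*
    # not := '!' not | '(' or ')' | IDENT ('==' | '!=') STRING
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def take(self, kind, value=None):
        tok = self.tokens[self.i]
        if tok[0] != kind or (value is not None and tok[1] != value):
            found = "end of rule" if tok[0] == "eof" else repr(tok[1])
            raise RuleSyntaxError(f"expected {value or kind} at position {tok[2]}, found {found}")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        self.take("eof")  # no trailing junk after a complete rule
        return node
    def or_expr(self):
        return self.binary("||", lambda: self.binary("&&", self.not_expr))
    def binary(self, op, sub):
        node = sub()
        while self.tokens[self.i][:2] == ("op", op):
            self.i += 1
            node = (op, node, sub())
        return node
    def not_expr(self):
        if self.tokens[self.i][:2] == ("op", "!"):
            self.i += 1
            return ("!", self.not_expr())
        if self.tokens[self.i][:2] == ("op", "("):
            self.i += 1
            node = self.or_expr()
            self.take("op", ")")
            return node
        name = self.take("ident")[1]
        op = self.take("op")
        if op[1] not in ("==", "!="):
            raise RuleSyntaxError(f"expected == or != at position {op[2]}, found {op[1]!r}")
        return (op[1], name, self.take("str")[1])

def evaluate(node, user):
    # Attributes are multi-valued: a == "x" holds if any value equals x, a != "x" if none does
    op = node[0]
    if op in ("==", "!="):
        hit = node[2] in user.get_attribute_values(node[1])
        return hit if op == "==" else not hit
    if op == "!":
        return not evaluate(node[1], user)
    if op == "&&":
        return evaluate(node[1], user) and evaluate(node[2], user)
    return evaluate(node[1], user) or evaluate(node[2], user)

class StrictRuleEvaluator:  # RuleEvaluator analogue: validate() and isComplied()
    def validate(self, rule):
        try:
            Parser(tokenize(rule)).parse()
            return True, "ok"
        except RuleSyntaxError as err:
            return False, str(err)
    def is_complied(self, user, rule):
        return evaluate(Parser(tokenize(rule)).parse(), user)

class User:  # User.getAttributeValues analogue; every attribute is a list of strings
    def __init__(self, **attributes):
        self.attributes = {k: list(v) for k, v in attributes.items()}
    def get_attribute_values(self, name):
        return list(self.attributes.get(name, []))

class Group:
    def __init__(self, members=(), rule=None):
        self.members, self.rule, self.evaluator = list(members), rule, StrictRuleEvaluator()
    def contains(self, member):
        # Same shape as AbstractGroup.contains() on slide 21: explicit membership first, then the rule
        contains = member in self.members
        if not contains and isinstance(member, User) and self.rule is not None:
            contains = self.evaluator.is_complied(member, self.rule)
        return contains
```

Two points worth noting. The grammar has no literals other than quoted strings and no way to call anything, so the "no dangerous code accepted" property on the ANTLR slide falls out of the recognizer itself rather than from a blocklist. And because a rule is parsed completely before it is evaluated, a rule that fails validate() can be refused at Group.setRule() time instead of failing, or silently granting access, the first time contains() runs.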
Slide 26: More Options
• Different language recognizer generators
  • JavaCC
  • SableCC
  • CUP
• Pre-defined rules to select from
• GUI-based rule editing (graphical expression editor)

Slide 27: Questions and Discussion
