Presentation on our approach to SSO (by Piers Harding of Catalyst IT). Includes reference to code download or reference implementations.

SSO everywhere
Piers Harding, 13th April, 2010

SSO Everywhere
- This is an interactive session
- It's based on the MoE SSO Pilot experience
- We will go through the build process for an IdP
- We will integrate as many services as possible (Moodle, Mahara, Koha, MediaWiki, Status.Net, Drupal, Google Apps)
- You can take this home!
- Please ask questions

What kind of SSO?
- Not just shared credentials: sign on once, and be automatically signed on everywhere as required
- Sharing the necessary user attributes from a central repository

How does it work?
- It is Web SSO
- It is based on SAML 2.0
- It requires a centrally stored session that each service refers back to

What is SAML 2.0?
- It is an XML-based framework for the description and secure exchange of assertions for the proof of identity, and of attributes attached to that identity

What is Web SSO?
- It is a standard formula for using browser interaction to establish a user's identity (and assertions about that identity) and then to propagate this amongst subsequently accessed services
- What typical scenarios?
- What is the interaction?
- And for schools?

Data moves
- User data flows from the SMS to the User Directory and is then consumed by various services
- Now that includes the Identity Provider

The Schema
The User Directory - Example user

```ldif
dn: cn=John Doe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
userPassword: password
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
```
The User Directory - Mapping to the Schema
- Username => uid or sAMAccountName
- Firstname => givenName
- Lastname => sn
- Role => group membership (cn=Staff,ou=Groups) or position (cn=John Doe,ou=Staff)
- Email => mail
- Organisation => typically defined by the name of the UD connected to

The IdP
- Apache2
- PHP5
- Memcached
- simpleSAMLphp

IdP Role
- The IdP acts as a broker
- Negotiates authentication with the User Directory
- Holds contracts with service providers regarding the user attributes on offer

SP Role
- The SP (Service Provider) negotiates access with the IdP on behalf of the service it is attached to
- Holds a metadata contract with the IdP
- Applies filter rules
- Passes attributes to the attached service

IdP Control
- Metadata is shared with SPs to establish trust relationships
- Both IdP and SP can apply filters with respect to the users that will be accepted and the attributes that will be shared
Metadata - Example

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.local.net/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <SPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[base64 encoded cert data]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[base64 encoded cert data]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.local.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.local.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
        index="0"/>
  </SPSSODescriptor>
  <ContactPerson contactType="technical">
    <SurName>Administrator</SurName>
    <EmailAddress>piers@local.net</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
```
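The trust relationship on the next slides is only as good as the SP metadata the IdP accepts. As an added example (not code from the presentation or from simpleSAMLphp), this Python check parses an SP EntityDescriptor shaped like the one above, using a constructed sample with placeholder certificates and two planted defects, and reports the things an IdP operator should refuse before the file goes into metadata/saml20-*.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the slide's SP metadata (cert bodies are placeholders).
# Two defects are planted on purpose: an empty encryption certificate and a plain-http ACS.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.local.net/simplesaml/module.php/saml/sp/metadata.php/default-sp">
 <SPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB-PLACEHOLDER-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate></ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.local.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://idp.local.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
 </SPSSODescriptor>
</EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Sanity-check an SP EntityDescriptor before it goes into the IdP's
    metadata/saml20-* files. Returns {"entity_id", "acs", "problems"}."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"entity_id": root.get("entityID"), "acs": [], "problems": ["no SPSSODescriptor"]}
    problems = []
    # A KeyDescriptor without a certificate gives the IdP nothing to verify or encrypt with.
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            problems.append("KeyDescriptor use=%s has no certificate" % kd.get("use", "?"))
    # Assertions and logout requests are delivered to these endpoints: insist on https.
    acs = []
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for ep in sp.findall(tag, NS):
            loc = ep.get("Location", "")
            if urlparse(loc).scheme != "https":
                problems.append("%s Location is not https: %s" % (tag[3:], loc))
            if tag == "md:AssertionConsumerService":
                acs.append(loc)
    if not acs:
        problems.append("no AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "acs": acs, "problems": problems}
```

An empty problems list means the descriptor has usable certificates and https endpoints; it says nothing about whether the metadata really came from the SP operator, which still has to be confirmed out of band.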
Filters - Examples
- These checks are used for access to WikiEducator

```php
# IdP - limit to a set attribute list
50 => array(
    'class' => 'core:AttributeLimit',
    'mlepUsername', 'mlepEmail', 'mlepLastname', 'mlepFirstname', 'cn', 'mlepOrganisation',
),
# SP - reject with an HTTP 403 Forbidden unless the !student check passes
85 => array(
    'class' => 'authorize:Authorize',
    'mlepAffiliation' => '/^(?!(s|S)tudent)/',
),
```
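To show how the schema mapping slide and the two filter rules above fit together, here is an added Python example (not the presentation's or simpleSAMLphp's code) that maps the slide's example user to the mlep* attributes, applies the IdP's AttributeLimit and then the SP's Authorize regex. The memberOf value, the mlep* names for the mapping and the directory name "example-ud" are assumptions.

```python
import re

# Constructed sample: the slide's example user as attribute lists (userPassword left
# out) plus an assumed memberOf value in the cn=Staff,ou=Groups form the slide gives for role.
JOHN = {
    "uid": ["john"], "sn": ["Doe"], "givenName": ["John"], "cn": ["John Doe"],
    "mail": ["john.doe@example.com"], "l": ["Toulouse"], "o": ["Example"],
    "memberOf": ["cn=Staff,ou=Groups,dc=example,dc=com"],  # assumed attribute
}

def map_to_mlep(entry, directory_name):
    """The slide's schema mapping; the mlep* names are the ones its filters use.
    Role comes from group membership of the form cn=<Role>,ou=Groups."""
    roles = [m.group(1) for g in entry.get("memberOf", [])
             for m in [re.match(r"cn=([^,]+),ou=Groups", g, re.I)] if m]
    return {
        "mlepUsername": entry.get("uid") or entry.get("sAMAccountName", []),
        "mlepFirstname": entry.get("givenName", []),
        "mlepLastname": entry.get("sn", []),
        "mlepEmail": entry.get("mail", []),
        "cn": entry.get("cn", []),
        "mlepAffiliation": roles,
        "mlepOrganisation": [directory_name],  # "the name of the UD connected to"
    }

# The two authproc rules from the slide, re-expressed in Python.
IDP_ATTRIBUTE_LIMIT = ["mlepUsername", "mlepEmail", "mlepLastname",
                       "mlepFirstname", "cn", "mlepOrganisation"]
SP_AUTHORIZE = {"mlepAffiliation": re.compile(r"^(?!(s|S)tudent)")}

def attribute_limit(attrs, allowed):
    """core:AttributeLimit - release only the listed attributes."""
    return {k: v for k, v in attrs.items() if k in allowed}

def authorize(attrs, rules):
    """authorize:Authorize - allow if any value of a listed attribute matches its
    regex. A missing attribute matches nothing, so the user is rejected."""
    return any(rx.search(v) for name, rx in rules.items() for v in attrs.get(name, []))

def sso_decision(entry, directory_name, idp_allowed=IDP_ATTRIBUTE_LIMIT):
    """IdP maps and limits, then the SP authorizes; returns (allowed, released)."""
    released = attribute_limit(map_to_mlep(entry, directory_name), idp_allowed)
    return authorize(released, SP_AUTHORIZE), released
```

With the IdP limit list exactly as on the slide, mlepAffiliation is never released, so the SP's Authorize rule sees no affiliation and rejects everyone (it fails closed); sso_decision takes the list as a parameter so the effect of adding mlepAffiliation can be compared.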
Live Demonstration
- VirtualBox image
- Runs all demo services fully self-contained

IdP Steps
- Software required
- Review config.php
- Step through authsources.php
- See LDAP admin
- See metadata/saml20-*
- Launch IdP admin page

SP Steps - Moodle
- Install auth/saml
- Install/configure simpleSAMLphp for the SP
- Edit paths in auth/saml/config.php
- In Moodle go to Users -> Manage Authentication -> SAML Authentication
- Go to $CFG->wwwroot/auth/saml/

Others?
- Each service has its own connector
- Each service needs an associated SP

Resources
- OASIS - SAML 2.0 specification: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20
- In particular the SAML Technical Overview: http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
- MLE Reference Group: http://groups.google.co.nz/group/mle-reference-group?hl=en-GB
- simpleSAMLphp: http://git.catalyst.net.nz/gw?p=simplesamlphp.git;a=summary
- VirtualBox image + presentation notes + howto: http://www.catalyst.net.nz/sso/index.html
