SlideShare a Scribd company logo
1 of 17
Download to read offline
Federated Authentication in a
Campus System
Liferay .edu User Group, January 7, 2014
Matthew Hanlon
Maytal Dahan
Introduction
● Texas Advanced Computing Center (TACC)
○ Advanced computing center with a diverse set of resources - high performance computing,
visualization, data centers, cloud computing, etc.
● TACC is part of The University of Texas System
○ 9 universities
○ 6 health institutions
● Our main goal is to maximize productivity and help support educators, scientists and
researchers by lowering the barrier of entry into these systems. One way to accomplish that is
via federated identities
● Use a single identity to authenticate to authenticate to the user portal to apply for allocations on
our resources, manage resource usage, etc.
Federated Authentication
Allowing users to link a single identity and attributes across several distinct identity management
systems.
Technologies:
• SAML
• OAuth
• OpenID
• also, LDAP, Active Directory
Terminology
IdP - Identity Provider
This is the entity that “provides” the authentication and authorization, and to whom the end user
authenticates.
SP - Service Provider
This is the entity providing a service that the user wants to use, e.g., a Liferay Portal.
SAML - Security Assertion Markup Language
XML-based open standard data format for exchanging authentication and authorization data
between parties
1. The SP detects the user attempting to access restricted content within the resource.
2. The SP generates an authentication request, then sends the request, and the user, to the user's IdP.
3. The IdP authenticates the user, then sends the authentication response, and the user, back to the
SP.
4. The SP verifies the IdP's response and sends the request through to the resource which returns the
originally requested content.
Source: https://wiki.shibboleth.net/confluence/display/SHIB2/NewUnderstandingShibboleth
UT System Research Cyberinfrastructure (UTRC)
• Project within The University of Texas System
• Improve the quality of IT for research for all 15 UT System Institutions
• High-speed Networking, including “last mile”
• Access to advanced data and storage capability (TACC)
• Access to high performance computing (HPC) resources (TACC)
• TACC provides access to the Data and HPC resources via the TACC User Portal (TUP) as well
as other access methodologies (SSH, FTP, GridFTP, etc.)
Hurdles
• Onboarding hundreds to thousands of new users who lack experience using HPC resources
• Requirement to use campus credentials for login to prevent users from having to
create/memorize additional username/password
• need to federate authentication to 15 institutions
• Must retain current authentication/authorization in TUP for non-UT users
• also, existing users may want to enable login using campus credential
• Accounting requirements for accessing HPC resources
• export control, “countries of concern”
• need assurances of compliance
UTFed/IdP Proxy
Source:
https://spaces.internet2.
edu/display/GS/SAMLIdPProx
y
UTFed:
https://idm.utsystem.edu/utfed
TACC User Portal
UT System SP
acts as
UT System IdP
UTFed - UT
System Institutions
SAML Authentication in Liferay
What we didn’t use:
Liferay EE SAML Plugin: https://www.liferay.com/marketplace/-/mp/application/15188711
Enables configuring Liferay as an IdP or SP according to the SAML2 spec
What we did use:
Shibboleth2 with Apache mod_shib
Custom AutoLogin hook for SAML login
Custom Portlet for inital account creation/linking
Installing Shibboleth (on CentOS 6)
$> cat /etc/yum.repos.d/security-shibboleth.repo
[security_shibboleth]
name=Shibboleth (CentOS_CentOS-6)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:
/shibboleth/CentOS_CentOS-6/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:
/shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key
enabled=1
<ApplicationDefaults entityID="https://portal.tacc.utexas.edu/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id"
attributePrefix="AJP_">
<SSO entityID="https://sso.utrc.utsystem.edu/simplesaml/saml2/idp/metadata.php"
discoveryProtocol="SAMLDS">
SAML2 SAML1
</SSO>
<MetadataProvider type="XML" reloadInterval="86400"
uri="https://sso.utrc.utsystem.edu/simplesaml/saml2/idp/metadata.php">
</MetadataProvider>
<MetadataProvider type="XML" uri="https://idm.utsystem.edu/downloads/UTfed-metadata.xml"
backingFilePath="UTfed-metadata.xml" reloadInterval="7200">
<MetadataFilter type="Signature" certificate="utfedops-sign.crt"/>
</MetadataProvider>
</ApplicationDefaults>
Shibboleth2 Configuration
mod_shib Configuration
<Location /utdr> # this is a path that exists in Liferay
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
portal.properties
auto.login.hooks=edu.utexas.tacc.liferay.portal.security.auth.UtdrShibbolethAutoLogin
AutoLogin Hook
UtdrShibbolethAutoLogin
public String[] login(HttpServletRequest request, HttpServletResponse response) throws AutoLoginException {
String[] creds = null;
String fedId = (String) request.getAttribute("eppn");
Account user = null;
try {
user = dao.findAccountByFederatedId(fedId);
} catch (DaoException e) { ... }
// if user found, create and return credential array
...
}
Portlet
The portlet handles three account states:
1. The email attribute for the UTFed user matches an existing TUP user
2. The email attribute for the UTFed user does not match an existing TUP user and:
a. the user already has a TUP account
b. the user does not have a TUP account
In cases 1. and 2a., the user enters the credential for the existing account to link the TUP account with
the UTFed identity.
In 2b., the user creates a new account, needing to only provide minimal information, since the UTFed
identity provides almost all of what we need.
What it looks like for users?
Duplicate Accounts
Users are crafty. :)
Questions? Comments?
More Information about TACC:
http://www.tacc.utexas.edu
Matthew Hanlon @mattorantimatt
mrhanlon@tacc.utexas.edu
Maytal Dahan @maytaldahan
maytal@tacc.utexas.edu

More Related Content

Viewers also liked

Liferay UI (R)evolution
Liferay UI (R)evolutionLiferay UI (R)evolution
Liferay UI (R)evolution
Zeno Rocha
 

Viewers also liked (6)

Liferay UI (R)evolution
Liferay UI (R)evolutionLiferay UI (R)evolution
Liferay UI (R)evolution
 
Liferay + Wearables
Liferay + WearablesLiferay + Wearables
Liferay + Wearables
 
Overview of Liferay 7 Technology
Overview of Liferay 7 TechnologyOverview of Liferay 7 Technology
Overview of Liferay 7 Technology
 
EclipseCon Europe 2015 - liferay modularity patterns using OSGi -Rafik Harabi
EclipseCon Europe 2015 - liferay modularity patterns using OSGi -Rafik HarabiEclipseCon Europe 2015 - liferay modularity patterns using OSGi -Rafik Harabi
EclipseCon Europe 2015 - liferay modularity patterns using OSGi -Rafik Harabi
 
Moved to https://slidr.io/azzazzel/liferay-7-microservices-for-the-enterprise
Moved to https://slidr.io/azzazzel/liferay-7-microservices-for-the-enterpriseMoved to https://slidr.io/azzazzel/liferay-7-microservices-for-the-enterprise
Moved to https://slidr.io/azzazzel/liferay-7-microservices-for-the-enterprise
 
Liferay 7
Liferay 7Liferay 7
Liferay 7
 

Similar to Federated Authentication in a Campus System

Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
Krishnendu Paul
 

Similar to Federated Authentication in a Campus System (20)

Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
Apache Eagle in Action
Apache Eagle in ActionApache Eagle in Action
Apache Eagle in Action
 
OpenSocial and Mixi platform
OpenSocial and Mixi platformOpenSocial and Mixi platform
OpenSocial and Mixi platform
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Security On The Cloud
Security On The CloudSecurity On The Cloud
Security On The Cloud
 
Hyderabad MuleSoft Meetup
Hyderabad MuleSoft MeetupHyderabad MuleSoft Meetup
Hyderabad MuleSoft Meetup
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Facilitating Collaboration with Globus (GlobusWorld Tour - STFC)
Facilitating Collaboration with Globus (GlobusWorld Tour - STFC)Facilitating Collaboration with Globus (GlobusWorld Tour - STFC)
Facilitating Collaboration with Globus (GlobusWorld Tour - STFC)
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
ValiditySupSpec
ValiditySupSpecValiditySupSpec
ValiditySupSpec
 
HSPD-12 LACS
HSPD-12 LACSHSPD-12 LACS
HSPD-12 LACS
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
 
McShibboleth Presentation
McShibboleth PresentationMcShibboleth Presentation
McShibboleth Presentation
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern Apps
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
 
Apache Eagle at Hadoop Summit 2016 San Jose
Apache Eagle at Hadoop Summit 2016 San JoseApache Eagle at Hadoop Summit 2016 San Jose
Apache Eagle at Hadoop Summit 2016 San Jose
 
Apache Eagle: Secure Hadoop in Real Time
Apache Eagle: Secure Hadoop in Real TimeApache Eagle: Secure Hadoop in Real Time
Apache Eagle: Secure Hadoop in Real Time
 
Investigation on Revocable Fine-grained Access Control Scheme for Multi-Autho...
Investigation on Revocable Fine-grained Access Control Scheme for Multi-Autho...Investigation on Revocable Fine-grained Access Control Scheme for Multi-Autho...
Investigation on Revocable Fine-grained Access Control Scheme for Multi-Autho...
 

Recently uploaded

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
Alluxio, Inc.
 

Recently uploaded (20)

A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
CompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 

Federated Authentication in a Campus System

  • 1. Federated Authentication in a Campus System Liferay .edu User Group, January 7, 2014 Matthew Hanlon Maytal Dahan
  • 2. Introduction ● Texas Advanced Computing Center (TACC) ○ Advanced computing center with a diverse set of resources - high performance computing, visualization, data centers, cloud computing, etc. ● TACC is part of The University of Texas System ○ 9 universities ○ 6 health institutions ● Our main goal is to maximize productivity and help support educators, scientists and researchers by lowering the barrier of entry into these systems. One way to accomplish that is via federated identities ● Use a single identity to authenticate to authenticate to the user portal to apply for allocations on our resources, manage resource usage, etc.
  • 3. Federated Authentication Allowing users to link a single identity and attributes across several distinct identity management systems. Technologies: • SAML • OAuth • OpenID • also, LDAP, Active Directory
  • 4. Terminology IdP - Identity Provider This is the entity that “provides” the authentication and authorization, and to whom the end user authenticates. SP - Service Provider This is the entity providing a service that the user wants to use, e.g., a Liferay Portal. SAML - Security Assertion Markup Language XML-based open standard data format for exchanging authentication and authorization data between parties
  • 5. 1. The SP detects the user attempting to access restricted content within the resource. 2. The SP generates an authentication request, then sends the request, and the user, to the user's IdP. 3. The IdP authenticates the user, then sends the authentication response, and the user, back to the SP. 4. The SP verifies the IdP's response and sends the request through to the resource which returns the originally requested content. Source: https://wiki.shibboleth.net/confluence/display/SHIB2/NewUnderstandingShibboleth
  • 6. UT System Research Cyberinfrastructure (UTRC) • Project within The University of Texas System • Improve the quality of IT for research for all 15 UT System Institutions • High-speed Networking, including “last mile” • Access to advanced data and storage capability (TACC) • Access to high performance computing (HPC) resources (TACC) • TACC provides access to the Data and HPC resources via the TACC User Portal (TUP) as well as other access methodologies (SSH, FTP, GridFTP, etc.)
  • 7. Hurdles • Onboarding hundreds to thousands of new users who lack experience using HPC resources • Requirement to use campus credentials for login to prevent users from having to create/memorize additional username/password • need to federate authentication to 15 institutions • Must retain current authentication/authorization in TUP for non-UT users • also, existing users may want to enable login using campus credential • Accounting requirements for accessing HPC resources • export control, “countries of concern” • need assurances of compliance
  • 9. SAML Authentication in Liferay What we didn’t use: Liferay EE SAML Plugin: https://www.liferay.com/marketplace/-/mp/application/15188711 Enables configuring Liferay as an IdP or SP according to the SAML2 spec What we did use: Shibboleth2 with Apache mod_shib Custom AutoLogin hook for SAML login Custom Portlet for inital account creation/linking
  • 10. Installing Shibboleth (on CentOS 6) $> cat /etc/yum.repos.d/security-shibboleth.repo [security_shibboleth] name=Shibboleth (CentOS_CentOS-6) type=rpm-md baseurl=http://download.opensuse.org/repositories/security: /shibboleth/CentOS_CentOS-6/ gpgcheck=1 gpgkey=http://download.opensuse.org/repositories/security: /shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key enabled=1
  • 11. <ApplicationDefaults entityID="https://portal.tacc.utexas.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id" attributePrefix="AJP_"> <SSO entityID="https://sso.utrc.utsystem.edu/simplesaml/saml2/idp/metadata.php" discoveryProtocol="SAMLDS"> SAML2 SAML1 </SSO> <MetadataProvider type="XML" reloadInterval="86400" uri="https://sso.utrc.utsystem.edu/simplesaml/saml2/idp/metadata.php"> </MetadataProvider> <MetadataProvider type="XML" uri="https://idm.utsystem.edu/downloads/UTfed-metadata.xml" backingFilePath="UTfed-metadata.xml" reloadInterval="7200"> <MetadataFilter type="Signature" certificate="utfedops-sign.crt"/> </MetadataProvider> </ApplicationDefaults> Shibboleth2 Configuration
  • 12. mod_shib Configuration <Location /utdr> # this is a path that exists in Liferay AuthType shibboleth ShibRequestSetting requireSession 1 require valid-user </Location>
  • 13. portal.properties auto.login.hooks=edu.utexas.tacc.liferay.portal.security.auth.UtdrShibbolethAutoLogin AutoLogin Hook UtdrShibbolethAutoLogin public String[] login(HttpServletRequest request, HttpServletResponse response) throws AutoLoginException { String[] creds = null; String fedId = (String) request.getAttribute("eppn"); Account user = null; try { user = dao.findAccountByFederatedId(fedId); } catch (DaoException e) { ... } // if user found, create and return credential array ... }
  • 14. Portlet The portlet handles three account states: 1. The email attribute for the UTFed user matches an existing TUP user 2. The email attribute for the UTFed user does not match an existing TUP user and: a. the user already has a TUP account b. the user does not have a TUP account In cases 1. and 2a., the user enters the credential for the existing account to link the TUP account with the UTFed identity. In 2b., the user creates a new account, needing to only provide minimal information, since the UTFed identity provides almost all of what we need.
  • 15. What it looks like for users?
  • 17. Questions? Comments? More Information about TACC: http://www.tacc.utexas.edu Matthew Hanlon @mattorantimatt mrhanlon@tacc.utexas.edu Maytal Dahan @maytaldahan maytal@tacc.utexas.edu