Andy Swiffin a.l.swiffin@dundee.ac.uk University of Dundee Terena - - PowerPoint PPT Presentation



SLIDE 1

Terena EuroCAMP, Athens. 13 November, 2008

Andy Swiffin

a.l.swiffin@dundee.ac.uk

University of Dundee

Image courtesy of wikipedia.org

SLIDE 2

From Attributes To Assertions

SLIDE 3

What will I be talking about?

  • Background:
    – Identity management at Dundee
    – Access management in UK academia
  • Dundee deploys Shibboleth:
    – Authenticating against eDirectory
    – Generating and releasing attributes
    – How did it go?

SLIDE 4

SLIDE 5

Dundee University

  • Over 18,000 students
  • Over 3000 staff
  • Strong Identity Management
  • File/Print Infrastructure based on

SLIDE 6

  • eDirectory is the enterprise directory
  • Zenworks manages the desktop
  • Novell Groupwise for campus email
  • Novell IDM for directory synchronisation

SLIDE 7

But there are other “X500” Directories

  • Novell eDirectory
  • Microsoft Active Directory
  • SunOne/iPlanet
  • OpenLDAP
  • IBM Tivoli (SecureWay)

SLIDE 8

ALL use LDAP

  • It’s a “Standard”
    – Isn’t it?
  • “The nice thing about standards is that you have so many to choose from (furthermore, if you don’t like any of them you can just wait for next year’s model)”
    – Andrew Stuart Tanenbaum, Computer Networks

SLIDE 9

Directory population

  • Automatic processes (scripts)
    – From Student records (SITS)
    – From HR
  • Usernames
    – ALS123?
    – M81V003?
    – MCRALS?
    – ALSwiffin
  • John Smith gets an extra initial
    – JZSmith, JYSmith, JXSmith etc.

SLIDE 10

Novell IDM

  • Novell Identity Manager
    – (aka DirXML)
    – Synchronisation between eDirectory trees
  • Bidirectional (if you want)
    – Also to Groupwise
    – To Microsoft AD (if we want it)!
    – Large number of other connectors

SLIDE 11

[Diagram of the directory synchronisation: Vault Tree, Main Dundee Tree, IPT Tree, LDAP Tree, SITS, HR, Groupwise]

SLIDE 12

SLIDE 13

SLIDE 14

Even Applicants get an entry

  • As soon as someone applies
  • 19,000 per year
    – But only ~5000 come
  • Huge wastage of usernames
    – But disambiguation is not a big problem
    – John Smith was never going to get JSmith anyway

SLIDE 15

Leavers’ accounts retained

  • Automatic processes identify
    – Staff leaving
    – Students completing their course
  • The clock starts ticking
    – After a month:
      • Accounts disabled
      • Moved into the holding pen
SLIDE 16

Active accounts retained

  • If an account has been used
    – It is retained for 2 years!
  • After which it is recycled
  • YES! We reuse ePPN!

What?? You mean you expose it!!!

SLIDE 17

LDAP with everything

  • So:
    – Dundee is well established in identity management
    – Email and login accounts are automatically created
    – LDAP is used by all applications for authentication
  • But what about external resources?
SLIDE 18

Athens

  • An Access Management System for controlling secure access to web based services.
  • Originally created at Bath University
  • Adopted by JISC as preferred authentication mechanism
  • Eduserv created in 1999 and ran Athens on behalf of the academic community
  • Usernames and passwords held by Athens but administered at a local level
  • Originally: “a big database table with about 4.5 million rows and 300 columns”
    – Athens DA – “Devolved Authentication”

SLIDE 19

Athens

  • 500 HE and FE institutions used Athens
  • 300 licensed resources
  • But:
    – Athens used proprietary protocols
    – Mostly only used by UK academia (and a few others)
    – So, little international acceptance

SLIDE 20

JISC announcement - 2006

SLIDE 21

SLIDE 22

  • > 600 UK members (and increasing)
  • Uses Shibboleth
    – Operates in a similar way to Athens DA
    – Uses SAML to exchange information
    – Protects privacy
      • Least sensitive attributes released
      • Member, staff, student, medic
  • Shibboleth – growing globally
    – USA, France, Switzerland, China, Belgium, Greece, Finland, Australia, Canada, Czech Republic, Netherlands…

SLIDE 23

What we intended to do

  • JISC had funded Athens <-> Shibboleth gateways
  • Plan to use Shibboleth to access Athens resources this way.
  • January 22nd 2008
    – There was a “disagreement”
  • Athens access would still be available – but at a price…

SLIDE 24

What we actually did

  • Deployed two IdPs
  • One real and one virtual
  • With HAShib and Cisco “content switching” for automatic failover

SLIDE 25

What we actually did

  • And decided to stop using Athens entirely and rely on the Federation for authentication

SLIDE 26

The building blocks

  • Linux
  • OpenSSL
  • Apache
  • mod_proxy_ajp
  • Tomcat
  • Java
  • Shibboleth IdP

SLIDE 27

The building blocks

  • Linux: Novell SLES 10
  • OpenSSL 0.9.8g
  • Apache 2.2.6
  • mod_proxy_ajp
  • Tomcat 5.5.25
  • Java jdk1.5.0_14
  • Shibboleth IdP 1.3.3

SLIDE 28

Also available on

  • Some experimentation:
  • Bare bones XP box +
    – Apache 2.2.9
      • Includes OpenSSL!
    – Tomcat 5.5.26
    – JRE 1.5.0.16
    – Shib 1.3.3
  • INSTALL in 10 minutes!
  • (There is also a Windows installer)

SLIDE 29

Authentication

  • Shibboleth 1.3 relies on Apache or Tomcat for authentication
  • I decided to use Tomcat
    – With Apache you get a popup box
    – With a Tomcat “Realm” you have a whole page to “brand”
  • Shib 2 has the authentication bundled in

SLIDE 30

Tomcat Realm

  • /usr/local/tomcat/conf/server.xml
  • objectClass: inetOrgPerson; organizationalPerson; Person; ndsLoginProperties; Top

SLIDE 31

The login web pages

  • /usr/local/tomcat/webapps/shibboleth-idp/WEB-INF/web.xml
SLIDE 32

What if I don’t understand it?

  • You don’t really need to!
    – Just cut and paste!
  • Cook books:
    – https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/Tomcat%20Authentication%20for%20Shibboleth%20IdP
    – https://spaces.internet2.edu/display/SHIB/IdPUserAuthnConfig
  • What you’re actually doing:
    – http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

SLIDE 33

Other directories?

  • Most will work as described
  • But AD won’t
  • A problem of “Referrals”
    – “I don’t have it but I know someone who does”
    – http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html
  • There is a Tomcat “fix”

SLIDE 34

  • http://wiki.apache.org/tomcat/JNDI_HowTo
  • http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
SLIDE 35

Authorisation

  • Shibboleth will be asked for some attributes
  • Normally the Trinity of:
    – eduPersonScopedAffiliation
      • Member, Staff, Student @dundee.ac.uk
    – eduPersonTargetedId
      • <hash>@dundee.ac.uk
      • The same <hash> each time you visit that resource
      • A different <hash> for each different resource
    – eduPersonEntitlement
      • Defined by the Service Provider
      • E.g. access to medical resources
  • eduPersonPrincipalName
    – NOT RELEASED!
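The per-resource behaviour of eduPersonTargetedId described above, as an added Python illustration rather than the IdP's own code: a keyed hash over the IdP's secret salt, the user's principal name and the SP's providerId gives the same opaque value on every visit to one resource and an unrelated value for every other resource. The salt, the scope suffix and the SP identifiers are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: a real IdP keeps its salt secret and never changes it,
# otherwise every user's targeted IDs change and SPs lose their per-user records.
IDP_SALT = b"constructed-example-salt-replace-me"
SCOPE = "dundee.ac.uk"


def targeted_id(principal: str, sp_provider_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive an opaque per-service-provider identifier for one user.

    HMAC-SHA256 keyed with the IdP salt over the SP's providerId and the
    user's principal name. The same user at the same SP always gets the same
    value; a different SP gets an unrelated value, so two SPs cannot correlate
    the user, and without the salt an SP cannot recover principal names by
    hashing guesses.
    """
    message = sp_provider_id.encode("utf-8") + b"!" + principal.encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"{token}@{SCOPE}"


def sps_can_correlate(principal: str, sp_a: str, sp_b: str) -> bool:
    """True only if two SPs would receive the same value for this user."""
    return targeted_id(principal, sp_a) == targeted_id(principal, sp_b)


def is_stable(principal: str, sp_provider_id: str, visits: int = 3) -> bool:
    """Check that repeated visits to one resource yield one identifier."""
    values = {targeted_id(principal, sp_provider_id) for _ in range(visits)}
    return len(values) == 1
```

Because the value is a pure function of principal and providerId, a recycled username (slide 16) would inherit its predecessor's targeted IDs at every SP unless the IdP keys on something that is not reused.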

SLIDE 36

Attributes: Where are you going to get them from?

  • First you need access to your directory
  • /usr/local/shibboleth-idp/etc/resolver.xml
  • Will work with most directories
    – Except AD

[Config callout: Search with cn = PRINCIPAL in this LDAP server]

SLIDE 37

For AD:

  • https://spaces.internet2.edu/display/SHIB/JNDIDataConnector
  • Some people have given up and used a database!

[Config callouts: Restrict the attributes returned; The GC: Beware!; Referrals fix]

SLIDE 38

Attributes: Are you going to store them?

  • Extend the schema?
  • You don’t need to do that
    – The information may already be there!

SLIDE 39

Simple attribute stored:

  • Scoped affiliation
    – Stored value Member becomes Member@dundee.ac.uk
    – Stored value Staff becomes Staff@dundee.ac.uk

SLIDE 40

But you may already have the information!

  • Directory attribute: workforceID: M81V003
  • In the scriptlet, workforceidstr = workforceid.get(0) gives the String M81V003

SLIDE 41

Source from multiple directory attributes

[Diagram: ESF, M81V003, workforceID: M81V003]

SLIDE 42

Other ways of doing it

  • Cf. https://spaces.internet2.edu/display/SHIB/ScriptletAttributeDefinition
  • Entitlement is multivalued: use .get(i) to get each value; it returns a String
  • .contains() tests for a value in a multivalued attribute, but you cannot addValue(attribute) as it is not a String

SLIDE 43

Taken from the documentation:

I don’t think this works!! (at least not as implied)

SLIDE 44

Using directory placement

Grateful thanks to Mike White of Stirling University for this configuration snippet

cn=alswiffin,ou=Enabled,ou=Staff
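The inference the slides describe (slides 40 to 44), as an added Python model rather than the IdP's scriptlet: scoped affiliation is read off directory placement and the presence of workforceID, and the multivalued entitlement is built one String at a time. The entitlement URI, the department attribute and the reading of ou=Enabled as the enabled/disabled switch are constructed assumptions.

```python
from typing import Dict, List, Tuple

SCOPE = "dundee.ac.uk"
# Constructed for this illustration: the entitlement URI an SP might define for
# medical resources, and the department codes that earn it.
MEDIC_ENTITLEMENT = "urn:mace:example.org:entitlement:medical-resources"
MEDICAL_DEPARTMENTS = {"MED"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=alswiffin,ou=Enabled,ou=Staff' into (type, value) pairs.
    Minimal on purpose: assumes no escaped commas inside RDN values."""
    return [tuple(p.split("=", 1)) for p in dn.split(",") if "=" in p]


def resolve_attributes(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Infer the attributes to release from what the directory already holds.

    entry mirrors what a scriptlet sees: every LDAP attribute is multivalued,
    so values are read by index, like workforceid.get(0) on the slides.
    Keys used: 'dn' (directory placement), 'workforceID', 'department'.
    """
    ous = [v for kind, v in parse_dn(entry["dn"][0]) if kind.lower() == "ou"]
    # Placement decides status: an account outside ou=Enabled (assumed here to
    # be the holding pen) is disabled and gets nothing released.
    if "Enabled" not in ous:
        return {}

    affiliation = ["member"]
    # Two sources for 'staff': the ou=Staff branch, or an HR-issued workforceID.
    if "Staff" in ous or entry.get("workforceID"):
        affiliation.append("staff")
    if "Students" in ous:
        affiliation.append("student")

    # Entitlement is multivalued: add each value once, and add Strings only.
    entitlement: List[str] = []
    for dept in entry.get("department", []):
        if dept in MEDICAL_DEPARTMENTS and MEDIC_ENTITLEMENT not in entitlement:
            entitlement.append(MEDIC_ENTITLEMENT)

    released = {"eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in affiliation]}
    if entitlement:
        released["eduPersonEntitlement"] = entitlement
    return released
```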

SLIDE 45

Scriptlet is not the only tool

Grateful thanks to Adrian Barker of UCL for this configuration snippet

SLIDE 46

Attribute release policies

  • arp.site.xml
  • One for each resource (and a catchall).
  • Fine granularity
    – Which values of which attributes

SLIDE 47

Keep it Simple

SLIDE 48

Spot the deliferate mistuak

  • When you permit, everything else is denied

SLIDE 49

All except

  • You permit everything except what you deny

SLIDE 50

  • This rule releases most group values, but not administrative ones, to service providers from Brown University

SLIDE 51

ARP constraints

  • https://spaces.internet2.edu/display/SHIB/AttributeReleaseRule
  • Suppress release based on other attributes
    – User can specify whether information is released
    – This is held as a directory attribute

SLIDE 52

Release according to the permitRelease attribute
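The release semantics of slides 47 to 52, as an added Python model rather than the arp.site.xml syntax: permits are closed (anything not listed is denied), a deny carves exceptions out of an any-value permit, and a constraint on the directory attribute permitRelease switches a rule off for users who have not opted in. The rule shape and the SP providerIds are constructed assumptions; that a deny beats a permit from another matching rule is the ordering assumed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, List[str]]
ANY = None  # permit every value of an attribute


@dataclass
class Rule:
    """One rule of an arp.site.xml, in the terms the slides use.

    target:     the SP's providerId, or "*" for the catch-all rule.
    permit:     attribute -> allowed values, or ANY; listing permits means
                everything not listed is denied.
    deny:       values carved out of a permit ("all except").
    constraint: (attribute, value) the user must hold for the rule to apply,
                e.g. ("permitRelease", "true") read from the directory.
    """
    target: str
    permit: Dict[str, Optional[List[str]]]
    deny: Dict[str, List[str]] = field(default_factory=dict)
    constraint: Optional[Tuple[str, str]] = None


def release(user: Attrs, rules: List[Rule], sp: str) -> Attrs:
    """Compute what the IdP releases to one SP.

    All rules matching the SP are combined; a value denied by any matching
    rule is never released even if another rule permits it (deny wins).
    """
    permitted: Attrs = {}
    denied: Attrs = {}
    for rule in rules:
        if rule.target not in (sp, "*"):
            continue
        if rule.constraint and rule.constraint[1] not in user.get(rule.constraint[0], []):
            continue  # user has not opted in, so this rule does not apply
        for attr, allowed in rule.permit.items():
            for value in user.get(attr, []):
                if (allowed is ANY or value in allowed) and value not in permitted.setdefault(attr, []):
                    permitted[attr].append(value)
        for attr, values in rule.deny.items():
            denied.setdefault(attr, []).extend(values)
    out: Attrs = {}
    for attr, values in permitted.items():
        kept = [v for v in values if v not in denied.get(attr, [])]
        if kept:
            out[attr] = kept
    return out
```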

SLIDE 53

So at Dundee:

  • I have mainly used scriptletAttributeDefinition to infer from existing directory attributes
  • Simplest ARP possible
    – Protecting privacy
    – Not releasing unnecessary attributes
  • Went fully live 1st August 2008 (Athens no longer free!)

SLIDE 54

But some resources are not Federated (yet)

  • A lot are
  • And increasing

SLIDE 55

But some resources are not Federated (yet)

  • IP Proxy allows access to the rest
  • EZProxy
    – Which can be Shibbolised!
    – Ensures the common login experience
  • And is a great tool for testing your IdP!

SLIDE 56

And what happened?

  • On the 1st August
  • We stopped using Athens
  • And started using the Federation (and EZProxy)
  • And no-one noticed

SLIDE 57

Athens usage

SLIDE 58

Shibboleth usage

SLIDE 59

Total users

SLIDE 60

And where did they go?

SLIDE 61

What does it look like?

SLIDE 62

SLIDE 63

SLIDE 64

SLIDE 65

SLIDE 66

SLIDE 67

SLIDE 68

SLIDE 69

A WAYFless URL

  • Click on that to go straight to:
    https://geoshibb.edina.ac.uk/Shibboleth.sso/WAYF/UKFederation?providerId=https://idp.dundee.ac.uk/shibboleth

SLIDE 70

SLIDE 71

SLIDE 72

Where next?

  • SSO?
    – You’ve got it!
  • Internal applications?

“the main selling point of shibboleth for us is it is an invaluable tool in development of internally facing webapps. Deployment of shibboleth is allowing much easier development and deployment of web applications to support users.”
– Cal Racey, Newcastle University

  • Metalib/Aleph
  • Apache: mod_shib?
  • SimpleSAMLphp?
SLIDE 73

We’re just putting in the plumbing

Image courtesy of wikipedia.org

SLIDE 74

But without it – you can’t have a bathroom

SLIDE 75

They didn’t join the federation

Image courtesy of wikipedia.org

SLIDE 76

Welcome to McShib. 13 November, 2008

Questions?