Design and Implementation of Web Forward Proxy with Shibboleth - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Design and Implementation of Web Forward Proxy with Shibboleth Authentication

KOMURA Takaaki

Kyoto University

SANO Hiroaki

Kyoto University Library

DEMIZU Noritoshi

OCTOPATH corporation

MAKIMURA Ken

OCTOPATH corporation

SAINT 2011 WS (MidArch) @ Munich 2011/07/21

slide-2
SLIDE 2

Contents

  • Proposal Overview
  • Background
  • Proposal Details
  • Implementation and Evaluations

slide-3
SLIDE 3

Proposal Overview

  • Shibboleth Authentication introduced into the proxy authentication scheme (Proxy-Auth)

Figure: Web Browser, Forward Proxy acting as Shibboleth SP (Service Provider), Shibboleth IdP (Identity Provider), Web Server
  (1) The browser tries to access the web server via the proxy
  (2) Authentication by the IdP
  (3) Access via the proxy
  (4) The proxy relays the request to the web server

slide-4
SLIDE 4

BACKGROUND


slide-5
SLIDE 5

Necessity of Proxy and Proxy-Auth

Three reasons

  • Gateway from the private network to the Internet
  • Rapid incident response
  • Keeping track of access statistics for E-Journal (EJ) sites
    – The license fee of an EJ is charged to departments depending on the number of downloaded papers

→ A forward proxy for EJ access has been installed in our university since 2006

slide-6
SLIDE 6

Forward Proxy

Figure: Browser, Forward Proxy, Web Server (http://example.com)
  Browser → Forward Proxy: GET http://example.com/doc
  Forward Proxy → Web Server: GET http://example.com/doc
  Web Server → Forward Proxy: 200 OK
  Forward Proxy → Browser: 200 OK

slide-7
SLIDE 7

Authentication to use Forward Proxy

Figure: Browser, Forward Proxy, Web Server (http://example.com)
  Browser → Forward Proxy: GET http://example.com/doc
  Forward Proxy → Browser: 407 Proxy Authentication Required
                           Proxy-Authenticate: Basic realm="XXXXXX"
  Browser → Forward Proxy: GET http://example.com/doc
                           Proxy-Authorization: Basic BASE64ENC==
  Forward Proxy → Web Server: GET http://example.com/doc
  Web Server → Forward Proxy: 200 OK
  Forward Proxy → Browser: 200 OK
  (repeat: the browser attaches Proxy-Authorization to every later request through the proxy)

slide-8
SLIDE 8

Problems of Existing Proxy-Auth

  • BASIC Authentication
    – User ID and password travel across the network in plain text (base64 is an encoding, not encryption)
  • Digest Authentication
    – The proxy needs the users' raw password (or a password-equivalent hash of it) => security risk is increased
  • No method exists to distinguish a real proxy from a fake one
    – ID and password might be exploited by a fake proxy

slide-9
SLIDE 9

Purpose and Proposal

Purpose

  • More secure Proxy-Auth for users and administrators
  • No modification on web browsers
    – Modifications or plugins are unsuited to practical use

Proposal

  • Shibboleth Authentication-capable forward proxy

slide-10
SLIDE 10

PROPOSAL DETAILS


slide-11
SLIDE 11

Basic Idea

Figure: Browser, Proxy acting as an SP (Service Provider), IdP (Identity Provider), Web Server (http://example.com)
  Browser → Proxy: GET http://example.com/doc
  Proxy → Browser: 302 HTTP redirect to the IdP
  Browser → IdP: Auth request (ID & password)
  IdP → Proxy: Auth OK
  Proxy → Browser: Set-Cookie: LH741Q… (issue session cookie)
  Browser → Proxy: GET http://example.com/doc  Cookie: LH741Q…
  Proxy: check the session cookie, then relay the remaining requests
  Proxy → Web Server: GET http://example.com/doc
  Web Server → Proxy → Browser: 200 OK
  (repeat)

The ID and password are sent only to the IdP; the proxy receives the authentication result and issues its own session cookie.

slide-12
SLIDE 12

Session Cookie Restriction

  • Browsers send only the cookies which were issued by the web server itself
    – The proxy must pretend to be the web server when the cookies are issued (Set-Cookie)
    – The proxy must issue new cookies whenever the browser accesses a new web server
    → The Single Sign-On scheme of Shibboleth avoids bothering the user with a lot of re-authentications

slide-13
SLIDE 13

Ordinary Shibboleth Auth Flow

Figure: Browser, SP, IdP
  Browser → SP: GET http://example.com/doc/
  SP → Browser: redirect to the IdP
  Browser → IdP: POST ID and password
  IdP → Browser: redirect to the SP endpoint
  Browser → SP: POST https://example.com/Shibboleth.sso/SAML2/…
  SP → Browser: Set-Cookie: LH741Q…
  Browser → SP: GET http://example.com/doc/  Cookie: LH741Q…
  (repeat)

slide-14
SLIDE 14

Proposed Auth Flow

Figure: Browser, Forward Proxy (Proxy module + SP module, https://proxy.net), IdP, Web Server (http://example.com)
  Browser → Proxy module: GET http://example.com/doc/
  Proxy module → Browser: redirect to GET https://proxy.net/Shibboleth.sso/Proxy/…
  SP module → Browser → IdP: authentication at the IdP
  Browser → SP module: POST https://proxy.net/Shibboleth.sso/SAML2/…
  SP module → Browser: redirect to GET http://example.com/Shibboleth.sso/Proxy/…
  Proxy module → Browser: Set-Cookie: LH741Q… (answered by the proxy in the name of example.com)
  Browser → Proxy module: GET http://example.com/doc/  Cookie: LH741Q…
  Proxy module → Web Server: GET http://example.com/doc/
  (repeat)

slide-15
SLIDE 15

The Role of New Endpoints

Figure: same flow as slide 14
  Browser → Proxy module: GET http://example.com/doc/
  Proxy module → Browser: redirect to GET https://proxy.net/Shibboleth.sso/Proxy/…
  Browser → SP module: POST https://proxy.net/Shibboleth.sso/SAML2/…
  SP module → Browser: redirect to GET http://example.com/Shibboleth.sso/Proxy/…
  Proxy module → Browser: Set-Cookie: LH741Q…
  Browser → Proxy module: GET http://example.com/doc/  Cookie: LH741Q…
  (repeat)

  • https://proxy.net/Shibboleth.sso/Proxy/… gathers requests to all EJ sites into only one hostname, to reduce the patterns of SP metadata. "proxy.net" is registered as the SP in this example.
  • http://example.com/Shibboleth.sso/Proxy/… copes with the session cookie restriction: the forward proxy pretends to be the web server when the session cookie is issued (Set-Cookie).

slide-16
SLIDE 16

IMPLEMENTATION AND EVALUATIONS


slide-17
SLIDE 17

Implementation

  • Shibboleth-auth-capable forward proxy (shibproxy) based on
    – Shibboleth SP 2.4.2
      • 880 lines of modification (diff -u style)
      • supports the new endpoints
    – Apache 2.2.17
      • Not modified
      • mod_proxy for the forward proxy
      • mod_rewrite for redirection to the new endpoints

slide-18
SLIDE 18

Experiments and Results

  • Prepare a PAC file which directs the browser to
    – shibproxy for restricted-access EJ sites
    – the University's official anonymous forward proxy for other sites
    (PAC: Proxy Auto-Configuration, written in JavaScript)
  • Visit several EJ sites with 5 popular browsers
    – IE8, Safari, Firefox, Opera and Chrome
  • shibproxy works well
    – Users can access EJ sites through shibproxy
    – Authentication is required only once
    – Single Sign-On with ordinary SPs works well
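A PAC file of the kind used in the experiment, as an added example that is not the slides' own file: the proxy addresses and the list of EJ domains are assumed, and the HTTPS branch is my addition following the HTTPS limitation stated under Future Work (shibproxy handles plain HTTP only). Browsers supply `dnsDomainIs` and `shExpMatch` themselves; the two definitions at the top are simplified stand-ins so the script also runs under Node.

```javascript
// Added example, not the slides' own PAC file: a Proxy Auto-Configuration script of
// the kind slide 18 describes. The proxy addresses and the EJ domain list are assumed;
// the HTTPS branch is my addition, following slide 20 (shibproxy handles HTTP only).
// Browsers supply dnsDomainIs and shExpMatch; the two definitions below are simplified
// stand-ins so that the file also runs under Node for testing.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, shexp) {
  var re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

var SHIBPROXY = 'PROXY proxy.net:8080';          // assumed address of shibproxy
var ANON_PROXY = 'PROXY anonproxy.example:8080'; // assumed campus anonymous forward proxy

// Restricted-access E-Journal sites (assumed list; leading dot = every host under it).
var EJ_DOMAINS = ['.example.com', '.ej-publisher.example'];

function FindProxyForURL(url, host) {
  // shibproxy cannot authenticate a CONNECT tunnel, so HTTPS bypasses it.
  if (shExpMatch(url, 'https:*')) return ANON_PROXY;
  for (var i = 0; i < EJ_DOMAINS.length; i++) {
    if (dnsDomainIs(host, EJ_DOMAINS[i])) return SHIBPROXY;
  }
  return ANON_PROXY;
}
```

Only `FindProxyForURL` is evaluated by the browser; it is deliberately written with `var` and without newer syntax because PAC engines in the browsers listed on the slide predate ES2015.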

slide-19
SLIDE 19

Some Problems and Solutions

  • Third-party cookie problems
    – Some EJ sites use multiple host names, e.g. www.example.com and portal.example.com (sibling servers under example.com)
    → Send the "Set-Cookie" header with the "domain=.example.com" attribute
  • No cookie is sent for some requests
    – favicon.ico
    – OpenSearch
    → Pass through the requests whose URL matches a regular expression (e.g. /favicon\w*.ico$/)
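The cookie behaviour that forces the design on slides 12 and 15, and the two fixes on this slide, can be exercised in a small model. This is an added example, not shibproxy's code: the browser side is a minimal cookie jar following the RFC 6265 domain-matching rules, the proxy side decides per request whether to relay, pass through, or send the browser to the phantom URL, and the cookie name `_shibsession`, the hosts and the OpenSearch pattern are assumptions.

```javascript
// Added example, not the slides' shibproxy code: a model of the browser cookie
// behaviour behind slides 12, 15 and 19, and of the proxy decisions it forces.
// The browser files a Set-Cookie under the host it believes answered the request,
// so a proxy that answers the phantom URL http://<host>/Shibboleth.sso/Proxy/...
// itself gets its session cookie stored under <host>. Domain matching follows
// RFC 6265 section 5.1.3; the cookie name, value and hosts are constructed.

function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Minimal browser cookie jar distinguishing host-only cookies from Domain= cookies.
class CookieJar {
  constructor() { this.cookies = []; }

  // Store a Set-Cookie header from a response to a request for responseHost.
  // Returns false when the browser would reject it (Domain not covering the host).
  store(responseHost, setCookie) {
    const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    let domain = responseHost.toLowerCase(), hostOnly = true;
    for (const attr of attrs) {
      const [k, v] = attr.split('=');
      if (k.toLowerCase() === 'domain' && v) {
        const d = v.replace(/^\./, '').toLowerCase();
        if (!domainMatches(responseHost, d)) return false;
        domain = d;
        hostOnly = false;
      }
    }
    this.cookies = this.cookies.filter((c) => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // The Cookie header the browser would attach to a request for host.
  cookieHeaderFor(host) {
    return this.cookies
      .filter((c) => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Slide 19: requests that never carry the session cookie are relayed without
// authentication. The favicon pattern is the slide's; the OpenSearch one is assumed.
const PASS_THROUGH = [/favicon\w*\.ico$/i, /opensearch\w*\.xml$/i];
function shouldPassThrough(path) {
  return PASS_THROUGH.some((re) => re.test(path));
}

// Proxy decision for one request. cookieDomain is null for a host-only cookie, or the
// domain (e.g. 'example.com') to emit as Domain=, as slide 19 proposes for sibling hosts.
function proxyDecide(jar, host, path, sessionId, cookieDomain) {
  if (shouldPassThrough(path)) return 'relay without auth';
  if (jar.cookieHeaderFor(host).split('; ').includes(`_shibsession=${sessionId}`)) return 'relay';
  // No session cookie reaches the proxy for this host. After SSO the proxy answers the
  // phantom URL under this host itself, so the browser stores the cookie for it.
  const attr = cookieDomain ? `; Domain=.${cookieDomain}` : '';
  jar.store(host, `_shibsession=${sessionId}${attr}`);
  return 'redirect to phantom URL';
}
```

Running the same session against `www.example.com` and then `portal.example.com` shows the sibling-host problem (a host-only cookie is not sent to the sibling, so the proxy has to redirect again) and why `Domain=.example.com` removes it, while a third, unrelated site always starts a new redirect, which is where Shibboleth SSO keeps the user from being prompted again.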

slide-20
SLIDE 20

Future Work

  • Support HTTPS
    – Our proposal cannot support HTTPS
    – Shibproxy cannot intercept cookies in an HTTPS session (the proxy only sees the CONNECT tunnel)
    → Reverse proxy, wildcard certificate, or modification of the protocol
  • Hybrid Proxy (forward proxy + reverse proxy)
    – HTTP → forward proxy
    – HTTPS → reverse proxy
    – Both can run on one host
    – Both support Shibboleth SSO authentication

slide-21
SLIDE 21

Conclusion

  • Shibboleth-capable forward proxy
    – We will use the proxy to access E-Journal sites
    – The proxy pretends to be the web server when cookies are issued
  • Some problems and solutions
    – Third-party cookies → add the "domain" attribute
    – No cookie is sent for some resources → pass them through, specified by a regular expression
  • Future work
    – Hybrid forward/reverse proxy for both HTTP and HTTPS

slide-22
SLIDE 22

HTTPS Through Forward Proxy

Figure: Browser, Forward Proxy, Web Server (example.com)
  Browser → Forward Proxy: CONNECT example.com:443
  Forward Proxy → Browser: 200 OK (tunnel established)
  Browser ⇄ Web Server, SSL encrypted through the tunnel: GET /doc … 200 OK
  The proxy relays opaque bytes and can neither read nor inject headers such as Set-Cookie.

slide-23
SLIDE 23

Phantom URL

Figure: same flow as slide 14
  Browser → Proxy module: GET http://example.com/doc/
  Proxy module → Browser: redirect to GET https://proxy.net/Shibboleth.sso/Proxy/…
  Browser → SP module: POST https://proxy.net/Shibboleth.sso/SAML2/…
  SP module → Browser: redirect to the phantom URL http://example.com/Shibboleth.sso/Proxy/…
  Browser → Proxy module: GET http://example.com/Shibboleth.sso/Proxy/…
  Proxy module → Browser: Set-Cookie: LH741Q… (cookie for the web server; the proxy answers the phantom URL itself instead of relaying it)
  Browser → Proxy module: GET http://example.com/doc/  Cookie: LH741Q…
  Proxy module → Web Server: GET http://example.com/doc/
  (repeat)

slide-24
SLIDE 24

PROPOSAL OVERVIEW


slide-25
SLIDE 25

Icons

Legend of the icons used in the figures: Origin Server, DS, IdP, Proxy, Browser, SP; "Cookie: LH741Q…" marks the session cookie.