design and implementation of web forward proxy with
play

Design and Implementation of Web Forward Proxy with Shibboleth - PowerPoint PPT Presentation

Mar 15, 2023 •161 likes •415 views

Design and Implementation of Web Forward Proxy with Shibboleth Authentication Shibboleth Authentication KOMURA Takaaki Kyoto University SANO Hiroaki Kyoto University Library DEMIZU Noritoshi OCTOPATH corporation MAKIMURA Ken OCTOPATH corporation

  1. Design and Implementation of Web Forward Proxy with Shibboleth Authentication Shibboleth Authentication KOMURA Takaaki Kyoto University SANO Hiroaki Kyoto University Library DEMIZU Noritoshi OCTOPATH corporation MAKIMURA Ken OCTOPATH corporation SAINT 2011 WS (MidArch) @ Munich 2011/07/21

  2. Contents Contents • Proposal Overview • Background • Proposal Details • Implementation and Evaluations Implementation and Evaluations 2

  3. Proposal Overview Proposal Overview • Shibboleth Authentication introduced into proxy authentication scheme (Proxy ‐ Auth) p y ( y ) Shibboleth IdP (Identify Provider) (2) Authentication by IdP ( ) (1) Try to access via Proxy y y (3) Access via Proxy (4) Proxy relay request F Forward Proxy d P Web Browser Web Server Shibboleth SP (Service Provider) 3

  4. BACKGROUND 4

  5. Necessity of Proxy and Proxy Auth Necessity of Proxy and Proxy ‐ Auth Th Three reasons • Gateway from private network to the Internet • Rapid incident response • Keep track of access statistics for E ‐ Journal (EJ) sites i – License fee of EJ will be charged for departments depending on the number of downloading papers depending on the number of downloading papers → Forward Proxy for EJ has been installed in our → Forward Proxy for EJ has been installed in our university since 2006 5

  6. Forward Proxy Forward Proxy Web Server Web Server Browser Browser Forward Proxy Forward Proxy http://example.com GET http://example.com/doc GET http://example com/doc GET http://example.com/doc 200 OK 200 OK 6

  7. Authentication to use Forward Proxy Authentication to use Forward Proxy Web Server Web Server Browser Browser Forward Proxy Forward Proxy http://example.com GET http://example.com/doc 407 Proxy Auth Required Proxy Authenticate: Basic Proxy-Authenticate: Basic realm="XXXXXX" GET http://example.com/doc Proxy-Authorization: Basic BASE64ENC== re GET http://example com/doc GET http://example.com/doc epeat 200 OK 200 OK 200 OK 7

  8. Problems of Existing Proxy Auth Problems of Existing Proxy ‐ Auth • BASIC Authentication S C h i i – User ID and password travel in plain text across the network th t k • Digest Authentication – The proxy needs Users’ raw password => Security risk is increased • No method exists to distinguish proxy is real or fake – ID and password might be exploited by fake proxy 8

  9. Purpose and Proposal Purpose and Proposal Purpose • More secure Proxy ‐ Auth for users and administrators • No modification on web browsers – Modifications or plugins are unsuited to practical use Proposal • Shibboleth Authentication capable • Shibboleth Authentication ‐ capable forward proxy 9

  10. PROPOSAL DETAILS 10

  11. Basic Idea Basic Idea IdP Proxy as a SP Web Server (Identity Provider) (Identity Provider) Browser Browser (Service Provider) GET http://example.com/doc http://example.com 302 HTTP redirect Auth Request (ID & password) Auth OK Issue session cookie Set-Cookie: LH741Q… Check session cookie and GET htt :// GET http://example.com/doc l /d relay remaining requests Cookie: LH741Q… repeat GET http://example.com/doc 200 OK 200 OK t 200 OK 11

  12. Session Cookie Restriction Session Cookie Restriction • Browsers send only the cookies which issued by the web server itself y – The proxy must pretend the web server when the cookies issue (Set ‐ Cookie) when the cookies issue (Set Cookie) – The proxy must issue new cookies whenever browser access to new web servers. → Single Sign ‐ On scheme of Shibboleth could avoid bothering for a lot of re ‐ authentications 12

  13. Ordinary Shibboleth Auth Flow Ordinary Shibboleth Auth Flow SP IdP Browser Browser GET http://example com/doc/ GET http://example.com/doc/ POST ID and password SP endpoint POST https://example.com/Shibboleth.sso/SAML2/… POST https //example.com/Shibboleth.sso/SAML2/ Set-Cookie: LH741Q… GET http://example.com/doc/ Cookie: LH741Q… repeat t 13

  14. Proposed Auth Flow Proposed Auth Flow Web Server Browser IdP Forward Proxy P Proxy SP SP module module https://proxy.net http://example.com GET http://example.com/doc/ GET https://proxy.net/Shibboleth.sso/Proxy/… POST https://proxy.net/Shibboleth.sso/SAML2/… GET http://example com/Shibboleth sso/Proxy/ GET http://example.com/Shibboleth.sso/Proxy/… Set-Cookie: LH741Q… GET http://example.com/doc/ Cookie: LH741Q… GET http://example.com/doc/ repe eat 14

  15. The Role of New Endpoints The Role of New Endpoints Web Server Browser IdP Forward Proxy Gather requests to all EJ sites into only one hostname to reduce patterns of SP metadata to reduce patterns of SP metadata. P Proxy SP SP “proxy.net” is registered as the SP in this example. module module https://proxy.net http://example.com GET http://example.com/doc/ GET https://proxy.net/Shibboleth.sso/Proxy/… POST https://proxy.net/Shibboleth.sso/SAML2/… GET http://example com/Shibboleth sso/Proxy/ GET http://example.com/Shibboleth.sso/Proxy/… Set-Cookie: LH741Q… GET http://example.com/doc/ Cookie: LH741Q… GET http://example.com/doc/ repe To cope with session cookie restriction To cope with session cookie restriction eat The forward proxy pretends the web server when session cookies is issued (Set ‐ Cookie) 15

  16. IMPLEMENTATION AND EVALUATIONS 16

  17. Implementation Implementation • Shibboleth auth capable forward proxy (shibproxy) based on ( p y) – Shibboleth SP 2.4.2 • 880 lines modification (diff –u style) 880 lines modification (diff u style) • supports new endpoints – Apache 2.2.17 Apache 2 2 17 • Not modified • mod_proxy for forward ‐ proxy d f f d • mod_rewrite for redirection to the new endpoints 17

  18. Experiments and Results Experiments and Results • Prepare PAC file which directs browser to P PAC fil hi h di t b t – shibproxy for restricted access EJ sites – University’s official anonymous forward proxy for University’s official anonymous forward proxy for other sites PAC: Proxy Auto ‐ Configuration written in JavaScript • Visit several EJ sites by 5 popular browsers Visit several EJ sites by 5 popular browsers – IE8, Safari, Firefox, Opera and Chrome • shibproxy work well – User can access EJ sites through shibproxy User can access EJ sites through shibproxy – Authentication is required only once – Single Sign ‐ On for ordinary SPs work well 18

  19. Some Problems and Solutions Some Problems and Solutions • Third party cookie problems Thi d t ki bl – Some EJ sites use multiple host name e g www example com and portal example com e.g. www.example.com and portal.example.com (sibling servers under example.com ) → Send “Set ‐ Cookie” header with “domain=.exmaple.com” attribute “d i l ” ib • No cookie is sent for some requests – favicon.ico f i i – OpenSearch – pass through the requests whose URL matches regular pass through the requests whose URL matches regular expression (e.g. /favicom₩w*.ico$/ ) 19

  20. Future Work Future Work • Support HTTPS S S – Our proposal can not support HTTPS – Shibproxy can not intercept cookies in HTTPS session → Reverse ‐ Proxy, wildcard certification or modification protocol difi i l • Hybrid Proxy (forward proxy + reverse proxy) – HTTP → forward proxy – HTTPS → reverse proxy – Both can run on one host – Both support Shibboleth SSO authentication 20

  21. Conclusion Conclusion • Shibboleth ‐ capable forward proxy Shibb l th bl f d – We will use the proxy to access to E ‐ Journal sites – The proxy pretends the web server when cookies The proxy pretends the web server when cookies issue • Some problems and solutions Some problems and solutions – Third party cookie → add “domain” attribute – No cookie is sent for some resources No cookie is sent for some resources → pass thorough them specified by REGEXP • Future work – Hybrid forward ‐ reverse proxy for both HTTP and HTTPS 21

  22. HTTPS Through Forward Proxy HTTPS Through Forward Proxy Web Server Web Server Browser Browser Forward Proxy Forward Proxy http://example.com CONNECT example.com:443 SSL encrypted GET http://example.com/doc 200 OK 22

  23. Phantom URL Phantom URL Web Server Browser IdP Forward Proxy P Proxy SP SP module module https://proxy.net http://example.com GET http://example.com/doc/ GET https://proxy.net/Shibboleth.sso/Proxy/… Redirect to Redirect to Phantom URL h phantom URL POST https://proxy.net/Shibboleth.sso/SAML2/… GET http://example com/Shibboleth sso/Proxy/ GET http://example.com/Shibboleth.sso/Proxy/… Set-Cookie: LH741Q… Cookie for the Web Server GET http://example.com/doc/ Cookie: LH741Q… GET http://example.com/doc/ repe eat 23

  24. PROPOSAL OVERVIEW 24

  25. icons icons Origin Server DS DS Proxy Proxy Browser Browser IdP IdP SP SP Cookei: LH741Q… Origin Server IdP DS Proxy Browser 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS

C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS

C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS @ardalis | ardalis.com | weeklydevtips.com t h s What problems does proxy solve? Objectives How is the proxy pattern structured? Apply the

779 views • 23 slides
SWEN 383 Software Design Principles & Patterns The Proxy Pattern Basic Proxy * Overview

SWEN 383 Software Design Principles & Patterns The Proxy Pattern Basic Proxy * Overview

SWEN 383 Software Design Principles & Patterns The Proxy Pattern Basic Proxy * Overview Joe and Mary want to sign a contract. Joe is in Canada. Mary is in Argentina. * Overview Joe asks Sandy to be a proxy for Mary. Mary asks Pedro to

467 views • 25 slides
I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing Anton Belka, antonbelka@gmail.com GUADEC 2013 The TM Conference GUADEC Proxy editing What is proxy editing? Proxy editing is the ability to

1.75k views • 143 slides
CPS 108, Fall 1999 Program Design and Implementation Software Design and Implementation

CPS 108, Fall 1999 Program Design and Implementation Software Design and Implementation

CPS 108, Fall 1999 Program Design and Implementation Software Design and Implementation Language independent principles of design and programming Object oriented programming and design design heuristics good design helps do away

295 views • 3 slides
Blind Proxy Voting Implementation roles Data flow Keys and hash Frantiek Hakl Key code

Blind Proxy Voting Implementation roles Data flow Keys and hash Frantiek Hakl Key code

Blind Proxy Voting Imple- mentation Frantiek Hakl Requirements Actors and Blind Proxy Voting Implementation roles Data flow Keys and hash Frantiek Hakl Key code example Ballot forms hakl@cs.cas.cz examples Matrix example

406 views • 21 slides
Decision on Proxy Demand Resource Margaret Miller Senior Market Design and Policy Specialist

Decision on Proxy Demand Resource Margaret Miller Senior Market Design and Policy Specialist

Decision on Proxy Demand Resource Margaret Miller Senior Market Design and Policy Specialist Board of Governors Meeting General Session September 10-11, 2009 Why do we need Proxy Demand Resource? ! Moves the ISO closer towards active demand

411 views • 6 slides
Complete+Cycle+for+Design DESIGN FABRICATE 8model 8synthesize IDEA 8mask+production+++

Complete+Cycle+for+Design DESIGN FABRICATE 8model 8synthesize IDEA 8mask+production+++

Implementation+Technologies We+can+implement a+design+with+many+different+ implementation+technologies+8 different+ implementation+technologies+offer+different+ tradeoffs HDL+Synthesis offers+an+easy+way+to+target+a+model+

395 views • 22 slides
Todays AGM Agenda Q&A Proxy 11:20 am 10:30 am 10:40 am Business 10:00 am Review

Todays AGM Agenda Q&A Proxy 11:20 am 10:30 am 10:40 am Business 10:00 am Review

Todays AGM Agenda Q&A Proxy 11:20 am 10:30 am 10:40 am Business 10:00 am Review Welcome 0 Forward-Looking Statements This presentation contains forward -looking statements or forward -looking information within the

434 views • 14 slides
The Design and Implementation of the W arp T ransactional F ilesystem Robert Escriva, Emin Gn

The Design and Implementation of the W arp T ransactional F ilesystem Robert Escriva, Emin Gn

The Design and Implementation of the W arp T ransactional F ilesystem Robert Escriva, Emin Gn Sirer Cornell University Symposium on Networked Systems Design and Implementation March 18, 2016 The Design and Implementation of WTF 1 / 28

443 views • 43 slides
Use of proxy indicators to monitor targets where indicators are currently Tier III : SDG 13

Use of proxy indicators to monitor targets where indicators are currently Tier III : SDG 13

Use of proxy indicators to monitor targets where indicators are currently Tier III : SDG 13 Seventh Meeting of the IAEG-SDGs 10 12 April 2018 Livia Hollins, UNFCCC/UN Climate Paris Agreement: adoption to implementation December 2015 (Paris):

257 views • 10 slides
Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre

Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre

Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre WAPpy and you know it. UAG ? WAP ? eGov ? 2 Topics This Why the County invested in WAP presentation will share: Capabilities

427 views • 20 slides
More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns

More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns

More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns Adapter Composite Decorator Proxy Behavioral design patterns Iterator Observer Strategy Template method

777 views • 16 slides
January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here.

January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here.

January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here. Based on our experience reviewing proxy statements for Maryland public companies, we would like to call your attention to certain matters of Maryland

272 views • 12 slides
Web kuohh Computer Center, CS, NCTU Outline Web hosting Basics Client-Server

Web kuohh Computer Center, CS, NCTU Outline Web hosting Basics Client-Server

Web kuohh Computer Center, CS, NCTU Outline Web hosting Basics Client-Server architecture HTTP protocol Static vs. dynamic pages Virtual hosts Proxy Forward proxy Reverse proxy 2 Computer Center, CS, NCTU

781 views • 34 slides
Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14

Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14

Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14 Description I Classification : Object-based structural pattern Also known as : Surrogate Purpose : Control access to a subject through

435 views • 14 slides
Digital Bridge Governance Principles Transparency: Stakeholders will have Utility: The governance

Digital Bridge Governance Principles Transparency: Stakeholders will have Utility: The governance

Digital Bridge Governance Principles Transparency: Stakeholders will have Utility: The governance body will prioritize visibility into the governance bodys work use of existing information technology and opportunities to provide

444 views • 29 slides
First Quarter Review 29 / January / 2016 Important Information NO OFFER OR SOLICITATION This

First Quarter Review 29 / January / 2016 Important Information NO OFFER OR SOLICITATION This

First Quarter Review 29 / January / 2016 Important Information NO OFFER OR SOLICITATION This communication is not intended to and does not constitute an offer to sell or the solicitation of an offer to subscribe for or buy or an invitation to

465 views • 33 slides
DSHS Grand Rounds . Logistics Registration for free continuing education (CE) hours or

DSHS Grand Rounds . Logistics Registration for free continuing education (CE) hours or

DSHS Grand Rounds . Logistics Registration for free continuing education (CE) hours or certificate of attendance through TRAIN at: https://tx.train.org Streamlined registration for individuals not requesting CE hours or a certificate of attendance

1.09k views • 88 slides
Globus MEDICUS Standards Based Enterprise Architecture for Medical Image Publication, Discovery,

Globus MEDICUS Standards Based Enterprise Architecture for Medical Image Publication, Discovery,

Globus MEDICUS Standards Based Enterprise Architecture for Medical Image Publication, Discovery, and Archiving in HealthGrids Stephan G. Erberich, Ann Chervenak, Robert Schuler, Laura Pearlman, Jonathan C. Silverstein, Carl Kesselman 2

803 views • 37 slides
The National Broadband Plan Challenges and Opportunities for the RLEC Industry June 30, 2010 1

The National Broadband Plan Challenges and Opportunities for the RLEC Industry June 30, 2010 1

The National Broadband Plan Challenges and Opportunities for the RLEC Industry June 30, 2010 1 Agenda Introduction and Overview of the NBP Glenn Brown Rural Alliance Association Panel Bob Gnapp NECA Tom Wacker NTCA Randy

693 views • 33 slides
Health, Consumption, and Inequality Jay H. Hong Josep Pijoan-Mas Jos e V ctor R

Health, Consumption, and Inequality Jay H. Hong Josep Pijoan-Mas Jos e V ctor R

Health, Consumption, and Inequality Jay H. Hong Josep Pijoan-Mas Jos e V ctor R os-Rull SNU CEMFI Penn and UCL ERC/UCL/IFSConference on Savings and Risks: Micro and Macro Perspectives IFS - December 2016 PRELIMINARY

923 views • 51 slides
Brian Robertson, Ph.D. Jason Maurice, Ph.D. Patrick Madden Presentation Contents Survey

Brian Robertson, Ph.D. Jason Maurice, Ph.D. Patrick Madden Presentation Contents Survey

Vermont Division of Health Care Administration 2005 Vermont Household Health Insurance Survey Brian Robertson, Ph.D. Jason Maurice, Ph.D. Patrick Madden Presentation Contents Survey Objectives Survey Methodology Primary Type of

1.13k views • 98 slides
Sub-mW Integrated Power Management Systems for Hearing aids Applications Yanhai Cao 1 , Frdric

Sub-mW Integrated Power Management Systems for Hearing aids Applications Yanhai Cao 1 , Frdric

Sub-mW Integrated Power Management Systems for Hearing aids Applications Yanhai Cao 1 , Frdric Hasbani 1 , Dennis land Larsen 1,2 , Kim Rasmussen 1 1 GN Hearing A/S, Denmark, 2 Technical University of Denmark 1 Modern hearing aids Overview

360 views • 23 slides

More recommend