Lets get a federated identity Do you have access to your email? - - PowerPoint PPT Presentation

lets get a federated identity
SMART_READER_LITE
LIVE PREVIEW

Lets get a federated identity Do you have access to your email? - - PowerPoint PPT Presentation

Jan 22, 2023 34 likes •109 views

Lets get a federated identity Do you have access to your email? Youll need a valid email address Intro to Federated Identity Do you have an account from Protect Network or Twitter You can skip ahead! EuroCAMP Training for

slide-1
SLIDE 1

1

Intro to Federated Identity

EuroCAMP Training for APAN32 This work is licensed under a Creative Commons

Attribution‐ShareAlike 3.0 Unported License.

Lets get a federated identity

  • Do you have access to your email?

– You’ll need a valid email address

  • Do you have an account from…

– Protect Network

  • r Twitter

– You can skip ahead!

  • If not lets create a Feide OpenIdP Account?
  • If not, lets create a Feide OpenIdP Account?

– Visit http://openidp.feide.no/

Feide OpenIdP

– Click on “Register a new user account”

Enter your email address

slide-2
SLIDE 2

2

Check your email

  • Fill in:

Complete your registration

– User ID – Given name – Surname – Email (already completed) – New password (and Retype new password) New password (and Retype new password)

Success!

– You now have an account you can use for federated authentication. – The OpenIdP is your Identity Provider.

Lets use our federated identity

  • Visit https://foodl.org/foodle/APAN32‐4e554
slide-3
SLIDE 3

3

Login with your account…

– This is the Feide OpenIdP (but you could use Twitter Protect Network or 445 other sites) Twitter, Protect Network or 445 other sites). – This feature of the Feide OpenIdP tells you about the information you are sending to a service

Consent Screen

the information you are sending to a service.

Now complete the survey…

  • Secret Survey Questions revealed!
  • You can even add a comment (click on the

stack of notes).

  • You visited a Service Provider (SP) – Foodle

What just happened?

– But this service required you to login

  • Then asked to choose a federated account

– You could have selected from a range of accounts

  • Logged in using an Identity Provider (IdP)

Whi h k d h th t d d t il – Which asked whether you wanted your details sent back to Foodle

  • Returned to Foodle to access the survey
slide-4
SLIDE 4

4

  • As a diagram…

What just happened?

  • 1. Access SP (x)
  • 2. Choose IdP (1)
  • 3. Login
  • 4. Consent
  • 5. Access
  • 5. Access
  • WARNING: Technical explanation follows!

  • r skip ahead.

Sh m

Architecture SAML/Shibboleth v2.x

DS r der

HTTP redirect HTTP interaction

Webserver

hibboleth

  • dule

x

User Agent/Browser

Identity Provid

Service Provider

Shibboleth service

14

Identity Provider

Webserver

SAML2.0 profile: Web browser SSO + HTTP POST binding Initial request from UA to document X No active Shibboleth session, UA redirected to DS

Sh m

Architecture SAML/Shibboleth v2.x

DS r der

HTTP redirect HTTP interaction

SP takes back t l

Webserver

hibboleth

  • dule

x

User Agent/Browser

Identity Provid

control

Service Provider

Shibboleth service

15

Identity Provider

Webserver

DS asks UA to choose an IdP (if not already set in cookie) Redirect UA back to SP with selected IdP as parameter.

Sh m

Architecture SAML/Shibboleth v2.x

DS r der

HTTP redirect HTTP interaction

Webserver

hibboleth

  • dule

x

User Agent/Browser

Identity Provid

Service Provider

Shibboleth service

16

Identity Provider

Webserver

SP sends SAML Authentication request to the IdP. IdP prompts the UA for credentials, if necessary. IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)

slide-5
SLIDE 5

5

Sh m

Architecture SAML/Shibboleth v2.x

DS r der

HTTP redirect HTTP interaction

Webserver

hibboleth

  • dule

x

User Agent/Browser

Identity Provid

SAML response

Service Provider

Shibboleth service

17

Identity Provider

Webserver

The IdP resolves and filters the principal’s attribute information and constructs a SAML assertion. This assertion can optionally be signed and/or encrypted. Next, the IdP POSTs a response to the SP. SAML response

  • Authentication statement
  • Attribute statement

Sh m

Architecture SAML/Shibboleth v2.x

DS r der

HTTP redirect HTTP interaction

Webserver

hibboleth

  • dule

x

User Agent/Browser

Identity Provid

Service Provider

Shibboleth service

18

Identity Provider

Webserver

The Shibboleth service decrypts, verifies and filters the response and gives it to the Shibboleth module (via RPC or TCP). The Shibboleth module or Webserver will authorise the principal.

No callback!

Sh m

Architecture SAML/Shibboleth v2.x

DS r der

HTTP redirect HTTP interaction

Webserver

hibboleth

  • dule

x

User Agent/Browser

Identity Provid

Service Provider 2

Shibboleth service

19

Identity Provider

Webserver

Again, the active sessions with every component will provide the single sign-on experience.

  • Can I use this account for anything else? Yes…

What’s next?

– simpleSAML translation portal

  • http://translation.rnd.feide.no Single sign on!
  • Only allows Feide OpenIdP
  • Portal is used to translate simpleSAML, Foodle and
  • ther tools.

TERENA C f S t – TERENA Conference System

  • http://tnc2011.terena.org/ Click “Sign in” and search

for ‘openidp’ or look in the “Guest providers” tab.

  • But you don’t want all your users to sign up

for a separate account!

slide-6
SLIDE 6

6

  • How big is your problem?

Building your own…

  • Skills required

– More complex than just configuration.

  • Available solutions

– Open Source and Commercial Options

H d I i l t thi ?

  • How do I implement this?
  • How big is your problem?

How big is your problem?

– Use Google to search for:

  • site:auca.kg login or site:your.domain sign‐in

– Adjust your search and look at all the pages that ask for login information. Confusing?

  • Then make a spreadsheet…

p

  • Concentrate on the skills you have or those

t t d l

Skills required…

you want to develop.

  • simpleSAMLphp

– PHP – Multi‐lingual support – Linux Windows or Mac Linux, Windows or Mac

  • Shibboleth

– IdP is Java – Runs within Apache Tomcat

  • Both are free software.
  • For each “product” or website work out:

Available Solutions…

– Programming Language (PHP, Perl, Java) – Webserver (e.g. Apache or Microsoft IIS) – Operating system (Windows, Linux, Mac)

  • Search for plug‐ins or modules

– Support for simpleSAMLphp or Shibboleth might – Support for simpleSAMLphp or Shibboleth might already be included.

  • Can use a combination

– simpleSAMLphp AND Shibboleth are compatible!

slide-7
SLIDE 7

7

  • Self study course to build a federated

i t f i ti

Setup your own environment…

environment for your organisation.

  • We’ll cover:

– Setting up an Identity Provider (eg Feide OpenIdP)

  • Adding modules like Consent

– Protecting a service with Federated Protecting a service with Federated Authentication

Our building blocks…

  • VirtualBox to run your VM, or
  • TATA Instacompute
  • Supplied VM image
  • simpleSAMLphp IdP
  • Shibboleth SP