AAI with simpleSAMLphp Marina Vermezović Academic Network of Serbia -AMRES EIFL, 15.12.2011

AAI with simpleSAMLphp

Marina VermezovićAcademic Network of Serbia -AMRES

EIFL, 15.12.2011.

Content

AAI and Federated Identity

simpleSAMLphp

Federation structures

AMRES AAI deployment

Akademska mreža Srbijewww.amres.ac.rs

2

Let’s make a start point

If you want to:

You need to:

How do you do this:


3


If you want to: offer web services – e-books, e-magazines

You need to:

How do you do this:


4



You need to:Control access to those web services Make services user personalized

How do you do this:


5



You need to:Control access to those web services Make services user personalized

How do you do this:Authentication - who is your user? Authorization - what she can do?AAI - Authentication and authorization infrastructure makes access to protected services easier


6

Without AAI


wireless

Faculty A

Service Providers

Library B

Service Providers

videoconference

e-learning

Student portal

wireless

e-books

7

Without AAI


wireless

Faculty A

Service Providers

Library B

Service Providers

Auth

videoconference

e-learning

Student portal

wireless

e-books

8

Without AAI


wireless

Faculty A

Service Providers

Library B

Service Providers

Auth Autz

videoconference

e-learning

Student portal

wireless

e-books

9

Without AAI


wireless

Faculty A

Service Providers

Library B

Service Providers

Auth Autz

videoconferenceAuth Autz

e-learning

Student portal

wireless

e-books

10

Without AAI


wireless

Faculty A

Service Providers

Library B

Service Providers

Auth Autz

videoconferenceAuth Autz

e-learningAuth Autz

Student portalAuth Autz

wirelessAuth Autz

e-booksAuth Autz

11

With AAI


Faculty A

wireless

Service Providers

videoconference

e-learning

Student portal

Library

wireless

Service Providers

e-books

With AAI


Faculty A

Identity Management

wireless

Identity provider

Service Providers

videoconference

e-learning

Student portal

Library

wireless

Service Providers

e-books

With AAI


Faculty A

Identity Management

wireless

Identity provider

Service Providers

videoconference

e-learning

Student portal

Auth

Library

wireless

Service Providers

e-books

With AAI


Faculty A

Identity Management

wireless

Identity provider

Service Providers

videoconference

e-learning

Student portal

Auth

Library

wireless

Service Providers

e-books

With AAI


Faculty A

Identity Management

wireless

Identity provider

Service Providers

videoconference

e-learning

Student portal

Auth

Library

wireless

Service Providers

e-books

AutzAutz

AutzAutz

AutzAutz

AutzAutz

AutzAutz

AutzAutz

AAI Architecture and Roles


Identity Provider

Service Provider

Federation operator



Identity Provider

Service Provider

Federation operator

• Identity Management• Authentication• Release of user

Attributes• Preserving user privacy



Identity Provider

Service Provider

Federation operator



• Controls Access to resource

• Authorization• Personalized user

service



Identity Provider

Service Provider

Federation operator

• Defines technologies used• Admits IdPs and SPs to federation –provides

metadata• Can provide some of federation services

centrally:• Discovery Service• Metadata management• SSO, SLO, consent, Attribute Handling





service



Identity Provider

Service Provider

Federation operator

CIRCLE OF TRUST

• Defines technologies used• Admits IdPs and SPs to federation –provides

metadata• Can provide some of federation services

centrally:• Discovery Service• Metadata management• SSO, SLO, consent, Attribute Handling





service

Decide for technology and software

De-facto standard in Academic identity federations: SAMLSoftware:

ShibbolethCreated by Internet2 (U.S.)IdP: Java, needs TomcatSP: C++, Apache module

SimpleSAMLphpCreated by UNINETT (Norway)Both IdP and SP, written in PHP


22

SimpleSAMLphp

What are key-point simpleSAMLphp functionalities ?

Let’s see what simpleSAMLphp can do from an example of user accessing web service..


23

SP point of view.. – protect Access

Allows access to resource only to legitimate users


24

SP point of view.. – IdP Discovery

Before redirecting user to its IdP, SP needs to discover what is a user’s IdPWith simpleSAMLphp you can:

Implement centralized discovery service by Federation Operator


25

SP point of view.. – IdP Discovery

Before redirecting user to its IdP, SP needs to discover what is a user’s IdPWith simpleSAMLphp you can:

Implement centralized discovery service by Federation Operator Implement built-in discovery service on SP side; works by displaying IdP entries from metadata


26

Idp point of view.. - Authentication

User is redirected to IdP site, where she is asked to enter u/pThus process of authentication is started


27

Idp point of view.. - Authentication

When IdP gets u/p, IdP must authenticate user against some database

Authentication methods that come with simpleSAMLphp distribution:

LDAPSQLRADIUSList of username/password Open ID, Facebook, Tweeter, MySpace, LinkedIn,..…

If you don’t find your authentication source on the list, you can make custom authentication module


28


Idp point of view.. - Identity Management

Regardless in which database user Identities are stored, it is important that data about user is correct

IdM : set of procedures and rules which define:1. Who has the right to own digital identity2. When is digital identity assigned to a person3. How is digital identity maintained4. How is the digital identity used5. How is the digital identity terminated

Must comply with national personal data protection lawEU Data Protection Directive 29

Idp point of view.. - Attribute Release

After user is authenticated, IdP can release some attributes about user to SP

But some principles are important !

General rules: release only attributes which SP really needsrelease attributes upon pre-agreed syntax (schemas)

With simpleSAMLphp, IdP can :• Filter out a subset of available attributes that are sent

to a SP• Modify name or values of attributes• Add new attributes• Generate new attributes that are composed of others


30

Idp point of view.. - Consent

Before Attribute Release, IdP can ask user about consent for releasing user ‘s data

This is very important from the perspective of national and international laws about protection of users data

EU Data Protection Directive: Consent—data should not be disclosed without the data subject’s consent;


31

Idp point of view.. - Consent


32

Consent module is available in simpleSAMLphp

SP point of view .. - Attribute processing

Attributes help SP to:

Make authorization decisionsStudents/employees have different permissions


33




Make personalized services to usersSP needs persistent user Id so he can save users preferences


34




Make personalized services to usersSP needs persistent user Id so he can save users preferences

User gets some additional serviceSP needs users e-mail address to send e-mail notifications


35

Decide for Federation architecture

3 possibilities:Full meshCentralizedHub and spoke

Choosing one is very important because it heavily depends on state institutions are in..


36

Institution BInstitution A

Full mesh

37

Identity Provider

Service Provider

Federation operator

Discovery service

Federation

metadata

SSO,SLO

Consent Discove

ry Service

Identity Management

Atr. Filt.

Auth

Autz


Full mesh

Akademska mreža Srbijewww.amres.ac.rs 38

Identity Provider

Service Provider

Federation operator

Discovery service

Federation

metadata

SSO,SLO

Consent Discove

ry Service

Identity Management

Atr. Filt.

Auth

Autz

Institution C

Identity Provider

SSO,SLO

Consent

Identity Management

Atr. Filt.

Auth

Institution D

Service Provider

Discovery

ServiceAutz


Hub and spoke

39

Identity Provider

Service ProviderFederation operator

Discovery service

Federation metadata

Discovery

ServiceIdentity Management

Auth

Autz

SSO,SLO

Consent

Atr. Filt.


Hub and spoke

40

Identity Provider

Service ProviderFederation operator

Discovery service

Federation metadata

Discovery

ServiceIdentity Management

Auth

Autz

Institution D

Service Provider

Discovery

ServiceAutzSSO,SL

O

Consent

Atr. Filt.

Institution C

Identity Provider

Identity Management

Auth

Federation operator

Institution B Institution A

Centralized


41

Identity Provider

Service Provider

Discovery service

Federation metadata

SSO,SLO

Consent

Discovery

ServiceIdentity

Management

Atr. Filt.

Auth

Autz

Federation operator

Institution B Institution A

Centralized


42

Identity Provider

Service Provider

Discovery service

Federation metadata

SSO,SLO

Consent

Discovery

ServiceIdentity

Management

Atr. Filt.

Auth

Autz

Institution C

Identity Management

Institution D

Service Provider

Discovery

ServiceAutz

AMRES AAI

What was our start point:Institution administrators have less knowledgeInstitutions have different databases => no centralized federationNo institution has its own SSO

We decided for: simpleSAMLphp Full-mesh with making it as much as possible lightweight: metadata management tool, attribute release recommendations, ...


43

AMRES AAI

We have set-up test environmentNext steps:

Make hands-on workshop with few chosen institutions which will continue in PILOT AAIGet experiences in PILOT, evaluate chosen solution, make some changes if neededStart PRODUCTION, continue with workshopsGet /deploy new user services which would attract institutions


44

Thank you for your attention

Questions ?

or write [email protected]


45

Documents

AAI with simpleSAMLphp Marina Vermezović Academic Network of Serbia -AMRES EIFL, 15.12.2011