Upload
reynard-higgins
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
MyAccess Workshop
Integrating with UCSF’s Shibboleth system
Elliot Kendall, ITSMyAccess Workshop
July 16, 2007
2
Introduction
• Elliot Kendall, ITS Identity and Access Management (IAM)
– Started at UCSF in July
– Previously ran web single-sign on at Emory and Brandeis
– Interested in Information Security and Systems Automation
• Please ask questions!
– You don’t need to wait until the end
– Please stop me if there’s something you want to ask
3
What MyAccess does
• Single sign-on
– Enter your password once, access many resources
• User Information
– Tells the application the name, email address, etc. of the logged in user
• Federation
– Use your UCSF credentials to log into non-UCSF systems, and let others log into your systems
• Security
– Applications and sites don’t see your password, just that you are logged in
4
MyAccess and Shibboleth
• MyAccess is UCSF-branded Shibboleth
– Shibboleth is an Internet2 project to support federated authentication among colleges and universities
• Shibboleth is an implementation of SAML
– Security Assertion Markup Language
– An XML-based protocol for federated authentication
• MyAccess works with Shibboleth or other SAML
– Most universities use Shibboleth, but we can integrate with anything that supports SAML
– This workshop will focus on Shibboleth
5
Terms and concepts
• Identity Provider (IdP)
– What users log into
– Displays login page, validates username and password, looks up attributes about the user
– Tells SPs who is logged in
• Service Provider (SP)
– Protects an application or website
– Sends users to the IdP to authenticate
– Reads the attribute information from the IdP
6
How it works
MyAccess (IdP)
PeopleSoft (SP)
User’s Browser
Visit PeopleSoft website
User is not logged in
7
How it works
MyAccess (IdP)
PeopleSoft (SP)
User’s Browser
Redirect to IdP with encrypted SAML request
Visit IdP with encrypted SAML request from SP
8
How it works
MyAccess (IdP)
PeopleSoft (SP)
User’s Browser
Display login page
9
How it works
MyAccess (IdP)
PeopleSoft (SP)
User’s Browser
Send username and password
10
How it works
MyAccess (IdP)
PeopleSoft (SP)
User’s Browser
Visit PeopleSoft website with encrypted SAML response from IdP
Redirect to PeopleSoft website with encrypted SAML response
SAML response is from a trusted IdP
11
How it works
MyAccess (IdP)
PeopleSoft (SP)
User’s Browser
Return logged in PeopleSoft page
12
Terms and concepts
• Metadata
– To communicate securely, the IdP and SP must have a copy of one another’s metadata
– Contains cryptographic public keys and URLs to redirect the user’s browser to
• Federation
– A group of organizations that wants to be able to cross-authenticate
– Essentially just a big collection of metadata
– UCSF is part of InCommon, a federation of US colleges, universities, and companies that work with them; and UCTrust, which includes all UC schools
13
Hands on
• Setting up your own SP
– To integrate with MyAccess, you or your vendor needs to set up and configure an SP to talk to our IdP
– We’ll go through the process of a simple integration step by step, using the VMware image you received before class. This is a simplified example! Please do not use these instructions to set up a production SP!
• Warning: technical detail ahead!
– The VM is running Linux. You will need to use a command line interface, although we will tell you what to type. You will need to edit XML files, although we will provide detailed instructions
14
Booting the VM
• If you have not already, please start the VM now
– Once it finishes starting up, log in with username root and password ucsf
– Run a terminal (second icon from the left at the bottom of the screen)
• This VM is running CentOS 5 (almost the same as RedHat Enterprise 5)
– No special configuration has been done. We’ll do everything necessary to integrate with MyAccess
– The steps are different for different operating systems, but the concepts are the same
15
Installing Shibboleth
• Enable an external package repository
– In the terminal, type:
wget http://goo.gl/VNZNL -O /etc/yum.repos.d/shibboleth.repo
That’s goo.gl as as “Google”
• Install the Shibboleth SP packageyum –y install shibboleth
16
Configuring Shibboleth
• Look at some configuration files
– Leave the terminal open, but start the text editor (to the right of the terminal icon)
– To open a file, go to File -> Open and start typing the name, or browse from File System under Places
– Open /etc/httpd/conf.d/shib.conf. This file controls how the Apache web server interacts with Shibboleth. Note the <Location> block that specifies that the /secure path will be protected. We don’t need to make any changes for this example.
– Open /etc/shibboleth/shibboleth2.xml. This file controls the guts of the SP. There’s a lot in here, but you don’t need to worry about most of it. Don’t be intimidated.
17
Configuring Shibboleth
• Find <ApplicationDefaults entityID=
– For entityID, enter https://localhost/ followed by your AD username. For example, https://localhost/ekendall
• Find <SSO entityID=
– For entityID, enter:
https://idp-dev.ucsf.edu/idp/shibboleth
• Find <MetadataProvider type="XML" file=
– For file, enter idp-metadata.xml
– Remove the <!-- and --> lines just before and after
• Save the file
18
Starting the SP
• Download a copy of the IdP metadatawget https://idp-dev.ucsf.edu/idp/shibboleth -O
/etc/shibboleth/idp-metadata.xml
• Start the SP and web server/etc/init.d/shibd start
/etc/init.d/httpd start
• Log into your SP
– Open Firefox (globe icon, second from the right)
– Navigate to https://localhost/secure/
• What happened?
– The IdP doesn’t have your SP’s metadata, so it doesn’t know where to send users after they log in
19
Submitting your metadata
• Download a copy of your SP’s metadata
• Make sure you type “https” not “http”!wget --no-check-certificate
https://localhost/Shibboleth.sso/Metadata
• Submit it
– In Firefox, go to https://myaccess2-dev.ucsf.edu/workshop/
– Upload your Metadata file
• Wait
– It’ll take a few minutes for me to add all of your metadata to the IdP
20
Logging in
• Let’s try it again
– In Firefox, go back to https://localhost/secure
– What happens this time?
21
A production SP
• What would be different?
– Different path(s) protected in shibd.conf
– Different IdP – production, not dev
– (Maybe) load InCommon metadata, not just our IdP
– Automatically download and validate new metadata on a regular basis
– Modify your application to look at the REMOTE_USER environment instead of prompting for a username and password
– Maybe integrate with multiple IdPs so people from outside UCSF can log in
22
Integration process
• See tiny.ucsf.edu/myaccess
• Highlights include
– Read and agree to division of responsibilities
– Determine what information you need about users
– Configure your SP
– Submit a formal request
– Wait for data owners to approve information release
– Communicate to your users
– Production deployment
23
Questions?