MyAccess Workshop

Integrating with UCSF’s Shibboleth system

Elliot Kendall, ITSMyAccess Workshop

July 16, 2007

2

Introduction

• Elliot Kendall, ITS Identity and Access Management (IAM)

– Started at UCSF in July

– Previously ran web single-sign on at Emory and Brandeis

– Interested in Information Security and Systems Automation

• Please ask questions!

– You don’t need to wait until the end

– Please stop me if there’s something you want to ask

3

What MyAccess does

• Single sign-on

– Enter your password once, access many resources

• User Information

– Tells the application the name, email address, etc. of the logged in user

• Federation

– Use your UCSF credentials to log into non-UCSF systems, and let others log into your systems

• Security

– Applications and sites don’t see your password, just that you are logged in

4

MyAccess and Shibboleth

• MyAccess is UCSF-branded Shibboleth

– Shibboleth is an Internet2 project to support federated authentication among colleges and universities

• Shibboleth is an implementation of SAML

– Security Assertion Markup Language

– An XML-based protocol for federated authentication

• MyAccess works with Shibboleth or other SAML

– Most universities use Shibboleth, but we can integrate with anything that supports SAML

– This workshop will focus on Shibboleth

5

Terms and concepts

• Identity Provider (IdP)

– What users log into

– Displays login page, validates username and password, looks up attributes about the user

– Tells SPs who is logged in

• Service Provider (SP)

– Protects an application or website

– Sends users to the IdP to authenticate

– Reads the attribute information from the IdP

6

How it works

MyAccess (IdP)

PeopleSoft (SP)

User’s Browser

Visit PeopleSoft website

User is not logged in

7

How it works

MyAccess (IdP)

PeopleSoft (SP)

User’s Browser

Redirect to IdP with encrypted SAML request

Visit IdP with encrypted SAML request from SP

8

How it works

MyAccess (IdP)

PeopleSoft (SP)

User’s Browser

Display login page

9

How it works

MyAccess (IdP)

PeopleSoft (SP)

User’s Browser

Send username and password

10

How it works

MyAccess (IdP)

PeopleSoft (SP)

User’s Browser

Visit PeopleSoft website with encrypted SAML response from IdP

Redirect to PeopleSoft website with encrypted SAML response

SAML response is from a trusted IdP

11

How it works

MyAccess (IdP)

PeopleSoft (SP)

User’s Browser

Return logged in PeopleSoft page

12

Terms and concepts

• Metadata

– To communicate securely, the IdP and SP must have a copy of one another’s metadata

– Contains cryptographic public keys and URLs to redirect the user’s browser to

• Federation

– A group of organizations that wants to be able to cross-authenticate

– Essentially just a big collection of metadata

– UCSF is part of InCommon, a federation of US colleges, universities, and companies that work with them; and UCTrust, which includes all UC schools

13

Hands on

• Setting up your own SP

– To integrate with MyAccess, you or your vendor needs to set up and configure an SP to talk to our IdP

– We’ll go through the process of a simple integration step by step, using the VMware image you received before class. This is a simplified example! Please do not use these instructions to set up a production SP!

• Warning: technical detail ahead!

– The VM is running Linux. You will need to use a command line interface, although we will tell you what to type. You will need to edit XML files, although we will provide detailed instructions

14

Booting the VM

• If you have not already, please start the VM now

– Once it finishes starting up, log in with username root and password ucsf

– Run a terminal (second icon from the left at the bottom of the screen)

• This VM is running CentOS 5 (almost the same as RedHat Enterprise 5)

– No special configuration has been done. We’ll do everything necessary to integrate with MyAccess

– The steps are different for different operating systems, but the concepts are the same

15

Installing Shibboleth

• Enable an external package repository

– In the terminal, type:

wget http://goo.gl/VNZNL -O /etc/yum.repos.d/shibboleth.repo

That’s goo.gl as as “Google”

• Install the Shibboleth SP packageyum –y install shibboleth

16

Configuring Shibboleth

• Look at some configuration files

– Leave the terminal open, but start the text editor (to the right of the terminal icon)

– To open a file, go to File -> Open and start typing the name, or browse from File System under Places

– Open /etc/httpd/conf.d/shib.conf. This file controls how the Apache web server interacts with Shibboleth. Note the <Location> block that specifies that the /secure path will be protected. We don’t need to make any changes for this example.

– Open /etc/shibboleth/shibboleth2.xml. This file controls the guts of the SP. There’s a lot in here, but you don’t need to worry about most of it. Don’t be intimidated.

17

Configuring Shibboleth

• Find <ApplicationDefaults entityID=

– For entityID, enter https://localhost/ followed by your AD username. For example, https://localhost/ekendall

• Find <SSO entityID=

– For entityID, enter:

https://idp-dev.ucsf.edu/idp/shibboleth

• Find <MetadataProvider type="XML" file=

– For file, enter idp-metadata.xml

– Remove the <!-- and --> lines just before and after

• Save the file

18

Starting the SP

• Download a copy of the IdP metadatawget https://idp-dev.ucsf.edu/idp/shibboleth -O

/etc/shibboleth/idp-metadata.xml

• Start the SP and web server/etc/init.d/shibd start

/etc/init.d/httpd start

• Log into your SP

– Open Firefox (globe icon, second from the right)

– Navigate to https://localhost/secure/

• What happened?

– The IdP doesn’t have your SP’s metadata, so it doesn’t know where to send users after they log in

19

Submitting your metadata

• Download a copy of your SP’s metadata

• Make sure you type “https” not “http”!wget --no-check-certificate

https://localhost/Shibboleth.sso/Metadata

• Submit it

– In Firefox, go to https://myaccess2-dev.ucsf.edu/workshop/

– Upload your Metadata file

• Wait

– It’ll take a few minutes for me to add all of your metadata to the IdP

20

Logging in

• Let’s try it again

– In Firefox, go back to https://localhost/secure

– What happens this time?

21

A production SP

• What would be different?

– Different path(s) protected in shibd.conf

– Different IdP – production, not dev

– (Maybe) load InCommon metadata, not just our IdP

– Automatically download and validate new metadata on a regular basis

– Modify your application to look at the REMOTE_USER environment instead of prompting for a username and password

– Maybe integrate with multiple IdPs so people from outside UCSF can log in

22

Integration process

• See tiny.ucsf.edu/myaccess

• Highlights include

– Read and agree to division of responsibilities

– Determine what information you need about users

– Configure your SP

– Submit a formal request

– Wait for data owners to approve information release

– Communicate to your users

– Production deployment

23

Questions?