
SSO everywhere

Piers Harding

13th April, 2010

SSO Everywhere

This is an interactive session

It's based on the MoE SSO Pilot experience

We will go through the build process for an IdP

We will integrate as many Services as Possible (Moodle, Mahara, Koha, MediaWiki, Status.Net, Drupal, Google Apps)

You can take this home!

Please ask questions

What kind of SSO?

Not just shared credentials

Sign on once, and be automatically signed on everywhere as required

Sharing the necessary user attributes from a central repository

How does it Work?

It is Web SSO

It is based on SAML 2.0

It requires a centrally stored session, that each service refers back to

What is SAML 2.0?

It is an XML-based framework for describing, and securely exchanging, assertions that prove an identity and the attributes attached to that identity

What is WEB SSO?

It is a standard pattern for using browser interaction to establish a user's identity (and assertions about that identity) and then to propagate it to the services accessed afterwards

What are the typical scenarios?

What is the interaction?

And for schools?

Data moves

User data flows from the SMS to the User Directory and is then consumed by various services

Now that includes the Identity Provider

The Schema

The User Directory
- Example user

    dn: cn=John Doe,ou=People,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    userPassword: password
    mail: [email protected]: 31000
    l: Toulouse
    o: Example

The User Directory
- Mapping to the Schema

Username => uid or sAMAccountName

Firstname => givenName

Lastname => sn

Role => group membership(cn=Staff,ou=Groups) or position (cn=John Doe, ou=Staff)

Email => mail

Organisation => typically defined by the name of the UD connected to

The IdP

Apache2

PHP5

Memcached

simpleSAMLphp

IdP Role

The IdP acts as a broker

Negotiates authentication with User Directory

Holds contracts with service providers regarding the user attributes on offer

SP Role

The SP (Service Provider) negotiates access with the IdP on behalf of the service that it is attached to

Holds metadata contract with IdP

Applies filter rules

Passes attributes to attached service

IdP Control

Metadata shared with SPs to establish trust relationships

Both IdP and SP can apply filters with respect to users that will be accepted, and attributes that will be shared

Metadata - Example

[SAML 2.0 metadata XML; only fragments survived extraction: two certificate placeholders ("[base64 encoded cert data]") and an administrative contact, Administrator, with an obfuscated email address]

Filters
- Examples

These checks are used for access to WikiEducator

    // IdP - limit the released attributes to a set list
    50 => array(
        'class' => 'core:AttributeLimit',
        'mlepUsername', 'mlepEmail', 'mlepLastname', 'mlepFirstname', 'cn', 'mlepOrganisation',
    ),

    // SP - reject with an HTTP 403 Forbidden unless the "not a student" check passes
    85 => array(
        'class' => 'authorize:Authorize',
        'mlepAffiliation' => '/^(?!(s|S)tudent)/',
    ),
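An added example, not from the slides or from simpleSAMLphp itself: a small Python model of the two filters above run over a constructed attribute set (the mlep* names are the slide's, the values are made up), showing that the attribute limit strips everything not on the list, that Authorize fails closed when the attribute it checks was never released, and that the slide's regex is case sensitive.

```python
import re

# The two filters from the slides, as plain data (priority order: IdP 50, then SP 85).
IDP_ATTRIBUTE_LIMIT = ["mlepUsername", "mlepEmail", "mlepLastname",
                       "mlepFirstname", "cn", "mlepOrganisation"]
SP_AUTHORIZE_RULES = {"mlepAffiliation": r"^(?!(s|S)tudent)"}    # regex from the slide
SP_AUTHORIZE_RULES_CI = {"mlepAffiliation": r"(?i)^(?!student)"}  # case-insensitive variant

# Constructed sample of what the IdP might read from the User Directory
# (hypothetical values; the mlep* attribute names are the ones used on the slides).
STAFF = {"mlepUsername": ["jdoe"], "mlepEmail": ["jdoe@school.example"],
         "mlepFirstname": ["John"], "mlepLastname": ["Doe"], "cn": ["John Doe"],
         "mlepOrganisation": ["Example School"], "mlepAffiliation": ["Staff"],
         "userPassword": ["{SSHA}constructed-hash"]}  # must never leave the IdP
STUDENT = dict(STAFF, mlepAffiliation=["Student"])
STUDENT_UPPER = dict(STAFF, mlepAffiliation=["STUDENT"])

def attribute_limit(attributes, allowed):
    """Model of core:AttributeLimit: keep only the attributes on the allow list."""
    return {name: values for name, values in attributes.items() if name in allowed}

def authorize(attributes, rules):
    """Model of authorize:Authorize: grant access if, for some rule, at least one
    value of that attribute matches the regex. A missing attribute cannot match,
    so the filter fails closed (simpleSAMLphp answers HTTP 403)."""
    for name, pattern in rules.items():
        if any(re.search(pattern, value) for value in attributes.get(name, [])):
            return True
    return False

def sp_decision(directory_attributes, idp_allow_list, sp_rules):
    """Chain the IdP filter then the SP filter; return (granted, attributes released)."""
    released = attribute_limit(directory_attributes, idp_allow_list)
    return authorize(released, sp_rules), released

if __name__ == "__main__":
    # The SP rule reads mlepAffiliation, so the IdP must release it as well.
    allow = IDP_ATTRIBUTE_LIMIT + ["mlepAffiliation"]
    for label, user in (("staff", STAFF), ("student", STUDENT), ("STUDENT", STUDENT_UPPER)):
        granted, released = sp_decision(user, allow, SP_AUTHORIZE_RULES)
        print(f"{label}: granted={granted}, released={sorted(released)}")
    # With the slide's list exactly as written, even staff are refused: the attribute never arrives.
    print("staff, slide allow list:", sp_decision(STAFF, IDP_ATTRIBUTE_LIMIT, SP_AUTHORIZE_RULES)[0])
    print("STUDENT, case-insensitive rule:",
          sp_decision(STUDENT_UPPER, allow, SP_AUTHORIZE_RULES_CI)[0])
```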

Live Demonstration

VirtualBox image

Runs all demo services fully self contained

IdP Steps

Software required

Review config.php

Step through authsources.php

See LDAP admin

See metadata/saml20-*

Launch IdP admin page

SP Steps - Moodle

Install auth/saml

Install/configure simplesamlphp for SP

Edit paths in auth/saml/config.php

In Moodle go to Users -> Manage Authentication -> SAML Authentication

Go to $CFG->wwwroot/auth/saml/

Others?

Each service has its own connector

Each service needs an associated SP

Resources

Oasis Org SAML 2.0 specification http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20

In particular the SAML Technical Overview - http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf

MLE Reference Group http://groups.google.co.nz/group/mle-reference-group?hl=en-GB

simpleSAMLphp http://git.catalyst.net.nz/gw?p=simplesamlphp.git;a=summary

VirtualBox image + presentation notes + howto http://www.catalyst.net.nz/sso/index.html
