
Shibboleth at the U of M

Christopher A. Bongaarts, code-people, June 2, 2011

CAH Retirement

CAH slated to go away in October 2011
Motivation:
  IPv6 compatibility
  Move to a standards-based (SAML) solution
CAH and Shib will do SSO between them until CAH is gone

What is Shibboleth?

Software project sponsored by Internet2
Implements the SAML Web SSO Profile
Two main packages:
  Identity Provider (IdP: logs users in)
  Service Provider (SP: uses the login to do something useful)

How does it work?

1. User visits the application web site (SP)
2. SP redirects the user to the IdP with a SAML AuthnRequest
3. IdP authenticates the user, if necessary
4. IdP sends the user back to the SP with a SAML AuthnResponse, carrying:
  Authentication Assertion (data about the login)
  Attribute Assertion (data about the user)

The Gory Details

It's like CAH:
  User never gives credentials to the SP
  Additional attributes can be returned
  Single sign-on

It's different from CAH:
  No shared cookie
  Allows non-umn.edu SPs
  Logout works differently
  SSO still requires a trip to the IdP
  No free-for-all WEBCOOKIE method
  More complex protocol: you need more than cookies + HTTPS to integrate

Our IdPs

OIT/IDM runs production and test IdPs
IdPs use production/test X.500 respectively
Federated with InCommon

Integrating your application

Best strategy: use the Shib SP
  Requires Apache or IIS
  Usually easier to front the app with Apache than to directly embed SAML support in your app
  Can protect files, directories, or locations via server config or .htaccess
  Lazy sessions allow unauthenticated browsing until a login is needed
  Shib session can bootstrap the app session
  Standard builds available for Windows and several Linux distros
  Preinstalled on OIT Red Hat Linux VMs

Install and configure the Shib SP
  Careful: lots of knobs, few need turning
  Choose an appropriate entityID (see wiki)
  Export metadata (generate, then hand edit)
  Submit an Access Request Form (ARF) if you need nonpublic attributes
  Ask us to add your metadata to our test IdP

Access attributes
  Environment variables (Apache)
  HTTP headers (IIS or Apache)
  REMOTE_USER

Converting from CAH to Shib

Shib SP is a drop-in replacement for mod_cookieauth
  Sets REMOTE_USER
No ARF needed if you already get the data from CAH
Apps requiring M Key can use AuthnContext to ask for it and to check for it
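The exchange from the "How does it work?" slide, together with the AuthnContext check mentioned just above, as an added Python example (standard library only; not code from this talk, from the Shibboleth project, or from the Shib SP). The IdP and SP URLs, the entityIDs and the sample Response are constructed placeholders, and parse_response assumes the Shib SP has already verified the signature and decrypted the assertion (the Gotchas slide notes Shib signs/encrypts them), so only the plaintext checks an application still cares about are shown.

```python
import base64, zlib, xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlsplit
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_redirect_url(idp_sso_url, sp_entity_id, acs_url, authn_context=None):
    """Step 2: SP sends the browser to the IdP with an AuthnRequest in the HTTP-Redirect binding
    (raw DEFLATE -> base64 -> URL-encode). authn_context asks the IdP for a particular login method."""
    ctx = ('<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>%s'
           '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>' % authn_context) if authn_context else ""
    req = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
           'IssueInstant="2011-06-02T00:00:00Z" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer>%s</samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], acs_url, sp_entity_id, ctx))
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header/trailer
    raw = co.compress(req.encode()) + co.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_request(url):
    """What the IdP does on receipt: undo the encoding and return the AuthnRequest element."""
    b64 = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(b64), -15))

def parse_response(xml_text, my_entity_id, required_authn_context=None):
    """Step 4: read the Authentication Assertion (AuthnStatement: how the user logged in) and the
    Attribute Assertion (AttributeStatement: who they are) out of a Response the Shib SP has verified."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a failed login")
    a = root.find("saml:Assertion", NS)
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != my_entity_id:  # assertion was issued for some other SP
        raise ValueError("audience mismatch: %s" % audience)
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if required_authn_context and ctx != required_authn_context:  # e.g. the app needs M Key
        raise ValueError("login method %s does not satisfy %s" % (ctx, required_authn_context))
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "authn_context": ctx, "attributes": attrs}

# Constructed sample Response (post-verification plaintext), not captured from any real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>cab</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://myapp.example.edu/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>cab@umn.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
```

The audience check matters because an assertion issued for another SP must not be accepted by yours, and the AuthnContext check is the application-side half of the M Key requirement.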

Gotchas

Shib signs/encrypts assertions
  Uses certs in metadata to carry keys
  Shib ONLY looks at the keys, not the rest of the cert:
    Ignores expiration
    Doesn't validate the CA
  These are NOT the same certs/keys used for your browser-facing HTTPS port (443)

entityID looks like a URL but isn't
  It's a URI, being used as a name
  Handy to use as a URL sometimes (metadata)
  Use a domain you control to facilitate self-managed metadata someday

Other SAML Implementations

simpleSAMLphp (PHP)
OIOSAML (Java)
ADFSv2 (gateway to WS-*)
  Preferred method for SharePoint 2010
WIF SAML extension (for .NET apps)
  MSDN blog entry: http://z.umn.edu/3n3
OpenAM (formerly OpenSSO)

Federating your application

Lets your app allow users to log in from other places
Can do simple bilateral setups, or get listed in a federation like InCommon (ask us)
Use a federatable identifier instead of Internet ID or umnDID for your primary key:
  eduPersonTargetedID
  eduPersonPrincipalName (ID+scope, e.g. cab@umn.edu)

Looking Ahead

Single logout support
User consent for attribute release
Self-managed metadata for departments

Resources

U of M Shib wiki: https://wiki.umn.edu/ShibAuth
Official Shib wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/Home
Shib mailing list: shibboleth-users@internet2.edu
  Best place for general questions about Shib SP installation/configuration
  Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

Questions?

Identity Management: idm@umn.edu
Or call Chris at 5-1809
