lets get a federated identity
play

Lets get a federated identity Do you have access to your email? - PowerPoint PPT Presentation

Lets get a federated identity Do you have access to your email? Youll need a valid email address Intro to Federated Identity Do you have an account from Protect Network or Twitter You can skip ahead! EuroCAMP Training for


  1. Lets get a federated identity • Do you have access to your email? – You’ll need a valid email address Intro to Federated Identity • Do you have an account from… – Protect Network or Twitter – You can skip ahead! EuroCAMP Training for APAN32 • If not lets create a Feide OpenIdP Account? • If not, lets create a Feide OpenIdP Account? This work is licensed under a Creative Commons – Visit http://openidp.feide.no/ Attribution ‐ ShareAlike 3.0 Unported License . Feide OpenIdP Enter your email address – Click on “Register a new user account” 1

  2. Check your email Complete your registration • Fill in: – User ID – Given name – Surname – Email (already completed) – New password (and Retype new password) New password (and Retype new password) Success! Lets use our federated identity • Visit https://foodl.org/foodle/APAN32 ‐ 4e554 – You now have an account you can use for federated authentication. – The OpenIdP is your Id entity P rovider. 2

  3. Login with your account… Consent Screen – This is the Feide OpenIdP (but you could use – This feature of the Feide OpenIdP tells you about Twitter Protect Network or 445 other sites) Twitter, Protect Network or 445 other sites). the information you are sending to a service the information you are sending to a service. Now complete the survey… What just happened? • You visited a S ervice P rovider (SP) – Foodle – But this service required you to login • Then asked to choose a federated account – You could have selected from a range of accounts • Logged in using an Id entity P rovider (IdP) – Which asked whether you wanted your details Whi h k d h th t d d t il • Secret Survey Questions revealed! sent back to Foodle • You can even add a comment (click on the • Returned to Foodle to access the survey stack of notes). 3

  4. Architecture SAML/Shibboleth v2.x What just happened? HTTP redirect HTTP interaction DS • As a diagram… der r m Sh Identity Provid hibboleth 1. Access SP (x) odule 2. Choose IdP (1) x 3. Login 4. Consent User Agent/Browser 5. Access 5. Access Webserver Shibboleth service Webserver Service Provider Identity Provider • WARNING: Technical explanation follows! SAML2.0 profile: Web browser SSO + HTTP POST binding Initial request from UA to document X 14 – or skip ahead. No active Shibboleth session, UA redirected to DS Architecture SAML/Shibboleth v2.x Architecture SAML/Shibboleth v2.x HTTP redirect HTTP redirect HTTP interaction HTTP interaction DS DS der der r r SP takes back m Sh m Sh Identity Provid Identity Provid control t l hibboleth hibboleth odule odule x x User Agent/Browser User Agent/Browser Webserver Webserver Shibboleth service Shibboleth service Webserver Webserver Service Provider Service Provider Identity Provider Identity Provider DS asks UA to choose an IdP (if not already set in cookie) SP sends SAML Authentication request to the IdP. IdP prompts the UA for credentials, if necessary. Redirect UA back to SP with selected IdP as parameter. 15 16 IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc) 4

  5. Architecture SAML/Shibboleth v2.x Architecture SAML/Shibboleth v2.x HTTP redirect HTTP redirect HTTP interaction HTTP interaction DS DS der der r r m Sh m Sh Identity Provid hibboleth Identity Provid hibboleth odule odule x x User Agent/Browser User Agent/Browser Webserver Webserver SAML response SAML response • Authentication statement No callback! Shibboleth service Shibboleth service Webserver • Attribute statement Webserver Service Provider Service Provider Identity Provider Identity Provider The IdP resolves and filters the principal’s attribute information and The Shibboleth service decrypts, verifies and filters the response constructs a SAML assertion. This assertion can optionally be and gives it to the Shibboleth module (via RPC or TCP). signed and/or encrypted. Next, the IdP POSTs a response to the SP. The Shibboleth module or Webserver will authorise the principal. 17 18 Architecture SAML/Shibboleth v2.x What’s next? HTTP redirect HTTP interaction DS • Can I use this account for anything else? Yes… der r m Sh Identity Provid hibboleth odule – simpleSAML translation portal • http://translation.rnd.feide.no � Single sign on! • Only allows Feide OpenIdP x • Portal is used to translate simpleSAML, Foodle and other tools. User Agent/Browser Webserver – TERENA Conference System TERENA C f S t • http://tnc2011.terena.org/ � Click “Sign in” and search Shibboleth service Webserver Service Provider 2 for ‘openidp’ or look in the “Guest providers” tab. Identity Provider • But you don’t want all your users to sign up Again, the active sessions with every component will provide the single sign-on experience. for a separate account! 19 5

  6. Building your own… How big is your problem? • How big is your problem? • How big is your problem? – Use Google to search for: • Skills required • site:auca.kg login or site:your.domain sign ‐ in – More complex than just configuration. – Adjust your search and look at all the pages that • Available solutions ask for login information. Confusing? – Open Source and Commercial Options • Then make a spreadsheet… p • How do I implement this? H d I i l t thi ? Skills required… Available Solutions… • Concentrate on the skills you have or those • For each “product” or website work out: you want to develop. t t d l – Programming Language (PHP, Perl, Java) • simpleSAMLphp – Webserver (e.g. Apache or Microsoft IIS) – Operating system (Windows, Linux, Mac) – PHP • Search for plug ‐ ins or modules – Multi ‐ lingual support – Linux Windows or Mac Linux, Windows or Mac – Support for simpleSAMLphp or Shibboleth might – Support for simpleSAMLphp or Shibboleth might already be included. • Shibboleth • Can use a combination – IdP is Java – simpleSAMLphp AND Shibboleth are compatible! – Runs within Apache Tomcat • Both are free software. 6

  7. Setup your own environment… Our building blocks… • Self study course to build a federated • VirtualBox to run your VM, or environment for your organisation. i t f i ti • TATA Instacompute • We’ll cover: • Supplied VM image – Setting up an Identity Provider (eg Feide OpenIdP) • simpleSAMLphp IdP • Adding modules like Consent • Shibboleth SP – Protecting a service with Federated Protecting a service with Federated Authentication 7

Recommend


More recommend