Post on 10-Sep-2020
CHUV
AAI @ CHUV
Vincent BexSystems Engineer
Vincent.Bex@chuv.ch
Patrick ZossoInfrastructure Project Manager
Patrick.Zosso@chuv.ch
CHUV
• Presentation of the CHUV
• Security concepts at CHUV
• The challenge
• AAI implementation for UNIL students
Agenda
CHUV
Some indicators• 7100 Employees + 400 Students
• 1300 Beds
• 2 campuses and several small remotesites
Presentation
CHUVPresentation
• Equipments• PC 7000
• Printers 1930
• Servers 250
• Applications 750
• Storage• 70Tbytes
CHUVPresentation
• Locations• One LAN spread on 2 main campuses
• 23 Small remote sites
• 385 network equipments• VPN
• Firewalls
• Routers
• Switches
• WiFi
• …
CHUV
• Security concepts at CHUV
• The challenge
• AAI implementation for UNIL students
Agenda
CHUV
Internet
Intranet
DataCenter
DMZ
tcp any
http://www.switch.aaiOrhttp://kodc2.nfrdi.re.kr:8001
Security concepts at CHUV
CHUV
Internet
Intranet
DataCenter
DMZHTTPProxy
tcp 8080
tcp any
Security concepts at CHUV
CHUV
Internet
Intranet
DataCenter
DMZ
UnilStudent
HTTPProxy
tcp 8080
tcp any
LDAP
HTTPProxy
Security concepts at CHUV
CHUV
• The challenge
• AAI implementation for UNIL students
Agenda
CHUVThe Challenge
The situation:
• Users who are not CHUV employees (UNIL students) needto access internet from our premises
• They use specific PCs from the library
• They use PCs configured to automatically logon with ageneric account
CHUVThe Challenge
The needs:
• We need to identify the users who access internet forpolicy enforcement purpose
CHUVThe Challenge
The environment:
• Our proxies are currently BlueCoat appliances
• BlueCoat does not support mod_shib authentication
• Shibboleth is “easy” to implement on IIS or Apache
• We need to force the PCs to use the proxy
CHUVThe Challenge
The solution:
• A dedicated BlueCoat proxy
• A Service Provider on Debian 4.0
• Apache 2.2 with mod_shib enabled
• Open LDAP
• Two CGI scripts
• A GPO to force the user’s PCs to use the proxy
CHUV
• AAI implementation for UNIL students
Agenda
CHUVAAI implementation for UNIL students
Internet1
HTTPRequest/response
1 Internet access request
HTTP Proxy
CHUV
Internet
HTTP Redirection
2
HTTP Proxy
2 Redirection to a perl script protected by ShibbolethHTTP
Request/response
AAI implementation for UNIL students
CHUV
InternetServer to server connection
3
3
HTTP Proxy
3 AAI authenticationHTTP
Request/response
HTTP Redirection
AAI implementation for UNIL students
CHUV
Internet
4
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP Redirection
4 Creating the LDAP user
AAI implementation for UNIL students
CHUV
Internet
5
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP Redirection
5 Creating and sending the authentication form
AAI implementation for UNIL students
CHUV
Internet
6
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP Redirection
6 The proxy requests authentication to the LDAP server
AAI implementation for UNIL students
CHUV
Internet
7
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP Redirection
7 LDAP user gets deleted
AAI implementation for UNIL students
CHUV
Internet
8
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP Redirection
8 Redirection to the requested URL
AAI implementation for UNIL students
CHUV
Internet9
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP Redirection
9 Internet access
AAI implementation for UNIL students
CHUV
Internet1
2
3
3
7
5
4
9
1 Internet access request2 Redirection to a perl script protected by Shibboleth3 AAI authentication4 Creating the LDAP user
8
5 Creating and sending the authentication form6 The proxy requests authentication to the LDAP server7 LDAP user gets deleted8 Redirection to the requested URL9 Internet access
6
HTTP Proxy
Server to server connection
HTTPRequest/response
HTTP redirect
AAI implementation for UNIL students
CHUV
Q&A
Q&A