Lenya and Shibboleth

Post on 18-Jan-2015


Single Sign-On with Lenya and Shibboleth

Jann Forrer, University of Zurich; Andreas Hartmann, BeCompany GmbH

Agenda

• Authentication and authorization infrastructure
• Single Sign-On with Shibboleth
• Integration in Apache Lenya
• Attribute-based authorization
• Attribute rule evaluation options

Authentication and Authorization Infrastructure

Without AAI

(Figure: on one side the organizations University of Zurich and University of Berne, on the other the services E-Learning, Course Reg., Web Mail, Research DB, Library and Student Admin.; the labels "Authentication" and "Authorization" sit with each individual service.)

With standards-based AAI

(Figure: the same organizations and services as before, University of Zurich and University of Berne on one side and E-Learning, Course Reg., Web Mail, Research DB, Library and Student Admin. on the other, now with the AAI in between; the labels "Authentication" and "Authorization" sit with the AAI.)

Benefits

• Virtualized ID: service providers can save registration and administration efforts
• Standardized interfaces: service providers can easily integrate users of other organizations
• Standardized authentication: users can access various services at different organizations with a single password

Identity Provider (IdP)

• aka "home organizations"
• Universities, libraries, hospitals, ...
• Responsibilities:
  • Registering users
  • Maintaining user information ("attributes")
  • Providing an authentication service
  • Providing credentials for authorization decisions

Service Provider (SP)

• aka "resources"
• provide restricted information/applications
• Benefits:
  • No registration authority necessary
  • No user management necessary
  • User base grows with registered IdPs
  • Reliable security mechanism
  • Access to standardized attributes for authorization

SWITCH AAI Attributes

• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...

Single Sign-On with Shibboleth

Accessing a Service

(Sequence diagram with the participants Browser, SP, WAYF and IdP; the labelled messages, in order:)

1. Browser → SP: request protected page
2. SP → Browser: redirect to WAYF
3. WAYF → Browser: show IdP selection
4. Browser → WAYF: select IdP
5. WAYF → Browser: redirect to IdP
6. IdP → Browser: login screen
7. Browser → IdP: username, password
8. IdP: authentication
9. IdP → SP: handle
10. SP → IdP: attribute request
11. IdP → SP: provide attributes
12. SP → Browser: granted / denied

The Shibboleth Project

• Internet2: US networking consortium, led by the research and education community
• Middleware Architecture Committee for Education
  • PKI
  • URN namespace
  • course data infrastructure
  • ...
• Open Source (Apache License 2.0)
• Standards based: SAML, SSL, LDAP, ...

Available Software

• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within the servlet 2.4 specification
• OLAT:
  • Custom SP impl. based on the old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code

Integration in Apache Lenya

Authentication: Phase 1

(Sequence diagram with the participants Browser, Main Sitemap, WAYF and IdP; the labelled messages, in order:)

1. Browser → Main Sitemap: request protected page
2. Main Sitemap → Browser: login screen
3. Browser: click link to WAYF
4. WAYF → Browser: show IdP selection
5. Browser → WAYF: select IdP
6. WAYF → Browser: redirect to IdP
7. IdP → Browser: login screen
8. Browser → IdP: username, password
9. IdP: authentication
10. IdP → Browser: handle

Authentication: Phase 2

(Sequence diagram with the participants Browser, Main Sitemap, IdP, Shibboleth Authenticator, Attr. Request Service and AuthenticatorAction; the labelled messages, in order:)

1. AuthenticatorAction → Shibboleth Authenticator: authentication
2. Shibboleth Authenticator: parse SAML response
3. Shibboleth Authenticator → Attr. Request Service: send attr. request
4. Attr. Request Service → IdP: attr. request
5. IdP → Attr. Request Service: provide attributes
6. Attr. Request Service: parse SAML response
7. Shibboleth Authenticator: create transient user object, attach it to the session

Authentication: Classes

(Class diagram; the classes and interfaces with their methods:)

• <<interface>> Authenticator: authenticate(Request)
• ShibbolethAuthenticator: authenticate(Request), passAttributes(TransientUser, Map)
• UserAuthenticator: authenticate(Request)
• <<interface>> AttributeRequestService: requestAttributes(BPR) : Map
• <<interface>> AttributeTranslator: translateSamlAttributes(Map) : Map
• UserFieldsMapper: getFirstName(), getLastName(), ...
• DelegatingAuthenticatorAction: act(...) : Map

Attribute-based Authorization

User Attributes in Lenya

• Expressions for evaluation, e.g.
  • givenName == "John" && surname == "Doe"
  • eduPersonScopedAffiliation == "student"
• Can be obtained from various identity providers, e.g.
  • Shibboleth IdP (TransientUser)
  • LDAP server (LDAPUser)

Attribute Evaluation in Lenya

• Interface User provides access to attributes:
  User.getAttributeNames() : String[]
  User.getAttributeValues(String name) : String[]
• Interface Group allows to set rules:
  Group.setRule(String)
  Group.getRule() : String
• Method AbstractGroup.contains(Groupable) evaluates the rule using a RuleEvaluator implementation

AbstractGroup.contains()

```java
public boolean contains(Groupable member) {
    // Explicit membership is checked first; the attribute rule is only
    // consulted for users and only when this group actually has a rule.
    boolean contains = members.contains(member);
    if (!contains && member instanceof User && getRule() != null) {
        User user = (User) member;
        AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
        // The evaluator (JEXL- or ANTLR-based) decides whether the user's
        // attributes satisfy the group's rule expression.
        contains = evaluator.isComplied(user, getRule());
    }
    return contains;
}
```

User Attributes: Classes

(Class diagram; the classes and interfaces with their methods:)

• <<interface>> User: getAttributeNames() : String[], getAttributeValues(String) : String[]
• AbstractUser: setAttributeValues(String, String[])
• <<interface>> Groupable: getGroups() : Group[]
• <<interface>> Group: getMembers() : Groupable[], contains(Groupable)
• AbstractGroup: contains(Groupable)
• <<interface>> RuleEvaluator: validate(String) : ValidationResult, isComplied(User, String) : boolean
• JexlEvaluator, AntlrEvaluator: the two RuleEvaluator implementations

Attribute Rule Evaluation Options

JEXL

• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expression language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No specific rule syntax check
  • It's difficult to identify dangerous code

ANTLR

• About ANTLR
  • ANother Tool for Language Recognition
  • Framework for recognizers, interpreters, parsers, ...
  • based on LL(k) grammars
  • 3-clause BSD license
• Advantages
  • Custom grammar for strict syntax check
  • No dangerous code accepted
• Disadvantages
  • Maintenance and enhancements require specific knowledge
  • Default error messages are hard to understand
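The rule syntax from the "User Attributes in Lenya" slide and the JEXL-versus-ANTLR trade-off above, as an added example that is not Lenya's code and uses neither JEXL nor ANTLR: a hand-written recursive-descent evaluator in Python for exactly that grammar (attribute names, double-quoted literals, ==, !=, &&, || and parentheses). It is the strict-grammar approach in miniature: anything outside the grammar, such as a method call, is rejected as a syntax error before any evaluation happens, which is the "no dangerous code accepted" property. Assumptions of this example: attributes are multi-valued and `name == "x"` holds when any of the user's values equals x; `evaluate()` stands in for isComplied(User, String).

```python
import re
# Token classes of the rule grammar on the slides: attribute names, double-quoted literals and
# the operators == != && || ( ).  Anything else (a dot, a method call) is caught before evaluation.
TOKEN_RE = re.compile(r'\s*(?:(?P<ID>\w+)|"(?P<STR>[^"]*)"|(?P<OP>==|!=|&&|\|\||[()])|(?P<BAD>\S))')

def tokenize(rule):
    tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(rule)]
    bad = [text for kind, text in tokens if kind == "BAD"]
    if bad:
        raise SyntaxError(f"illegal character {bad[0]!r} in rule {rule!r}")
    return tokens

class StrictRuleEvaluator:
    """expr := term ('||' term)* ; term := cmp ('&&' cmp)* ; cmp := NAME ('==' | '!=') STRING | '(' expr ')'
    evaluate() plays the role of RuleEvaluator.isComplied(user, rule); malformed rules raise SyntaxError."""
    def __init__(self, attributes):
        # name -> list of values, like User.getAttributeValues(name); assumed: NAME == "x" holds when any value equals x
        self.attrs = attributes
    def evaluate(self, rule):
        self.toks, self.i = tokenize(rule), 0
        result = self._expr()
        if self.i != len(self.toks):
            raise SyntaxError(f"trailing tokens {self.toks[self.i:]}")
        return result
    def _accept(self, kind, value=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        if tok[0] == kind and value in (None, tok[1]):
            self.i += 1
            return tok[1]
    def _expr(self):
        result = self._term()
        while self._accept("OP", "||"):
            result = self._term() or result   # right side is parsed even when already decided
        return result
    def _term(self):
        result = self._cmp()
        while self._accept("OP", "&&"):
            result = self._cmp() and result
        return result
    def _cmp(self):
        if self._accept("OP", "("):
            result = self._expr()
            if self._accept("OP", ")") is None:
                raise SyntaxError("expected ')'")
            return result
        name = self._accept("ID")
        op = name and (self._accept("OP", "==") or self._accept("OP", "!="))
        literal = op and self._accept("STR")
        if literal is None:
            raise SyntaxError(f'expected NAME == "literal" at token {self.i}')
        return (literal in self.attrs.get(name, [])) == (op == "==")
```

A JEXL-style evaluator would hand the same rule string to a general expression engine, so a rule containing a method call or other non-rule code is not distinguishable from a legitimate rule by syntax alone; here it never reaches evaluation.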

More Options

• Different language recognizer generators
  • JavaCC
  • SableCC
  • CUP
• Pre-defined rules to select from
• GUI-based rule editing (graphical expression editor)

Questions and Discussion