Hosting a SAML-protected Web Site in Microsoft Azure


Page 1: Hosting a SAML-protected Web Site in Microsoft Azure

Hosting a SAML-protected Web Site in Microsoft Azure

Eric Kool-Brown, Software Engineer

University of Washington IT

Page 2: Hosting a SAML-protected Web Site in Microsoft Azure

SAML in Azure - Windows in Higher Ed

2

A SAML Protected Web Site

Page 3: Hosting a SAML-protected Web Site in Microsoft Azure


Page 4: Hosting a SAML-protected Web Site in Microsoft Azure

SAML: what is it?

Security Assertion Markup Language, and much more:
• A token format (using this language)
• A set of authentication protocols
• A set of bindings for the transfer of the protocol elements
• A set of OASIS specifications ratified in 2005


Page 5: Hosting a SAML-protected Web Site in Microsoft Azure

Some Terminology
• SAMLP – used to differentiate the protocol from the token format
• Service Provider – a protected web site, a.k.a. Relying Party
• IdP – identity provider, a.k.a. security token service
• Shibboleth – the community-developed reference implementation of SAML
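The distinction the last two slides draw between the protocol (SAMLP, the samlp:Response envelope) and the token (the saml:Assertion inside it) shows up concretely in what a Service Provider must check before trusting a login. The following PowerShell is an added example, not part of the presentation or of Shibboleth: it walks the checks an SP such as the Shibboleth SP applies to a SAML 2.0 Response, layer by layer. The Response, entity IDs, request ID and timestamps are constructed for the example.

```powershell
# Added example (not from the presentation or the Shibboleth project): the
# checks an SP performs on an incoming SAML 2.0 Response, separated into the
# protocol layer (samlp:Response) and the token layer (saml:Assertion).
# All identifiers, URLs and times below are constructed for the example.

# Constructed, minimal Response. A real one arrives base64-encoded in the
# SAMLResponse form field of the HTTP-POST binding and carries an XML Signature.
$samlResponseXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2013-06-20T10:00:00Z"
                Destination="https://sp.example.edu/Shibboleth.sso/SAML2/POST"
                InResponseTo="_req42">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-20T10:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-06-20T09:59:00Z" NotOnOrAfter="2013-06-20T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.edu/shibboleth</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@

function Test-SamlResponse {
    param(
        [string]$Xml,
        [string]$ExpectedIssuer,       # entityID of the IdP we federate with
        [string]$ExpectedAudience,     # our own SP entityID
        [string]$ExpectedDestination,  # our assertion consumer service URL
        [string]$ExpectedRequestId,    # ID of the AuthnRequest we sent
        [datetime]$Now                 # UTC time of evaluation
    )
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')
    $failures = @()

    # Protocol layer (SAMLP): the message is addressed to us, answers a request
    # we actually issued (replay/unsolicited-response defence) and reports success.
    $resp = $doc.SelectSingleNode('/samlp:Response', $ns)
    if ($resp.GetAttribute('Destination') -ne $ExpectedDestination) { $failures += 'Destination mismatch' }
    if ($resp.GetAttribute('InResponseTo') -ne $ExpectedRequestId) { $failures += 'InResponseTo does not match an outstanding request' }
    $status = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { $failures += "Status $status" }

    # Token layer (the assertion): who issued it, who it is for, and when it is valid.
    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { $failures += 'No assertion present'; return $failures }
    $issuer = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Issuer', $ns).InnerText
    if ($issuer -ne $ExpectedIssuer) { $failures += "Unexpected issuer $issuer" }
    $cond = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Conditions', $ns)
    $notBefore    = [datetime]::Parse($cond.GetAttribute('NotBefore')).ToUniversalTime()
    $notOnOrAfter = [datetime]::Parse($cond.GetAttribute('NotOnOrAfter')).ToUniversalTime()
    if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) { $failures += 'Assertion outside its validity window' }
    $audiences = $doc.SelectNodes('/samlp:Response/saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) |
        ForEach-Object { $_.InnerText }
    if ($audiences -notcontains $ExpectedAudience) { $failures += 'Assertion not addressed to this SP (Audience)' }

    # Signature: the SP must verify an XML Signature over the Response or the
    # Assertion against the IdP key from federation metadata. This example only
    # reports whether one is present; it does not verify it.
    if (-not $doc.SelectSingleNode('//ds:Signature', $ns)) { $failures += 'No XML Signature present; unsigned responses must be rejected' }
    return $failures
}

$problems = Test-SamlResponse -Xml $samlResponseXml `
    -ExpectedIssuer 'https://idp.example.edu/idp/shibboleth' `
    -ExpectedAudience 'https://sp.example.edu/shibboleth' `
    -ExpectedDestination 'https://sp.example.edu/Shibboleth.sso/SAML2/POST' `
    -ExpectedRequestId '_req42' `
    -Now ([datetime]::Parse('2013-06-20T10:01:00Z').ToUniversalTime())
$problems   # for the constructed sample, only the missing signature is reported
```

In a Shibboleth SP all of this (plus signature verification and a replay cache keyed on assertion ID) is done by the shibd daemon and the ISAPI filter; the value of spelling it out is that every check above belongs to one of the two layers the terminology slide names, and the signature check is the one that makes the other checks meaningful.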


Page 6: Hosting a SAML-protected Web Site in Microsoft Azure


Diagram: Hosting a Shibboleth-Protected Web Site Locally. Elements shown: Campus Datacenter, User, Credential Datastore, Databases, Web App, Shib IdP, Public Internet.

Page 7: Hosting a SAML-protected Web Site in Microsoft Azure


Diagram: Hosting a Shibboleth-Protected Web Site in Azure. Elements shown: Azure, Campus Datacenter, User, Credential Datastore, Databases, Web App, Shib IdP, Public Internet.

Page 8: Hosting a SAML-protected Web Site in Microsoft Azure


Diagram: Azure Networking. Elements shown: Campus Datacenter, Campus Servers, Hardware VPN Gateway, Campus Subnet List, Site-to-Site Protected Data Connection, Azure VPN Gateway, Azure Virtual Network, Azure VMs, Azure DNS/Load Balancer, Public Internet, Route to Public Internet.

Page 9: Hosting a SAML-protected Web Site in Microsoft Azure


Lots of Options!

Page 10: Hosting a SAML-protected Web Site in Microsoft Azure

Options, We’ve Got Options
• Upload your Shibboleth SP VHD as an Azure VM
– Could be either Linux or Windows
• Host WIF web app in an Azure web site and use ADFS as a protocol translator
• Use WIF and the SAMLP CTP extension
• Host Shibboleth SP as an Azure cloud service


Page 11: Hosting a SAML-protected Web Site in Microsoft Azure

Azure Virtual Machine
• Use an MS-supplied OS image or upload your own (Linux or Windows)
– If the former, upload web app remotely
– If the latter, can configure locally, then upload the entire VHD
• VM bits stored in triple redundant Azure blob storage
• Scaling up requires manual configuration


Page 12: Hosting a SAML-protected Web Site in Microsoft Azure

Azure VM Details

• Windows OS licensing: monthly cost of using MS-supplied Windows image includes OS licensing fee

• DNS needs to be configured in Azure; you supply a validated DNS name and Azure supplies the VIP for that name

• Adding instances for scaling requires manual configuration

• Ditto for monitoring


Page 13: Hosting a SAML-protected Web Site in Microsoft Azure

Azure Web Sites
• Write web app in Visual Studio and deploy to Azure from VS
• Use WIF to “claims enable” your web app via its support for WS-Federation
– WIF does not support SAMLP
• Use AD FS to translate from WS-Federation to SAMLP
• Azure handles scaling to add instances and configures load balancing
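The translation the slide describes is two trusts configured on AD FS: the Shibboleth IdP is a claims provider trust (AD FS acts as a SAML 2.0 SP towards it), and the WIF web app in Azure is a relying party trust over WS-Federation. The following PowerShell is an added example, not from the presentation; it uses the AD FS cmdlets that ship with the AD FS role on Windows Server 2012 and later. The IdP entityID, web app URL and rule names are placeholders, and eduPersonPrincipalName is assumed to be the attribute the IdP releases.

```powershell
# Added example (not from the presentation): configuring AD FS as the
# WS-Federation <-> SAMLP translator. URLs, names and the released attribute
# are placeholders; the cmdlets are from the AD FS module (Windows Server 2012+).
Import-Module ADFS

# 1. Claims provider trust: the campus Shibboleth IdP. AD FS consumes its SAML
#    assertions. Signing certificate, entityID and SSO endpoints are all taken
#    from the IdP's federation metadata, so nothing is typed in by hand.
$acceptRules = @'
@RuleName = "Pass through eduPersonPrincipalName"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
 => issue(claim = c);
'@
Add-AdfsClaimsProviderTrust -Name 'Campus Shibboleth IdP' `
    -MetadataUrl 'https://idp.example.edu/idp/shibboleth' `
    -AcceptanceTransformRules $acceptRules

# 2. Relying party trust: the WIF web app hosted in an Azure web site. The
#    identifier must equal the realm in the app's WS-Federation configuration.
$transformRules = @'
@RuleName = "Map eduPersonPrincipalName to the name claim WIF expects"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);
'@
$authzRules = @'
@RuleName = "Permit all users the IdP authenticated"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsRelyingPartyTrust -Name 'Azure WIF web app' `
    -Identifier 'https://mywebapp.azurewebsites.net/' `
    -WSFedEndpoint 'https://mywebapp.azurewebsites.net/' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules
```

Two things to keep in mind with this arrangement. The trust is also needed in the other direction: the IdP has to load AD FS's own metadata (published at /FederationMetadata/2007-06/FederationMetadata.xml on the AD FS host) and release the attribute to AD FS's entityID, or the acceptance rule above receives nothing. And the web app only ever sees claims AD FS chooses to issue, so the transform rules are the place to enforce which attributes reach Azure; a permit-all authorization rule is appropriate only when the IdP is itself the authorization point.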


Page 14: Hosting a SAML-protected Web Site in Microsoft Azure

Add a Cloud Web App Project


Page 15: Hosting a SAML-protected Web Site in Microsoft Azure

Configure the Project


Page 16: Hosting a SAML-protected Web Site in Microsoft Azure

Configure WS-Fed


Page 17: Hosting a SAML-protected Web Site in Microsoft Azure

Sign-in to Azure


Page 18: Hosting a SAML-protected Web Site in Microsoft Azure

Publish to Azure


Page 19: Hosting a SAML-protected Web Site in Microsoft Azure

AD FS as a Protocol Translator


Page 20: Hosting a SAML-protected Web Site in Microsoft Azure

Azure Web Sites Redux
• MS released a CTP extension to WIF 4.0 that supported SAMLP
• May be NLA and is certainly not supported by MS
• One UW web application in production using this CTP
• WIF 4.5 re-architected, the CTP won’t work with it (and claims-based web apps need to be re-written)


Page 21: Hosting a SAML-protected Web Site in Microsoft Azure

Azure Cloud Service

• Web roles and worker roles
• Web role much more configurable than an Azure web site
• Shibboleth SP can be automatically installed using a startup script
• See my blog posts starting with http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/


Page 22: Hosting a SAML-protected Web Site in Microsoft Azure

Create a Cloud Service Project


Page 23: Hosting a SAML-protected Web Site in Microsoft Azure

Add Roles to the Service


Page 24: Hosting a SAML-protected Web Site in Microsoft Azure

Choose the Type of Web App


Page 25: Hosting a SAML-protected Web Site in Microsoft Azure

Config and Definition Files


Page 26: Hosting a SAML-protected Web Site in Microsoft Azure

Shibboleth SP Install Task


Page 27: Hosting a SAML-protected Web Site in Microsoft Azure

Shib SP Files in Project


Page 28: Hosting a SAML-protected Web Site in Microsoft Azure


Startup script (one command per line):

echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1
msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt /norestart
echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth
echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0']
echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',preCondition='bitness64']
echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True']
echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1
icacls c:\opt /grant "Users":(OI)(CI)(RX)
echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1
icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M)
echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1
net stop shibd_Default
net start shibd_Default

Page 29: Hosting a SAML-protected Web Site in Microsoft Azure

Publishing


• Similar to publishing an Azure web app from Visual Studio

• Takes longer to start due to time taken to install the Shib SP

• The install script is re-run each time an instance is spun up
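The slide-28 script logs each step but checks no exit codes, so an instance whose MSI or appcmd step failed would still come up, possibly serving the site with no ISAPI filter in front of it; and because the script is re-run on every instance start, appcmd's /+ additions fail the second time round. The following PowerShell is an added example, not from the presentation or the blog series: the same steps rewritten to fail closed, verify the MSI before running it, and be safe to repeat. The expected hash is a placeholder; the paths, the msiexec/appcmd/icacls arguments and the shibd_Default service name are taken from the original script, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example (not from the presentation): a fail-closed, re-runnable
# PowerShell version of the slide-28 startup script. Paths and steps follow the
# original; the expected MSI hash is a placeholder. Requires PowerShell 4.0+.
# Invoke from the startup task's .cmd as:
#   powershell.exe -NonInteractive -ExecutionPolicy Bypass -File install-shib.ps1
$ErrorActionPreference = 'Stop'
$log      = Join-Path $env:TEMP 'install-shib.txt'
$shibRoot = 'C:\opt\shibboleth-sp'
$isapi    = "$shibRoot\lib64\shibboleth\isapi_shib.dll"
$msi      = 'Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi'
$expectedMsiSha256 = 'REPLACE_WITH_SHA256_PUBLISHED_FOR_THE_MSI'   # placeholder
$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $log -Append -Encoding utf8
}

# Run a native command, capture its output into the log and abort the whole
# script on an unexpected exit code. The original checked no exit codes at all.
function Invoke-Step([string]$Description, [string]$Exe, [string[]]$Arguments, [int[]]$OkCodes = @(0)) {
    Write-Log "calling $Description"
    $ErrorActionPreference = 'Continue'   # stderr chatter from native tools is not fatal; the exit code decides
    & $Exe @Arguments 2>&1 | ForEach-Object { "$_" } | Out-File -FilePath $log -Append -Encoding utf8
    if ($OkCodes -notcontains $LASTEXITCODE) {
        Write-Log "FAILED (exit $LASTEXITCODE): $Description"
        exit $LASTEXITCODE
    }
}

try {
    if (Test-Path $isapi) {
        Write-Log 'Shibboleth SP already installed on this instance; skipping the MSI'
    } else {
        # Verify the package before handing it to msiexec.
        $actual = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
        if ($actual -ne $expectedMsiSha256) {
            Write-Log "MSI hash mismatch ($actual); refusing to install"
            exit 1
        }
        # 3010 = success with reboot pending; harmless here because of /norestart.
        Invoke-Step 'msiexec to run the Shib MSI' 'msiexec.exe' `
            @('/i', $msi, '/quiet', '/L*v', "$env:TEMP\shib-msi.txt", '/norestart') @(0, 3010)
    }

    Write-Log 'copying config files and ISAPI DLLs'
    Copy-Item 'Shibboleth-SP\*.xml' "$shibRoot\etc\shibboleth" -Force
    Copy-Item 'Shibboleth-SP\*.pem' "$shibRoot\etc\shibboleth" -Force
    Copy-Item "$env:SystemDrive\Program Files\Shibboleth\SP\lib\*.dll" "$shibRoot\lib64\shibboleth" -Force

    # appcmd's /+ add fails if the entry already exists, so only add on the first run.
    if (-not ((& $appcmd list config /section:handlers) -match 'name="ShibbolethSP"')) {
        Invoke-Step 'appcmd to add the ISAPI handler' $appcmd @('set', 'config', '/section:handlers',
            "/+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='$isapi',requireAccess='Script',responseBufferLimit='0']")
        Invoke-Step 'appcmd to add the ISAPI filter' $appcmd @('set', 'config', '/section:isapiFilters',
            "/+[name='Shibboleth',path='$isapi',preCondition='bitness64']")
        Invoke-Step 'appcmd to allow the ISAPI extension' $appcmd @('set', 'config', '/section:isapiCgiRestriction',
            "/+[path='$isapi',description='ShibbolethWebServiceExtension',allowed='True']")
    }

    # Same two grants as the original, scoped to the SP tree rather than all of C:\opt.
    Invoke-Step 'icacls to grant Users read/execute on the SP tree' 'icacls.exe' @($shibRoot, '/grant', 'Users:(OI)(CI)(RX)')
    Invoke-Step 'icacls to grant NetworkService modify on the log folder' 'icacls.exe' @("$shibRoot\var\log\shibboleth", '/grant', 'NetworkService:(OI)(CI)(RX,M)')

    Write-Log 'restarting shibd to pick up the config changes'
    Restart-Service -Name 'shibd_Default'
    Write-Log 'install completed'
    exit 0
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The startup task that launches this must run with executionContext="elevated" in ServiceDefinition.csdef, since appcmd and icacls change machine-wide state, and as a simple task its non-zero exit keeps the role instance from starting, which is the desired outcome: an instance that could not install the SP should never take traffic.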

Page 30: Hosting a SAML-protected Web Site in Microsoft Azure

Questions?


Page 31: Hosting a SAML-protected Web Site in Microsoft Azure

Links


• Series of 5 blog posts on hosting a Shib SP in Azure: http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/
• Test web site: https://uwshibsp.cloudapp.net/ (note that it is using a self-signed cert, so be prepared for browser warnings)
• Azure Portal: https://manage.windowsazure.com/
• Azure Site-to-Site VPN: http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx
• Azure VPN Walkthrough: http://jeffgraves.me/2012/10/26/windows-azure-vpn-walkthrough/ (from 2012)
• Azure Load Balancer: http://msdn.microsoft.com/en-us/library/azure/dn655058.aspx (VMs can have multiple "endpoints")
• Example of confusion between SAML token format and SAML protocol: http://stackoverflow.com/questions/11342186/windows-identity-foundation-does-not-officially-support-saml-2-0-use-wif-ctp-or

Page 32: Hosting a SAML-protected Web Site in Microsoft Azure

The University of Washington is one of the world’s preeminent universities and a recognized leader in educating the next generation of leaders, thinkers and doers. A multi-campus institution comprising UW Seattle, UW Tacoma and UW Bothell, as well as a world-class academic medical center, the UW is a focal point of the Puget Sound region’s intellectual and cultural life and a key contributor to Washington’s increasingly global reputation as a center of innovation and change. A progressive and quintessentially Northwest institution with a uniquely innovative and creative culture, the UW is driven to lead by successfully integrating the full assets of the university and its rich environs to address key issues of pressing human concern that make a lasting difference in the Northwest and around the world.
