Shibboleth Configuration in Tübingen - Clarin
Konferenz XYZ, 1.1.2012, Ort
• The University of Tübingen is a member of the DFN AAI
• The computing center in Tübingen runs a centralized IdP for the whole university
• In the SfS, a Shibboleth service provider was installed:
  • https://weblicht.sfs.uni-tuebingen.de
  • http://weblicht.sfs.uni-tuebingen.de still hosts the old D-SPIN homepage
Two servers are running the main services for CLARIN-D:
[Diagram: weblicht.sfs... and amber.sfs..., Apache HTTPD + Shibboleth in front, each proxying to a Tomcat]
• weblicht.sfs...: Proxy -> Tomcat: WebLicht, TCF Visualizer, DCA
• amber.sfs...: Proxy -> Tomcat: Webservices, Databases, Resources, SOAP Gateway, ...
Requirements for a SP
• Certificates from the DFN-AAI, integrated into OpenSSL
-----BEGIN CERTIFICATE-----
MIIFpzCCBI+gAwIBAgIED+vXfzANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJE RTEfMB0GA1UEChMWVW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjEcMBoGA1UEAxMTR2xv YmFsLVVOSVRVRS1DQSAwMTEpMCcGCSqGSIb3DQEJARYadW5pdHVlLWNhQHVuaS10 dWViaW5nZW4uZGUwHhcNMTAwNDE5MTMyNjA3WhcNMTUwNDE4MTMyNjA3WjCByzEL MAkGA1UEBhMCREUxHzAdBgNVBAoTFlVuaXZlcnNpdGFldCBUdWViaW5nZW4xKDAm BgNVBAsTH1NlbWluYXIgZnVlciBTcHJhY2h3aXNzZW5zY2hhZnQxDjAMBgNVBAsT BURTUElOMREwDwYDVQQLEwhXZWJMaWNodDEmMCQGA1UEAxMdd2VibGljaHQuc2Zz LnVuaS10dWViaW5nZW4uZGUxJjAkBgkqhkiG9w0BCQEWF2VoQHNmcy51bmktdHVl YmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJJ+lISL liCGHMdtC5EKdkSPkZIEfGf6u0I2YT+u/bX37XL4yOvmMxJxRLQM4oEvnE67n8k8 4qe06B8xErFh3KqgC5Q5keUlQmXJu4wvABnk9AuxlwJKuGXI3PetBYdid10A7Iu 3Ki0s3j7+7yYTG6xXJt4qrE7rV/v79zBQcoKOwu1AMdfV9q8GRShEXCQ82P4IITT Q4z513p1e0mscDdBIunH6aThNCJA9rUBwEVX90HX5KHaOPSksHISylhjl/++XJFy /0wBpiZ4+7pN2S/go9J8A153NZSPhF2M5deyWgjT/K2LSudLnegIlRFTq1Kv89eE bF/ZaHuNvakbqQIDAQABo4IB5DCCAeAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRmWkIAb3Vr zkTtELxvwSx4nngcUDAfBgNVHSMEGDAWgBSwwbtoNX/i1kGcGnGv4PxBNM3DqDAi BgNVHREEGzAZgRdlaEBzZnMudW5pLXR1ZWJpbmdlbi5kZTCBkwYDVR0fBIGLMIGI MEKgQKA+hjxodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2NsYXNzaWMtdW5pdHVlLWNh L3B1Yi9jcmwvZ19jYWNybC5jcmwwQqBAoD6GPGh0dHA6Ly9jZHAyLnBjYS5kZm4u ZGUvY2xhc3NpYy11bml0dWUtY2EvcHViL2NybC9nX2NhY3JsLmNybDCBrAYIKwYB BQUHAQEEgZ8wgZwwTAYIKwYBBQUHMAKGQGh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUv Y2xhc3NpYy11bml0dWUtY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwTAYIKwYB BQUHMAKGQGh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvY2xhc3NpYy11bml0dWUtY2Ev cHViL2NhY2VydC9nX2NhY2VydC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAGxJyokA uUwUFzvszzutQNicSlWWHmrB6g63cRkbgBMsNGFwIyhrizCJtPYTDAbJ1lG2PrYj YpbhHR4892JIAm1IkyR4sJvAKXgnzNHtTy1ZTmlP7BjekPb6pcSRWAra84A+bOWY +Q3KRITfEcUfsFw/PWYO8qwDurTWGBK3ReWkwLJ9y89XZDXQZt4A9RQnnBvnC7RU kLkAmxRV27neEuG8eh0tuFXStHuLbClnNnHaAt1c8m2awjWCWShG5cTR99muSJTc NGifdwt0qWax50ASplgOtT/GZAw2E7HEEgbDA+6JcKpVlh+UMnk2JN+nkkKUjgnD wN2yHSwHNNMiiGY=
-----END CERTIFICATE-----
Tübingen Software Environment
• Shibboleth Version 2.x
• Apache 2:
  • mod_ssl, shib2 enabled
• DFN tutorial:
  • https://www.aai.dfn.de/dokumentation/service-provider/
Configuration
• Virtual host in Apache (SSL):
  <Directory /var/www/login_s/>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
  </Directory>
  -> https://weblicht.sfs.uni-tuebingen.de/login_s/
• Shibboleth configuration:
  • /etc/shibboleth/shibboleth2.xml
Local Authentication
• In addition to the Shibboleth login, there is a second login method which uses the local Apache user management
• It is necessary because many CLARIN users do not have an account in the CLARIN identity federation
PHP: Display all server based variables
<?php
// The Shibboleth SP exports the user's attributes as server variables;
// "eppn" (eduPersonPrincipalName) is the usual identifier.
$email = isset($_SERVER["eppn"]) ? $_SERVER["eppn"] : '(no eppn attribute received)';
echo "Wer bin ich: " . htmlspecialchars($email);
// Dump every server variable for debugging. Values are escaped because some
// of them (request headers, query string) are controlled by the client.
echo '<table border="1">';
foreach ($_SERVER as $k => $v) {
    echo '<tr><td>' . htmlspecialchars($k) . '</td><td>'
       . htmlspecialchars(print_r($v, true)) . '</td></tr>';
}
echo '</table>';
?>
SAML Tracer
• SAML Tracer is an add-on for Firefox:
  • https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
Conclusion
• The computing center in Tübingen was very helpful
• Also the people from the DFN AAI – join the mailing lists!
Conclusion
• Attributes: it is not certain which attributes an SP receives from the IdPs
• Next step: secure web services and delegation
Delegated Authentication with Shibboleth
• Delegated authentication model among SAML-enabled services since Shibboleth v2.1.3:
  • uses the SAML 2.0 Enhanced Client or Proxy profile (ECP) for delegation
  • multi-tier delegation possible
• Use case for WebLicht:
  • App1, WS2, WS3, WS4 are all protected with Shibboleth within the CLARIN federation
  • App1 - WebLicht web application for chaining NLP tools
  • WS2 - tokenizer from Uni 2
  • WS3 - tagger from Uni 3
  • WS4 - resources from Uni 4 used by WS3 for tagging
• recognize both the original client App1/WS3 and the subject (user) and the fact that "delegate" client is accessing it on behalf of that subject
• as a result know that the user is signed-in and know the user identity
• can control or limit access of the user based on the user (and optionally the client) identity
• can apply internal authorization based on the user identity
[Diagram: delegation chain between User, App1, WS2, WS3 and WS4]
• Complications:
  • Shibboleth above v2.1.3 is required
  • requires additional, relatively complicated configuration for all the participating parties: for the IdP, for SPs that can delegate, and for SPs that accept delegation
  • not possible to specify that delegation from all SPs to all SPs is allowed
  • i.e. each web service must know and specify in advance which other web services it can access, and by which other web services it can be accessed
• What is possible with Shibboleth at the moment:
[Diagram: access categories Free, Academic Community, Other restrictions / licenses]
Shibboleth & Tomcat
• There are some third-party libraries which allow Shibboleth to be integrated directly into Tomcat
  • But: they are not official, and there could be problems with versions, security, etc.
• Solution: use an Apache HTTPD for the Shibboleth functionality and put Tomcat behind it, accessing Tomcat via mod_proxy_ajp
• Apache HTTPD runs on port 443 with SSL:
  • https://myserver.de/
• Tomcat runs on localhost on port 8080 (or another one):
  • http://localhost:8080/myapplication
• With the proxy:
  • https://myserver.de/myapplication
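The protected-directory directives from the Configuration slide and the HTTPD-in-front-of-Tomcat setup on this slide combine into a single virtual host. The following is an added example, not configuration taken from the Tübingen servers or from the CLARIN project: the hostname myserver.de, the certificate paths, the application path and the AJP connector port 8009 (Tomcat's default for AJP; the slides only mention Tomcat's HTTP port 8080) are assumptions.

```apache
# Added example (not from the slides): Apache HTTPD 2.x virtual host that
# terminates TLS, enforces a Shibboleth session and proxies the application
# to a Tomcat on localhost over AJP. Assumes mod_ssl, mod_proxy,
# mod_proxy_ajp and shib2 are already enabled (e.g. with a2enmod).
Listen 443
<VirtualHost *:443>
    ServerName myserver.de

    SSLEngine on
    # Server certificate and chain from the DFN-PKI; paths are assumptions
    SSLCertificateFile      /etc/ssl/certs/myserver.de.crt
    SSLCertificateKeyFile   /etc/ssl/private/myserver.de.key
    SSLCertificateChainFile /etc/ssl/certs/dfn-chain.pem

    # Handler endpoints of the SP itself (metadata, session status, SAML endpoints)
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Everything under /myapplication requires an authenticated Shibboleth
    # session: the same directives as for /var/www/login_s/ on the
    # Configuration slide, but as <Location>, because proxied requests have
    # no directory on the local filesystem.
    <Location /myapplication>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Location>

    # Hand the authenticated request to Tomcat over AJP. Tomcat must listen
    # on localhost only: if its connector were reachable from outside, a
    # client could talk to the application without passing Shibboleth.
    ProxyPass        /myapplication ajp://localhost:8009/myapplication
    ProxyPassReverse /myapplication ajp://localhost:8009/myapplication
</VirtualHost>
```

With mod_proxy_ajp, the Shibboleth SP documentation describes passing the user's attributes to Tomcat as AJP request attributes by setting attributePrefix="AJP_" in the ApplicationDefaults element of shibboleth2.xml; the web application then reads them with request.getAttribute("eppn") instead of trusting HTTP headers, which a client could otherwise forge if it found a path to Tomcat that bypasses Apache. Checking the attribute list that actually arrives (the PHP table on the earlier slide does this for mod_php) is the quickest way to see which attributes an IdP releases to this SP.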