AAI with simpleSAMLphp
Marina Vermezović, Academic Network of Serbia - AMRES
EIFL, 15.12.2011.
Content
AAI and Federated Identity
simpleSAMLphp
Federation structures
AMRES AAI deployment
Akademska mreža Srbije www.amres.ac.rs
Let’s make a start point
If you want to: offer web services – e-books, e-magazines
You need to: control access to those web services; make the services user-personalized
How do you do this: Authentication - who is your user? Authorization - what can she do?
AAI - Authentication and Authorization Infrastructure - makes access to protected services easier
Without AAI
(Diagram: Faculty A and Library B each run their own service providers - wireless, videoconference, e-learning, student portal, e-books - and every single service implements its own authentication (Auth) and authorization (Autz).)
With AAI
(Diagram: Faculty A and the Library each run Identity Management and an Identity Provider that performs authentication (Auth) once; the service providers - wireless, videoconference, e-learning, student portal, e-books - only perform authorization (Autz).)
AAI Architecture and Roles
Identity Provider:
• Identity Management
• Authentication
• Release of user attributes
• Preserving user privacy
Service Provider:
• Controls access to the resource
• Authorization
• Personalized user service
Federation operator:
• Defines the technologies used
• Admits IdPs and SPs to the federation – provides metadata
• Can provide some of the federation services centrally: Discovery Service, Metadata management, SSO, SLO, consent, attribute handling
Together, Identity Providers, Service Providers and the Federation operator form the CIRCLE OF TRUST.
Decide for technology and software
De-facto standard in academic identity federations: SAML
Software:
• Shibboleth - created by Internet2 (U.S.); IdP: Java, needs Tomcat; SP: C++, Apache module
• SimpleSAMLphp - created by UNINETT (Norway); both IdP and SP, written in PHP
SimpleSAMLphp
What are the key simpleSAMLphp functionalities?
Let’s see what simpleSAMLphp can do, following the example of a user accessing a web service.
SP point of view - protect access
Allows access to the resource only to legitimate users
SP point of view - IdP Discovery
Before redirecting the user to her IdP, the SP needs to discover which IdP the user belongs to. With simpleSAMLphp you can:
• Implement a centralized discovery service run by the Federation Operator
• Use the built-in discovery service on the SP side; it works by displaying the IdP entries found in metadata
IdP point of view - Authentication
The user is redirected to the IdP site, where she is asked to enter her username/password; this starts the authentication process
IdP point of view - Authentication
When the IdP gets the username/password, it must authenticate the user against some database
Authentication methods that come with the simpleSAMLphp distribution:
• LDAP
• SQL
• RADIUS
• List of username/password pairs
• OpenID, Facebook, Twitter, MySpace, LinkedIn, ...
If you don’t find your authentication source on the list, you can write a custom authentication module
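The following config/authsources.php is an added example, not code from the slides or from the simpleSAMLphp project. It shows both sides discussed above in the simpleSAMLphp 1.x configuration format: the SP-side saml:SP source with the discovery choice from the IdP Discovery slide (centralized discovery URL vs. the built-in discovery page), and IdP-side authentication sources for a static username/password list, LDAP, SQL and RADIUS. All host names, the DN pattern, the database query and the source names (default-sp, test-userpass, amres-ldap, amres-sql, amres-radius) are assumptions.

```php
<?php
/*
 * config/authsources.php  (added example; host names and source names are assumptions)
 * Each key names an authentication source; the first array element is the
 * module:class that implements it.
 */
$config = array(

    /* ---- SP side: how this SP finds and talks to IdPs (IdP Discovery slide) ---- */
    'default-sp' => array(
        'saml:SP',
        // null = derive the entityID from this host's metadata URL
        'entityID' => null,
        // Pin a single IdP here to skip discovery entirely; null = discover
        'idp' => null,
        // Centralized discovery service run by the federation operator.
        // Set to null to use the built-in discovery page, which lists the
        // IdP entries found in metadata/saml20-idp-remote.php.
        'discoURL' => 'https://ds.federation.example.ac.rs/simplesaml/module.php/discopower/disco.php',
        // Key pair used to sign requests and decrypt assertions
        'privatekey'  => 'sp.pem',
        'certificate' => 'sp.crt',
    ),

    /* ---- IdP side: where the IdP checks the username/password ---- */

    // Static list of username:password pairs - suitable for test environments only
    'test-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),

    // LDAP directory (the usual institutional identity store)
    'amres-ldap' => array(
        'ldap:LDAP',
        'hostname'   => 'ldap.example.ac.rs',
        'enable_tls' => TRUE,          // STARTTLS so the password never crosses the wire in clear
        'attributes' => NULL,          // NULL = return every attribute of the user's entry
        'dnpattern'  => 'uid=%username%,ou=people,dc=example,dc=ac,dc=rs',
        'search.enable' => FALSE,      // bind directly with the DN built from the pattern
    ),

    // SQL database; the query uses the bound :username / :password parameters
    'amres-sql' => array(
        'sqlauth:SQL',
        'dsn'      => 'mysql:host=db.example.ac.rs;dbname=idp',
        'username' => 'simplesaml',
        'password' => 'CHANGE-ME',
        // Assumes a table users(uid, salt, pwhash, givenName, sn, mail, eduPersonAffiliation)
        // with pwhash = SHA2(CONCAT(salt, password), 256); each returned column becomes an attribute
        'query'    => 'SELECT uid, givenName, sn, mail, eduPersonAffiliation '
                    . 'FROM users WHERE uid = :username '
                    . 'AND pwhash = SHA2(CONCAT(salt, :password), 256)',
    ),

    // RADIUS server (for example the one already serving the institution's wireless)
    'amres-radius' => array(
        'radius:Radius',
        'hostname' => 'radius.example.ac.rs',
        'port'     => 1812,
        'secret'   => 'CHANGE-ME',
        'timeout'  => 5,
    ),
);
```

The hosted IdP selects one of the IdP-side sources through its 'auth' setting in metadata/saml20-idp-hosted.php; an institution therefore changes its identity store without touching the federation-facing part of the configuration.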
IdP point of view - Identity Management
Regardless of which database the user identities are stored in, it is important that the data about the user is correct
IdM: a set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How a digital identity is maintained
4. How a digital identity is used
5. How a digital identity is terminated
Must comply with the national personal data protection law and the EU Data Protection Directive
IdP point of view - Attribute Release
After the user is authenticated, the IdP can release some attributes about the user to the SP
But some principles are important!
General rules:
• release only the attributes which the SP really needs
• release attributes using a pre-agreed syntax (schemas)
With simpleSAMLphp, the IdP can:
• Filter out a subset of the available attributes that are sent to an SP
• Modify names or values of attributes
• Add new attributes
• Generate new attributes that are composed of others
IdP point of view - Consent
Before attribute release, the IdP can ask the user for consent to release her data
This is very important from the perspective of national and international laws on the protection of user data
EU Data Protection Directive: Consent - data should not be disclosed without the data subject’s consent
A consent module is available in simpleSAMLphp
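As an added example (not from the slides or the simpleSAMLphp project), a metadata/saml20-idp-hosted.php showing how the attribute release operations listed above and the consent step are configured in simpleSAMLphp 1.x: an 'authproc' chain of filters that runs after authentication and before the assertion is built. The filter classes (core:PHP, core:AttributeAlter, core:AttributeAdd, core:TargetedID, core:AttributeLimit, core:AttributeMap, consent:Consent) are the ones shipped with the distribution; the key file names, the 'amres-ldap' source name, the mail domains and the chosen attribute set are assumptions.

```php
<?php
/*
 * metadata/saml20-idp-hosted.php  (added example; file names, source name and
 * domains are assumptions; attribute names follow the eduPerson/inetOrgPerson schemas)
 */
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    // IdP signing key; the matching certificate is what every SP puts in its idp-remote metadata
    'privatekey'  => 'idp.pem',
    'certificate' => 'idp.crt',
    // Authentication source defined in config/authsources.php
    'auth' => 'amres-ldap',

    /* Filters run in ascending priority order on the attribute set the source returned. */
    'authproc' => array(

        // 1. Generate a new attribute composed of others: displayName = givenName + sn
        10 => array(
            'class' => 'core:PHP',
            'code'  => '
                if (isset($attributes["givenName"][0], $attributes["sn"][0])) {
                    $attributes["displayName"] = array(
                        $attributes["givenName"][0] . " " . $attributes["sn"][0]
                    );
                }
            ',
        ),

        // 2. Modify attribute values: rewrite the student mail domain to the institutional one
        20 => array(
            'class'       => 'core:AttributeAlter',
            'subject'     => 'mail',
            'pattern'     => '/@student\.example\.ac\.rs$/',
            'replacement' => '@example.ac.rs',
        ),

        // 3. Add a new attribute value: everyone this IdP authenticates is a member
        30 => array(
            'class' => 'core:AttributeAdd',
            'eduPersonAffiliation' => array('member'),
        ),

        // 4. Persistent, SP-specific pseudonym derived from uid: the SP gets a stable
        //    identifier for personalization without learning the real username,
        //    and two SPs cannot correlate the same user
        40 => array(
            'class' => 'core:TargetedID',
            'attributename' => 'uid',
        ),

        // 5. Filter: only these attributes may leave the IdP, whatever LDAP returned
        //    (uid, sn, givenName and everything else are dropped here)
        50 => array(
            'class' => 'core:AttributeLimit',
            'displayName', 'mail', 'eduPersonAffiliation', 'eduPersonTargetedID',
        ),

        // 6. Rename to the pre-agreed syntax: friendly names -> urn:oid form
        60 => array(
            'class' => 'core:AttributeMap',
            'name2oid',
        ),

        // 7. Consent: show the user exactly the (already filtered) set about to be released
        90 => array(
            'class'   => 'consent:Consent',
            'store'   => 'consent:Cookie',   // remember the decision per SP in a cookie
            'focus'   => 'yes',
            'checked' => FALSE,              // "remember my choice" is not pre-ticked
        ),
    ),
);
```

The ordering matters for privacy: TargetedID (40) is computed while uid is still present, AttributeLimit (50) then removes uid, and consent (90) is asked last so the user sees the set the SP will actually receive, not the raw directory entry.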
SP point of view - Attribute processing
Attributes help the SP to:
• Make authorization decisions - students/employees have different permissions
• Make services personalized for users - the SP needs a persistent user ID so it can save the user's preferences
• Give the user some additional service - the SP needs the user's e-mail address to send e-mail notifications
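The following SP-side page is an added example, not code from the slides or the simpleSAMLphp project. It covers both the "protect access" slide and the attribute-processing slide above: SimpleSAML_Auth_Simple (the simpleSAMLphp 1.x API) enforces authentication, then the three uses of attributes are each isolated in a function that fails closed when the IdP did not release what the SP needs. It assumes simpleSAMLphp under /var/simplesamlphp, an authentication source named 'default-sp', that attributes arrive under their friendly names (eduPersonAffiliation, eduPersonTargetedID, mail), and an affiliation-to-permission policy invented for the example.

```php
<?php
/*
 * protected.php  (added example; paths, source name and the permission policy are assumptions)
 */
require_once('/var/simplesamlphp/lib/_autoload.php');

/* Authorization: map institutional affiliation to what this service allows.
 * Deny by default: an assertion without a recognised affiliation gets nothing. */
function permissionsFor(array $attributes)
{
    $affiliations = isset($attributes['eduPersonAffiliation'])
        ? $attributes['eduPersonAffiliation'] : array();
    $perms = array();
    if (in_array('member', $affiliations, true)) {
        $perms[] = 'read';                                  // any member may read
    }
    if (in_array('employee', $affiliations, true) || in_array('faculty', $affiliations, true)) {
        $perms[] = 'upload';                                // only staff may publish
    }
    return $perms;
}

/* Personalization: key for stored preferences. Use the SP-specific pseudonym,
 * never uid or mail, which the institution can change or re-assign to someone else. */
function persistentUserId(array $attributes)
{
    if (empty($attributes['eduPersonTargetedID'][0])) {
        return null;                                        // not released: do not personalize
    }
    return $attributes['eduPersonTargetedID'][0];
}

/* Additional service: address for notifications, only if a syntactically valid one was released. */
function notificationAddress(array $attributes)
{
    if (empty($attributes['mail'][0])) {
        return null;
    }
    $mail = $attributes['mail'][0];
    return filter_var($mail, FILTER_VALIDATE_EMAIL) ? $mail : null;
}

/* ---- protect access: nothing below runs for an unauthenticated user ---- */
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();                 // no session -> redirect to discovery/IdP, then back here
$attributes = $as->getAttributes();

$perms = permissionsFor($attributes);
if (!in_array('read', $perms, true)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Your affiliation does not grant access to this resource.');
}

$userId = persistentUserId($attributes);
$mail   = notificationAddress($attributes);

/* Attribute values are data from another party: escape them before echoing. */
header('Content-Type: text/html; charset=utf-8');
echo '<h1>e-books</h1>';
echo '<p>Permissions: ' . htmlspecialchars(implode(', ', $perms)) . '</p>';
echo '<p>Preferences key: '
   . ($userId !== null ? htmlspecialchars($userId) : 'none (no persistent ID released)') . '</p>';
echo '<p>Notifications: '
   . ($mail !== null ? htmlspecialchars($mail) : 'disabled (no e-mail address released)') . '</p>';
```

If the IdP maps attribute names to urn:oid form before release, the SP's own 'authproc' in config/authsources.php needs a core:AttributeMap filter with 'oid2name' so that the friendly names used above are what getAttributes() returns.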
Decide for Federation architecture
3 possibilities:
• Full mesh
• Centralized
• Hub and spoke
Choosing one is very important, because it heavily depends on the state the institutions are in
Full mesh
(Diagram: Institutions A-D each run their own Identity Provider - Identity Management, Auth, SSO/SLO, consent, attribute filtering - and/or Service Provider - Discovery Service, Autz. The Federation operator provides only the federation metadata and the Discovery service.)
Hub and spoke
(Diagram: institutions keep Identity Management and Auth on the IdP side - Institution C - and Autz with the Discovery Service on the SP side - Institution D. The Federation operator's hub provides the federation metadata and the Discovery service and runs SSO/SLO, consent and attribute filtering centrally.)
Centralized
(Diagram: the Federation operator runs the Identity Provider - Auth, SSO/SLO, consent, attribute filtering - together with the federation metadata and the Discovery service; institutions keep only Identity Management - Institution C - and their Service Providers with Discovery Service and Autz - Institution D.)
AMRES AAI
What was our start point:
• Institution administrators have less knowledge
• Institutions have different databases => no centralized federation
• No institution has its own SSO
We decided for: simpleSAMLphp, full mesh, made as lightweight as possible: metadata management tool, attribute release recommendations, ...
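As an added example (not from the slides or the AMRES deployment), the two metadata entries that establish one IdP-SP trust relationship in a full mesh, in simpleSAMLphp 1.x format. In a full mesh every SP carries an entry like the first for every IdP in the federation and every IdP an entry like the second for every SP, which is exactly what a metadata management tool has to generate and distribute. The second entry also shows where a per-SP attribute release recommendation is enforced on the IdP. Entity IDs, URLs, names and the certificate value are placeholders.

```php
<?php
/*
 * Added example: two files shown together. Entity IDs, URLs and the
 * certificate are placeholders.
 */

/* --- metadata/saml20-idp-remote.php on the SP: the IdPs this SP trusts --- */
$metadata['https://idp.example.ac.rs/simplesaml/saml2/idp/metadata.php'] = array(
    'name'        => array('en' => 'Example Faculty', 'sr' => 'Primer fakulteta'),
    'description' => array('en' => 'Students and staff of Example Faculty'),
    'SingleSignOnService' => 'https://idp.example.ac.rs/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.ac.rs/simplesaml/saml2/idp/SingleLogoutService.php',
    // The IdP's signing certificate is the trust anchor: an assertion is accepted
    // only if its signature verifies against this key. Paste the real PEM body here.
    'certData' => 'MIIC...PLACEHOLDER-BASE64-CERTIFICATE...',
);

/* --- metadata/saml20-sp-remote.php on the IdP: the SPs this IdP serves,
 *     and what each of them may receive --- */
$metadata['https://ebooks.example.ac.rs/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
    'name' => array('en' => 'Example e-books service'),
    'AssertionConsumerService' => 'https://ebooks.example.ac.rs/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://ebooks.example.ac.rs/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    // Per-SP release policy: filters here run in addition to the IdP's own authproc.
    // This SP needs only affiliation (authorization) and a pseudonym (personalization),
    // so mail and displayName never reach it even if the IdP releases them elsewhere.
    'authproc' => array(
        50 => array(
            'class' => 'core:AttributeLimit',
            'eduPersonAffiliation', 'eduPersonTargetedID',
        ),
    ),
);
```

Keeping the release limit in the SP-remote entry rather than in the application means the recommendation is enforced where the data lives, at the IdP, and a new SP admitted to the federation starts with nothing until its entry grants it something.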
AMRES AAI
We have set up a test environment
Next steps:
• Hold a hands-on workshop with a few chosen institutions, which will continue in the PILOT AAI
• Gain experience in the PILOT, evaluate the chosen solution, make changes if needed
• Start PRODUCTION, continue with workshops
• Get/deploy new user services which would attract institutions
Thank you for your attention
Questions?
or write [email protected]