UK e-Science All Hands Meeting, September 2007
The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources
John Watt ([email protected]), Richard Sinnott ([email protected]), Jipu Jiang
University of Glasgow, Scotland, UK
“Implementing Single Sign-On and VO Management in e-Health and e-Learning domains at Glasgow using Shibboleth”
• 1 year JISC project (Dec ’05 – Dec ’06)
• In partnership with NHS Scotland
http://www.nesc.ac.uk/hub/projects/glass
GLASgow early adoption of Shibboleth
Federated Trust
Local authentication infrastructures are vital, e.g. campus student directories
• Support existing infrastructures (e.g. registration, human resources)
– Will normally have enrolled IN PERSON at the institution
» With standard identity (birth certificate, exam results)
– Will be (reasonably) well known by local staff
• Also the Regional Operators for a CA
– Required decentralisation of credential verification due to travel/time restrictions
– National CA would be impossible without this
• Remote authentication information will always be out of date
• Don’t want to have to learn lots of usernames/passwords
Federated Trust
The best entity to authenticate a person is their home institution/company
• Info will be up to date
• They will always know a person better than a remote site
• Remote site may not know if user is still valid or not
Can we utilise a user’s home credentials to access remote resources?
Campus Authentication
Novell NSure
• Unified account management system at University of Glasgow
• Central authentication method for campus
• System may be queried through LDAP connection
• Production system!
• Custom schema
– Standard object classes + Novell definitions
• NOTE:
– ‘uid’ attribute is guaranteed unique for every user on the system
– So we can use this as a database linking attribute
» Could come in handy…
• Federated authentication system using SAML for secure conversation
• Enables Single Sign-On to web pages and portals
• Authentication is done by the user’s home institution: the Identity Provider (Origin)
• Authorisation (and access) is done by the resource: the Service Provider (Target)
Shibboleth SSO flow (diagram: User, Grid Portal, Home Institution, Service Provider, Identity Provider, WAYF, Application, Federation AuthZ; one panel per step)
1. Point browser to portal
2. Shibboleth redirects user to W.A.Y.F service
3. User selects their home institution
4. AUTHENTICATE: home confirms userID in local LDAP and pushes attributes to the service provider
5. Portal logs user in and presents attributes to authorisation function
6. AUTHORISE: portal passes attributes to AuthZ function to make final access control decision
Identity Providers
Identity Providers assert:
• The authenticity of the user
– IdPs in a federation TRUST each other’s authentication assertions
– IdP guarantees the user is who they say they are
– Enforced by federation policy
– Shibboleth requires external apps to actually do the authentication
» SAML provides the transport mechanism for this assertion
• The privileges of the user
– SAML attributes carry extra information about this user which can be used by external resources to make access control decisions
– These attributes need to be negotiated between IdPs and SPs
– However a standard framework exists which SPs may adopt to enhance interoperability…
eduPerson
• An LDAP object class which defines widely-used attributes relevant to higher education
• Adopted by Shibboleth and the UK Access Management Federation
• eduPersonAffiliation – standard attribute definition (student, staff, affiliate)
• eduPersonPrincipalName – may be disabled for anonymous access
• eduPersonTargetedID – persistent non-identifying… identifier
• eduPersonEntitlement – custom attribute for carrying user privileges
eduPerson
Campus opinion of effect of adoption of eduPerson schema…
Towards a Solution…
Basic Shibboleth IdP configuration
(Diagram: the IdP sits between the SP and the User Directory. The SP sends an AuthN request; the IdP asks the User Directory “AuthN?”, receives y/n and returns y/n to the SP. The SP then sends an AuthZ request; the IdP asks the User Directory “Atts?”, receives the attributes and returns them to the SP. Label: eduPerson not supported.)
Multiple Attribute Authorities
(Diagram: as in the basic configuration, the IdP answers the SP’s AuthN request (“AuthN?” to the User Directory, y/n back to the SP) and AuthZ request (“Atts?”, attributes back to the SP), but the attribute query now also goes to the Dept. A and Dept. B directories. User entries are linked through the unique ‘uid’ attribute. Label: eduPerson can be adopted at departmental level.)
The Techie Bit…
• Multiple attribute authorities implemented through additional JNDI connectors in resolver.ldap.xml
• Must set ‘noResultIsError’ to ‘false’
– Prevents an error being thrown if a user is not found in a database
– Needed because a user is not normally a member of EVERY department!
• Must set ‘propagateErrors’ flag to ‘false’
– Stops any errors from halting query of multiple LDAPs
• Attribute connectors state which directories they will search
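The resolver behaviour these two flags produce, as an added example that is not the GLASS project's or Shibboleth's own code: several directories linked by the unique ‘uid’ are queried in turn, a user missing from one of them is skipped rather than failing the lookup (noResultIsError=false), and a directory that cannot be reached is logged and skipped rather than halting the remaining queries (propagateErrors=false). The directories are constructed in-memory dictionaries standing in for the NSure LDAP and two departmental attribute authorities; the `required` flag on the central connector is an assumption added so that a user unknown to the authenticating directory is never silently given an empty attribute set.

```python
"""Added example, not the GLASS project's or Shibboleth's own code.

Models an IdP attribute resolver over several directories linked by 'uid':
  noResultIsError=false  -> a user absent from one directory is skipped
  propagateErrors=false  -> one failing directory does not halt the rest
"""
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

log = logging.getLogger("resolver")

Entry = Dict[str, List[str]]          # LDAP attributes are multi-valued


class ConnectorError(Exception):
    """A directory could not be queried (e.g. server unreachable)."""


@dataclass
class Connector:
    name: str
    search: Callable[[str], Optional[Entry]]   # entry for a uid, or None
    # Assumption (not on the slide): the directory that authenticated the
    # user must hold an entry for them, whatever noResultIsError says.
    required: bool = False


def store_search(store: Dict[str, Entry]) -> Callable[[str], Optional[Entry]]:
    """Search function over an in-memory stand-in for an LDAP directory."""
    return lambda uid: store.get(uid)


def failing_search(uid: str) -> Optional[Entry]:
    """Stand-in for an LDAP server that is down."""
    raise ConnectorError("LDAP server unreachable")


# Constructed sample directories: no real people or addresses.
CENTRAL = Connector("nsure", store_search({
    "jw01": {"uid": ["jw01"], "givenName": ["John"], "sn": ["Watt"],
             "mail": ["jw01@example.ac.uk"]},
    "rs02": {"uid": ["rs02"], "givenName": ["Richard"], "sn": ["Sinnott"],
             "mail": ["rs02@example.ac.uk"]},
}), required=True)
DEPT_A = Connector("nesc", store_search({   # eduPerson adopted departmentally
    "jw01": {"eduPersonAffiliation": ["staff"],
             "eduPersonEntitlement": ["brainIT_investigator"]},
}))
DEPT_B = Connector("eee", store_search({
    "rs02": {"eduPersonAffiliation": ["staff"]},
}))
FLAKY = Connector("dept-c-down", failing_search)
CONNECTORS = [CENTRAL, DEPT_A, DEPT_B]


def resolve(uid: str, connectors: List[Connector],
            no_result_is_error: bool = False,
            propagate_errors: bool = False) -> Entry:
    """Merge the uid's attributes from every connector that has them."""
    merged: Entry = {}
    for c in connectors:
        try:
            entry = c.search(uid)
        except ConnectorError as exc:
            if propagate_errors:
                raise                      # propagateErrors=true: abort the whole lookup
            log.warning("connector %s failed for uid=%s (%s); continuing", c.name, uid, exc)
            continue
        if entry is None:
            if no_result_is_error or c.required:
                raise LookupError(f"uid {uid!r} not found in {c.name}")
            log.info("uid %s not in %s; not an error", uid, c.name)
            continue
        for attr, values in entry.items():
            bucket = merged.setdefault(attr, [])
            for v in values:
                if v not in bucket:        # de-duplicate values seen in several directories
                    bucket.append(v)
    return merged


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(resolve("jw01", CONNECTORS + [FLAKY]))
```

With the defaults, `jw01` resolves to the central attributes plus the NeSC entitlement even though the EEE directory has no entry for them and the down directory raises; with `no_result_is_error=True` the same lookup fails on the first department that does not know the user, which is exactly why the slide sets the flag to false.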
Specific Services
University of Glasgow is now offering many online services for its students
• Some involve manipulation or extraction of sensitive personal data
• Most involve insecure (often cleartext) user information being moved about
• Nearly all require:
– Username and password to be entered each visit (even within the same browser session)
» It is also possible that DIFFERENT usernames and passwords may be needed
– Pre-registration for staff and non-students
GLASS Project
Unifying Uni. Resources under Shibboleth utilising the NSure Directory Service
SSO, Secure Attributes…
WebMAIL
Moodle is an online course management system
A Virtual Learning Environment (VLE) which allows educators to create online learning communities
• As of August 2006: 15,768 registered sites in 163 countries (1241 in UK alone), 581,984 courses, 6,033,505 users
• Individual Moodle sites can be very different
– Different sites may require different user information to create a session
University of Glasgow Moodle
• Utilises the central campus LDAP server
• Requires the following entries for a user session: uid, givenName, fullName, mail, sn (Uni. of Glasgow Computing Services (CS) requirements)
• Entries usually retrieved through generic module
• A Shibboleth Authentication module is available
– Extracts the correct attributes from the HTTP_SHIB_ATTRIBUTES header provided by the Shibboleth Service Provider
– “Pure Shibboleth” login, or multiple login types
» CS prefer the latter, more flexible
» Cost is user must specifically request a Shibboleth session on first visit.
WebSURF is an online service for manipulation and retrieval of personal details
• Student services: course registration/options, access to personal exam results, updating personal details
– Address, Tel. No.
• Staff services: view student records, update course information
WebSURF is authored by Glasgow University
GLASS
Moodle
• Moodle ships with a Shibboleth authentication module
• Requires configuration…
• Shibboleth SP provides the 5 attributes in an HTTP header (HTTP_SHIB_ATTRIBUTES)
• Each individual attribute is extracted using a CGI-type header
– HTTP_UID
– HTTP_SHIBINETORG_SURNAME
– HTTP_GIVENNAME
– Etc.
• Moodle forms a local username (if it doesn’t already exist)
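The extraction-and-provisioning step described above, as an added example that is not Moodle's or the GLASS project's code: the five attributes Computing Services requires are read from the per-attribute CGI headers the SP exports, the session is refused if the IdP released fewer than all five, and a local username is formed from the uid only on the first visit. HTTP_UID, HTTP_SHIBINETORG_SURNAME and HTTP_GIVENNAME are the header names on the slide; HTTP_FULLNAME and HTTP_MAIL, the username character rule and the sample environment are assumptions constructed for the example.

```python
"""Added example, not Moodle's or the GLASS project's code.

Reads the five required Shibboleth attributes from SP-populated CGI headers
and forms (once) a local Moodle-style account.
"""
import re
from typing import Dict, Mapping

# Moodle field -> environment header the SP sets. Two names are assumptions.
REQUIRED_HEADERS = {
    "uid": "HTTP_UID",
    "givenName": "HTTP_GIVENNAME",
    "fullName": "HTTP_FULLNAME",            # assumed header name
    "mail": "HTTP_MAIL",                    # assumed header name
    "sn": "HTTP_SHIBINETORG_SURNAME",
}
# Local usernames are lower-case and limited to a safe character set: an
# assumption modelled on typical username rules, not taken from the slide.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,100}$")


class ShibAttributeError(ValueError):
    """The SP did not deliver every attribute the session needs."""


def attributes_from_environ(environ: Mapping[str, str]) -> Dict[str, str]:
    """Pull the five required attributes out of the SP-populated environment."""
    attrs: Dict[str, str] = {}
    missing = []
    for field, header in REQUIRED_HEADERS.items():
        value = environ.get(header, "").strip()
        if value:
            attrs[field] = value
        else:
            missing.append(field)
    if missing:   # refuse the session rather than create a half-populated account
        raise ShibAttributeError("IdP did not release: " + ", ".join(sorted(missing)))
    return attrs


def local_username(attrs: Dict[str, str]) -> str:
    """Derive the local username from the uid, rejecting unusable values."""
    username = attrs["uid"].lower()
    if not USERNAME_RE.match(username):
        raise ShibAttributeError(f"uid {attrs['uid']!r} is not usable as a local username")
    return username


def login(environ: Mapping[str, str], accounts: Dict[str, Dict[str, str]]) -> str:
    """Create the local account on the first Shibboleth visit; return its username."""
    attrs = attributes_from_environ(environ)
    username = local_username(attrs)
    if username not in accounts:       # Moodle forms a local username if it doesn't already exist
        accounts[username] = {k: attrs[k] for k in ("givenName", "sn", "fullName", "mail")}
    return username


# Constructed sample environment, as the SP would populate it after a successful SSO.
SAMPLE_ENVIRON = {
    "HTTP_UID": "jw01",
    "HTTP_GIVENNAME": "John",
    "HTTP_FULLNAME": "John Watt",
    "HTTP_MAIL": "jw01@example.ac.uk",
    "HTTP_SHIBINETORG_SURNAME": "Watt",
}

if __name__ == "__main__":
    store: Dict[str, Dict[str, str]] = {}
    print(login(SAMPLE_ENVIRON, store), store)
```

These headers are only meaningful because the SP module sets them after validating the assertion, so the application must be reachable only through that module; the check for all five attributes also turns an IdP attribute-release misconfiguration into a clear error instead of a blank profile.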
GLASS
WebSURF
• Much more complicated!
• WebSURF is a J2EE application which runs in a JBoss container
• Authentication is done with the generic JAAS module
• Shibboleth may interface with JBoss applications through the SPIE-JAAS module, which takes the place of the generic JAAS
– http://spie.oucs.ox.ac.uk
GLASS
BrainIT
• Using Shibboleth to provide sensitive clinical data to a Grid portal from an NHS database
• SP needs to host GridSphere, so a Tomcat/ajp_proxy setup is required
• Have SSL enabled this portal as data is particularly sensitive
• eduPersonEntitlement used as the attribute required for access to portal
• Different attributes correspond to different available parameters to query
– brainIT_nurse – low privilege (e.g. DOB/Sex)
– brainIT_investigator – high privilege (e.g. postcode, illness specifics)
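The entitlement-to-parameter authorisation described above, as an added example that is not the BrainIT portal's or the GLASS project's code: each eduPersonEntitlement value unlocks a set of queryable parameters, a user holding several values gets the union, unknown values grant nothing, and a query is refused if it asks for any parameter outside the permitted set. The two entitlement values and their example parameters come from the slide; the exact parameter names and the ';'-joined form of a multi-valued header are assumptions.

```python
"""Added example, not the BrainIT portal's or the GLASS project's code.

Deny-by-default authorisation of a clinical-data query keyed on
eduPersonEntitlement values.
"""
from typing import Iterable, List, Set, Tuple

# Entitlement value -> parameters it permits. Values from the slide; the
# parameter names are assumed.
PARAMETERS_FOR_ENTITLEMENT = {
    "brainIT_nurse": {"dob", "sex"},
    "brainIT_investigator": {"dob", "sex", "postcode", "illness_specifics"},
}


def split_entitlements(header_value: str) -> List[str]:
    """Split a multi-valued attribute as delivered in one header (assumed ';'-joined)."""
    return [v.strip() for v in header_value.split(";") if v.strip()]


def permitted_parameters(entitlements: Iterable[str]) -> Set[str]:
    """Union of the parameters unlocked by every recognised entitlement."""
    allowed: Set[str] = set()
    for value in entitlements:
        allowed |= PARAMETERS_FOR_ENTITLEMENT.get(value, set())  # unknown -> nothing
    return allowed


def authorise_query(entitlements: Iterable[str],
                    requested: Iterable[str]) -> Tuple[bool, Set[str]]:
    """Return (allowed, denied_parameters).

    The whole query is refused when any requested parameter is outside the
    permitted set, so a low-privilege user cannot smuggle a high-privilege
    field into an otherwise permitted request.
    """
    denied = set(requested) - permitted_parameters(entitlements)
    return (not denied, denied)


if __name__ == "__main__":
    # Constructed header value for a user holding only the nurse entitlement.
    nurse = split_entitlements("brainIT_nurse")
    print(authorise_query(nurse, ["dob", "sex"]))          # (True, set())
    print(authorise_query(nurse, ["dob", "postcode"]))     # (False, {'postcode'})
```

Returning the denied set alongside the decision gives the portal something precise to log, which is what an auditor of access to NHS data will ask for.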
Summary
• GLASS infrastructure is the basis for all Shibboleth-based projects at Glasgow, e.g. the EPSRC nanoCMOS project
– Centralised authentication from NSure LDAP
– Departmental Attribute Authorities at the National e-Science Centre and the Department of Electronics and Electrical Engineering
– Each department controls the attributes required for access to their own service
– LDAP directories linked using unique ‘uid’ attribute
• Experience gained in interfacing with new technologies (MediaWiki)
• Informs new Shibboleth-based projects with other collaborators (e.g. SEE-GEO)