![Page 1: Shibboleth Identity Provider Version 3 IAM Online March 11, 2015 Scott Cantor, Shibboleth Development Team Marvin Addison, Shibboleth Development Team](https://reader036.vdocuments.mx/reader036/viewer/2022062320/56649c745503460f94926682/html5/thumbnails/1.jpg)
Shibboleth Identity Provider Version 3
IAM Online, March 11, 2015
Scott Cantor, Shibboleth Development Team
Marvin Addison, Shibboleth Development Team
Tom Barton, University of Chicago and InCommon TAC
The first, and foremost, achievement of the Internet2 Middleware Initiative
Federation technology built on SAML is changing our world
SAML was declared dead before Shib was developed
Revived by Bob Morgan, powered by Scott Cantor
Interfederation is happening, providing the base on which an access management decision can be effective anywhere in the world
Shib IdP v3 is the best tool to manage your organization’s integration with the global access management fabric
2
Shibboleth Identity Provider Version 3
Scott Cantor, The Ohio State University
Marvin Addison, Virginia Tech
A Bit of History
• Version 1 – 2003 – 2008
  • SAML 1, inventing a lot of concepts on the fly
• Version 2 – 2008 – 2015
  • SAML 2, harmonizing two protocols
• Version 3 – 2015 – ?
  • Focus on design, deployability, and sustainability over features
4
Why Upgrade?
• Compelling reasons for you
  • Easier UI and login customization, error handling, simpler clustering, attribute release consent, easier handling of vendor quirks, much improved update process, CAS protocol support
• Compelling reasons for us
  • Up-to-date library stack, much easier to deliver future enhancements; V2 maintenance is a drain on limited resources
• A practical reason
  • V2 maintenance and user support is very finite; you don't have to upgrade, but you can't stay here
5
User Interface
• Leverages "views" from Spring Web Flow
• Views can be Velocity templates, JSP pages, potentially others
• Most views are Velocity by default so they can be modified on the fly, including example login/logout/error templates
• Spring message properties
  • Reusable macros across views (e.g., logo paths, titles, organization names, etc.)
  • Can be internationalized to a browser's primary language
6
Error Handling
• WebFlow is event-driven, so most errors are "events", e.g., "MessageReplay"
• Events can be classified by you as Local or non-Local, local meaning "don't issue a response back to requester"
• Error view(s) under your control; an example view is provided using message properties to map events into different error content
• You can reuse the example, roll your own, map events to different views, etc.
7
Clustering
• Ding-dong, Terracotta's dead
• With one exception, all short/long-term persistent state relies on a StorageService API
  • in-memory
  • cookie (*)
  • JPA / database
  • memcache
  • Web Storage (TBD)
• Defaults allow zero-effort clustering with most critical features supported
8
Consent
• New first-order concept: interceptor flows
• Security/policy checks run this way invisibly
• Also have "post-authentication" hook for running flows after user identified, several built-in examples
• uApprove-style attribute release consent and terms of use flows (former is on by default on new installs); has an enhanced mode of approving each attribute individually
• Context-checking flow that can halt processing if expected conditions aren't met, such as attributes or specific values available
9
Vendor Quirks
• Common use cases for integrating vendor SAML implementations are easier and less invasive
• Security settings like digest algorithms can finally be overridden per-SP or group of SPs
• Assertion Encryption can be made "optional" so it turns on whenever possible and off when not (based on metadata)
• Setting up custom NameID formats in a dedicated place
• Attaching custom SAML encoder rules to attribute definitions and limiting them to specific SPs
10
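As an added example (not from the slides or the Shibboleth project's own files), a relying-party.xml override of the kind this slide describes, scoped to a single legacy SP: that one SP gets SHA-1 signing and "optional" encryption, while every other relying party keeps the SHA-2 and mandatory-encryption defaults. It assumes the IdP v3 relying-party.xml conventions as I understand them from the v3 documentation (the RelyingPartyByName and SAML2.SSO parent beans, the shibboleth.SecurityConfiguration.SHA1 bean, the encryptionOptional property); the entityID is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Default relying party: unchanged from the shipped file, so SHA-2
         signing and required assertion encryption apply to everyone
         not matched by an override below. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" />
                <bean parent="SAML2.AttributeQuery" />
            </list>
        </property>
    </bean>

    <!-- Per-SP override: only the named entityID (placeholder) is affected.
         Weakening applies to this one vendor, not to the federation. -->
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="https://legacy-vendor.example.org/sp">
            <property name="profileConfigurations">
                <list>
                    <!-- SHA-1 signing for a vendor that cannot verify SHA-2;
                         encryptionOptional: encrypt when the SP's metadata
                         carries an encryption key, send plaintext otherwise. -->
                    <bean parent="SAML2.SSO"
                          p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1"
                          p:encryptionOptional="true" />
                </list>
            </property>
        </bean>
    </util:list>

</beans>
```

The override belongs to the "user" configuration layer the upgrade slide distinguishes, so it survives an install-over-top upgrade; review such overrides periodically, since each one is a documented, per-entity exception to the SHA-2 baseline the InCommon slide calls for.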
Safe Upgrades
• Simpler, safer, robust upgrade process:
  • Review release notes
  • Stop service
  • Unpack, install over top
  • Rebuild warfile to add back local changes
  • Start service
• Clearly delineated "system" and "user" config files
• Local warfile overlay to prevent losing webapp changes or additions
• On Windows, Jetty can be installed and managed for you in simple deployments; Unix TBD
11
CAS Protocol
• Major technical goal for redesign was to facilitate non-SAML / non-XML protocol integration
• CAS was a natural candidate to work on and help prove out the design
12
Speaking with Developer “Hat”
● CAS application developer since ≈ 2005
● CAS server committer since ≈ 2010
● CAS server module lead (LDAP, X.509)
● Occasional CAS server release engineer
● Middleware contributed to a number of CAS clients (Java, .NET, mod_auth_cas)
13
IdP+CAS Background
● Virginia Tech has both CAS and Shibboleth
  o Both are essential 24x7 99.98 systems
  o One FTE for development and support of both
● Rumors of IdPv3 multi-protocol support
● Approach Shib dev team with proposal
  o CAS protocol support deemed feasible
  o VT contributes feature to ship with IdP 3.0
● One system to rule them all
14
Protocol Design Goals
● Provide essential features of CAS protocol
  o Renew+gateway
  o Proxy (PGT/PT)
  o Attribute release
  o Logout/Single Logout (SLO)
● Drop-in compatibility with popular CAS clients
● Leverage IdPv3 design for new capabilities
15
Protocol Status
● CAS protocol v2 compliant
  o With attribute release "extension"
  o Without logout support
● CAS-flavored SAML 1.1
● Logout w/SLO slated for IdP 3.2.0
● Beta status
  o Apache, Java, .NET, and PHP clients tested
  o VT production deployment planned
  o Evaluators needed
16
Protocol Requirements
● Server-side IdP storage
  o MemoryStorageService
  o MemcachedStorageService
  o JPAStorageService
● Configure metadata for relying parties
  o Service registry is familiar facility
  o CAS analogue of SAML metadata
● (Optional) Proxy trust configuration
17
Switching gears…
18
Speaking with Deployer “Hat”
● Virginia Tech adopted CAS circa 2003
● Virginia Tech adopted Shib circa 2006
● CAS gets the majority of resources
● Our IdPv2 infrastructure needs some love
● We have considered consolidating on a single SSO platform for years
● Attribute release policy is a pain
19
Compelling Reasons to Upgrade
● Consent engine solves policy headaches
● SSO platform consolidation
● Enhanced system architecture
● Improved security policy machinery
20
Consent: #1 Driver for V3
21
Business Case for Consent
● User consent solves FERPA morass
● Accelerates service integration
  o Presently >30 days on average
  o Target <7 days on average
  o Friction-free integration with InC R&S services
● Simplifies attribute release policy
● Improves R&S compliance
● CAS ecosystem benefits as well
22
Consolidate and Save
● Time
● Money
● Headaches
If you are a CAS+Shib school like Virginia Tech, there's an obvious case to be made for a single SSO service at your school.
23
Current SSO
24
● Two separate but integrated systems
● 2n everything
  ○ Development
  ○ Patches
  ○ Policy**
● Complexity is the enemy
Ideal SSO
25
● One system, two protocols
● Obvious cost benefits
● Capabilities++
  ● Consent
  ● Attribute engine
  ● 2-factor authn
  ● SLO
IdPv3 Does HA Better
● Terracotta was never a tenable option
● New StorageService API
  o More choices
  o Known, capable technologies
  o Fits any size deployment
26
Current IdP (2.x) Arch.
Planned IdP (3.x) Arch.
Security Policy Enhancements
29
Make Plans to Upgrade!
• Manage through ever-increasing security and trust needs
  • SHA-1 → SHA-2
  • Categories/Tags
  • Per-entity or entity group
  • 2FA
  • Consent
• InCommon encourages you to!
  • Updating Shib training to be v3 focused
  • Updating wiki doc
• Baseline practices, participant and federation, to be revised in light of those ever-increasing security and trust needs
30
Evaluation
Please complete the evaluation of today's webinar: https://www.surveymonkey.com/s/IAM_Online_March_2015
31
Upcoming Events
April 26-30 – Internet2 Global Summit, Washington, DC
October 4-7 – Technology Exchange, Cleveland, OH
More information at www.internet2.edu
32