Shibboleth Working Group, Fall 2010. Scott Cantor, OSU; Chad LaJoie, Itumi, LLC
Shibboleth Working Group, Fall 2010
Scott Cantor, OSU; Chad LaJoie, Itumi, LLC
Roadmap
Roadmap
• Committed Work
  • Necessary/expected ongoing functions
  • Funded/staffed projects
• Planned Work
  • Accepted for prioritization but uncommitted
  • Under Discussion
• Rejected/Parked Work
  • Lacking in some regard
  • Subject to re-evaluation when circumstances change
Committed
• Project Overhead
• User Support
• Supported Release Maintenance
• SP 2.4
• “Embedded” Discovery Service
• Metadata Aggregator
Planned
• Expanded introductory documentation
• V3 IdP / OpenSAML-J
• V2 Discovery Service
• V3 TestShib
• Back-channel Single Logout for the IdP
• Second Factor Authentication via SMS
• SP Delegation Enhancement (deferred from 2.4)
Service Provider
Service Provider V2.4
• Release Candidate now available
• Minor feature update / bug fix rollup
• Backward compatible per usual
• Simplified configuration/defaults
• Metadata- and discovery-related enhancements
• Security changes
• Logging/monitoring changes
Configuration
• https://spaces.internet2.edu/x/fIk9
• “Radical” defaulting of rarely-changed settings
• Reduction of order strictness
• Factored security policy rules into separate file
• Consistent message regarding Apache configuration via Apache commands
• Shorthand syntax for configuring “most” SSO/Logout needs
• 260+ lines to 120 lines
Metadata
• Background reloading of configuration / metadata resources
• Caching (incl. across restarts) and compression
• Delays backup overwrite until filtering completes
• Rational cacheDuration handling
• Support for extension drafts:
  • http://wiki.oasis-open.org/security/SAML2MetadataUI
  • http://wiki.oasis-open.org/security/SAML2MetadataAlgSupport
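The slide above names three metadata-handling behaviours (background reload, a backup that is overwritten only after filtering succeeds, and sane cacheDuration handling) without giving the SP's policy. The following is an added example, not Shibboleth SP code, showing one way those fit together; the refresh policy (interval = cacheDuration, capped at half the time left before validUntil, clamped to a minimum and maximum) and the file name are assumptions, and the filter checks only the root element and validUntil where a real deployment also verifies the signature in the same step.

```python
# Added example (not Shibboleth SP code): schedule metadata reloads from
# cacheDuration/validUntil and refresh the on-disk backup only after the
# metadata passes filtering. The slides name these behaviours but not the
# SP's exact policy, so the policy here is an assumption: interval =
# cacheDuration, capped at half the time left until validUntil, then clamped
# to [MIN_REFRESH, MAX_REFRESH]. The filter checks the root element and
# validUntil only; a real deployment verifies the signature in the same step.
import datetime as dt
import os
import re
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MIN_REFRESH = 600          # seconds; never poll the source more often than this
MAX_REFRESH = 8 * 3600     # seconds; never trust a cached copy longer without a check

_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")

def parse_duration(text):
    """xs:duration subset (days, hours, minutes, seconds) -> seconds."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration {text!r}")
    days, hours, minutes, seconds = (float(g) if g else 0.0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def parse_instant(text):
    """xs:dateTime with a Z suffix -> timezone-aware datetime."""
    return dt.datetime.fromisoformat(text.replace("Z", "+00:00"))

def next_refresh(root, now):
    """Seconds until the next reload, clamped so a peer cannot dictate extremes."""
    interval = float(MAX_REFRESH)
    if root.get("cacheDuration"):
        interval = parse_duration(root.get("cacheDuration"))
    if root.get("validUntil"):
        remaining = (parse_instant(root.get("validUntil")) - now).total_seconds()
        interval = min(interval, remaining / 2)   # reload well before expiry
    return int(max(MIN_REFRESH, min(MAX_REFRESH, interval)))

def filter_metadata(root, now):
    """Reject metadata that must not be trusted or persisted."""
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        raise ValueError("root element is not SAML metadata")
    if root.get("validUntil") and parse_instant(root.get("validUntil")) <= now:
        raise ValueError("metadata is already expired")

def reload_metadata(xml_bytes, backup_path, now):
    """Parse, filter, then (and only then) replace the backup atomically."""
    root = ET.fromstring(xml_bytes)
    filter_metadata(root, now)   # raises before anything touches disk
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(backup_path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(xml_bytes)
    os.replace(tmp, backup_path)  # a bad download never clobbers the good copy
    return next_refresh(root, now)

# Constructed samples: one valid for another day, one that expired last week.
NOW = dt.datetime(2010, 10, 4, 12, 0, tzinfo=dt.timezone.utc)
GOOD = (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" cacheDuration="PT6H" '
        f'validUntil="2010-10-05T12:00:00Z"/>').encode()
EXPIRED = (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" cacheDuration="PT6H" '
           f'validUntil="2010-09-27T12:00:00Z"/>').encode()

def demo(backup_path=None):
    """Run both samples against one backup file; report what happened."""
    backup_path = backup_path or os.path.join(tempfile.gettempdir(), "example-md-backup.xml")
    interval = reload_metadata(GOOD, backup_path, NOW)
    with open(backup_path, "rb") as f:
        good_copy = f.read()
    try:
        reload_metadata(EXPIRED, backup_path, NOW)
        rejected = False
    except ValueError:
        rejected = True
    with open(backup_path, "rb") as f:
        untouched = f.read() == good_copy
    return {"interval": interval, "rejected_expired": rejected, "backup_untouched": untouched}

if __name__ == "__main__":
    print(demo())
```

The order inside `reload_metadata` is the point of the "delays backup overwrite until filtering completes" bullet: if the filter rejected the download after the backup had been rewritten, a restart would load the rejected copy from cache.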
Discovery
• Supporting role; provide a “usable” view of IdP information extracted from metadata to the discovery component
• Supplies JSON data from each metadata source
  • Name/description/logo derived from <mdui:UIInfo> metadata extension
• New handler aggregates and serves JSON to client
• Discovery scripts may or may not be in 2.4 release, probably not
Security
• Update/bug fix release of xml-security library
• Whitelisting/blacklisting of crypto algorithms at “application” level
• Conditional support of ECDSA signatures
• Dynamic selection of algorithms based on metadata extension:
  • <alg:DigestMethod>
  • <alg:SigningMethod>
  • <md:EncryptionMethod>
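To make the last two bullets concrete, here is an added example (not Shibboleth SP code) of choosing digest, signing and encryption algorithms from a peer's metadata while a local blacklist/whitelist has the final say. It assumes the peer advertises its preferences with the SAML Metadata Algorithm Support extension (`<alg:DigestMethod>`, `<alg:SigningMethod>`) and `<md:EncryptionMethod>` inside `<md:KeyDescriptor>`, listed most-preferred first; the metadata fragment, the entityID and the shape of the local policy (blacklist always wins, optional whitelist, local defaults as fallback) are constructed for the example.

```python
# Added example (not Shibboleth SP code): pick signing, digest and encryption
# algorithms from a peer's metadata, subject to a local blacklist/whitelist.
# Assumptions: the peer lists algorithms most-preferred first via the
# algsupport extension and <md:EncryptionMethod>; the policy shape is made up.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}

SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"

# Constructed metadata for a hypothetical SP: it still lists SHA-1 variants
# as fallbacks, which the local policy below refuses.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:alg="{NS['alg']}"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <alg:DigestMethod Algorithm="{SHA256}"/>
    <alg:DigestMethod Algorithm="{SHA1}"/>
    <alg:SigningMethod Algorithm="{RSA_SHA256}"/>
    <alg:SigningMethod Algorithm="{RSA_SHA1}"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="{AES256_GCM}"/>
      <md:EncryptionMethod Algorithm="{AES128_CBC}"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Local policy (constructed). The blacklist always wins; a whitelist, when
# set, restricts the remainder; local defaults apply when the peer offers
# nothing usable.
DEFAULT_BLACKLIST = frozenset({SHA1, RSA_SHA1})
LOCAL_DEFAULTS = {"digest": [SHA256], "signing": [RSA_SHA256], "encryption": [AES128_CBC]}

def permitted(uri, blacklist=DEFAULT_BLACKLIST, whitelist=None):
    if uri in blacklist:
        return False
    return whitelist is None or uri in whitelist

def advertised(root):
    """Peer's algorithm URIs by type, in document (preference) order."""
    enc = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "encryption"):   # signing-only keys carry no encryption hint
            enc += [e.get("Algorithm") for e in kd.findall("md:EncryptionMethod", NS)]
    return {
        "digest": [e.get("Algorithm") for e in root.findall("md:Extensions/alg:DigestMethod", NS)],
        "signing": [e.get("Algorithm") for e in root.findall("md:Extensions/alg:SigningMethod", NS)],
        "encryption": enc,
    }

def select(kind, peer_prefs, blacklist=DEFAULT_BLACKLIST, whitelist=None):
    """First peer-preferred algorithm local policy allows, else the local default."""
    for uri in list(peer_prefs) + LOCAL_DEFAULTS[kind]:
        if permitted(uri, blacklist, whitelist):
            return uri
    raise ValueError(f"no permitted {kind} algorithm for this peer")

def choose_algorithms(metadata_xml, blacklist=DEFAULT_BLACKLIST, whitelist=None):
    """Resolve all three algorithm choices for one peer's metadata."""
    peer = advertised(ET.fromstring(metadata_xml))
    return {k: select(k, peer[k], blacklist, whitelist) for k in LOCAL_DEFAULTS}

if __name__ == "__main__":
    print(choose_algorithms(SAMPLE_METADATA))
```

The ordering matters for the security point: a peer's metadata can downgrade nothing, because every candidate it advertises still passes through `permitted`, and a peer that only offers blacklisted algorithms ends up with the local default rather than an exception to policy.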
Logging / Monitoring
• New default logging configuration:
  • Mirrors WARN and higher to a warning log to highlight problems
  • Dedicated debugging log for signature issues
• Status handler includes local system time and OS-derived platform data
Discovery Service
DS: Embedded
• Make discovery easier for SPs to deploy
• Consumes data from SP 2.4
• Added to a page by:
  • adding a <div>
  • adding two <script> elements
• Beta release in November
https://spaces.internet2.edu/display/SHIB2/DSRoadmap
DS: Centralized
• Use embedded DS as primary UI
• Better APIs for filtering and sorting
• Configuration more aligned with IdP
• Distributed with configured container
Identity Provider
Identity Provider
• Profile handlers to accommodate more in-flow extensions
  • e.g. terms of use, attribute consent, holder-of-key support
• Rework authentication APIs
  • better support for non-browser clients
  • support for SPNEGO, OTP
https://spaces.internet2.edu/display/SHIB2/IdPRoadmap
Identity Provider
• Reduced configuration files
• Support for <md:EncryptionMethod>
• HA-Shib like clustering:
  • reduced configuration
  • no process to manage & monitor
  • provides a clustered data store
https://spaces.internet2.edu/display/SHIB2/IdPSimplifyConfig
SPNEGO
What is SPNEGO?
• Log in to Kerberos/Windows domain
• No need to log in to websites
Why is it hard?
Why is it hard?
• 403 error page if SPNEGO not configured or user not logged in to domain
• No way to query the browser to determine if SPNEGO is configured
• Nothing a user can do once they get a 403
How do we fix it?
• Provide users a choice to log in with SPNEGO
• Provide a link to a separate app that:
  • checks if a browser is configured
  • provides browser-specific config guides
  • sets a permanent cookie if user/browser can’t support SPNEGO
How do we fix it?
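The separate checker app and the permanent opt-out cookie from the "How do we fix it?" slides, as an added example that is not the Shibboleth IdP's code. The decision logic is written as pure functions over request headers so it can be exercised without a Kerberos realm. Assumptions: the challenge is the standard HTTP Negotiate scheme (a 401 with `WWW-Authenticate: Negotiate`, RFC 4559); the cookie name `spnego-unsupported` and the login URL are invented for the example; validating the GSS token against the KDC is represented by a caller-supplied callable that returns a principal name or `None`.

```python
# Added example (not Shibboleth IdP code): the "can this browser do SPNEGO?"
# checker and the opt-out cookie described on the slides, as pure functions
# over request headers. Assumptions: standard HTTP Negotiate challenge
# (RFC 4559); cookie name and login URL are invented; token validation
# (GSSAPI against the KDC in practice) is a caller-supplied callable.
import base64
from dataclasses import dataclass, field

OPT_OUT_COOKIE = "spnego-unsupported"            # hypothetical name
OPT_OUT_MAX_AGE = 365 * 24 * 3600                # "permanent" for practical purposes
PASSWORD_LOGIN = "/idp/login?method=password"    # hypothetical URL

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out

def negotiate_header(token):
    """Build the Authorization value a browser sends with a GSS token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def spnego_check(headers, validate_token):
    """headers: request headers with lower-case names; returns a Response."""
    cookies = parse_cookies(headers.get("cookie", ""))
    if cookies.get(OPT_OUT_COOKIE) == "1":
        # This browser was marked as unable to do SPNEGO: skip the challenge
        # entirely so the user never lands on the 403 dead end.
        return Response(302, {"Location": PASSWORD_LOGIN})

    authz = headers.get("authorization", "")
    if not authz.startswith("Negotiate "):
        # Round trip 1: challenge. A configured browser retries with a token;
        # an unconfigured one renders this body, which links to the setup
        # guides and the opt-out instead of an unexplained error page.
        return Response(401, {"WWW-Authenticate": "Negotiate"},
                        body="No Negotiate token sent: follow the browser setup guide or skip SPNEGO.")
    try:
        token = base64.b64decode(authz[len("Negotiate "):], validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return Response(400, body="malformed Negotiate token")
    principal = validate_token(token)
    if principal is None:
        # The browser tried but the ticket did not validate, e.g. the user is
        # not logged in to the domain. Do not set the permanent cookie here:
        # the browser is capable and the user may log in to the domain later.
        return Response(401, {"WWW-Authenticate": "Negotiate"},
                        body="Ticket not accepted: log in to the domain or skip SPNEGO.")
    return Response(200, body=f"SPNEGO works for {principal}")

def opt_out_response():
    """User (or the guide page) declares this browser cannot do SPNEGO."""
    cookie = (f"{OPT_OUT_COOKIE}=1; Max-Age={OPT_OUT_MAX_AGE}; Path=/; "
              "Secure; HttpOnly; SameSite=Lax")
    return Response(302, {"Location": PASSWORD_LOGIN, "Set-Cookie": cookie})

if __name__ == "__main__":
    print(spnego_check({}, lambda token: None))
    print(opt_out_response())
```

The cookie only selects which login screen the user sees and carries no authority, so it needs no integrity protection; what it does need is a way to be cleared once a browser gains SPNEGO, which the config-guide page can offer. Note the two different 401 paths: a missing token means "not configured", a rejected token means "configured but no usable ticket", and only the user's explicit choice sets the permanent cookie.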
One Time Password
Why?
• Certain use cases want multi-factor authn
• User certs and time-sync tokens are hard and expensive to roll out
How?
1. User logs in
2. SMS with one-time code sent
3. User enters it in the IdP
• Google recently deployed a similar scheme
Technical Details
• Requires two log-in screens, as the user has to be identified (by the first factor) in order to know to whom to send the SMS
• Sites deploying will need to provide a way for users to opt in to such a method
• Might need to send a few tokens to users ahead of time in case they don’t have cell access
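The three-step flow from the "How?" slide together with the constraints on this slide (second factor only after the first has identified the user, opt-in, and pre-issued tokens for users without cell access), as an added example that is not the Shibboleth IdP's implementation. Assumptions: the first-factor login has already bound the session to a username; phone numbers come from a caller-supplied directory lookup that returns `None` for users who have not opted in; the SMS gateway is a caller-supplied callable (an in-memory outbox in the usage); codes are 6 digits, live for 5 minutes, allow 3 attempts, and are stored only as salted hashes.

```python
# Added example (not the Shibboleth IdP's implementation; the slides only
# describe the flow): an SMS one-time code as a second factor after the first
# factor has identified the user, plus pre-issued backup codes for users
# without cell coverage. Assumptions: session already bound to a username;
# phone lookup and SMS gateway are caller-supplied; 6-digit codes, 5-minute
# lifetime, 3 attempts, salted hashes only.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL = 300        # seconds a code stays valid
MAX_ATTEMPTS = 3      # wrong guesses before the challenge is discarded

def _digest(code: str, salt: bytes) -> bytes:
    # Slow hash so a leaked challenge store does not reveal live codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

@dataclass
class Challenge:
    salt: bytes
    digest: bytes
    expires: float
    attempts: int = 0
    used: bool = False

@dataclass
class SmsSecondFactor:
    send_sms: Callable[[str, str], None]          # (phone, text)
    phone_of: Callable[[str], Optional[str]]      # username -> phone, None if not opted in
    clock: Callable[[], float] = time.time
    challenges: Dict[str, Challenge] = field(default_factory=dict)   # session id -> challenge
    backup_codes: Dict[str, List[Tuple[bytes, bytes]]] = field(default_factory=dict)  # user -> [(salt, digest)]

    def start(self, session_id: str, username: str) -> bool:
        """Second screen begins: the first factor told us whom to text."""
        phone = self.phone_of(username)
        if phone is None:
            return False                      # never opted in; caller decides what to do
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.challenges[session_id] = Challenge(salt, _digest(code, salt), self.clock() + CODE_TTL)
        self.send_sms(phone, f"Your login code is {code}")
        return True

    def verify(self, session_id: str, submitted: str) -> bool:
        """The user types the code into the IdP; True completes the second factor."""
        ch = self.challenges.get(session_id)
        if ch is None or ch.used:
            return False
        if self.clock() > ch.expires or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[session_id]   # stale or exhausted: force a fresh SMS
            return False
        ch.attempts += 1
        if hmac.compare_digest(_digest(submitted.strip(), ch.salt), ch.digest):
            ch.used = True                    # single use, even inside the TTL
            return True
        return False

    def issue_backup_codes(self, username: str, count: int = 5) -> List[str]:
        """Codes handed out ahead of time for users who may lack cell access."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        store = self.backup_codes.setdefault(username, [])
        for code in codes:
            salt = secrets.token_bytes(16)
            store.append((salt, _digest(code, salt)))
        return codes                          # shown once; only hashes are kept

    def redeem_backup(self, username: str, submitted: str) -> bool:
        """Consume one backup code; each works exactly once."""
        entries = self.backup_codes.get(username, [])
        for i, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(_digest(submitted.strip(), salt), digest):
                del entries[i]
                return True
        return False

if __name__ == "__main__":
    outbox = []   # constructed stand-in for the SMS gateway
    sf = SmsSecondFactor(send_sms=lambda phone, text: outbox.append((phone, text)),
                         phone_of=lambda user: "+15555550100" if user == "alice" else None)
    sf.start("session-1", "alice")
    print(outbox[-1], sf.verify("session-1", outbox[-1][1].split()[-1]))
```

The separation of `start` and `verify` is what the "two log-in screens" bullet implies: the IdP cannot send anything until the first factor has named the user, and the second screen must be tied to that same session so a code texted to one person cannot complete another session's login. Expiry, attempt limits and single use are the minimum that keeps a six-digit code from being guessable over the network.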