aarnet copyright 2011 network operations openconext workshop down-under enabling federated team...
TRANSCRIPT
AARNet Copyright 2011
Network Operations
OpenConext WorkshopDown-Under
Enabling Federated Team Management,
Group-Aware SPs, and SP Shop-Fronts
Neil Witheridge, AARNetAuthentication & Authorisation Services Technical Manager
25th October 2013
Session 1: Hands-On #1
AARNet Copyright 2011
Hands-On #1 Topics• Workshop Environment (description of VMs)
• Recap: OpenConext Architecture• SAML Proxy Deployment Scenarios
• OpenConext Installation (demo default installed components)
• OpenConext Components (in detail)
• OpenConext Administration (default admin user account, demo adding users)
• Identity Provider Integration (hands on with instructions)
• Service Provider Integration (hands on with instructions)
2
AARNet Copyright 2011
Hands-On #1 TopicsCont’d
• Groups/Teams Management (hands-on: team creation & population)
• API Playground (hands-on: group information requests)
• OAuth, OpenSocial API and VOOT (technical detail)
• Preview Session3: Hands-On #2
3
Non-third-party-sourced content is under the Creative Commons “Attribution 3.0 Unported” license. This means that you are permitted to freely copy, distribute, display, present, or perform material on the wiki, and create derivative works from it, for either commercial or non-commercial purposes.
Workshop Environment
Hands-On #1
AARNet Copyright 2011
5
VM Setup• VM Environment
– predetermined server names and IP addresses, certificates etc)– ocshopnn.tnd.aarnet.edu.au , ocidpnn.tnd…, ocspnn…
• Accessing VMs via “ssh –X” (you need to have a ssh client on your laptop)
• Network Configuration (see notebook for detailed instructions)– IP Addresses– Aliases– Configure Login via ssh public key
Password for initial login, see white-board
Hands-On #1
AARNet Copyright 2011
6
Environment Diagram• Networking
Hands-On #1
Recap: OpenConext Architecture
Hands-On #1
AARNet Copyright 2011
8
OpenConext Architecture Hands-On #1
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
AARNet Copyright 2011
9
SAML Proxy + Group Proxy Hands-On #1
SAML Proxy Deployment Scenarios
Hands-On #1
AARNet Copyright 2011
11
Fed IdPs, Conext SPs• Federation IdPs, OpenConext SPs (straight forward policy compliance)
Hands-On #1
AARNet Copyright 2011
12
Add Conext Only IdPs• Becomes a little more ‘iffy’ from policy perspective
Hands-On #1
AARNet Copyright 2011
13
Nat Fed + Conext SP• SP B, National Federation SP, can access Group Information
Hands-On #1
OpenConext Installation(~10 mins)
Hands-On #1
AARNet Copyright 2011
15
OpenConext Installation• https://github.com/OpenConext/OpenConext-vm
– Already downloaded• Execution of installation Script • Pre-requisite - Certificates• Quick examination of the installation script
– Setup– Dependencies– Components– Post Installation (e.g. database)
• OpenConext Files installed (including source code)
• What can go wrong & How to start again
Hands-On #1
AARNet Copyright 2011
16
What’s running?• View processes running: ps –ax
– grep httpd (ls /etc/httpd/conf.d)– grep tomcat (ls /var/lib/tomcat6/webapps)– grep shibd (ls /etc/shibboleth)– grep slapd (view using Apache Directory Studio)– grep mysqld (vi /etc/my.ini ; mysql –u root –p)
• Certificates (openssl x509 –in /etc/httpd/keys/openconext.pem)
• Database and LDAP Structure and Contents• Default admin account
– Use of Mujina to login as admin• http://ocshopnn.tnd.aarnet.edu.au
– Note: use Firefox, add developer extensions, create bookmarks, delete session shift+10 ecs
Hands-On #1
AARNet Copyright 2011
17
Adding Users to Mujina IdP • Mujina IdP is provided for development and initial deployment
– Default administrative user• Adding users to Mujina
– REST interface– ocshop$ cat `which addjane`
• New developments in Mujina– Multiple Users– Persistence
• Mujina SP (another handy tool)
– See ServiceRegistry list of SPs (integrated in default installation)– https://mujina-sp.shopfront.aarnet.edu.au/
Hands-On #1
OpenConext Components
Hands-On #1
AARNet Copyright 2011
19
OpenConext Components• Logical Architecture
– SAML Proxy (EngineBlock – Mujina IdP and SP built-in, see ServiceRegistry)– Group Proxy (API – Grouper built-in, see Manage)
• Components– Engine & Profile– ServiceRegistry– API & API Playground– Manage– Teams– Grouper– Mujina IdP and SP
Hands-On #1
AARNet Copyright 2011
20
OpenConext Components• Server components making up OpenConext
– Mix of Java servlets running under Tomcat, PHP & Zend, JavaScript …
Hands-On #1
AARNet Copyright 2011
21
EngineBlock• Engine (SAML Proxy)
– Based on Corto (originally developed by WAYF, Denmark)• https://sites.google.com/site/cortopages/
– SAML2.0 (WebSSO profile, saml2int.org) compliant authentication proxy – Features ( from https://wiki.surfnet.nl/pages/viewpage.action?pageId=14713446 )
• Proxy SP and IdP SAML assertions• Relies on metadata management by Service Registry• Discovery service for proxied IdPs• Attribute management, user Consent & ACLs for privacy and authorisation• Entity Metadata Generation• Includes “Profile” service allowing for user account view & basic management
• Explorecd /etc/httpd/conf.d ; grep engine * -lcat engine.conf engine-internal.conf profile.conf ssl.conf vomanage.confcd /opt/www/OpenConext-engineblock ; find . | grep \.php
Hands-On #1
Source: https://sites.google.com/site/cortopages/
AARNet Copyright 2011
22
ServiceRegistry• ServiceRegistry (SAML metadata management)
– Uses “JANUS” (developed by WAYF, Denmark)• http://code.google.com/p/janus-ssp/
– web-based registry for SAML2 SP & IdP metadata, ARP, ACL information – Features
• Protected SP (requires SAML authentication)• Attribute Release Policies for Services• Configurable User Consent for IdPs• Attribute Manipulation (PHP scripted)• Configuration versioning and multiple entity states (test, prod)• Extensible metadata schema to non-SAML metadata (e.g. group related metadata)
• Explorecd /etc/httpd/conf.d ; cat serviceregistry.confcd /opt/www/OpenConext-serviceregistry ; find . | grep \.php
Hands-On #1
Source: https://code.google.com/p/janus-ssp/
AARNet Copyright 2011
23
API• OpenSocial/VOOT API (Group Proxy)
– Java (developed by SURFnet)
– Features– Allows for the exchange of person and group info using standardized REST AP– implements a partial OpenSocial Container implementation
• People and Group REST API calls (extended with the VOOT protocol)– authorization uses Oauth v2 (preferred) and optionally OAuth v1 (deprecated, legacy)– The API supports three calls:
• Retrieve person information, i.e.: attributes of a user• Retrieve a list of groups the user is a member of• Retrieve the list of people that are members of a group the user is a member of.
– API playground is built in for testing purposes• Explore
cd /etc/httpd/conf.d ; cat api.confcd /opt/www/OpenConext-api ; ls –R | less ; find . | grep \.javacd /var/lib/tomcat6/webapps/api.$OCDomain ; ls -R | less
Hands-On #1
AARNet Copyright 2011
24
Manage• Configuration utility for API
– PHP (developed by SURFnet)– Features:– Configure Group Providers (Internal Grouper, and External)– Configure Virtual Organisations– Consent & ACLs for release of group information– OpenConext Usage Metrics
• Explorecd /etc/httpd/conf.d ; cat manage.confcd /opt/www/OpenConext-manage ; ls –R | less ; find . | grep \.php
Hands-On #1
AARNet Copyright 2011
25
Teams• Federated tool for management of group relationships
– Java (developed by SURFnet)– Front end to built-in Group Provider Grouper, extensible for Ext GPs– Features:– Secure team management service (requires federated authentication)– GUI for team creation and membership management
• Email based workflow• Supports Public and Private teams• Supports team member roles admin, manager, member• Allows adding groups from connected group providers into teams
• Explorecd /etc/httpd/conf.d ; cat teams.confcd /opt/www/OpenConext-teams ; find . | grep \.javacd /var/lib/tomcat6/webapps/teams.$OCDomain ; ls -R | less
Hands-On #1
AARNet Copyright 2011
26
Grouper• Internal Group Provider service used by Teams
– Java (developed by Internet2)• http://www.internet2.edu/grouper/
– Features:– Grouper provides comprehensive group management
• Hierarchical groups• Delegated authentication of group administrators
– Grouper WebGUI available via SAML login• Explore
cd /etc/httpd/conf.d ; cat grouper.confcd /var/lib/tomcat6/webapps/grouper.$OCDomain ; ls -R | less
Hands-On #1
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
OpenConext Administration(~5 mins)
Hands-On #1
AARNet Copyright 2011
28
OpenConext Administration• What’s involved in administering an OpenConext deployment?
– Identifier and namespace management• Is this part of application configuration?• If so, where are basic app configurations (in which config files?)
• User Management– Promote users to “admin” via Service Registry
• Register SAML entities– Add & maintain IdPs and SPs via Service Registry
• Register External Group Providers– Add & maintain Group Providers via Manage
• Update software when new versions available– Respond to security alerts
Hands-On #1
AARNet Copyright 2011
29
Roles and responsibilities• Who can perform admin functions in OpenConext ?
– Default admin accounts– Concept of ‘user’ in Service Registry– Promoting the user to “admin”
• Example from SURFconext – Administration control• Why/when should a user be promoted to ‘admin’
• Best-practices from SURFconext experience
• Functional administrative roles– Manage (Create VO’s)– Teams (Create Groups/Teams
Hands-On #1
Identity Provider Integration(~10 mins)
Hands-On #1
AARNet Copyright 2011
31
Identity Provider Integration• View ServiceRegistry “Create connection” interface• Basic Process:
– Provisioning IdPs to trust Engine SP• Obtain Engine SP metadata, include in IdPs SP metadata store• Ensure IdPs release the required attributes to Engine SP
– Registration of IdP in OpenConext via ServiceRegistry• Create IdP SAML2.0 connection with IdP entityID• Import and/or configure IdP metadata (provision trust in Engine)• Include info for OpenConext discovery service (e.g IdP logo)• Configure user consent and attribute manipulation
• Where is engine attribute policy and attribute mapping configured?
Hands-On #1
AARNet Copyright 2011
32
ServiceRegistry interface Hands-On #1
AARNet Copyright 2011
33
Shibboleth IdP Integration• Create a connection on your OpenConext VM to your Shib IdP
– IdP on separate VM, preinstalled and functional (initially configured to trust your Shibboleth SP)
• Shibboleth IdP installed on a separate VM– LDAP identity source – users are sam,sid,sue,sal password …– /opt/shibboleth-idp/conf/relying-party.xml, attribute-resolver.xml, attribute-filter.xml– /opt/shibboleth-idp/metadata/sp-metadata.xml– Obtaining the shibboleth IdP metadata
• Engine SP metadata– Obtain metadata from https://engine.ocshop01.tnd.aarnet.edu.au/idp/metadata (via ServiceRegistry)– Add SP metadata to IdP sp-metadata.xml
• IdP ‘connection’ in ServiceRegistry– To add IdP, need to create connection in ServiceRegistry. Login as ‘jane’– Import metadata (fill in gaps, including logo location – this will appear in DS)– Access “Manage” and verify that can see Shib IdP and log in using identity.
Hands-On #1
AARNet Copyright 2011
34
SimpleSAMLphp IdP Integration• Create a connection on your OpenConext VM to your SSphp IdP
– IdP on separate VM, preinstalled and functional (initially configured to trust your SimpleSAMLphp SP)
• SimpleSAMLphp IdP already installed on a separate VM– LDAP identity source (same as used for Shib).– /www/simplesamlphp/config/config.php, authsources.php– /www/simplesamlphp/metadata/saml20-idp-hosted, saml20-sp-remote– Obtaining the SimpleSAMLphp IdP metadata, converting to XML
• Engine SP metadata– Obtain metadata from https://engine.ocshop01.tnd.aarnet.edu.au/idp/metadata (via ServiceRegistry)– Convert engine SP metadata to SimpleSAMLphp format, add to IdP saml20-sp-remote
• IdP ‘connection’ in ServiceRegistry– To add IdP, need to create connection in ServiceRegistry. Login as ‘jane’– Import XML metadata (fill in gaps, including logo location – this will appear in DS)– Access “Manage” and verify that can see Shib IdP and log in using identity.
Hands-On #1
Service Provider Integration(~10 mins)
Hands-On #1
AARNet Copyright 2011
36
Service Provider Integration• View ServiceRegistry “Create connection” interface• Basic Process:
– Provisioning SP to trust Engine IdP• Configure SP to use Engine as sole identity provider• Obtain Engine IdP metadata, include in SP’s IdP metadata store• Ensure SP is provided the required attributes by Engine IdP
– Registration of SP in OpenConext via ServiceRegistry• Create SP SAML2.0 connection with SP entityID• Import and/or configure SP metadata (provision trust in Engine)• Select ARP (engine attribute filter) from those defined• Configure metadata manipulation• Include SP icon and link on OpenConext services page
Hands-On #1
AARNet Copyright 2011
37
ServiceRegistry interface Hands-On #1
AARNet Copyright 2011
38
Shibboleth SP Integration • Your OpenConext VMs still running, also IdP VM
– You will have already confirmed that your SP – attribute reflector - is accessible from your IdP– (but not now as you’ve integrated the IdP with OpenConext, so now have an orphan SP)
• Shibboleth SP already installed on a separate VM– Apache, modJK and Tomcat.– /etc/shibboleth/shibboleth2.xml, attribute-policy.xml, attribute-mapping.xml– /etc/shibboleth/idp-metadata.xml– Obtaining the shibboleth SP metadata from URL https://domain.name/metadata
• Engine IdP metadata– Obtain metadata from https://engine.ocshop01.tnd.aarnet.edu.au/sp/metadata (via ServiceRegistry)– Add IdP metadata to SP idp-metadata.xml
• Create SP ‘connection’ in ServiceRegistry– To add SP, need to create connection in ServiceRegistry. Login as ‘jane’– Import SAML2.0 IdP metadata (fill in gaps, including logo location – this will appear in DS)– Add SP logo to the OpenConext homepage– Access OpenConext homepage and verify that can see Shibboleth SP and log in using identity.
Hands-On #1
Groups/Teams Management(~10 mins)
Hands-On #1
AARNet Copyright 2011
40
Create a Team• Teams service (GUI front-end to Grouper)
– Grouper “group” model• Hierarchical, with ‘stems’, OpenConext constrains to flat groups• Can add groups from other Group Providers ?
– Public vs Private Teams (we’ll create public teams)
• Team Creation– Access “Teams” via icon (or https://teams.$OCDomain/ )
• Who can create a team ? (see ServiceRegistry “Teams” SP config)– Config’d so anyone can create a team
• Create a team (name as you like it)– You’re the “admin” of the team. You’re recommended to add other admins.
Hands-On #1
AARNet Copyright 2011
41
Create a Team Hands-On #1
AARNet Copyright 2011
42
Adding Members to the Team• Admin initiated (invite user)
– Admin can invite members (email address, invitation message)
• Email to user inviting to join– User responds via link on email
• Accepts or Rejects membership– User can visit Teams or Profile to verify membership of the team
• User initiated (request membership of public team)– View public teams in Teams and request membership
• Email to manager notifying of membership request– Manager responds via link in email, or visits Teams directly
• Accepts or rejects user request– Admin can verify team information updated via Teams
Hands-On #1
API Playground(~10 mins)
Hands-On #1
AARNet Copyright 2011
44
API Playground Architecture• Visit API Playground via home page (or https://api.$OCDomain/v1/test )
• Note Teams SP metadata (view in ServiceRegistry)
• Three steps: (note: using OAuth V2.0 Authorization Code Grant)– OAuth Settings ( change OAuth Key to https://teams.$OCDomain/ )– OAuth Authorization ( obtain authorization, involves authentication )– OAuth Requests (explore result of API Requests)
• https://api.$OCDomain/v1/social/rest/groups/@me (default)also try• https://api.$OCDomain/v1/social/rest/people/@me • https://api.$OCDomain/v1/social/rest/people/@me/<groupId>
Hands-On #1
OAuth, OpenSocial API and VOOT(a brief protocol discussion)
Hands-On #1
AARNet Copyright 2011
46
Oauth 2.0 Authz Code Grant Hands-On #1
Source: (reproduced in) http://ldapwiki.willeke.com/wiki/OAuth 2 Authorization Code Flow)
AARNet Copyright 2011
47
OpenSocial API• (latest) OpenSocial Core API Server Specification 2.5.1
3.2 OAuth 2.0 SupportCore Gadget Servers MUST support the authorization server, resource server and client roles defined in section 1.1 of the Open Authorization 2.0 specification [draft-ietf-oauth-v2-22].A Core Gadget Server MUST provide authorization, token issuance and resource access endpoints per the OAuth 2 specification. A Core Gadget Server MUST implement the authorization code and client credential types described in section 4 of the Open Authorization 2.0 specification. Core Gadget Servers SHOULD implement the implicit grant type. Core Gadget Servers MAY implement the refresh token pattern described in section 1.5 of the OAuth 2.0 specification.
• (latest) OpenSocial Social API Server Specification 2.5.12.1 PeopleContainers MUST support the People Service.Containers MUST support retrieving information about a person.
2.2 GroupsContainers MAY support the Groups Service.
Hands-On #1
AARNet Copyright 2011
48
VOOT API VOOT is a very simple protocol for cross-domain read-access to groups, focusing on HE&R requirements.Authentication of the client and the user is established using OAuth 2.0, and the group protocol.VOOT is a standalone specification, that intentionally aims to be partly compatible with OpenSocial v2.0.
• OpenConext– Exchange of group and person information
• Standardized REST API based on OpenSocial 1.1 API– Subset of OpenSocial 1.1 + {voot_membership_role} attribute
– Supported calls:• Retrieve a list of groups the user is a member of• Retrieve the list of people that are members of the user’s group
– Security• OAuth 2.0 protected resource server• OAuth 1.0a supported (for now)• OpenConext ‘API playground’ is provided for testing OAuth/VOOT calls
Hands-On #1
Preview Session 2: Hands-On #2 & #3(the ‘work’ in ‘workshop’)
Hands-On #1
AARNet Copyright 2011
50
Simple Dev Examples• Simple “HelloWorld” example in• Java (will show/explore Scribe OAuth library)• PHP (will show/explore implementation by SURFnet)
• Any takers for trying a Grails or Python implementation. Links :• http://grails.org/plugin/oauth-scribe• https://github.com/litl/rauth
• Can try to use Eclipse, however network may be to slow• If so, use your favourite text editor
Hands-On #1