federated identity managementeudat.eu/sites/default/files/federated identity... · 2019-04-01 ·...
TRANSCRIPT
![Page 1: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/1.jpg)
Federated Identity Management
Willem Elbers (MPI-TLA)
EUDAT training
Date: 26 June 2012
![Page 2: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/2.jpg)
Outline
• FIM and introduction to components
• Federation and metadata
• National Identity federations and inter federations
• Attributes
• Issues
• Summary
![Page 3: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/3.jpg)
Federated Identity Management
• “Federated Identity Management (FIM) is about technologies,
standards and use-cases which serve to enable the portability
of identity information across otherwise autonomous security
domains”1
• A typical use-case with FIM is the (web-based) single sign-on
scenario where a user signs in once with his/her home
organization and can access multiple services hosted at
different organizations.
• Technologies: Shibboleth, Oauth, simpleSAMLphp, …
• Standards: SAML 2.0, …1 http://en.wikipedia.org/wiki/Federated_identity_management
![Page 4: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/4.jpg)
Identity Provider (IDP)
• Typically running at the users home organization
• Authenticates a user
– Connected to a user store (LDAP, database, …)
• Configures attributes to release
• Decides which service providers to trust
• In case of shibboleth just a java web application
deployed in a servlet container
![Page 5: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/5.jpg)
Service Provider (SP)
• Typically running at the organization providing the service
• Makes an access control decision based on the attributes and/or supplied identity information
• Redirects the user to a login endpoint if no identity information is available– Can be an individual IDP
– Can be a “where are you from” page
• Decides which identity providers to accept
• Decides which attributes to accept
• In case of shibboleth installed into apache
![Page 6: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/6.jpg)
SP Attribute Filter
• SP attribute map configuration (attribute-map.xml)
• SAML1 and SAML2 naming
• nameFormats
• Our mapping for eduPersonPrincipalName:
<Attribute
name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
id="eduPersonPrincipalName"/>
<Attribute
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
id="eduPersonPrincipalName"/>
<Attribute
name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
id="eduPersonPrincipalName"/>
default nameFormat:SAML1 = urn:mace:shibboleth:1.0:attributeNamespace:uriSAML2 = urn:oasis:names:tc:SAML:2.0:attrname-format:uri
![Page 7: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/7.jpg)
Shibboleth and Apache
• Load shibboleth moduleLoadModule mod_shib
…/shibboleth-sp/lib/shibboleth/mod_shib_22.so
• Protect a path<Location /ds/imdi_browser>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
Satisfy All
Require valid-user
</Location>
![Page 8: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/8.jpg)
Where Are You From (WAYF)
• A typical FIM use-case is an SP accepting users authenticated by a (large) number of IDPs.
• How does the SP decide which login endpoint the user needs to be redirected to?
• Where are you from page– Let the user select the IDP he/she wants to authenticate with
• In the case of shibboleth there is a default WAYF page, other alternatives are e.g. DiscoJuice1
– Default WAYF: http://lux17.mpi.nl/
– DiscoJuice: http://catalog.clarin.eu/ds/ComponentRegistry/#
1 http://www.discojuice.org
![Page 9: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/9.jpg)
SAML 2.0
• Security Assertion Markup Language 2.0 is a version of the
SAML OASIS standard for exchanging authentication and
authorization data between security domains
• XML based protocol using security tokens containing
assertions to pass information about a principal between an
identity provider and a service provider
• Metadata creates the trust relation between IDPs and SPs
based on exchanged public keys
![Page 10: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/10.jpg)
Iden
tity rovid
erId
entity ro
vider
SSO Flow Schematic
Ide
ntity ro
vider
Service Pro
vider
WAYF
Pro
tected R
esou
rce
Request access to
a resource
Provide resource or
deny access
Where are you
from?I am from
MPI-TLA
Who are you?
I am Willem Elbers
Redirect to login endpoint Redirect to IDP
Set authentication information and attributes
And redirect back to original request location
User
redirect
interaction
Example
![Page 11: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/11.jpg)
Identity Federation (IDF)
• Group of IDPs and SPs that trust each other
– Trust relation created by legal contracts
– Defined in metadata • By “trusting” each others keys
• Within the IDF users can use a single identity to access all services
• SPs trust IDPs loaded by metadata
• IDPs trust SPs loaded by metadata
• Building federations is establishing the legal contracts and creating and exchanging metadata sets with IDPs and SPs that trust each other
![Page 12: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/12.jpg)
Metadata IDP example1
<EntityDescriptor entityID="https://idp.clarin.eu" >
<IDPSSODescriptor ….>
<Extensions>...</Extensions>
<KeyDescriptor>...</KeyDescriptor>
…
<SingleSignOnService … Location="https://catalog.clarin.eu/mw/shibboleth-idp/profile/Shibboleth/SSO"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor …>
<Extensions>...</Extensions>
<KeyDescriptor>...</KeyDescriptor>
<AttributeService … Location="https://catalog.clarin.eu/mw/shibboleth-idp/profile/SAML1/SOAP/AttributeQuery"/>
…
</AttributeAuthorityDescriptor>
<Organization></Organization>
<ContactPerson contactType="technical"></ContactPerson>
<ContactPerson contactType="administrative"></ContactPerson>
</EntityDescriptor>
1 full metadata files available at http://idp.mpi.nl/metadata
Provide backwards compatibility
![Page 13: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/13.jpg)
Metadata SP example1
<EntityDescriptor entityID="https://sp.catalog.clarin.eu">
<SPSSODescriptor …>
<Extensions></Extensions>
<KeyDescriptor></KeyDescriptor>
<SingleLogoutService … Location="https://catalog.clarin.eu/Shibboleth.sso/SLO/SOAP"/>
…
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<ManageNameIDService … Location="https://catalog.clarin.eu/Shibboleth.sso/NIM/SOAP"/>
…
<AssertionConsumerService … Location="https://catalog.clarin.eu/Shibboleth.sso/SAML2/POST" index="1"/>
….
<Organization></Organization>
<ContactPerson contactType="technical"></ContactPerson>
</SPSSODescriptor>
</EntityDescriptor>
1 full metadata files available at http://idp.mpi.nl/metadata
![Page 14: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/14.jpg)
Setting Up
• Technical (Shibboleth case)– Service provider
• Requires certificate
• 0.5 – 1 day to set-up
– Identity provider
• Requires certificate
• 1 - 2 day(s) to set-up
– Integration with applications (depends on set-up)
• Legal (Joining federations)– Signing contracts
– Can take a long time
• Maintenance– Mostly keeping the metadata up-to-date
– Connecting new IDPs, SPs or federations can take a long time due to legal issues
![Page 15: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/15.jpg)
The national IDFs & eduGAIN• Seemed obvious to use FIM
provided by the national academic IDFs
• … and especially the EU “eduGAIN” interfederation, at that moment (2009) a pilot project. We hoped for:– transparent participation for SPs
and IdPs
– standard attribute set
• Not too worried about attribute harmonization since– Authorization in CLARIN usually
on basis of identity and signed licenses
IdP2
IdP1
SP2
Identity Federation
What makes the federation- Metadata- Agreements:
- technical e.g. SAML2- Legal contracts
SP1
user attributes
![Page 16: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/16.jpg)
Using eduGAIN
SP2
SP3
SP1
IDF a
IDF b
homeless users?
IDF c
eduGain
• The CLARIN SPs are members of their national IDFs
• Rely on the eduGain interfederation to provide the necessary exchange of metadata
Contracts, metadata & attr. exchange
![Page 17: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/17.jpg)
Academic IDF AttributesIDF Mandatory Further remarks
DFN-AAI sn, email, ePPN, ePSA, ePEntitlement, ePTID ,(*)
What is the predominant unique identifier for end users? ePPN, ePTIDIs there a policy for what should be used as the unique ID? No.
HAKA cn, sn, displayName, eduPersonPrincipalName, schacHomeOrganization, schacHomeOrganizationType
Currently, ePPN is the predominant unique ID. The federation operator has published instructions on use of ePTID but hasn't strongly insisted its use.
SURFfed None The predominant unique identifier for end users is ePPN. There is no formal policy for what should be used as the unique ID
From: https://refeds.terena.org/
(*) within DFN-AAI we see no compliance with the ‘official’ DFN attribute policy. There is confusion why attributes do not appear. Some claim DFN privacy policy is the cause. More likely the Universities have their own policy
![Page 18: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/18.jpg)
Solutions for getting attributes I
How do we get the right attributes to the SPs?
• Advice users without the required attributes to contact their IdP and leave it to them.
… bad idea, you will have few users
• Attribute release consent modules (uApprove) will help IdP administrators to agree on providing all possible attributes.
• Have appropriate fall-back configuration to come to a unique user identifier (ePPN, eTID, email). Have the applications query the user when other attributes are required.
![Page 19: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/19.jpg)
Solutions for getting attributes II
• Lobby for mandatory attribute release policies of national IDFs and eduGain
• Create an external VO-Platform (central user attribute provider) providing all the required attributes (and perhaps some other useful information)– SPs will get all required attributes with correct semantics.
– Can still rely on user authentication at the home institute
– Possibly inconsistent attributes
– Who manages this probably very big DB?
– However if everything else fails we have no other option.
• In view of the attribute release problems in Germany, CLARIN D has decided to create a CLARIN IdP that will cater for all German users in need.
![Page 20: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/20.jpg)
Homeless IdP
• There are users also from countries without a proper IDF
• For these a homeless IDP can be used with a simple
registration procedure
• Also used by users with IDPs not releasing the correct
attributes
• The verification of these users’ identity is limited. The
IdP is therefore not part of any national IDF and
(CLARIN) SPs are warned not to expose sensitive data
& services to these users.
homeless users?
![Page 21: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/21.jpg)
Summary
• Basic components
• Federations
• National IDFs
– How to minimize administrative overhead?
• Attributes
– How to ensure all required attributes are supplied by the IDPs?
– Same attribute provided in different “flavors”
• Catering for users without a (national) IDF
– Homeless IDP
– Different level of trust for these users
![Page 22: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/22.jpg)
Questions
Thank you for your attention
![Page 23: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/23.jpg)
Language TechnologyThink of parsers, taggers,
translators, aligners, speech
recognizers,…
• Currently often still use download first, process and store paradigm
• For efficiency need to use a Service Oriented Architecture (SOA), where only remote processing takes place
• Add to that a way of combining distributed services in a workflow
• with interaction with resource repositories
• Tools like this exist in a more or less usable form: TAVERNA, GATE, Weblicht, ...
WS1
WS2
WS3
tokenizer
POS tagger
NErecognition
R
R
Workflow
Engine
Workflow
Editor
S
WFspecification
![Page 24: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/24.jpg)
Web service security/delegation
in workflows
federatedauthentication
dataflowdelegation
CompositeWeb service
Web Application
tokenizer
parser
semantic tagger
Workflow engine
parserA
parserB
repository(distributed)web-services
![Page 25: Federated Identity Managementeudat.eu/sites/default/files/Federated Identity... · 2019-04-01 · Federated Identity Management • “Federated Identity Management (FIM) is about](https://reader033.vdocuments.net/reader033/viewer/2022053002/5f06864b7e708231d4186b8c/html5/thumbnails/25.jpg)
Possible solution using OAuth2• In cooperation with BiG-
GRID we have been
investigating different
solutions
• + Oauth2 scenario seems
to support much of what
we need
• + Constrained delegation
• - Need for a central AS
Portal WS1
IdP
AuthZService
SAML assertion
Exchange assertionfor token
12
3
4
WSn