
UK e-Science All Hands Meeting, September 2007

The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources

John Watt ([email protected]), Richard Sinnott ([email protected]), Jipu Jiang

University of Glasgow, Scotland, UK


“Implementing Single Sign-On and VO Management in e-Health and e-Learning domains at Glasgow using Shibboleth”

• 1 year JISC project (Dec ’05 – Dec ’06)
• In partnership with NHS Scotland

http://www.nesc.ac.uk/hub/projects/glass

GLASgow early adoption of Shibboleth


Federated Trust

• Local authentication infrastructures are vital
  – e.g. Campus student directories
• Support existing infrastructures (e.g. registration, human resources)
  – Will normally have enrolled IN PERSON at the institution
    » With standard identity (birth certificate, exam results)
  – Will be (reasonably) well known by local staff
• Also the Regional Operators for a CA
  – Required decentralisation of credential verification due to travel/time restrictions
  – National CA would be impossible without this
• Remote authentication information will always be out of date
• Don’t want to have to learn lots of usernames/passwords


Federated Trust

• The best entity to authenticate a person is their home institution/company
  – Info will be up to date
  – They will always know a person better than a remote site
  – Remote site may not know if user is still valid or not
• Can we utilise a user’s home credentials to access remote resources?


Campus Authentication

• Novell NSure
  – Unified account management system at University of Glasgow
  – Central authentication method for campus
  – System may be queried through LDAP connection
  – Production system!
• Custom schema
  – Standard object classes + Novell definitions
• NOTE:
  – ‘uid’ attribute is guaranteed unique for every user on system
  – So we can use this as a database linking attribute
    » could come in handy…


• Federated Authentication system using SAML for secure conversation
• Enables Single Sign-On to Web Pages and Portals
• Authentication is done by the user’s home institution
  – Identity Provider (Origin)
• Authorisation (and access) is done by the resource
  – Service Provider (Target)


[Figure: Shibboleth sign-on sequence between the User, the Grid Portal (Service Provider, Application, Authz), the WAYF, the Home Institution (Identity Provider, LDAP) and the Federation. The slides step through it as follows.]

1. Point browser to portal
2. Shibboleth redirects user to W.A.Y.F service
3. User selects their home institution
4. AUTHENTICATE: Home confirms userID in local LDAP and pushes attributes to the service provider
5. Portal logs user in and presents attributes to authorisation function
6. AUTHORISE: Portal passes attributes to AuthZ function to make final access control decision


Identity Providers

• Identity Providers assert:
  – The authenticity of the user
    » IdPs in a federation TRUST each other’s authentication assertions
      – IdP guarantees the user is who they say they are
      – Enforced by federation policy
    » Shibboleth requires external apps to actually do the authentication
      – SAML provides the transport mechanism for this assertion
  – The privileges of the user
    » SAML Attributes carry extra information about this user which can be used by external resources to make access control decisions
      – These attributes need to be negotiated between IdPs and SPs
      – However a standard framework exists which SPs may adopt to enhance interoperability…


eduPerson

• An LDAP object class which defines widely-used attributes relevant to higher education
• Adopted by Shibboleth and the UK Access Management Federation
• eduPersonAffiliation – Standard attribute definition (student, staff, affiliate)
• eduPersonPrincipalName – May be disabled for anonymous access
• eduPersonTargetedID – Persistent non-identifying… identifier
• eduPersonEntitlement – Custom attribute for carrying user privileges


eduPerson

Campus opinion of effect of adoption of eduPerson schema…


Towards a Solution…

• Basic Shibboleth IdP configuration

[Figure: IdP in front of a single User Directory. An SP AuthN request becomes an “AuthN?” query to the directory, which answers y/n, and the y/n is returned to the SP. An SP AuthZ request becomes an “Atts?” query to the same directory, which returns the Atts., and the Atts are returned to the SP.]

• eduPerson not supported (by the User Directory)


Multiple Attribute Authorities

[Figure: IdP in front of the central User Directory plus departmental directories Dept. A and Dept. B. The SP AuthN request is still answered (“AuthN?” → y/n → y/n to SP) by the User Directory alone. The SP AuthZ request (“Atts?”) now goes to the User Directory and to Dept. A / Dept. B, and the combined Atts. are returned to the SP.]

• User entries linked through unique ‘uid’ attribute
• eduPerson can be adopted at departmental level


The Techie Bit…

• Multiple attribute authorities implemented through additional JNDI connectors in resolver.ldap.xml
• Must set ‘noResultIsError’ to ‘false’
  – Prevents an error being thrown if a user is not found in a database
  – Needed because a user is not normally a member of EVERY department!
• Must set ‘propagateErrors’ flag to ‘false’
  – Stops any errors from halting query of multiple LDAPs
• Attribute connectors state which directories they will search
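As an added illustration (constructed here, not code from the GLASS project or the Shibboleth IdP), the following simulation models the resolver behaviour the two flags control: several directories linked by the campus-wide ‘uid’ are queried for one principal, and the defaults of True for both flags are an assumption made to mirror the slide’s point. Directory names, the ‘jw001’ uid and its attributes are constructed sample data.

```python
class DirectoryDown(Exception):
    """Constructed stand-in for a JNDI/LDAP connection failure."""


# Constructed sample directories, linked by the campus-wide unique 'uid'.
CENTRAL = {"jw001": {"givenName": "John", "sn": "Watt"}}          # NSure
DEPT_A = {"jw001": {"eduPersonAffiliation": "staff",
                    "eduPersonEntitlement": "deptA_service"}}     # eduPerson here
DEPT_B = {}                                   # user is not a member of Dept. B


def connector(directory):
    """One JNDI-style connector: a lookup callable over one directory."""
    def lookup(uid):
        if directory is None:                 # simulate an unreachable LDAP
            raise DirectoryDown("directory unreachable")
        return directory.get(uid)             # None when uid has no entry here
    return lookup


def resolve(uid, connectors, no_result_is_error=True, propagate_errors=True):
    """Query every connector for uid and merge the attributes found.

    no_result_is_error: a missing entry in any one directory aborts resolution.
    propagate_errors: a connection failure in any one directory aborts it.
    (Defaults of True are assumed here to mirror the slide's point.)
    With both False the result is the union of whatever the reachable
    directories know about this uid, which is what the IdP needs.
    """
    merged = {}
    for name, lookup in connectors.items():
        try:
            entry = lookup(uid)
        except DirectoryDown:
            if propagate_errors:
                raise
            continue                          # skip the broken directory
        if entry is None:
            if no_result_is_error:
                raise LookupError(f"{uid} not found in {name}")
            continue                          # not in this department: fine
        merged.update(entry)
    return merged


CONNECTORS = {"central": connector(CENTRAL), "deptA": connector(DEPT_A),
              "deptB": connector(DEPT_B)}
```

With both flags False the attributes from NSure and Dept. A are merged even though Dept. B has no entry; with either flag left at True the absent membership or a down departmental LDAP aborts the whole resolution.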


Specific Services

• University of Glasgow is now offering many online services for its students
• Some involve manipulation or extraction of sensitive personal data
• Most involve insecure (often cleartext) user information to be moved about
• Nearly all require:
  – Username and password to be entered each visit (even within the same browser session)
    » It is also possible that DIFFERENT usernames and passwords may be needed
  – Pre-registration for staff and non-students


GLASS Project

Unifying Uni. Resources under Shibboleth utilising the NSure Directory Service

SSO, Secure Attributes…

WebMAIL


• Moodle is an online course management system
  – A Virtual Learning Environment (VLE) which allows educators to create online learning communities
• As of August 2006
  – 15,768 registered sites in 163 countries (1241 in UK alone)
  – 581,984 courses
  – 6,033,505 users
• Individual site Moodle(s) can be very different
  – Different sites may require different user information to create a session


• University of Glasgow Moodle
  – Utilises the central campus LDAP server
  – Requires the following entries for a user session
    » uid, givenName, fullName, mail, sn (Uni. of Glasgow Computing Services (CS) requirements)
  – Entries usually retrieved through generic module
• A Shibboleth Authentication module is available
  – Extracts the correct attributes from the HTTP_SHIB_ATTRIBUTES header provided by Shibboleth Service Provider
  – “Pure Shibboleth” login, or multiple login types
    » CS prefer the latter, more flexible
    » Cost is user must specifically request a Shibboleth session on first visit.


• WebSURF is an online service for manipulation and retrieval of personal details
• Student Services
  – Course registration/options
  – Access to personal exam results
  – Updating personal details
    » Address, Tel. No.
• Staff Services
  – View student records
  – Update course information
• WebSURF is authored by Glasgow University


GLASS

• Moodle
  – Moodle ships with a Shibboleth authentication module
  – Requires configuration…
• Shibboleth SP provides the 5 attributes in an HTTP header (HTTP_SHIB_ATTRIBUTES)
• Each individual attribute is extracted using a CGI type header
  – HTTP_UID
  – HTTP_SHIBINETORG_SURNAME
  – HTTP_GIVENNAME
  – Etc
• Moodle forms a local username (if it doesn’t already exist)
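An added example (constructed here, not Moodle’s module or the GLASS project’s code) of the login step described above: the per-attribute CGI headers set by the Shibboleth SP are read from a WSGI-style environ, all five entries Glasgow Moodle needs are required before a session is created, and the local account is formed on first visit. HTTP_UID, HTTP_GIVENNAME and HTTP_SHIBINETORG_SURNAME are the header names on the slide; HTTP_FULLNAME, HTTP_MAIL and the sample request values are assumptions for illustration.

```python
# Moodle field -> CGI header the SP is assumed to set (the first three
# header names are from the slide, the last two are assumed for illustration).
HEADER_MAP = {
    "uid": "HTTP_UID",
    "givenName": "HTTP_GIVENNAME",
    "sn": "HTTP_SHIBINETORG_SURNAME",
    "fullName": "HTTP_FULLNAME",
    "mail": "HTTP_MAIL",
}

LOCAL_USERS = {}  # constructed stand-in for Moodle's local user table


def extract_attributes(environ):
    """Return the five required attributes, or None if any is missing.

    The headers are only trustworthy because the Shibboleth SP module in the
    web server sets them after validating the IdP's assertion; the
    application must be reachable only through that module, never directly.
    """
    attrs = {}
    for field, header in HEADER_MAP.items():
        value = environ.get(header, "").strip()
        if not value:
            return None                # incomplete attribute release
        attrs[field] = value
    return attrs


def shib_login(environ):
    """Log the user in, forming the local account on first visit."""
    attrs = extract_attributes(environ)
    if attrs is None:
        return None                    # refuse the session
    username = attrs["uid"]            # uid is unique campus-wide
    if username not in LOCAL_USERS:
        LOCAL_USERS[username] = attrs  # Moodle forms the local username
    return username


# Constructed sample request, as the SP would present it to the application.
SAMPLE_ENVIRON = {
    "HTTP_UID": "jw001", "HTTP_GIVENNAME": "John",
    "HTTP_SHIBINETORG_SURNAME": "Watt", "HTTP_FULLNAME": "John Watt",
    "HTTP_MAIL": "jw001@example.ac.uk",
}
```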


GLASS

• WebSURF
  – Much more complicated!
  – WebSURF is a J2EE application which runs in a JBoss container
  – Authentication is done with the generic JAAS module
• Shibboleth may interface with JBoss applications through the SPIE-JAAS module which takes the place of the generic JAAS
  – http://spie.oucs.ox.ac.uk


GLASS

• BrainIT
  – Using Shibboleth to provide sensitive clinical data to a Grid portal from an NHS database
  – SP needs to host GridSphere, so a Tomcat/ajp_proxy setup is required
• Have SSL enabled this portal as data is particularly sensitive
• eduPersonEntitlement used as the attribute required for access to portal
• Different attributes correspond to different available parameters to query
  – brainIT_nurse – low privilege (e.g. DOB/Sex)
  – brainIT_investigator – high privilege (e.g. postcode, illness specifics)
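An added example (constructed here, not the BrainIT portal’s code) of the entitlement-based decision described above: the portal reads the user’s eduPersonEntitlement values, works out which query parameters they unlock, and refuses a whole query if any requested parameter is outside that set. The SP joins multiple attribute values with ‘;’ in one header; which parameters each entitlement unlocks is assumed from the slide’s examples.

```python
# Parameters each entitlement value may query (assumed from the slide's examples).
PRIVILEGES = {
    "brainIT_nurse": {"dob", "sex"},                                   # low
    "brainIT_investigator": {"dob", "sex", "postcode", "illness_specifics"},  # high
}


def entitlements(header_value):
    """Split the multi-valued eduPersonEntitlement header into a set.

    The Shibboleth SP joins multiple values with ';' in a single header.
    """
    return {v.strip() for v in header_value.split(";") if v.strip()}


def allowed_parameters(header_value):
    """Union of the parameters the user's recognised entitlements unlock.

    Unrecognised values contribute nothing, so a user without a BrainIT
    entitlement ends up with an empty set: deny by default.
    """
    allowed = set()
    for ent in entitlements(header_value):
        allowed |= PRIVILEGES.get(ent, set())
    return allowed


def authorise_query(header_value, requested):
    """Return (permitted, denied_parameters) for one portal query.

    The whole query is refused if any requested parameter is outside the
    user's privilege, so a mixed request never yields partial results.
    """
    denied = set(requested) - allowed_parameters(header_value)
    return (not denied, denied)
```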


Summary

• GLASS infrastructure is basis for all Shibboleth-based projects at Glasgow
  – e.g. EPSRC nanoCMOS project
    » Centralised authentication from NSure LDAP
    » Departmental Attribute Authorities at National e-Science Centre and Department of Electronics and Electrical Engineering
    » Each department controls the attributes required for access to their own service
    » LDAP directories linked using unique ‘uid’ attribute
• Experience gained in interfacing with new technologies (MediaWiki)
• Informs new Shibboleth based projects with other collaborators (e.g. SEE-GEO)


Demos

This afternoon…. All afternoon!