Federation With The Guanxi Shibb Kit
Sakai Conference, Amsterdam
June 13th 2007

Alistair Young
Senior Software Engineer
Àrd-Innleadair air Bathar-bog
UHI@Sabhal Mòr Ostaig
Wear the fox hat?
On the menu today
  “I hope sir is hungry”

  The Guanxi Project overview
  What does integration mean for an IdP?
  The Guanxi Shibb Kit
  Wrapping up
  Questions
Hors d’oeuvres
  “who are those strange users in my system?”
                                        shibboleth admin

  The Guanxi Project overview
  What does integration mean for an IdP?
  The Guanxi Shibb Kit
  Wrapping up
  Questions
What is Guanxi?
  “...you scratch my back, I’ll scratch yours”

In the Chinese business world, “Guanxi” is understood as the network of
relationships among various parties that cooperate and support one
another

  Guanxi has three main objectives:
    To implement the Shibboleth 1.2 specification into a WS architecture and within a VLE
    To extend and develop intra/inter-institutional AA functions
    To create and use Shibboleth federations
The Guanxi Project

  UK JISC funded Core Middleware Project
  Collaboration:
    UHI Millennium Institute (lead partner)
    University of Leeds
    University of Oxford

  Core Guanxi: IdP, SP, WAYF
The Guanxi Project
  Who is Guanxi? (i.e., who to blame...)
A Wee Bit Of Grammar
  “To Shibb or not to Shibb, that is the question...”
                                        Shakespeare, apparently

  Introducing the verb, to shibb
    To bang one’s head repeatedly against a hard surface
    To age prematurely
    To curse PKI
    To hallucinate and drool for a metadata editor
    Finally, to let anyone and their dog into your systems!
Web Service Enabled Service Provider

  Diagram components:
    org1 IdP: SSO, AA
    org2 Server: Filter, Webapp, Resource specific modules (A/C)
    Federation server: Institutional SP, WAYF

  Flow:
    1. user@org1 accesses resource at org2
    2. Filter sets up WS-Callback with SP
    3. Filter redirects to federation WAYF
    4. User’s SSO authenticates them
    5. SSO replies to federation SP
    6. Federation SP requests attributes on behalf of filter
    7. User’s AA sends attributes to federation SP
    8. Federation SP invokes WS-Callback to filter, which retrieves its attribute request data
    9. Filter makes access decision based on attributes gathered by the federation SP

  Distributed architecture
  Institutional SAML Server, satellite Guards
  Can scale SAML servers to balance load
Starter

  The Guanxi Project overview
  What does integration mean for an IdP?
  The Guanxi Shibb Kit
  Wrapping up
  Questions
Identity Provider
  “I am, therefore my IdP knows about me...”
                                        Famous philosopher

  It’s the Identity Provider’s job to:
    Get you authenticated, somehow, anyhow
    Release attributes about you: affiliation, membership etc.
  Authentication is out of scope of the Shibboleth profile
    Do it any way you want! LDAP, JDBC, secret handshake while standing on one leg with trouser leg rolled up!
  Attributes can be gathered from multiple stores
    Get them from eDirectory, Active Directory, VLE
    Guanxi aggregates and “SAMLises” them
    Only released subject to Attribute Release Policy (ARP)
What is integration?
  “how many webapps can a web.xml withstand?”
                                        17th century children’s rhyme

  IdP can be standalone, linked to backend systems
    SP oriented. Users authenticate when they access a remote, shibbed resource
    Confusing if they have already logged in to the institutional portal or VLE. Why authenticate twice?
  Or it can be embedded in an institutional application...
    ...VLE, Portal, Identity Management System etc.
    IdP oriented. Users authenticate once, in the VLE, and access shibbed resources seamlessly
    VLE already linked to backend systems
    Introduces the concept of “logging in to your IdP”
    Log in first thing, ready to shibb all day
Mapping attributes
  “You’re not putting that in there...”
                                        our Novell admin

  JISC UK federation mandates use of eduPerson
  But we don’t have eduPerson support in our eDirectory
  Our admin jumps up and down when we ask for it
    “oh yes, you’re asking for it all right”, he shouts!
  Not to worry. Guanxi IdP will map any attribute to any other
  An example is the Athens “userRole” attribute. We don’t have it in eDirectory either. So we map our users’ LDAP DN to their userRole
  Bodington uses the Guanxi IdP to map its internal membership roles to eduPerson
  Sakai can now map its User object to eduPerson attributes and release them
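An added illustration (not Guanxi’s code) of the two mappings described on this slide plus the ARP check from the Identity Provider slide: an LDAP DN mapped to an Athens-style userRole, internal membership roles mapped to eduPerson attributes, and release filtered per Service Provider so an unlisted SP gets nothing. The mapping rules, the sample eDirectory record and the policy table are all constructed for this example; Guanxi’s real mapper configuration is not shown on the page.

```python
"""Attribute mapping plus Attribute Release Policy check (constructed illustration)."""
import re
from typing import Callable, Dict, List, Set

Attrs = Dict[str, List[str]]   # attribute name -> values (SAML attributes are multi-valued)
Mapper = Callable[[Attrs], Attrs]

# Constructed rule: the OU in the user's DN decides the Athens-style userRole.
_OU_TO_USER_ROLE = {"staff": "staff", "students": "student"}
# Constructed rule: internal membership roles that have an eduPerson affiliation.
_MEMBERSHIP_TO_AFFILIATION = {"staff": "staff", "student": "student", "member": "member"}


def dn_to_user_role(raw: Attrs) -> Attrs:
    """Map the LDAP DN to userRole, as the slide does for an attribute eDirectory lacks."""
    dn = raw.get("dn", [""])[0]
    match = re.search(r"(?i)\bou=([^,]+)", dn)
    if not match:
        return {}
    role = _OU_TO_USER_ROLE.get(match.group(1).strip().lower())
    return {"userRole": [role]} if role else {}


def membership_to_eduperson(raw: Attrs) -> Attrs:
    """Map internal membership roles to eduPersonAffiliation and build a principal name."""
    out: Attrs = {}
    affiliations = sorted({
        _MEMBERSHIP_TO_AFFILIATION[m.lower()]
        for m in raw.get("membership", []) if m.lower() in _MEMBERSHIP_TO_AFFILIATION
    })
    if affiliations:
        out["eduPersonAffiliation"] = affiliations
    if raw.get("uid") and raw.get("org"):
        out["eduPersonPrincipalName"] = [f"{raw['uid'][0]}@{raw['org'][0]}"]
    return out


def samlise(raw: Attrs, mappers: List[Mapper]) -> Attrs:
    """Aggregate what the mappers derive from the raw store; later mappers override earlier ones.

    Raw attributes that no mapper touches (e.g. homePhone) never reach the output,
    so they can never be released by accident.
    """
    mapped: Attrs = {}
    for mapper in mappers:
        mapped.update(mapper(raw))
    return mapped


# Constructed ARP: which attributes each SP (by entityID) may receive.
# Anything not listed is never released, and an unknown SP gets nothing.
ARP: Dict[str, Set[str]] = {
    "https://sp.example.org/shibboleth": {"eduPersonAffiliation", "eduPersonPrincipalName"},
    "https://athens-gateway.example.org": {"userRole"},
}


def release(mapped: Attrs, sp_entity_id: str, arp: Dict[str, Set[str]]) -> Attrs:
    """Apply the ARP: release only the attributes this SP is entitled to (fail closed)."""
    allowed = arp.get(sp_entity_id, set())
    return {name: values for name, values in mapped.items() if name in allowed}


# Constructed sample user as it might come out of eDirectory.
RAW_USER: Attrs = {
    "dn": ["cn=ayoung,ou=Staff,o=uhi"],
    "uid": ["ayoung"],
    "org": ["uhi.ac.uk"],
    "membership": ["member", "staff"],
    "homePhone": ["01471 000000"],   # never mapped, so never released
}

if __name__ == "__main__":
    attrs = samlise(RAW_USER, [dn_to_user_role, membership_to_eduperson])
    for sp in list(ARP) + ["https://unknown.example.net"]:
        print(sp, release(attrs, sp, ARP))
```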
Sakai + Guanxi
  A Shibboleth compatible Virtual Learning Environment

  Diagram: Sakai VLE with embedded Guanxi IdP (Sakai as IdP, Gx) talking to a Guanxi SP, an Athens Shibb Gateway and a Shibboleth SP

  True SSO
  Minimal configuration - self-signed certs are auto generated
  User and Group information exposed as eduPerson attributes by Guanxi
  Can login to your IdP to create users and manage their access rights
Single Sign On
  “I have too many passwords!”
                                        a user

  SSO means different things to different people
  Used to mean single username/password. Still had to authenticate multiple times
  Starting to mean just what it says on the tin
  Login once and middleware takes care of the multiple authentication problem
  But you need an integrated IdP to get true SSO
  Shibboleth disappears. Users never see the IdP.
  All they see is their VLE or Portal login page, once
Main course

  The Guanxi Project overview
  What does integration mean for an IdP?
  The Guanxi Shibb Kit
  Wrapping up
  Questions
Guanxi Shibb Kit (GSK)

  Shibboleth is complementary to normal Sakai operation
  Works with Sakai 2.4+
  Self contained in /portal-shibb portal
  Does not replace any Sakai authentication/authorisation features
  Shibb portal is a holding area while users are authenticated by their Identity Provider and their attributes retrieved from their Attribute Authority
  When they pass muster, a Pod is constructed with their SAML attributes and acts as a store for Guanxi UserDirectoryProvider and GroupProvider
  Pods are persisted so the shibb user is always “there” in Sakai, subject to SAML attribute lifetimes
Promotion to /portal

  Once a user has a valid Pod, the Shibb portal “logs them in” to Sakai and redirects them to the main portal
  The Shibb portal requires the main Sakai to be using the federated versions of the User and Group providers:
    FilterUserDirectoryProvider
    FilterGroupProvider
  Pod acts as a UserDirectoryProvider and GroupProvider, using its SAML attributes and their TTLs
  Once the user is kitted out with a Sakai profile courtesy of the GSK, they are free to wander around Sakai as normal, with their Pod acting as their information provider
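An added illustration (not the GSK’s own code) of the Pod behaviour the last two slides describe: a persisted Pod holds the user’s SAML attributes with their lifetimes, answers user and group lookups only while those attributes are unexpired, and is purged once the Attribute Authority’s assertion no longer vouches for it, so an ex-member is not kept “there” in Sakai indefinitely. The class names follow the slides; the lookup API, the affiliation-to-group mapping, the injected clock and the sample assertion data are assumptions for this example.

```python
"""A TTL-bounded Pod acting as user and group provider (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SamlAttribute:
    name: str
    values: Tuple[str, ...]
    not_on_or_after: float   # epoch seconds, taken from the assertion's validity window


@dataclass
class Pod:
    """Holds one shibbed user's SAML attributes; each attribute keeps its own lifetime."""
    user_id: str
    attributes: Dict[str, SamlAttribute] = field(default_factory=dict)

    def live(self, name: str, now: float) -> Optional[SamlAttribute]:
        """Return the attribute only while the AA's assertion still vouches for it."""
        attr = self.attributes.get(name)
        if attr is None or now >= attr.not_on_or_after:
            return None
        return attr

    def is_valid(self, now: float) -> bool:
        """The Pod is usable only while the attributes Sakai relies on are unexpired."""
        return all(self.live(n, now) is not None for n in ("uid", "eduPersonAffiliation"))


class PodStore:
    """Persisted pods keyed by user id; the clock is injected so expiry is testable."""
    def __init__(self, clock: Callable[[], float]):
        self._pods: Dict[str, Pod] = {}
        self._clock = clock

    def now(self) -> float:
        return self._clock()

    def put(self, pod: Pod) -> None:
        self._pods[pod.user_id] = pod

    def get(self, user_id: str) -> Optional[Pod]:
        """Unknown and expired pods look the same to callers: absent."""
        pod = self._pods.get(user_id)
        return pod if pod is not None and pod.is_valid(self.now()) else None

    def purge_expired(self) -> int:
        """Drop pods whose attribute lifetimes have run out; returns how many went."""
        now = self.now()
        stale = [uid for uid, pod in self._pods.items() if not pod.is_valid(now)]
        for uid in stale:
            del self._pods[uid]
        return len(stale)


class PodUserDirectoryProvider:
    """Answers user lookups from the Pod (the slide's UserDirectoryProvider role; API assumed)."""
    def __init__(self, store: PodStore):
        self._store = store

    def get_user(self, user_id: str) -> Optional[Dict[str, str]]:
        pod = self._store.get(user_id)
        if pod is None:
            return None            # unknown or expired: let the next provider in the chain answer
        now = self._store.now()
        display = pod.live("displayName", now)
        return {"eid": pod.live("uid", now).values[0],
                "displayName": display.values[0] if display else user_id}


class PodGroupProvider:
    """Derives Sakai group membership from eduPersonAffiliation (constructed mapping)."""
    AFFILIATION_TO_GROUP = {"staff": "uhi-staff", "student": "uhi-students"}

    def __init__(self, store: PodStore):
        self._store = store

    def get_groups(self, user_id: str) -> List[str]:
        pod = self._store.get(user_id)
        if pod is None:
            return []
        aff = pod.live("eduPersonAffiliation", self._store.now())
        return sorted(self.AFFILIATION_TO_GROUP[v] for v in aff.values
                      if v in self.AFFILIATION_TO_GROUP)


def build_pod(user_id: str, attrs: Dict[str, Tuple[Tuple[str, ...], float]]) -> Pod:
    """Build a Pod from (values, expiry) pairs as parsed out of the SAML attribute statement."""
    return Pod(user_id, {n: SamlAttribute(n, v, exp) for n, (v, exp) in attrs.items()})
```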
One stop shibb shop
  say that when you’re drunk!

  Diagram: /portal-shibb contains the IdP, the WAYF and the Service Provider (Guard, Engine)

  All Shibboleth functionality in one place
  Enabled/disabled by setting in sakai.properties
  Shibb portal contains everything Sakai needs to work in a Shibboleth federation
  Does not require Apache, only a servlet container e.g. Tomcat
GSK Architecture

  Diagram:
    Remote user, browser redirects, /portal-shibb (Guard, Engine)
    /portal-shibb to IdP: Authenticate; IdP to /portal-shibb: Attributes
    Guanxi providers: PodUserDirectoryProvider, PodGroupProvider
    Normal Sakai providers: LDAPUserDirectoryProvider, LDAPGroupProvider
    Federated providers: FilterUserDirectoryProvider, FilterGroupProvider
    Normal Sakai user, /portal, worksite, tools
Embedded IdP

  Diagram:
    IdP endpoints: /portal-shibb/SSO (auth requests), /portal-shibb/AA (attribute queries)
    Components: SakaiCookieHandler, SakaiAuthenticator, SakaiAttributor (with mapper)

  SakaiAuthenticator delegates to Sakai authentication system
  SakaiAttributor uses Sakai for user information
  SakaiCookieHandler traps authentication requests
    Only need to login once to access multiple SPs
  IdP’s mapper changes Sakai attributes to any other attributes
Embedded SP

  Diagram (Sakai #1):
    User requests to /portal-shibb/gx
    Guard at /portal-shibb/guard.* (Authn, Authz)
    Engine at /portal-shibb/engine.* (WAYF?, Attributes)
    WAYF and IdP may be another Sakai (Sakai #2)

  Fully self contained. Sakai has a Guard and Engine
  Guard blocks requests to /portal-shibb/gx
  Guard is a holding pen for users while they are authenticated by their IdP, which could be another Sakai.
  SAML Engine takes care of all Shibboleth and SAML functionality
External SAML Engine
  http://sakaiproject.org/samlengine

  Diagram: one central SAML Engine, with the Guard of each Sakai instance (Guanxi or normal Sakai) talking to it

  Rather than each Sakai instance having its own SAML Engine with its maintenance and configuration overhead
    Central SAML Engine, hosted by sakaiproject
    Each Sakai Guard configured to talk to sakaiproject.org Engine
    Sakai instances do not need to know about SAML or Shibboleth
Pudding - indigestion

  The Guanxi Project overview
  What does integration mean for an IdP?
  The Guanxi Shibb Kit
  Wrapping up
  Questions
In the pipeline

  Shibboleth tool to provide configuration GUI
  Expose individual Sakai tools as Shibboleth Service Providers
  Allow tools to specify which attributes they require for access
  Enhance the Sakai providers to allow proper internal federation
    Each UDP knows which users belong to it
    No need to search the chain of providers
Chucking out time
  one more waffer theen meent, sir?

  Guanxi project website - http://www.guanxi.uhi.ac.uk/wiki
  GSK documentation - http://www.guanxi.uhi.ac.uk/drguanxi/index.php/Sakai_Guanxi_Shibb_Kit
  The GSK is in contrib
  Guanxi mailing list - guanxi-development@lists.sourceforge.net
  Email - alistair@smo.uhi.ac.uk
