Shibboleth NTU - PowerPoint PPT Presentation


1
Shibboleth @ NTU
  • Francis Lowry
  • Information Systems
  • Nottingham Trent University
  • francis.lowry@ntu.ac.uk

2
Overview
  • Shibboleth infrastructure using Windows servers,
    authenticating to Active Directory, sourcing
    attributes from a SQL Server database.
  • Background and approach.
  • Shibboleth
  • Technical requirements and resources
  • Installation files and documentation
  • This is not a deep technical presentation.

3
Nottingham Trent University
  • Approx 25k FTE on three sites.
  • Heterogeneous mix of technologies.
  • Primarily Windows XP desktops.
  • Single Active Directory for organisation.
  • Single email system (Exchange).
  • Centralised Information Systems team with some
    satellite local support functions.

4
Current Work
  • JISC-funded CV Builder service.
  • Web-based CV Builder service using Shibboleth as
    the authentication mechanism.
  • 2-year project, October 2006 to October 2008.
  • Partners: New College Nottingham, West
    Nottinghamshire College.
  • Ancillary outputs:
  • Shibboleth on Windows
  • Training material
  • Documentation
  • Bilateral deployment (Linux)
  • Documentation & VMWare images

5
What is Shibboleth?
  • Architecture based on the SAML specification
    enabling secure local Authentication, providing
    Authorisation by the release of specific
    information (attributes) to enable access to
    trusted remote services within a Federation.
  • Authentication
  • Proving you are who you say you are, e.g. with an
    Active Directory username and password.
  • Authorisation
  • Access to resources is granted only to groups of
    users about whom the originating organisation
    asserts specific information (e.g. Joe Bloggs is
    a student at Nottingham Trent University), which
    it does by releasing agreed values of specific
    attributes.
  • Federation
  • At its simplest level, a circle of trust with an
    agreed set of rules which enables this degree of
    trust.

6
What are Attributes?
  • Simply pieces of information associated with a
    user which can be used to provide access to
    resources.
  • UK Federation define 4 core attributes that need
    to be released as part of federation membership.
  • eduPersonTargetedID
  • JBxMwF5rsKXG8CQCQ9VCJsvvww0_at_ntu.ac.uk
  • eduPersonPrincipalName
  • mis3lowryfj_at_ntu.ac.uk
  • eduPersonEntitlement
  • Science, urnmaceexample.eduexampleEntitlement,
    Library Visitor .
  • eduPersonScopedAffiliation
  • staff_at_ntu.ac.uk
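Three of these four values carry a scope (the part after the @), and an SP must only accept a scope that the federation metadata lists for the asserting IdP; otherwise any member IdP could assert staff@ of another institution. The following is an added example of that check, not code from these slides or from the Shibboleth SP itself. It parses a SAML 1.1 attribute statement in the form Shibboleth 1.3 uses (values with a Scope XML attribute); the statement, the permitted scope list and the out-of-scope value are constructed for the example.

```python
"""SP-side scope check for scoped Shibboleth attributes (added example)."""
import re
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_PREFIX = "urn:mace:dir:attribute-def:"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
# Attributes whose values are scoped and therefore must be checked.
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName", "eduPersonTargetedID"}

# Constructed: the scopes federation metadata would list for this IdP,
# as (value, is_regex) pairs mirroring shibmd:Scope regexp="true".
IDP_SCOPES = [("ntu.ac.uk", False), (r"^[a-z]+\.ntu\.ac\.uk$", True)]

# Constructed attribute statement: the second affiliation value claims a
# scope this IdP is not permitted to assert and must be dropped.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML1}">
  <saml:Attribute AttributeName="{ATTR_PREFIX}eduPersonScopedAffiliation"
      AttributeNamespace="{ATTR_NS}">
    <saml:AttributeValue Scope="ntu.ac.uk">staff</saml:AttributeValue>
    <saml:AttributeValue Scope="cam.ac.uk">staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="{ATTR_PREFIX}eduPersonPrincipalName"
      AttributeNamespace="{ATTR_NS}">
    <saml:AttributeValue Scope="ntu.ac.uk">mis3lowryfj</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="{ATTR_PREFIX}eduPersonEntitlement"
      AttributeNamespace="{ATTR_NS}">
    <saml:AttributeValue>urn:mace:example.edu:exampleEntitlement</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def scope_permitted(scope, idp_scopes):
    """True if the IdP's metadata allows it to assert this scope."""
    for allowed, is_regex in idp_scopes:
        if is_regex:
            if re.fullmatch(allowed, scope):
                return True
        elif scope.lower() == allowed.lower():
            return True
    return False


def filter_attributes(statement_xml, idp_scopes):
    """Return (accepted, rejected): accepted maps attribute -> [values] with
    scoped values rendered as value@scope; rejected lists scoped values whose
    scope is missing or not permitted for this IdP."""
    root = ET.fromstring(statement_xml)
    accepted, rejected = {}, []
    for attr in root.findall(f"{{{SAML1}}}Attribute"):
        name = attr.get("AttributeName", "")
        if not name.startswith(ATTR_PREFIX):
            continue  # unknown attribute namespace: ignore, never trust
        short = name[len(ATTR_PREFIX):]
        for val in attr.findall(f"{{{SAML1}}}AttributeValue"):
            text = (val.text or "").strip()
            scope = val.get("Scope")
            if short in SCOPED:
                if not scope or not scope_permitted(scope, idp_scopes):
                    rejected.append((short, f"{text}@{scope}"))
                    continue
                text = f"{text}@{scope}"
            accepted.setdefault(short, []).append(text)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_attributes(SAMPLE_STATEMENT, IDP_SCOPES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The real SP does this against the IdP's entry in the signed federation metadata; the point the example makes is that scope is part of the trust decision, not just part of the string.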

7
Shibboleth Terminology
  • Identity Provider (IdP)
  • Releases specific information about a user to
    specific services to provide authorised access.
  • This is the only requirement for participation in
    the UK Federation!
  • Service Provider (SP)
  • Used to protect web resources e.g. Moodle, and
    restrict access to other organisations using
    Shibboleth.
  • Where Are You From? service (WAYF)
  • Mechanism that lets a user tell a service
    provider which identity provider should
    authenticate them.

8
Shibboleth pre-requisites
  • Local Web single sign-on framework
  • Central authentication source e.g. LDAP / Active
    Directory, Database.
  • Attribute store e.g. LDAP / Active Directory /
    Database.
  • SSL Certificates for IdP and SP.
  • Specific ports open on firewall (80, 443, 8443)
  • Server domain names resolve correctly externally.

9
Environment _at_ NTU
  • No existing web single sign-on framework.
  • For simplicity we adopted CAS
    (http://www.ja-sig.org/wiki/display/CAS/Home).
  • Single directory for authentication.
  • Active Directory already in place.
  • No Attribute store.
  • Sourced attributes from very simple tables in a
    small SQL Server database.

10
Initial installation approach
  • Customised installation script (from K.U.Leuven).
  • Automated
  • Quick
  • Tomcat acting as web server
  • Sourcing attributes from Active Directory
  • However:
  • No clear understanding of the interdependencies
    of the different components.
  • Assumes understanding of the component
    technologies.
  • NTU Rules for Active Directory population not
    aligned with UK Federation membership.

11
Current Approach
  • Apache Web Server for IdP.
  • Component based installation i.e. one small step
    at a time.
  • Fully documented
  • No previous experience required in the
    technologies.
  • Authentication remains with Active Directory.
  • Attributes sourced from SQL Server.
  • Simpler to maintain than attributes held in
    Active Directory.
  • No requirement to change the AD schema.
  • No impact on other business processes.
  • Can conform to UK Federation membership rules,
    i.e. attributes are not released for students
    who have completed and staff who have left.
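As an added illustration of the approach on slides 9 and 11 (not NTU's own code, which the slides do not show), the following Python sources the four core attributes from a small affiliation table with start and end dates, so that leavers and completed students get nothing released. It uses an in-memory SQLite database in place of SQL Server; the schema, rows, salt and SP entity IDs are constructed for the example, and the eduPersonTargetedID is computed as base64(SHA-1(sp!user!salt)) in the style of Shibboleth's computed-ID connector, which is an assumption rather than what NTU deployed.

```python
"""Attribute release from a simple affiliation table (added example)."""
import base64
import hashlib
import sqlite3
from datetime import date

SCOPE = "ntu.ac.uk"
# Constructed. In a real deployment this is secret and must never change,
# or every SP's stored targeted IDs silently become new users.
TARGETED_ID_SALT = b"example-salt-keep-secret-and-stable"

SCHEMA = """
CREATE TABLE person (username TEXT PRIMARY KEY, entitlement TEXT);
CREATE TABLE affiliation (
    username    TEXT NOT NULL REFERENCES person(username),
    affiliation TEXT NOT NULL CHECK (affiliation IN ('staff', 'student', 'member')),
    start_date  TEXT NOT NULL,   -- ISO 8601, so string comparison orders correctly
    end_date    TEXT             -- NULL while the affiliation is current
);
"""
# Constructed rows: one current staff member, one student who completes in
# July 2008, one member of staff who left in March 2007.
ROWS = [
    ("mis3lowryfj", "staff", "2006-10-01", None, "urn:mace:example.edu:exampleEntitlement"),
    ("n0123456", "student", "2005-09-20", "2008-07-01", None),
    ("oldstaff", "staff", "2001-01-01", "2007-03-31", None),
]


def open_store():
    """Create and populate the in-memory attribute store."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for username, aff, start, end, ent in ROWS:
        db.execute("INSERT OR IGNORE INTO person VALUES (?, ?)", (username, ent))
        db.execute("INSERT INTO affiliation VALUES (?, ?, ?, ?)", (username, aff, start, end))
    return db


def computed_targeted_id(sp_entity_id, username):
    """Opaque, stable per (SP, user) pair: SPs cannot correlate users with each other."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode())
    h.update(b"!")
    h.update(username.encode())
    h.update(b"!")
    h.update(TARGETED_ID_SALT)
    return base64.b64encode(h.digest()).decode().rstrip("=") + "@" + SCOPE


def resolve_attributes(db, username, sp_entity_id, today=None):
    """Return the four core attributes for a current user, or None if nothing
    should be released (no current affiliation). today is an ISO date string."""
    today = today or date.today().isoformat()
    rows = db.execute(
        """SELECT a.affiliation, p.entitlement
           FROM affiliation a JOIN person p USING (username)
           WHERE a.username = ? AND a.start_date <= ?
             AND (a.end_date IS NULL OR a.end_date >= ?)""",
        (username, today, today),
    ).fetchall()
    if not rows:
        return None  # leaver or completed student: release nothing
    attrs = {
        "eduPersonPrincipalName": f"{username}@{SCOPE}",
        "eduPersonTargetedID": computed_targeted_id(sp_entity_id, username),
        "eduPersonScopedAffiliation": sorted({f"{aff}@{SCOPE}" for aff, _ in rows}),
    }
    entitlements = sorted({e for _, e in rows if e})
    if entitlements:
        attrs["eduPersonEntitlement"] = entitlements
    return attrs


if __name__ == "__main__":
    store = open_store()
    for user in ("mis3lowryfj", "n0123456", "oldstaff"):
        print(user, resolve_attributes(store, user, "https://sp.example.org/shibboleth", "2008-03-01"))
```

The end-date test is what makes the release policy enforceable without touching the AD schema: AD keeps saying who the user is, the table says whether the federation should still hear about them.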

12
NTU Shibboleth Architecture
  • 2 servers
  • shibidp.ntu.ac.uk
  • shibsp.ntu.ac.uk
  • Dual-processor machines, mirrored disks, 2GB RAM,
    MS Windows Server 2003. Very low load.
  • IdP
  • Apache
  • Java
  • Tomcat with SQL Server JDBC driver added
  • CAS 3 server
  • Shibboleth with CAS 2 Client
  • SP
  • IIS 6
  • Shibboleth with ISAPI filter
  • Tomcat (for Confluence Wiki)

13
Skills required
  • Knowledge of Active Directory Administration
  • This is to provide the connection details to
    configure CAS to connect to Active Directory via
    LDAP.
  • SQL
  • Source attribute data from SQL Server tables
  • JDBC configuration
  • Confidence to edit XML configuration files by hand
  • Web Server administration knowledge
  • In particular SSL Certificates
  • Knowledge of Apache and Java/Tomcat is an
    advantage, but not a requirement

14
What do you really need?
  • Identity Provider
  • Single server, basic spec.
  • Windows 2003 Standard.
  • External DNS name.
  • Ports 80, 443 and 8443 opened through the firewall
    for both incoming and outgoing traffic.
  • SSL certificate for the web server and for
    Shibboleth traffic. JANET-connected organisations
    may want to avail of the free certificates
    available from the JANET SCS.

15
Problem areas!
  • SSL configuration across Apache, Java, Tomcat, CAS
    and Shibboleth.
  • This is the main problem area!
  • Attribute mappings: where do you source the data
    from?
  • Debugging Shibboleth errors can be problematic.
  • DNS entries and ports opened.

16
Resources to assist you
  • TESTSHIB
    (https://www.testshib.org/testshib-reg/index.jsp)
  • Shibboleth Wiki (https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WebHome)
  • Shibboleth@Internet2
    (http://shibboleth.internet2.edu/support.html)
  • NTU work on Shibboleth
    (http://shibsp.ntu.ac.uk/confluence).
  • CD
  • Full export (HTML) of documents
  • Docs from NTU.
  • Presentation
  • n.b. does not contain latest bug-fix for
    Shibboleth IdP.

17
TESTSHIB
  • Internet2 Test Federation.
  • Register IdPs and SPs
  • Safely test virtually all components of
    Shibboleth
  • Debug changes before applying them to your
    production environment.
  • Excellent resource.
  • Clear configuration guides.
  • NTU Training notes rely on TESTSHIB.

18
NTU Training environment
  • Windows 2003 Server
  • 5 VMWare Images W2003 Standard edition.
  • TESTIDP1 to TESTIDP5
  • Names correctly resolve externally
  • Ports opened
  • Uses TESTSHIB as Federation
  • TESTSHIB login account pre-created
  • Certificates pre-generated
  • Active Directory for Authentication
  • SQL Server for simple attribute store
  • C:\Install folder pre-configured

19
Finally
  • The release of Shibboleth version 2 is imminent,
    i.e. it is in its final test version, with the
    first production version due in the next month or
    so.
  • However, the documentation as always will take a
    while to catch up.
  • Shibboleth 1.3 can co-exist with 2.0.

20
Any Questions?