

  • Number of slides: 45

AAI with simpleSAMLphp
Marina Vermezović, Academic Network of Serbia - AMRES
EIFL, 15. 12. 2011.

Content
• AAI and Federated Identity
• simpleSAMLphp
• Federation structures
• AMRES AAI deployment
Akademska mreža Srbije, www.amres.ac.rs

Let’s make a start point
If you want to: offer web services – e-books, e-magazines
You need to:
• Control access to those web services
• Make services user-personalized
How do you do this:
• Authentication - who is your user?
• Authorization - what can she do?
AAI - Authentication and Authorization Infrastructure makes access to protected services easier

Without AAI (diagram)
Faculty A runs its own service providers: wireless, videoconference, e-learning, student portal.
Library B runs its own service providers: wireless, e-books.
Every single service performs its own authentication (Auth) and authorization (Autz).

With AAI (diagram)
Faculty A service providers: wireless, videoconference, e-learning, student portal.
Library service providers: wireless, e-books.
One Identity Provider, backed by Identity Management, performs authentication (Auth) for all of them; each service keeps only its own authorization (Autz).

AAI Architecture and Roles (circle of trust)
Federation operator:
• Defines technologies used
• Admits IdPs and SPs to federation – provides metadata
• Can provide some of the federation services centrally: Discovery Service, Metadata management, SSO, SLO, consent, Attribute Handling
Identity Provider:
• Identity Management
• Authentication
• Release of user attributes
• Preserving user privacy
Service Provider:
• Controls access to resource
• Authorization
• Personalized user service

Decide for technology and software
De-facto standard in academic identity federations: SAML
Software:
• Shibboleth – created by Internet2 (U.S.); IdP: Java, needs Tomcat; SP: C++, Apache module
• simpleSAMLphp – created by UNINETT (Norway); both IdP and SP, written in PHP

simpleSAMLphp
What are the key simpleSAMLphp functionalities? Let’s see what simpleSAMLphp can do, following the example of a user accessing a web service.

SP point of view – protect access
Allows access to the resource only to legitimate users

SP point of view – IdP Discovery
Before redirecting the user to her IdP, the SP needs to discover which IdP the user belongs to. With simpleSAMLphp you can:
• Implement a centralized discovery service run by the Federation Operator
• Implement the built-in discovery service on the SP side; it works by displaying IdP entries from metadata

IdP point of view – Authentication
The user is redirected to the IdP site, where she is asked to enter username/password. Thus the process of authentication is started.

IdP point of view – Authentication
When the IdP gets the username/password, it must authenticate the user against some database. Authentication methods that come with the simpleSAMLphp distribution:
• LDAP
• SQL
• RADIUS
• List of username/password
• OpenID, Facebook, Twitter, MySpace, LinkedIn, ...
If you don’t find your authentication source on the list, you can write a custom authentication module.

IdP point of view – Identity Management
Regardless of which database user identities are stored in, it is important that data about the user is correct.
IdM: set of procedures and rules which define:
1. Who has the right to own a digital identity
2. When a digital identity is assigned to a person
3. How a digital identity is maintained
4. How the digital identity is used
5. How the digital identity is terminated
Must comply with national personal data protection law and the EU Data Protection Directive

IdP point of view – Attribute Release
After the user is authenticated, the IdP can release some attributes about the user to the SP. But some principles are important!
General rules:
• release only attributes which the SP really needs
• release attributes according to a pre-agreed syntax (schemas)
With simpleSAMLphp, the IdP can:
• Filter out a subset of available attributes that are sent to an SP
• Modify names or values of attributes
• Add new attributes
• Generate new attributes that are composed of others

IdP point of view – Consent
Before attribute release, the IdP can ask the user for consent to release the user’s data. This is very important from the perspective of national and international laws on the protection of user data.
EU Data Protection Directive: Consent – data should not be disclosed without the data subject’s consent.

IdP point of view – Consent
A consent module is available in simpleSAMLphp.
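The attribute-release and consent slides above list what the IdP can do with attributes; the configuration below is an added example (it is not from the slides and not AMRES’s configuration) of how those steps look as simpleSAMLphp authentication processing filters in the IdP metadata. The entity ID, key and certificate file names, the authsource name 'example-ldap', the SP 'https://sp.example.org/' and the attribute values are placeholders; the filter classes (core:PHP, core:AttributeAdd, core:AttributeAlter, core:AttributeLimit, consent:Consent, core:AttributeMap) are the ones shipped with simpleSAMLphp.

```php
<?php
// Added example, not from the slides: attribute release policy for a
// simpleSAMLphp IdP. Entity IDs, file names, the authsource name and the SP
// 'https://sp.example.org/' are made-up placeholders.

// --- metadata/saml20-idp-hosted.php ------------------------------------
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',       // placeholder key/cert file names
    'certificate' => 'idp.crt',
    'auth'        => 'example-ldap',  // authsource from config/authsources.php

    // Filters run in priority order after the user has authenticated.
    'authproc' => [
        // Generate a new attribute composed of others (givenName + sn).
        10 => [
            'class' => 'core:PHP',
            'code'  => '
                if (isset($attributes["givenName"][0], $attributes["sn"][0])) {
                    $attributes["displayName"] = [
                        $attributes["givenName"][0] . " " . $attributes["sn"][0],
                    ];
                }
            ',
        ],
        // Add a new, static attribute: the home organization (placeholder).
        20 => [
            'class' => 'core:AttributeAdd',
            'schacHomeOrganization' => ['example.org'],
        ],
        // Modify attribute values: normalise an old mail domain with a regex.
        30 => [
            'class'       => 'core:AttributeAlter',
            'subject'     => 'mail',
            'pattern'     => '/@mail\.example\.org$/i',
            'replacement' => '@example.org',
        ],
        // Minimal default release set. Anything not listed is dropped; an SP
        // entry with its own 'attributes' list (see below) overrides the set.
        50 => [
            'class'   => 'core:AttributeLimit',
            'default' => true,
            'eduPersonPrincipalName', 'eduPersonAffiliation', 'displayName',
        ],
        // Ask the user for consent before release; the decision is
        // remembered in a cookie, and nothing is pre-checked for the user.
        90 => [
            'class'   => 'consent:Consent',
            'store'   => 'consent:Cookie',
            'focus'   => 'yes',
            'checked' => false,
        ],
        // Modify attribute names: send urn:oid names, the agreed schema.
        95 => ['class' => 'core:AttributeMap', 'name2oid'],
    ],
];

// --- metadata/saml20-sp-remote.php -------------------------------------
// Per-SP release: this library SP gets only what it needs for its purpose
// (authorization, a persistent ID and e-mail notifications).
$metadata['https://sp.example.org/'] = [
    'AssertionConsumerService' =>
        'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService' =>
        'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    'attributes' => ['eduPersonPrincipalName', 'eduPersonAffiliation', 'mail'],
];
```

The order matters: the composing, adding and altering filters run first so the limit filter sees the final attribute set, the consent screen then shows the user exactly what will leave the IdP, and the name mapping runs last so both the limit lists and the consent page use the readable names.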

SP point of view – Attribute processing
Attributes help the SP to:
• Make authorization decisions – students/employees have different permissions
• Make services personalized for users – the SP needs a persistent user ID so it can save user preferences
• Give the user some additional service – the SP needs the user’s e-mail address to send e-mail notifications
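The "protect access" and "attribute processing" slides describe what the SP does once simpleSAMLphp hands it the released attributes. The page below is an added example, not code from the slides or from AMRES: it protects itself with simpleSAMLphp and then uses the attributes for exactly the three purposes listed. Assumptions: simpleSAMLphp is installed under /var/simplesamlphp, the SP authsource in config/authsources.php is named 'default-sp', and the IdP releases eduPersonAffiliation, eduPersonPrincipalName and mail (standard eduPerson/LDAP attribute names).

```php
<?php
// Added example, not from the slides: a page on a simpleSAMLphp-protected
// SP using released attributes for authorization, personalization and
// notifications. Install path and authsource name are assumptions.
require_once '/var/simplesamlphp/lib/_autoload.php';

// Protect access: an unauthenticated user is sent to IdP discovery, then to
// her IdP, and returns here with a SAML assertion; only then does the
// script continue.
$as = new \SimpleSAML\Auth\Simple('default-sp');  // SimpleSAML_Auth_Simple in 1.x
$as->requireAuth();
$attributes = $as->getAttributes();              // every value is an array of strings

/** First value of a possibly multi-valued attribute, or null if absent. */
function firstValue(array $attributes, string $name): ?string
{
    return isset($attributes[$name][0]) ? (string) $attributes[$name][0] : null;
}

/** HTML-escape a value that came from a third party (the IdP). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 1. Authorization: students and employees have different permissions.
//    The role is derived only from what the IdP asserted, never from input
//    the user can change.
$affiliations = $attributes['eduPersonAffiliation'] ?? [];
if (array_intersect(['employee', 'faculty', 'staff'], $affiliations)) {
    $role = 'employee';
} elseif (in_array('student', $affiliations, true)) {
    $role = 'student';
} else {
    http_response_code(403);
    exit('Access denied: your identity provider released no usable affiliation.');
}

// 2. Personalization: a persistent identifier keys the stored preferences.
//    Fail closed if it is missing; otherwise preferences could be mixed up.
$persistentId = firstValue($attributes, 'eduPersonPrincipalName');
if ($persistentId === null) {
    http_response_code(403);
    exit('Access denied: no persistent identifier released.');
}
// Key the preference record by asserting IdP plus identifier, so two IdPs
// that happen to assert the same value can never share a record.
$prefKey = hash('sha256', $as->getAuthData('saml:sp:IdP') . "\0" . $persistentId);

// 3. Additional service: e-mail notifications need the mail attribute.
//    A missing or malformed address only disables notifications.
$mail = firstValue($attributes, 'mail');
$canNotify = $mail !== null && filter_var($mail, FILTER_VALIDATE_EMAIL) !== false;

// Render; attribute values are escaped on output.
header('Content-Type: text/html; charset=utf-8');
echo '<h1>Welcome, ', h($role), '</h1>';
echo '<p>Preference record: ', h($prefKey), '</p>';
echo $canNotify
    ? '<p>Notifications will be sent to ' . h($mail) . '</p>'
    : '<p>Notifications disabled: no e-mail address was released.</p>';
echo '<p><a href="', h($as->getLogoutURL()), '">Log out</a></p>';
```

The two denials are deliberate: an SP that silently falls back to a guest role when the affiliation is missing, or that keys preferences on a non-persistent value, turns a configuration gap on the IdP side into an authorization or privacy problem on the SP side.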

Decide for Federation architecture
3 possibilities:
• Full mesh
• Centralized
• Hub and spoke
Choosing one is very important because it heavily depends on the state the institutions are in.

Full mesh (diagram)
Federation operator: federation metadata, discovery service.
Institutions A and C each run their own Identity Provider: authentication, Identity Management, attribute filtering, consent, SSO, SLO.
Institutions B and D each run their own Service Provider: discovery service, authorization.

Hub and spoke (diagram)
Federation operator (hub): federation metadata, discovery service, attribute filtering, consent, SSO, SLO.
Institutions A and C each run an Identity Provider: authentication, Identity Management.
Institutions B and D each run a Service Provider: discovery service, authorization.

Centralized (diagram)
Federation operator: federation metadata, discovery service, and the single Identity Provider with authentication, attribute filtering, consent, SSO, SLO.
Institutions A and C keep only Identity Management.
Institutions B and D each run a Service Provider: discovery service, authorization.

AMRES AAI
What was our starting point:
• Institution administrators have less knowledge
• Institutions have different databases => no centralized federation
• No institution has its own SSO
We decided for:
• simpleSAMLphp
• Full mesh, made as lightweight as possible: metadata management tool, attribute release recommendations, ...

AMRES AAI
We have set up a test environment. Next steps:
• Hold a hands-on workshop with a few chosen institutions which will continue in the PILOT AAI
• Get experience in the PILOT, evaluate the chosen solution, make some changes if needed
• Start PRODUCTION, continue with workshops
• Get/deploy new user services which would attract institutions

Thank you for your attention
Questions? Or write to marina.vermezovic@rcub.bg.ac.rs