Sakai Amsterdam 130607
1. Federation With The Guanxi Shibb Kit
Sakai Conference, Amsterdam
June 13th 2007
Alistair Young
Senior Software Engineer
Àrd-Innleadair air Bathar-bog (the same title, in Gaelic)
UHI@Sabhal Mòr Ostaig
3. On the menu today
“I hope sir is hungry”
The Guanxi Project overview
What does integration mean for an IdP?
The Guanxi Shibb Kit
Wrapping up
Questions
4. Hors d’oeuvres: The Guanxi Project overview
“who are those strange users in my system?”
(a Shibboleth admin)
5. What is Guanxi?
“...you scratch my back, I’ll scratch yours”
In the Chinese business world, “Guanxi” is understood as the network of relationships among various parties that cooperate and support one another.
Guanxi has three main objectives:
To implement the Shibboleth 1.2 specification in a web services (WS) architecture and within a VLE
To extend and develop intra/inter-institutional AA (authentication and authorisation) functions
To create and use Shibboleth federations
6. The Guanxi Project
UK JISC funded Core Middleware Project
Collaboration:
UHI Millennium Institute (lead partner)
University of Leeds
University of Oxford
Core Guanxi: IdP, SP, WAYF
7. The Guanxi Project
Who is Guanxi? (i.e., who to blame...)
8. A Wee Bit Of Grammar
“To Shibb or not to Shibb, that is the question...”
(Shakespeare, apparently)
Introducing the verb, to shibb:
To bang one’s head repeatedly against a hard surface
To age prematurely
To curse PKI
To hallucinate and drool for a metadata editor
Finally, to let anyone and their dog into your systems!
9. Web Service Enabled Service Provider
[Diagram: a Federation server hosting the federation SP and the WAYF; an org2 server hosting the Filter, the Webapp and resource-specific access-control modules; org1’s IdP with its SSO and AA. The numbered steps below follow the arrows.]
1. Institutional user@org1 accesses a resource at org2
2. Filter sets up a WS-Callback with the federation SP
3. Filter redirects the user to the federation WAYF
4. User’s SSO authenticates them
5. SSO replies to the federation SP
6. Federation SP requests attributes on behalf of the Filter
7. User’s AA sends attributes to the federation SP
8. Federation SP invokes the WS-Callback to the Filter, which retrieves its attribute request data
9. Filter makes the access decision based on the attributes gathered by the federation SP
Distributed architecture
Institutional SAML Server, satellite Guards
Can scale SAML servers to balance load
10. Starter: What does integration mean for an IdP?
11. Identity Provider
“I am, therefore my IdP knows about me...”
(famous philosopher)
It’s the Identity Provider’s job to:
Get you authenticated, somehow, anyhow
Release attributes about you: affiliation, membership etc.
Authentication is out of scope of the Shibboleth profile
Do it any way you want! LDAP, JDBC, secret handshake while standing on one leg with trouser leg rolled up!
Attributes can be gathered from multiple stores
Get them from eDirectory, Active Directory, VLE
Guanxi aggregates and “SAMLises” them
Only released subject to an Attribute Release Policy (ARP)
12. What is integration?
“how many webapps can a web.xml withstand?”
(17th century children’s rhyme)
The IdP can be standalone, linked to backend systems
SP oriented: users authenticate when they access a remote, shibbed resource
Confusing if they have already logged in to the institutional portal or VLE. Why authenticate twice?
Or it can be embedded in an institutional application...
...VLE, Portal, Identity Management System etc.
IdP oriented: users authenticate once, in the VLE, and access shibbed resources seamlessly
The VLE is already linked to backend systems
Introduces the concept of “logging in to your IdP”
Log in first thing, ready to shibb all day
13. Mapping attributes
“You’re not putting that in there...”
(our Novell admin)
The JISC UK federation mandates use of eduPerson
But we don’t have eduPerson support in our eDirectory
Our admin jumps up and down when we ask for it
“oh yes, you’re asking for it all right”, he shouts!
Not to worry. The Guanxi IdP will map any attribute to any other
An example is the Athens “userRole” attribute. We don’t have it in eDirectory either, so we map our users’ LDAP DN to their userRole
Bodington uses the Guanxi IdP to map its internal membership roles to eduPerson
Sakai can now map its User object to eduPerson attributes and release them
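The mapping and release steps from slides 11 and 13, worked through as an added example. This is not Guanxi’s code (Guanxi is written in Java); it models the same two behaviours in Python: a local eDirectory record with no eduPerson schema is mapped onto eduPerson and Athens attribute names (the DN-to-userRole rule the slide mentions, here assumed to take the role from the DN’s ou component), the result is filtered through a per-SP Attribute Release Policy with default deny, and the survivors are rendered as a SAML 1.1 AttributeStatement using the Shibboleth 1.x attribute naming convention. The record, scope, rules and SP entityIDs are constructed for the example.

```python
"""Attribute mapping and release for a Guanxi-style IdP (added example).

Not Guanxi's own code (Guanxi is written in Java): this models in Python what
slides 11 and 13 describe. Local directory attributes (an eDirectory record
with no eduPerson schema) are mapped onto eduPerson / Athens names, and the
result is released to a Service Provider only as the Attribute Release Policy
(ARP) for that SP allows. The record, scope, rules and entityIDs are assumed.
"""
from typing import Callable, Dict, List
import xml.etree.ElementTree as ET

Record = Dict[str, object]
Attrs = Dict[str, List[str]]
Rule = Callable[[Record], List[str]]

SCOPE = "example.ac.uk"  # assumed institutional scope for scoped attributes

# Constructed eDirectory record: no eduPerson attributes in it, as in the talk.
LDAP_USER: Record = {
    "dn": "cn=ayoung,ou=staff,o=uhi",
    "cn": "ayoung",
    "mail": "ayoung@example.ac.uk",
    "groupMembership": ["cn=staff,ou=groups,o=uhi", "cn=guanxi-dev,ou=groups,o=uhi"],
}


def rdn_values(dn: str, attr: str) -> List[str]:
    """Values of one RDN attribute in a DN: rdn_values('cn=a,ou=staff,o=x', 'ou') -> ['staff']."""
    found = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == attr.lower() and value:
            found.append(value)
    return found


AFFILIATIONS = ("staff", "student", "member")  # eduPersonAffiliation values we derive

# Mapping rules: eduPerson/Athens name -> how to derive it from the local record.
# The DN -> userRole rule is the slide's "map our users' LDAP DN to their userRole";
# taking the role from the ou component is this example's assumption.
RULES: Dict[str, Rule] = {
    "eduPersonPrincipalName": lambda r: [f"{r['cn']}@{SCOPE}"],
    "mail": lambda r: [r["mail"]],
    "eduPersonAffiliation": lambda r: sorted(
        cn for g in r["groupMembership"] for cn in rdn_values(g, "cn") if cn in AFFILIATIONS),
    "userRole": lambda r: rdn_values(r["dn"], "ou"),
}


def map_attributes(record: Record, rules: Dict[str, Rule]) -> Attrs:
    """Apply every rule; a rule that yields nothing produces no attribute at all."""
    mapped: Attrs = {}
    for name, rule in rules.items():
        values = [v for v in rule(record) if v]
        if values:
            mapped[name] = values
    return mapped


# ARP: which attributes each SP (by entityID) may receive. Default deny: an SP
# not listed here gets nothing, and a listed SP gets only the attributes named.
ARP: Dict[str, List[str]] = {
    "https://sp.example.org/shibboleth": ["eduPersonPrincipalName", "eduPersonAffiliation"],
    "https://athens.example.net/sp": ["userRole"],
}


def release(attrs: Attrs, sp_entity_id: str, arp: Dict[str, List[str]]) -> Attrs:
    """Keep only the attributes the ARP allows for this SP."""
    allowed = set(arp.get(sp_entity_id, []))
    return {name: values for name, values in attrs.items() if name in allowed}


def attributes_for(record: Record, sp_entity_id: str) -> Attrs:
    """The whole AA step: map from the directory, then filter through the ARP."""
    return release(map_attributes(record, RULES), sp_entity_id, ARP)


SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"  # Shibboleth 1.x attribute namespace
ET.register_namespace("saml", SAML_NS)


def samlise(attrs: Attrs, name_identifier: str) -> str:
    """Render released attributes as a SAML 1.1 AttributeStatement (Shibboleth 1.x naming)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    subject = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier").text = name_identifier
    for name, values in sorted(attrs.items()):
        attribute = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                                  AttributeName=f"urn:mace:dir:attribute-def:{name}",
                                  AttributeNamespace=ATTR_NS)
        for value in values:
            ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    for sp in list(ARP) + ["https://unknown.example/sp"]:
        print(sp, attributes_for(LDAP_USER, sp))
    print(samlise(attributes_for(LDAP_USER, "https://sp.example.org/shibboleth"), "ayoung"))
```

The point to check in any real ARP is the default: an SP that is not in the policy must receive nothing, and a mapping rule that cannot be satisfied must produce no attribute rather than an empty one, otherwise the SP sees a value it cannot interpret and may treat it as a match.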
14. Sakai + Guanxi
A Shibboleth compatible Virtual Learning Environment
[Diagram: a Sakai VLE with an embedded Guanxi IdP, acting as a Guanxi Shibb Gateway, giving true SSO to a Guanxi SP, to Athens and to a Shibboleth SP.]
Minimal configuration: self-signed certs are auto generated
User and Group information exposed as eduPerson attributes by Guanxi
Can log in to your IdP to create users and manage their access rights
15. Single Sign On
“I have too many passwords!”
(a user)
SSO means different things to different people
It used to mean a single username/password; you still had to authenticate multiple times
It is starting to mean just what it says on the tin: log in once and the middleware takes care of the multiple authentication problem
But you need an integrated IdP to get true SSO
Shibboleth disappears. Users never see the IdP. All they see is their VLE or Portal login page, once
16. Main course: The Guanxi Shibb Kit
17. Guanxi Shibb Kit (GSK)
Shibboleth is complementary to normal Sakai operation
Works with Sakai 2.4+
Self contained in the /portal-shibb portal
Does not replace any Sakai authentication/authorisation features
The Shibb portal is a holding area while users are authenticated by their Identity Provider and their attributes retrieved from their Attribute Authority
When they pass muster, a Pod is constructed with their SAML attributes and acts as a store for the Guanxi UserDirectoryProvider and GroupProvider
Pods are persisted so a shibb user is always “there” in Sakai, subject to SAML attribute lifetimes
18. Promotion to /portal
Once a user has a valid Pod, the Shibb portal “logs them in” to Sakai and redirects them to the main portal
The Shibb portal requires the main Sakai to be using the federated versions of the User and Group providers:
FilterUserDirectoryProvider
FilterGroupProvider
The Pod acts as a UserDirectoryProvider and GroupProvider, using its SAML attributes and their TTLs
Once the user is kitted out with a Sakai profile courtesy of the GSK, they are free to wander around Sakai as normal, with their Pod acting as their information provider
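What a Pod does with attribute lifetimes, and how the filter providers sit in front of it, as an added example for slides 17 and 18. This is not the GSK’s code (the GSK is Java); it is a Python model of the same design: a Pod stores each released attribute together with the NotOnOrAfter of the assertion it came in, a Pod-backed user and group provider only answer while those attributes are valid, federated users never authenticate locally, and a filter provider asks the Pod provider before the local (LDAP-style) one. The class names, the attribute and entityID values, the clock and the local accounts are this example’s assumptions.

```python
"""Pods with attribute lifetimes and the filter provider chain (added example).

Not the GSK's own code (the GSK is Java): this models in Python what slides 17
and 18 describe. A Pod holds a federated user's SAML attributes, each with the
lifetime its assertion carried, and answers lookups only while they are valid.
Class names, attribute names, entityIDs, users and the clock are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Clock = Callable[[], float]

@dataclass
class SamlAttribute:
    """One released attribute plus the NotOnOrAfter of the assertion it arrived in."""
    values: List[str]
    not_on_or_after: float  # epoch seconds

    def valid(self, now: float) -> bool:
        return now < self.not_on_or_after

@dataclass
class Pod:
    """What the shibb portal builds once a user has passed muster at their IdP."""
    eid: str  # Sakai enterprise id, taken from a scoped SAML attribute
    idp_entity_id: str
    attributes: Dict[str, SamlAttribute] = field(default_factory=dict)

    def get(self, name: str, now: float) -> Optional[List[str]]:
        attr = self.attributes.get(name)
        return attr.values if attr is not None and attr.valid(now) else None

    def alive(self, now: float) -> bool:
        """Once every attribute has expired the Pod can no longer vouch for the user."""
        return any(a.valid(now) for a in self.attributes.values())

def build_pod(idp_entity_id: str, released: Dict[str, List[str]], not_on_or_after: float,
              eid_attribute: str = "eduPersonPrincipalName") -> Pod:
    """Turn the attributes an IdP released (and the assertion lifetime) into a Pod."""
    attrs = {n: SamlAttribute(list(v), not_on_or_after) for n, v in released.items()}
    return Pod(eid=released[eid_attribute][0], idp_entity_id=idp_entity_id, attributes=attrs)

class PodStore:
    """Persisted Pods keyed by eid (a dict here; the GSK persists them)."""
    def __init__(self) -> None:
        self._pods: Dict[str, Pod] = {}

    def put(self, pod: Pod) -> None:
        self._pods[pod.eid] = pod

    def get(self, eid: str, now: float) -> Optional[Pod]:
        pod = self._pods.get(eid)
        return pod if pod is not None and pod.alive(now) else None

class PodUserDirectoryProvider:
    """User lookups answered from Pods; federated users have no local password."""
    def __init__(self, store: PodStore, clock: Clock = time.time) -> None:
        self.store, self.clock = store, clock

    def user_exists(self, eid: str) -> bool:
        return self.store.get(eid, self.clock()) is not None

    def authenticate(self, eid: str, password: str) -> bool:
        return False  # authentication happened at the user's IdP, never here

class PodGroupProvider:
    """Group membership derived from the Pod's eduPersonAffiliation values."""
    def __init__(self, store: PodStore, clock: Clock = time.time) -> None:
        self.store, self.clock = store, clock

    def groups_for(self, eid: str) -> List[str]:
        now = self.clock()
        pod = self.store.get(eid, now)
        return list(pod.get("eduPersonAffiliation", now) or []) if pod else []

class LocalUserDirectoryProvider:
    """Stand-in for the LDAP provider: constructed local accounts and passwords."""
    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users

    def user_exists(self, eid: str) -> bool:
        return eid in self.users

    def authenticate(self, eid: str, password: str) -> bool:
        return self.users.get(eid) == password

class FilterUserDirectoryProvider:
    """The provider /portal must use: ask the Pod provider first, then the local one."""
    def __init__(self, pod_provider: PodUserDirectoryProvider,
                 local_provider: LocalUserDirectoryProvider) -> None:
        self.chain = [pod_provider, local_provider]

    def user_exists(self, eid: str) -> bool:
        return any(p.user_exists(eid) for p in self.chain)

    def authenticate(self, eid: str, password: str) -> bool:
        # Only the provider that knows the user answers, so a Pod user's always-failing
        # password check never falls through to a local account of the same name.
        for provider in self.chain:
            if provider.user_exists(eid):
                return provider.authenticate(eid, password)
        return False

IDP = "https://idp.example.ac.uk/shibboleth"  # assumed
RELEASED = {"eduPersonPrincipalName": ["ayoung@example.ac.uk"], "eduPersonAffiliation": ["staff"]}
LOCAL_USERS = {"admin": "s3cret"}  # constructed

def scenario(lifetime_s: float = 3600.0) -> Dict[str, Dict[str, object]]:
    """Walk one Pod through its life: lookups while live, then after its attributes expire."""
    now = [1_000_000.0]
    store = PodStore()
    store.put(build_pod(IDP, RELEASED, now[0] + lifetime_s))
    groups = PodGroupProvider(store, lambda: now[0])
    users = FilterUserDirectoryProvider(PodUserDirectoryProvider(store, lambda: now[0]),
                                        LocalUserDirectoryProvider(LOCAL_USERS))
    eid = RELEASED["eduPersonPrincipalName"][0]

    def observe() -> Dict[str, object]:
        return {"exists": users.user_exists(eid), "groups": groups.groups_for(eid),
                "login": users.authenticate(eid, "anything"),
                "local_login": users.authenticate("admin", "s3cret")}

    live = observe()
    now[0] += lifetime_s + 1  # the assertion's NotOnOrAfter has passed
    return {"live": live, "expired": observe()}

if __name__ == "__main__":
    print(scenario())
```

Two design points worth carrying into a real deployment. The Pod provider answers first in the chain, so the enterprise id taken from the SAML attributes must be one a remote IdP cannot make collide with a local account name; a scoped identifier such as eduPersonPrincipalName does that, a bare cn would not. And expiry is checked on every lookup against the assertion’s own lifetime, so a user whose attributes have lapsed simply ceases to exist in Sakai until they go through the Shibb portal again.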
19. One stop shibb shop
(say that when you’re drunk!)
[Diagram: /portal-shibb contains the Service Provider (Guard and Engine), the IdP and the WAYF.]
All Shibboleth functionality in one place
Enabled/disabled by a setting in sakai.properties
The Shibb portal contains everything Sakai needs to work in a Shibboleth federation
Does not require Apache, only a servlet container, e.g. Tomcat
20. GSK Architecture
[Diagram: two paths into Sakai. A remote user is sent by browser redirects to their IdP to authenticate; the IdP returns attributes to the Guard Engine in /portal-shibb, and the resulting Pod backs PodUserDirectoryProvider and PodGroupProvider. A normal Sakai user comes in through /portal and the worksite tools, where FilterUserDirectoryProvider and FilterGroupProvider front both the Pod providers and the Guanxi LDAPUserDirectoryProvider / LDAPGroupProvider.]
21. Embedded IdP
[Diagram: the embedded IdP serves auth requests at /portal-shibb/SSO and attribute queries at /portal-shibb/AA, built from SakaiCookieHandler, SakaiAuthenticator, SakaiAttributor and a mapper.]
SakaiAuthenticator delegates to the Sakai authentication system
SakaiAttributor uses Sakai for user information
SakaiCookieHandler traps authentication requests
Only need to log in once to access multiple SPs
The IdP’s mapper changes Sakai attributes to any other attributes
22. Embedded SP
[Diagram: user requests to Sakai #1 arrive at /portal-shibb/gx and are intercepted by the Guard (/portal-shibb/guard.*); the Engine (/portal-shibb/engine.*) handles authentication, via the WAYF if needed, and attribute retrieval against the user’s IdP, which here is Sakai #2; the Guard then makes the authorisation decision.]
Fully self contained. Sakai has a Guard and an Engine
The Guard blocks requests to /portal-shibb/gx
The Guard is a holding pen for users while they are authenticated by their IdP, which could be another Sakai
The SAML Engine takes care of all Shibboleth and SAML functionality
23. External SAML Engine
[Diagram: one Guanxi SAML Engine at http://sakaiproject.org/samlengine serving the Guards of several normal Sakai instances.]
Rather than each Sakai instance having its own SAML Engine, with its maintenance and configuration overhead:
A central SAML Engine, hosted by sakaiproject
Each Sakai Guard is configured to talk to the sakaiproject.org Engine
Sakai instances do not need to know about SAML or Shibboleth
24. Pudding (indigestion): Wrapping up
25. In the pipeline
A Shibboleth tool to provide a configuration GUI
Expose individual Sakai tools as Shibboleth Service Providers
Allow tools to specify which attributes they require for access
Enhance the Sakai providers to allow proper internal federation
Each UDP knows which users belong to it
No need to search the chain of providers
26. Chucking out time
(one more waffer theen meent, sir?)
Guanxi project website - http://www.guanxi.uhi.ac.uk/wiki
GSK documentation - http://www.guanxi.uhi.ac.uk/drguanxi/index.php/Sakai_Guanxi_Shibb_Kit
The GSK is in contrib
Guanxi mailing list - guanxi-development@lists.sourceforge.net
Email - alistair@smo.uhi.ac.uk