Shibboleth SSO and Drupal

Presented by Justin Ludwig (jludwig) at BADCAMP 2013

25 1st St., Suite 104, Cambridge, MA 02141 | www.BioRAFT.com
Who is Justin Ludwig?
• Jludwig on drupal.org
• Tech Virtuoso
• Software Engineer @ BioRAFT
• Drupal for about 6 years, when D5 was new.
• Resides in South Bay w/beautiful wife and
adorable fur-baby.
• Musical family: lovers of Early Music, weird
music of today and everything in between.
What is ?
• “Preventing the next zombie apocalypse”
• Entirely built using Drupal, SaaS model
• Lab Safety, Compliance & Training Software
• Comprehensive and efficient hazard
tracking, compliance management, & training
delivery
• In use at top tier research institutions, and at
top ten biotech & pharmaceutical companies
Shibboleth: A Brief History
• A shibboleth (/ˈʃɪbəlɛθ/[1] or /ˈʃɪbələθ/)[2] is a word, sound, or custom that a person unfamiliar with its significance may not pronounce or perform correctly relative to those who are familiar with it. It is used to identify foreigners or those who do not belong to a particular class or group of people. It also refers to features of language, and particularly to a word or phrase whose pronunciation identifies a speaker as belonging to a particular group.
• Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" ( ).' If anyone said, "Sibboleth" ( ), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion. — Judges 12:5–6, NJB
• During World War II, some United States soldiers in the Pacific theater used the word lollapalooza as a shibboleth to challenge unidentified persons, on the premise that Japanese people often pronounce the letter L as R or confuse Rs with Ls; the word is also an American colloquialism that even a foreign person fairly well-versed in American English would probably mispronounce or be unfamiliar with.
JK, Rowling
A peek into the future
• What is single signon?
• What is Shibboleth?
How does it work?
• SAML? IdP? SP? WTF?
• Leveraging Drupal &
Shib_Auth.module
• Resources
What is Single Sign-On and WHY?
• Single sign-on (SSO) allows a user to use a
single username and password for multiple
services.
• Easier for the end user.
• Easier integration for staff.
• Better security (when used properly).
• The biggest reason…
Your Client Needs It!
• Higher Education, they use it.
• Government, they use it.
• Big corporations, they use it.
• Non-Profits, they should be using it.
Just a little Jargon…
• Security Assertion Markup Language (SAML): Fast, secure, robust XML-based open standard for SSO.
• Identity Provider (IdP): Authentication service; provides the user data.
• Service Provider (SP): Hosts the application that users wish to access.
Why Shibboleth?
• The most robust SAML
implementation.
• Tried and tested.
• Easy to use.
• Big community.
• Open source.
• Shib_Auth module.
How Shibboleth Works
1. User accesses protected resource.
2. The SP sends an authentication request to the IdP.
3. User authenticates to the IdP – Format of the request determined by config.
4. The IdP’s response is picked up at the ACS (Assertion Consumer Service) on the SP, which decodes it, does security checks, then creates a session for the user. Drupal then takes over.
POST Binding and Artifact Binding
• POST Binding: IdP returns POST that contains
SAML Assertion to SP. No direct
communication between IdP & SP.
• Artifact Binding:
1. IdP saves SAML Assertion to session and
redirects user to SP w/Artifact in query string.
2. SP requests SAML Assertion for Artifact from IdP
3. IdP returns Assertion w/matching Artifact.
4. SP validates assertion
Install and Configure Shibboleth
• Learn XML!
• http://www.w3schools.com/xml/
• Other Prerequisites
• Root access to the machine.
• Network Time Protocol (NTP)
• Basic understanding of SSL
• Basic understanding of server configuration
Install and Configure Shibboleth
Follow an installation guide. ;)
• https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
• If not using an officially supported distro, check package management repo.
• As always, Google is your friend.
A Little Configuration Jargon…
• EntityID: String used to identify your application across federation interactions.
• Metadata: What makes SAML work.
• Attributes: Info provided by the IdP. Configured in attribute-map.xml
Federations: No, you don’t need to wear the jumpsuit
• A group of IdPs and SPs that agree on a set of policies.
• Not 100% necessary, but greatly simplifies integration w/other federation members, management decisions, etc.
Config Files Overview
• /etc/shibboleth: Base directory for Shib config
• shibboleth2.xml: Most of the SP’s config opts.
• attribute-map.xml: Used to translate attributes from SAML assertions.
• Metadata: SP and IdP/Federation exchange metadata and this makes SAML work.
• Usually generated to /Shibboleth.sso/Metadata.
• A good base; invest in understanding contents.
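As an added illustration, not code from the talk, from the Shibboleth project or from shib_auth, the Python below applies the ACS security checks named in step 4 of "How Shibboleth Works" (Destination, InResponseTo, status, validity window, Audience, bearer confirmation) to a constructed IdP response, and then translates the assertion's attributes through a constructed attribute-map.xml fragment as the SP does before handing them to Drupal. The entityID, ACS URL, response and map fragment are all constructed for this example; XML signature verification, which the Shibboleth SP performs first, is assumed done and not shown.

```python
# Constructed example: the checks a SAML SP's Assertion Consumer Service applies
# to an IdP response, then attribute-map.xml style translation of the assertion's
# attributes into the short names handed to the application. XML signature
# verification, done by the Shibboleth SP before any of this, is out of scope.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AMAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"             # constructed entityID
ACS = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"       # constructed ACS URL

# Constructed IdP response as delivered by the HTTP-POST binding (unsigned).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="_req42" Version="2.0" Destination="{ACS}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-25T17:00:00Z">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS}"
            NotOnOrAfter="2013-10-25T17:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-10-25T16:59:00Z" NotOnOrAfter="2013-10-25T17:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed attribute-map.xml fragment (Shibboleth SP format): the attribute
# name on the wire is mapped to the short id exported to the application.
SAMPLE_ATTRIBUTE_MAP = f"""<Attributes xmlns="{AMAP_NS}">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2013-10-25T17:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp_entity_id, acs_url, request_id, now):
    """Return the list of failed ACS checks; an empty list means accept."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this ACS")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion present"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions"]
    if now < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid (check NTP / clock skew)")
    if now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("SP entityID is not an allowed Audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        problems.append("bearer confirmation does not name this ACS and request")
    elif now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")
    return problems


def map_attributes(xml_text, attribute_map_xml):
    """Apply an attribute-map.xml fragment to the assertion's AttributeStatement."""
    amap = {a.get("name"): a.get("id") for a in ET.fromstring(attribute_map_xml).iter(f"{{{AMAP_NS}}}Attribute")}
    out = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        short = amap.get(attr.get("Name"))
        if short is not None:  # attributes with no mapping are dropped, as the SP does
            out[short] = ";".join(v.text for v in attr.findall("saml:AttributeValue", NS))
    return out
```

Run `validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS, "_req42", _ts("2013-10-25T17:01:00Z"))` for an accepted response, or pass a later `now` to see why an NTP-skewed or replayed response is rejected; `map_attributes` yields the `eppn`/`mail` values that shib_auth reads.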
Leveraging Drupal
Shibboleth authentication module
• https://drupal.org/project/shib_auth
• Big ‘Thank you’ to shafter, bajnokk,
dorion, niff, and everyone else
involved in the project.
• 14,955 downloads, thousands report
using it.
• 4.x Branch for Drupal 6 and Drupal 7.
– Backported to D5 if anyone needs it.
What shib_auth gives you
• Automatic user creation and user login.
• Automatic role assignment.
• Account linking
• Logout Handling
Advanced Features in Shib_Auth
• User-defined usernames/e-mails
• Auto-Login
• Pre-creating Users
• User Consent Forms
• forceAuthn
Resources
• https://wiki.shibboleth.net/confluence/dashboard.action
• https://drupal.org/project/shib_auth
• https://www.testshib.org/index.html
• http://saml.xml.org/saml-specifications
• https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories
• http://shibboleth.net/community/lists.html
A look to the past
• What is single signon?
• What is Shibboleth?
How does it work?
• SAML? IdP? SP? WTF?
• Leveraging Drupal &
Shib_Auth.module
• Resources
Questions, comments, etc