Lenya and Shibboleth

5. With standards-based AAI
Diagram: one AAI spanning two home organizations and their services. University of Zurich: Web Mail, Course Reg., E-Learning. University of Berne: Research DB, Library, Student Admin. Authentication and authorization for all of these services go through the AAI.
6. Benefits
• Virtualized ID: Service providers can save registration and administration efforts
• Standardized interfaces: Service providers can easily integrate users of other organizations
• Standardized authentication: Users can access various services at different organizations with a single password
9. SWITCH AAI Attributes
• swissEduPersonUniqueID
• surname
• givenName
• swissEduPersonDateOfBirth
• swissEduPersonGender
• preferredLanguage
• mail
• swissEduPersonHomeOrganization
• swissEduPersonHomeOrganizationType
• ...
11. Accessing a Service

Sequence diagram (participants: Browser, SP, WAYF, IdP):
1. The browser requests a protected page from the SP.
2. The SP redirects the browser to the WAYF.
3. The WAYF shows the IdP selection and the user selects an IdP.
4. The WAYF redirects the browser to the IdP.
5. The IdP shows the login screen; the user enters username and password.
6. The IdP authenticates the user and returns a handle, via the browser, to the SP.
7. The SP sends an attribute request for that handle to the IdP.
8. The IdP provides the attributes.
9. Based on the attributes, the SP grants or denies access.
13. Available Software
• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within servlet 2.4 specification
• OLAT:
  • Custom SP impl. based on old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code
15. Authentication: Phase 1

Sequence diagram (participants: Browser, Main Sitemap, WAYF, IdP):
1. The browser requests a protected page from the main sitemap.
2. The main sitemap shows the login screen.
3. The user clicks the link to the WAYF.
4. The WAYF shows the IdP selection and the user selects an IdP.
5. The WAYF redirects the browser to the IdP.
6. The IdP shows the login screen; the user enters username and password.
7. The IdP authenticates the user and returns a handle, via the browser, to the main sitemap.
16. Authentication: Phase 2

Sequence diagram (participants: Browser, Main Sitemap, Authenticator Action, Shibboleth Authenticator, Attr. Request Service, IdP):
1. The browser delivers the handle to the main sitemap, which invokes the Authenticator Action.
2. The Authenticator Action passes the request to the Shibboleth Authenticator for authentication.
3. The Shibboleth Authenticator parses the SAML response and asks the Attr. Request Service for the user's attributes.
4. The Attr. Request Service sends the attribute request to the IdP; the IdP provides the attributes.
5. The Attr. Request Service parses the SAML attribute response and returns the attributes.
6. The Shibboleth Authenticator creates a transient user object and attaches it to the session.
17. Authentication: Classes

Class diagram:
• DelegatingAuthenticatorAction: act(...) : Map
• <<interface>> Authenticator: authenticate(Request)
  • UserAuthenticator: authenticate(Request)
  • ShibbolethAuthenticator: authenticate(Request)
• <<interface>> AttributeRequestService: requestAttributes(BPR) : Map
• <<interface>> AttributeTranslator: translateSamlAttributes(Map) : Map
• UserFieldsMapper: passAttributes(TransientUser, Map), getFirstName(), getLastName(), ...
21. AbstractGroup.contains()

    public boolean contains(Groupable member) {
        // Explicit membership first: the member was added to this group directly.
        boolean contains = members.contains(member);
        // Otherwise, a user is a member if the group's attribute rule
        // evaluates to true for that user's attributes.
        if (!contains && member instanceof User
                && getRule() != null) {
            User user = (User) member;
            AttributeRuleEvaluator evaluator
                = getAttributeRuleEvaluator();
            contains = evaluator.isComplied(user, getRule());
        }
        return contains;
    }
22. User Attributes: Classes

Class diagram:
• <<interface>> Groupable: getGroups() : Group[]
• <<interface>> Group: getMembers() : Groupable[], contains(Groupable); a Group has many (*) Groupable members
• <<interface>> User (a Groupable): getAttributeNames() : String, getAttributeValues(String) : String[]
• AbstractGroup (implements Group): contains(Groupable)
• AbstractUser (implements User): setAttributeValues(String, String[])
• <<interface>> RuleEvaluator: validate(String) : ValidationResult, isComplied(User, String) : boolean
  • JexlEvaluator
  • AntlrEvaluator
24. JEXL
• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expression language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No specific rule syntax check: any JEXL expression is accepted as a rule
  • It's difficult to identify dangerous code: a JEXL expression can call methods on any object reachable from its context, so a rule can do far more than compare attributes
25. ANTLR
• About ANTLR
  • ANother Tool for Language Recognition
  • Framework for recognizers, interpreters, parsers, ...
  • Based on LL(k) grammars
  • 3-clause BSD license
• Advantages
  • Custom grammar for strict syntax check
  • No dangerous code accepted
• Disadvantages
  • Maintenance and enhancements require specific knowledge
  • Default error messages are hard to understand
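The JEXL and ANTLR slides make one point: a rule language that accepts arbitrary expressions cannot be audited, while a purpose-built grammar rejects anything but attribute comparisons before evaluation. The following Python is an added example, not Lenya or OLAT code and not the grammar of Lenya's AntlrEvaluator. It hand-writes a recursive-descent parser for a deliberately tiny rule language (attribute == or != string literal, combined with !, &&, || and parentheses), then evaluates the parsed rule against a user's attribute map. The functions validate and is_complied mirror the RuleEvaluator interface from the class slide, and group_contains makes the same decision as AbstractGroup.contains(). The grammar, the function names, the rule texts and the sample user ALICE are assumptions of this example; only the attribute names come from the SWITCH AAI slide.

```python
import re
from typing import Dict, List, Optional, Tuple

# Grammar accepted here (an assumption of this example, not Lenya's own):
#   or  := and ("||" and)*        and := not ("&&" not)*
#   not := "!" not | "(" or ")" | NAME ("==" | "!=") STRING
# Nothing else tokenizes, so method calls, arithmetic or bare identifiers
# used as values are rejected before any evaluation happens.
TOKEN_RE = re.compile(r'\s*(?:(\|\||&&|==|!=|[!()])|([A-Za-z_][A-Za-z0-9_]*)|"([^"\\]*)")')
Attributes = Dict[str, List[str]]  # name -> values, like getAttributeValues(String) : String[]

class RuleSyntaxError(ValueError):
    """Any rule text outside the grammar above."""

def tokenize(rule: str) -> List[Tuple[str, str]]:
    """Split a rule into (kind, text) tokens; kind is op, name or str."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            bad = rule[pos:].lstrip()[0]
            raise RuleSyntaxError(f"unexpected character {bad!r} at offset {pos}")
        op, name, string = m.groups()
        tokens.append(("op", op) if op is not None else
                      ("name", name) if name is not None else ("str", string))
        pos = m.end()
    return tokens

class Parser:
    """Recursive-descent parser producing a small tuple-based AST."""
    def __init__(self, tokens: List[Tuple[str, str]]):
        self.tokens, self.i = tokens, 0

    def peek(self) -> Tuple[Optional[str], Optional[str]]:
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind: str, value: Optional[str] = None) -> str:
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise RuleSyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        node = self.parse_or()
        if self.i != len(self.tokens):  # two comparisons with no operator between them
            raise RuleSyntaxError(f"trailing input {self.peek()[1]!r}")
        return node

    def binary(self, operator, operand):
        node = operand()
        while self.peek() == ("op", operator):
            self.i += 1
            node = (operator, node, operand())
        return node

    def parse_or(self):  # && binds tighter than ||, as in Java
        return self.binary("||", lambda: self.binary("&&", self.parse_not))

    def parse_not(self):
        if self.peek() == ("op", "!"):
            self.i += 1
            return ("!", self.parse_not())
        if self.peek() == ("op", "("):
            self.i += 1
            node = self.parse_or()
            self.take("op", ")")
            return node
        name, op = self.take("name"), self.take("op")
        if op not in ("==", "!="):
            raise RuleSyntaxError(f"expected == or !=, got {op!r}")
        return ("cmp", name, op, self.take("str"))

def evaluate(node, attrs: Attributes) -> bool:
    """== holds if any value of the attribute equals the literal, != only if
    none does; a missing attribute behaves like one with no values."""
    if node[0] == "||":
        return evaluate(node[1], attrs) or evaluate(node[2], attrs)
    if node[0] == "&&":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    if node[0] == "!":
        return not evaluate(node[1], attrs)
    _, name, op, literal = node
    hit = literal in attrs.get(name, [])
    return hit if op == "==" else not hit

def validate(rule: str) -> Tuple[bool, str]:
    """Counterpart of RuleEvaluator.validate(String): a syntax check, no user needed."""
    try:
        Parser(tokenize(rule)).parse()
        return True, "ok"
    except RuleSyntaxError as err:
        return False, str(err)

def is_complied(attrs: Attributes, rule: str) -> bool:
    """Counterpart of RuleEvaluator.isComplied(User, String). A malformed rule
    raises instead of silently granting or denying, so a bad group config is noticed."""
    return evaluate(Parser(tokenize(rule)).parse(), attrs)

def group_contains(members: set, user_id: str, attrs: Attributes, rule: Optional[str]) -> bool:
    """Same decision as AbstractGroup.contains(): explicit members first, then the rule."""
    return user_id in members or (rule is not None and is_complied(attrs, rule))

# Constructed sample user; attribute names follow the SWITCH AAI slide.
ALICE: Attributes = {
    "swissEduPersonUniqueID": ["123456@unizh.ch"], "givenName": ["Alice"],
    "surname": ["Example"], "mail": ["alice@unizh.ch"], "preferredLanguage": ["de"],
    "swissEduPersonHomeOrganization": ["unizh.ch"],
    "swissEduPersonHomeOrganizationType": ["university"],
}
STAFF_RULE = ('swissEduPersonHomeOrganization == "unizh.ch" '
              '&& !(swissEduPersonHomeOrganizationType == "others")')
```

The property worth noticing is where rejection happens: a rule such as user.getClass().forName("java.lang.Runtime") fails in the tokenizer, before the parser or evaluator sees it, because neither "." nor a call syntax exists in the grammar. That is the "no dangerous code accepted" guarantee of the ANTLR approach, obtained here without a parser generator; the cost, as the slide says for ANTLR, is that every new operator has to be added to the grammar by hand.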