Sunday, December 2, 2012

SSO Shibboleth

Shibboleth is a popular open source single sign-on (SSO) framework. With SSO we avoid having many password accounts for different applications, which would increase the phishing risk, the eavesdropping risk and the revocation problem (you would need to cancel or change the password of every account in every application).

Other features of Shibboleth:
  • federated: e.g. you can use a nation-wide IdP such as SURFnet in the Netherlands, and SURFnet then communicates with your local (university) IdP to authenticate you.
  • the application (via the SP) can obtain user metadata (e.g. employeeID, email) from the IdP
  • the SP and the IdP communicate using the standard SAML format

Shibboleth consists of two parts: the Service Provider (SP), an Apache module that sits next to your web application in the Apache web server, and the Identity Provider (IdP), a server that authenticates the user against an authentication source, e.g. LDAP, a database, password files, a SAML security provider (e.g. A-Select), an OAuth security provider such as Google, etc. The SP consists of the shibd daemon and the shib Apache module.

The flow of Shibboleth is as follows:

1. The user browses to a web application. In the Apache config, this web application is declared as protected by Shibboleth.
2. The user is redirected to the IdP for authentication. The IdP uses an authentication source (e.g. LDAP) to authenticate the user.
3. The IdP sends the security assertion to the SP (via the client session cookie).
4. The SP can obtain user metadata (e.g. employeeID, email) from the IdP.
5. The SP grants access to the application.

SSO for web services

An interesting idea about using Shibboleth SSO for web services:
since Oracle OSB can access HTTP headers, it is possible to use Shibboleth SSO in OSB web service proxies.
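The Apache side of the flow above (step 1, declaring the application as protected) and the header-based hand-off behind the OSB idea, as an added example that is not configuration from the post. It assumes shibd and mod_shib are installed, that shibboleth2.xml already points at your IdP, and that the application lives under /secure; the /osb-proxy path and the backend address are hypothetical.

```apache
# Added example, not from the post. Assumes shibd + mod_shib are installed and
# shibboleth2.xml already knows the IdP (e.g. SURFnet).
<Location /secure>
    AuthType shibboleth
    # Require a Shibboleth session: a user without one is sent to the IdP
    # (flow steps 1 and 2); after the assertion is consumed, access is granted (step 5).
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

# Attributes released by the IdP (flow step 4) reach the application as
# environment variables named in the SP's attribute-map.xml (e.g. mail),
# plus SP-set variables such as Shib-Session-ID and REMOTE_USER.
# Only when the consumer can read nothing but HTTP headers (the OSB proxy
# idea above) export them as headers as well. mod_shib clears the headers it
# would set before handling a request, but anything behind this Apache must
# accept traffic only from it; otherwise a client talking to the backend
# directly can supply its own header values.
<Location /osb-proxy>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    require valid-user
    # hypothetical backend: forward the authenticated request, headers included,
    # to the OSB proxy service (needs mod_proxy and mod_proxy_http)
    ProxyPass http://osb.example.internal:7001/
</Location>
```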


Exercise: SP install & config to connect to the Dutch SURFnet IdP using Shibboleth:

Shibboleth security checklist:

Want to establish your own IdP? SimpleSAML is one of the easy frameworks:

Source: Steve's blogs

Any comments are welcome :)
