Implementing FAM - PowerPoint PPT Presentation

Provided by: rsclon

Transcript and Presenter's Notes
1
Implementing FAM
  • Coulsdon College

2
The Background
  • A very small further education college
  • 1300 students
  • Accessing around 8 online resources

3
Why Federated Access Management?
  • An opportunity to bring Athens authentication
    under curriculum IT
  • Cost
  • Hardware: minimal, a virtual server
  • Time: we were going to have to do something
    radical anyway!
  • Expertise: we had it, plus a Netskills course
  • Black box in the corner
  • Amount of support and documentation
    available, at least on Linux
  • https://spaces.internet2.edu/display/SHIB/WebHome

4
The Setup
  • SUSE Linux Enterprise Server 10.1
  • Tomcat 5.0
  • Apache 2.2.3 (including mod_proxy_ajp)
  • Shibboleth IdP 1.3.3

5
Next Steps ...
  • Join the UK Federation
  • Set up an SSL virtual host, either with standard
    self-generated certificates or, skipping a stage,
    with the TestShib certificates
  • Set up LDAP authentication in Apache
  • ProxyPass in the Apache config:
    ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
  • Open ports 443 and 8443 in the firewall.
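The Apache side of those steps, written out as an added example rather than the college's own configuration: a browser-facing SSL virtual host on 443 that LDAP-authenticates only the IdP's SSO endpoint and proxies the whole /shibboleth-idp/ path to Tomcat over AJP, plus a second virtual host on 8443 for the attribute authority, where the calling SP authenticates with its own certificate instead of a user logging in. The hostname, certificate and LDAP paths, the LDAP search URL and the /shibboleth-idp/SSO endpoint path (the Shibboleth 1.3 default) are assumptions; the AAUrl in idp.xml must point at whichever port actually carries the AA.

```apache
# Added example, not the college's configuration. Paths, hostnames and the LDAP URL are assumed.
Listen 8443

# Browser-facing: users log in here, then the IdP issues the SAML assertion.
<VirtualHost *:443>
    ServerName idp.coulsdon.ac.uk
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/idp.crt
    SSLCertificateKeyFile /etc/apache2/ssl/idp.key

    # Only the SSO endpoint needs an authenticated user. Apache sets REMOTE_USER,
    # AJP forwards it, and that name is the principal the resolver looks up.
    # Basic auth is tolerable only because this Location exists solely inside the TLS vhost.
    <Location /shibboleth-idp/SSO>
        AuthType Basic
        AuthName "Coulsdon College login"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.coulsdon.ac.uk/ou=people,dc=coulsdon,dc=ac,dc=uk?cn?sub?(objectClass=person)"
        Require valid-user
    </Location>

    # Everything under /shibboleth-idp/ is served by the webapp in Tomcat (slide's ProxyPass line).
    ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
</VirtualHost>

# SP-facing attribute authority: no user login. The SP presents its certificate;
# mod_ssl accepts it without CA validation (optional_no_ca) and exports it, AJP passes it
# through, and the IdP itself checks it against the federation metadata.
<VirtualHost *:8443>
    ServerName idp.coulsdon.ac.uk
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/idp.crt
    SSLCertificateKeyFile /etc/apache2/ssl/idp.key
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData

    ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
</VirtualHost>
```

Two checks worth doing before touching the federation: REMOTE_USER only reaches the IdP if Tomcat's AJP connector is configured with tomcatAuthentication="false", otherwise every login resolves to an empty principal; and the SSO Location must stay the only LDAP-protected path, since protecting /shibboleth-idp/ wholesale would put a password prompt in front of the AA that SPs call without a user present.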

6
Shibboleth
  • Download Shibboleth
  • Copy the endorsed directory to Tomcat's endorsed
    directory
  • Run ant from the install directory and fill in
    the paths
  • Restart Tomcat

7
IDP Configuration
  • 3 files
  • idp.xml describes your IdP (provider ID, endpoints,
    relying parties, credentials)
  • resolver.xml (here resolver.ldap.xml, as referenced
    from idp.xml) defines how attributes are built from
    the data connectors
  • arp.site.xml, the Attribute Release Policy, decides
    which attributes are released to which SPs.
  • The snippets on the following slides are excerpts
    from these files.

8
idp.xml
  <IdPConfig xmlns="urn:mace:shibboleth:idp:config:1.0"
      xmlns:cred="urn:mace:shibboleth:credentials:1.0"
      xmlns:name="urn:mace:shibboleth:namemapper:1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../schemas/shibboleth-idpconfig-1.0.xsd"
      AAUrl="https://idp.coulsdon.ac.uk/shibboleth-idp/testshib/AA"
      resolverConfig="file:/opt/shibboleth-idp/etc/resolver.ldap.xml"
      defaultRelyingParty="urn:mace:shibboleth:testshib"
      providerId="https://idp.coulsdon.ac.uk/shibboleth/testshib/idp">
9
UK Federation Core Attributes
  • Attributes are required by SPs for authorisation
    decisions
  • To facilitate interaction between IdPs and SPs,
    the UK Federation has defined a set of 4 core
    attributes (from the eduPerson schema)
  • eduPersonScopedAffiliation, e.g. student@coulsdon.ac.uk:
    the user's relationship with the organisation
  • eduPersonTargetedID: a pseudonym for
    personalisation; a persistent user pseudonym,
    distinct for each Service Provider
  • eduPersonPrincipalName, e.g. username@coulsdon.ac.uk:
    a persistent user identifier, consistent across
    different Service Providers. Not generally
    released.
  • eduPersonEntitlement: for asserting additional
    specific conditions that apply to a particular
    resource, e.g. medical students

10
resolver.xml
  <AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="urn:mace:shibboleth:resolver:1.0"
      xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">

    <!-- "directory" is the id of the LDAP data connector defined elsewhere in this file -->
    <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:employeeType">
      <DataConnectorDependency requires="directory"/>
    </SimpleAttributeDefinition>

11
eduPersonPrincipalName
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      sourceName="cn" smartScope="coulsdon.ac.uk">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>

12
eduPersonTargetedID
  <PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID"
      scope="coulsdon.ac.uk" sourceName="eduPersonPrincipalName">
    <DataConnectorDependency requires="echo"/>
    <Salt>XXXXXXXXXXXXXXXXXXXXXXX</Salt>
  </PersistentIDAttributeDefinition>
  The <Salt> is a secret, not a placeholder to leave as-is: it is what keeps the
  pseudonym from being reversed, and changing it later changes every user's
  targeted ID at every SP.
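What the definition above produces, and why the salt matters, as an added example that is not Shibboleth code: it assumes the pseudonym is Base64(SHA-1(requester + "!" + principal + "!" + salt)), the construction used by Shibboleth's computed-ID connector; the exact concatenation order in the 1.3 code may differ, but the two properties shown (stable per SP, different across SPs) and the failure mode (with the salt known, a 1300-name username space is trivially reversed by dictionary) do not depend on it. The SP entity IDs and usernames are constructed sample data.

```python
import base64
import hashlib


def targeted_id(principal: str, sp_entity_id: str, salt: str, scope: str = "coulsdon.ac.uk") -> str:
    """Per-SP persistent pseudonym for one principal, scoped like the slide's definition.

    Assumed construction (Shibboleth computed-ID style): Base64(SHA-1(requester!principal!salt)).
    """
    material = f"{sp_entity_id}!{principal}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii") + "@" + scope


def is_stable_and_unlinkable(principal: str, sp_a: str, sp_b: str, salt: str) -> bool:
    """Same user at the same SP -> same value; same user at two SPs -> values that cannot be joined."""
    same_sp = targeted_id(principal, sp_a, salt) == targeted_id(principal, sp_a, salt)
    across_sps = targeted_id(principal, sp_a, salt) != targeted_id(principal, sp_b, salt)
    return same_sp and across_sps


def recover_principal(observed: str, sp_entity_id: str, salt: str, candidates):
    """Dictionary attack open to anyone who knows the salt.

    An SP only sees pseudonyms, but with the salt and a guessable list of usernames
    (a small college has ~1300 of them) it can hash each guess and match the value
    it was sent. Returns the recovered username, or None if the salt is wrong.
    """
    for username in candidates:
        if targeted_id(username, sp_entity_id, salt) == observed:
            return username
    return None


# Constructed sample data (not real accounts or SPs).
SALT = "XXXXXXXXXXXXXXXXXXXXXXX"  # the slide's placeholder; use a long random secret in practice
SP_A = "https://sp.example.org/shibboleth"
SP_B = "https://journals.example.net/shibboleth"
USERS = ["asmith", "bjones", "cpatel", "dlee"]

if __name__ == "__main__":
    for sp in (SP_A, SP_B):
        print(sp, "->", targeted_id("cpatel", sp, SALT))
    seen_by_sp_a = targeted_id("cpatel", SP_A, SALT)
    print("salt known, SP A recovers:", recover_principal(seen_by_sp_a, SP_A, SALT, USERS))
    print("salt unknown (wrong guess):", recover_principal(seen_by_sp_a, SP_A, "different-secret", USERS))
```

The practical consequences: generate the salt from a proper random source, keep it out of anything shared with SPs or committed to a repository, and back it up with the rest of the IdP secrets, since losing it loses every personalisation link users have built up.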

13
eduPersonScopedAffiliation
First eduPersonAffiliation
  <ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet><![CDATA[
      // Pull the user's LDAP entry from the "directory" connector and read its group list.
      Attributes attributes = dependencies.getConnectorResolution("directory");
      Attribute memberOf = attributes.get("groupmembership");
      // add values from directory
      String value = "none";
      boolean student = false;
      boolean staff = false;
      boolean member = false;
      for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
          value = (String) memberOf.get(i);
          // >= 0, not > 0: indexOf returns -1 when absent and 0 when the group
          // name starts the value, so > 0 would silently miss that case.
          if (value.indexOf("FAM_STUD") >= 0) student = true;
          if (value.indexOf("FAM_STAFF") >= 0) staff = true;
      }

14
eduPersonScopedAffiliation
First eduPersonAffiliation - continued
      if (student) resolverAttribute.addValue("student");
      if (staff) resolverAttribute.addValue("staff");
      // eduPerson uses "member" as the umbrella value for students and staff and
      // "affiliate" for a looser relationship; check which value the licensed
      // resources actually test for before settling on this.
      if (student || staff) resolverAttribute.addValue("affiliate");
    ]]></Scriptlet>
  </ScriptletAttributeDefinition>

Then eduPersonScopedAffiliation
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
      smartScope="coulsdon.ac.uk">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
  </SimpleAttributeDefinition>
15
Attribute Release Policy (arp.site.xml)
  <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <AnyValue release="permit"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
    <AnyValue release="permit"/>
  </Attribute>
  These sit inside a <Rule> whose <Target> names the SPs it applies to
  (<AnyTarget/> means every SP in the federation). Only the affiliation
  attributes are permitted here; eduPersonPrincipalName, which is not
  generally released, would need its own rule targeted at specific SPs.

16
TestShib
  • To test the initial implementation
  • http://testshib.org/

17
Things I wish I'd known
  • Time
  • Log files
  • Directory listing
  • Resolvertest

export IDP_HOME=/usr/local/shibboleth-idp
$IDP_HOME/bin/resolvertest --user gridshib \
    --responder https://idp.example.org/shibboleth \
    --resolverxml file://$IDP_HOME/etc/resolver.xml