1 July 2005 © 2005 University of Kent 1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server Wensheng Xu, David Chadwick, Sassa Otenko Computing Laboratory, University of Kent, Canterbury, UK

Post on 22-Dec-2015


Page 1: 1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth

1 July 2005 © 2005 University of Kent 1

Seamless Integration of PERMIS and Shibboleth

– Development of a Flexible PERMIS Authorisation Module

for Shibboleth and Apache Server

Wensheng Xu, David Chadwick, Sassa Otenko

Computing Laboratory, University of Kent, Canterbury, UK

Page 2:

Outline

What Shibboleth is proud of

Why Shibboleth needs to be further improved

How we integrate Shibboleth and PERMIS

What we have achieved

Page 3:

Shibboleth

An architecture to link resource web sites and authentication systems (http://shibboleth.internet2.edu)

Based on PKI, multiple parties form a federation in Shibboleth

Can securely transfer attributes between home sites and resource sites (SAML 1.1)

Page 4:

Shibboleth

Authentication is the responsibility of the user's home site

Requests to authenticate the user will be routed back to the home site and take place there

Authorisation is the responsibility of the resource target site

Based on attributes supplied by the home site

Page 5:

Shibboleth

Page 6:

Shibboleth is proud of:

Web resources and Web services can be shared

Single sign-on is achieved

User privacy is well protected

Page 7:

Weaknesses in Shibboleth

-- Simple trust model in Shibboleth

The target site relies on the origin site to return the correct attributes

Plain attributes are relatively easy to tamper with

Only one attribute authority is supported

Page 8:

Weaknesses in Shibboleth

-- Only basic access control capability

Access control rules are defined in the Apache configuration file

Complex access control rules (RBAC, Dynamic separation of duty, delegation of authority, combination of rules, etc.) are not supported

The Apache administrator has to manage the access control rules; the resource owner can’t directly specify the rules

Page 9:

PERMIS

A PMI software system consisting of:

A privilege allocation (PA) component

A policy management GUI

A privilege verification (PV) component

A policy decision point (PDP)

Page 10:

PERMIS

Policy-based RBAC is supported

Policy expressed in XML (compliance with the OASIS XACML standard planned)

Role Allocation Policy (RAP)

Target Access Policy (TAP)

Subject sub-policy

Role hierarchy sub-policy

Source of Authority sub-policy

Target sub-policy

Action sub-policy

Complex access control policies supported

Page 11:

PERMIS

Decisions are based on roles or attributes

Attributes are stored in X.509 attribute certificates

Supports multiple sources of authority

Page 12:

Shibboleth and PERMIS SAAM

[Architecture diagram. Sites: User Home Site, Resource Target Site, AC Storage Site. Shibboleth components: Authentication System, Handle Service, Attribute Authority, WAYF, SHIRE, SHAR, ShibAuthz. PERMIS components: mod_permis with JNI connector; PV/PDP sub-system (PERMIS PV, PERMIS PDP, Policy LDAP); policy management sub-system (SoA, Policy management GUI, PERMIS RBAC policy); PA sub-system (SoA, Privilege Allocator, Attribute certificate manager, AC LDAP, Origin LDAP). Flows: attributes and ACs sent from the home site with the user (push mode); ACs retrieved by the PV from the AC LDAP (pull mode).]

Page 13:

Shibboleth and Apache authentication and authorisation

[Diagram: an HTTP request passes through the Apache phases in order: URI to filename translation phase, authentication identity check phase, authorisation access check phase, module-specific access check phase, response phase; then the HTTP response is returned. Apache modules 1, 2 and 3 each contribute handling functions (A to G) to the phases they care about.]
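The phase pipeline on this slide is what lets an authorisation module be dropped in beside an unmodified authentication module. The following added example (not Apache or mod_permis code) models that pipeline in Python: handlers return DECLINED, OK or an HTTP status, the authentication handler leaves the user's DN on the request, and the authorisation handler only consumes that DN and asks a pluggable decision callable. The header name `X-Authenticated-DN`, the `ALLOWED` table and the deny-by-default rule when every handler of an auth phase declines are constructed stand-ins and simplifications, not Apache's or Shibboleth's actual behaviour.

```python
"""Toy model of the Apache request phases: each module registers a handling
function for the phases it cares about; a handler returns DECLINED (let the
next handler try), OK (phase satisfied) or an HTTP status that aborts the
request. Added example, not Apache or mod_permis code. The header name, the
decision table and deny-by-default on an all-DECLINED auth phase are
constructed stand-ins; on the slides the identity comes from Shibboleth or
mod_auth_ldap and the decision from the PERMIS PDP."""
from collections import defaultdict

OK, DECLINED = 0, -1
HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 401, 403
PHASES = ["translate", "authenticate", "authorise", "module_access", "response"]

class Request:
    def __init__(self, method: str, uri: str, headers=None):
        self.method, self.uri = method, uri
        self.headers = dict(headers or {})
        self.user = None          # filled in by the authentication phase only
        self.phases_run = []      # trace of which phases executed

class Server:
    def __init__(self):
        self.hooks = defaultdict(list)   # phase -> handlers in registration order

    def register(self, phase: str, handler):
        self.hooks[phase].append(handler)

    def handle(self, req: Request) -> int:
        """Run the phases in order and return the final HTTP status."""
        for phase in PHASES:
            req.phases_run.append(phase)
            result = DECLINED
            for handler in self.hooks[phase]:
                result = handler(req)
                if result != DECLINED:
                    break                 # first handler to take responsibility wins
            if result not in (OK, DECLINED):
                return result             # a handler aborted with an HTTP status
            if result == DECLINED and phase in ("authenticate", "authorise"):
                return HTTP_UNAUTHORIZED if phase == "authenticate" else HTTP_FORBIDDEN
        return 200

# --- module 1: authentication (stand-in for Shibboleth / mod_auth_ldap) -----
def sso_authenticate(req: Request) -> int:
    """Record the DN an upstream SSO component put in a (constructed) header."""
    dn = req.headers.get("X-Authenticated-DN")
    if not dn:
        return HTTP_UNAUTHORIZED
    req.user = dn
    return OK

# --- module 2: authorisation (stand-in for mod_permis) ----------------------
def make_authoriser(pdp):
    """Access-check handler deferring to pdp(user_dn, action, target) -> bool.
    It only reads req.user, so the authentication module needs no change."""
    def authorise(req: Request) -> int:
        if req.user is None:
            return HTTP_FORBIDDEN        # never grant without an identity
        return OK if pdp(req.user, req.method, req.uri) else HTTP_FORBIDDEN
    return authorise

# --- module 3: content handler for the response phase -----------------------
def serve_content(req: Request) -> int:
    return OK

ALLOWED = {("cn=alice,o=Kent,c=GB", "GET", "/staff/report")}   # constructed PDP table

def toy_pdp(user_dn: str, action: str, target: str) -> bool:
    return (user_dn, action, target) in ALLOWED

def build_server() -> Server:
    server = Server()
    server.register("authenticate", sso_authenticate)
    server.register("authorise", make_authoriser(toy_pdp))
    server.register("response", serve_content)
    return server

def run(method: str, uri: str, dn: str = None):
    """Send one request through the pipeline; return (status, phases run)."""
    req = Request(method, uri, {"X-Authenticated-DN": dn} if dn else {})
    return build_server().handle(req), req.phases_run

if __name__ == "__main__":
    print(run("GET", "/staff/report", "cn=alice,o=Kent,c=GB"))   # (200, all five phases)
    print(run("GET", "/staff/report"))                           # (401, ...) no identity
    print(run("POST", "/staff/report", "cn=alice,o=Kent,c=GB"))  # (403, ...) PDP denies
```

The trace returned by `run` shows the short-circuit: a 401 stops the request in the authentication phase and a 403 in the authorisation phase, so the response handler never runs for a denied request.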

Page 14:

PERMIS SAAM in push mode with X.509 ACs

The origin site stores digitally signed attribute certificates in its LDAP repository

The target site is willing to trust different attribute authorities at the origin site

So the origin site can distribute attribute assignments to different managers

[Diagram: the Shibboleth Origin Domain transfers ACs to the Shibboleth Target Domain, which evaluates them against the RAP and TAP.]

Page 15:

PERMIS SAAM in push mode with plain attributes

The target site trusts the origin’s attribute repository and the origin as a single AA

The origin can store plain attributes in its repository

--- standard Shibboleth

[Diagram: the Shibboleth Origin Domain transfers plain attributes to the Shibboleth Target Domain, which evaluates them against the TAP.]

Page 16:

PERMIS SAAM in pull mode

The target trusts different attribute authorities elsewhere

PERMIS SAAM should work in pull mode to fetch the ACs itself

An example might be: an engineer is issued with a “certified MS engineer” attribute certificate by a Microsoft-accredited agency

Various distributed LDAP repositories may sit in various places and should be accessible by the PERMIS PV component

Page 17:

PERMIS SAAM in pull mode

[Diagram: the Shibboleth Origin Domain transfers only the user's DN to the Shibboleth Target Domain, which fetches the ACs itself and evaluates them against the RAP and TAP.]
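To make the policy structure of pages 10 and 11 and the push and pull modes of pages 14 to 17 concrete, here is an added example in Python that is not PERMIS code: a Role Allocation Policy maps (source of authority, role) to the subject domains that SoA may assign the role in, a role hierarchy lets senior roles inherit junior ones, and a Target Access Policy maps (role, action) to targets. Privilege verification either takes ACs pushed with the request or pulls them from repositories by the user's DN. ACs are plain records here; real X.509 ACs would have their signature verified by the PV before the issuer name is trusted. All DNs, roles, paths and the two repositories are constructed sample data.

```python
"""Toy PERMIS-style decision: a Role Allocation Policy (RAP) says which source
of authority may assign which role to which subject domain, a role hierarchy
lets senior roles inherit junior ones, and a Target Access Policy (TAP) says
which role may perform which action on which target. Privilege verification
(PV) takes the user's ACs either pushed with the request or pulled from AC
repositories by the user's DN. Added example, not PERMIS code: ACs are plain
records here, whereas real X.509 ACs are signature-checked by the PV before
the issuer name is trusted. All DNs, roles and paths are constructed samples.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class AC:
    holder: str   # DN of the subject the attribute is assigned to
    issuer: str   # DN of the attribute authority (SoA) that issued it
    role: str     # role attribute carried by the AC

@dataclass
class Policy:
    rap: dict        # (issuer DN, role) -> subject-domain suffixes it may assign to ("" = any)
    hierarchy: dict  # role -> junior roles it inherits (role hierarchy sub-policy)
    tap: dict        # (role, action) -> target path prefixes that role may act on

def in_domain(dn: str, domain: str) -> bool:
    """A DN is in a domain when the domain is a (case-insensitive) suffix of it."""
    return dn.lower().endswith(domain.lower())

def valid_roles(policy: Policy, subject_dn: str, acs) -> set:
    """PV: keep only role assignments the RAP lets this issuer make for this
    subject, then close the set under the role hierarchy."""
    roles = set()
    for ac in acs:
        if ac.holder.lower() != subject_dn.lower():
            continue                                  # AC belongs to someone else
        domains = policy.rap.get((ac.issuer, ac.role), ())
        if any(in_domain(subject_dn, d) for d in domains):
            roles.add(ac.role)                        # otherwise: untrusted issuer, ignored
    pending = list(roles)
    while pending:                                    # transitive closure over the hierarchy
        for junior in policy.hierarchy.get(pending.pop(), ()):
            if junior not in roles:
                roles.add(junior)
                pending.append(junior)
    return roles

def decide(policy: Policy, subject_dn: str, acs, action: str, target: str) -> bool:
    """PDP: grant if any validated role is allowed this action on this target."""
    return any(target.startswith(prefix)
               for role in valid_roles(policy, subject_dn, acs)
               for prefix in policy.tap.get((role, action), ()))

def gather_acs(subject_dn: str, pushed_acs=None, repositories=()):
    """Push mode: ACs arrived with the request. Pull mode: the PV fetches them
    itself from one or more repositories (modelled as dicts keyed by holder DN)."""
    if pushed_acs is not None:
        return list(pushed_acs)
    return [ac for repo in repositories for ac in repo.get(subject_dn, ())]

# --- constructed sample policy and data --------------------------------------
KENT_SOA = "cn=SOA,o=Kent,c=GB"
MS_AGENCY = "cn=Accreditation,o=Microsoft,c=US"     # external attribute authority
POLICY = Policy(
    rap={(KENT_SOA, "staff"): {"o=Kent,c=GB"},
         (KENT_SOA, "student"): {"o=Kent,c=GB"},
         (MS_AGENCY, "certified-ms-engineer"): {""}},
    hierarchy={"staff": ["student"]},
    tap={("staff", "GET"): {"/staff/"},
         ("student", "GET"): {"/public/"},
         ("certified-ms-engineer", "POST"): {"/labs/"}},
)
ALICE, BOB, EVE = "cn=alice,o=Kent,c=GB", "cn=bob,o=Kent,c=GB", "cn=eve,o=Other,c=GB"
KENT_REPO = {BOB: [AC(BOB, KENT_SOA, "student")]}                 # origin's AC LDAP
MS_REPO = {BOB: [AC(BOB, MS_AGENCY, "certified-ms-engineer")]}   # agency's repository

def demo() -> dict:
    """Run the scenarios; returns scenario name -> decision."""
    alice_acs = gather_acs(ALICE, pushed_acs=[AC(ALICE, KENT_SOA, "staff")])
    bob_acs = gather_acs(BOB, repositories=(KENT_REPO, MS_REPO))
    forged = [AC(ALICE, KENT_SOA, "certified-ms-engineer")]   # Kent SoA is no authority for this role
    outsider = [AC(EVE, KENT_SOA, "staff")]                   # Eve is outside the Kent domain
    return {
        "alice_staff_page": decide(POLICY, ALICE, alice_acs, "GET", "/staff/report"),
        "alice_public_via_hierarchy": decide(POLICY, ALICE, alice_acs, "GET", "/public/news"),
        "alice_lab_post": decide(POLICY, ALICE, alice_acs, "POST", "/labs/run"),
        "alice_forged_engineer": decide(POLICY, ALICE, forged, "POST", "/labs/run"),
        "bob_lab_post_pull_mode": decide(POLICY, BOB, bob_acs, "POST", "/labs/run"),
        "bob_staff_page": decide(POLICY, BOB, bob_acs, "GET", "/staff/report"),
        "eve_outside_domain": decide(POLICY, EVE, outsider, "GET", "/staff/report"),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:28} {'GRANT' if granted else 'DENY'}")
```

The RAP check is what gives the target site several trusted attribute authorities at once: Bob's engineer role is accepted only because the policy names the external agency as the SoA for that role, and the same role asserted by the Kent SoA is ignored. Pull mode differs from push mode only in where `gather_acs` obtains the ACs; the decision logic is unchanged.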

Page 18:

PERMIS SAAM with Apache and without Shibboleth

[Diagram of the Resource Web Site: the User's HTTP request reaches mod_auth_ldap, which authenticates against the Authentication LDAP and passes the User DN to mod_permis. Through the JNI connector, mod_permis calls the PERMIS PV/PDP subsystem (PERMIS PV and PERMIS PDP; GetCreds, Decision), which retrieves ACs (pull mode) from the AC LDAP and the RAP/TAP from the Policy LDAP, after which the response is returned. The PERMIS PA and policy management sub-system comprises the SOA, the PERMIS RBAC policy, the Policy management GUI and the Attribute certificate manager.]

Page 19:

User Privacy issues in PERMIS SAAM

When plain attributes are adopted: standard Shibboleth + PERMIS PDP

When ACs are adopted: the DN must be provided to the target site to match X.509 ACs, but the DN can be a pseudonym or a group name

Page 20:

The PERMIS SAAM Apache Directives

Directives in the Apache configuration file:

PermisPolicyIdentifier

PermisPolicyIssuer

PermisPolicyLocation

PermisAuthorisation

PermisPullMode (optional)

PermisACLocation (optional)
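As an added illustration of how these six directives sit in an Apache configuration (this fragment is not from the slides or the PERMIS distribution), the block below protects one location: Shibboleth keeps the authentication role and mod_permis the authorisation role. The value forms are assumptions: an OID for the policy identifier, the DN of the SoA that signed the policy for the issuer, LDAP URLs for the policy and AC repositories, and on/off for the two switches; every value shown is a placeholder. The `AuthType shibboleth`, `ShibRequireSession` and `require valid-user` lines are the Shibboleth SP directives of that era and are assumed here, not taken from the page.

```apache
# Added example, not PERMIS or Shibboleth project configuration.
# All values are placeholders; directive value forms are assumptions.
<Location /protected>
    # Authentication stays with Shibboleth: it must leave the user's DN
    # on the request so that mod_permis can match X.509 ACs to it.
    AuthType shibboleth
    ShibRequireSession On
    require valid-user

    # Switch PERMIS authorisation on for this location.
    PermisAuthorisation on
    # OID of the RBAC policy to enforce (placeholder OID).
    PermisPolicyIdentifier 1.2.3.4.5.6.7.8.9
    # DN of the source of authority that signed the policy (placeholder DN).
    PermisPolicyIssuer "cn=SOA,o=Example,c=GB"
    # Where the PV/PDP fetches the signed policy (placeholder LDAP URL).
    PermisPolicyLocation "ldap://policy.example.org/o=Example,c=GB"

    # Optional: pull mode, so the PV fetches the user's ACs itself
    # instead of relying on attributes pushed by the origin site.
    PermisPullMode on
    # Optional: AC repository to pull from (placeholder LDAP URL).
    PermisACLocation "ldap://ac.example.org/o=Example,c=GB"
</Location>
```

Leaving out `PermisPullMode` and `PermisACLocation` gives the push-mode deployment of pages 14 and 15, where the ACs or plain attributes arrive with the Shibboleth assertion.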

Page 21:

Conclusions:

PERMIS SAAM can work fine with Shibboleth + Apache

No Shibboleth source code needs to be modified

More fine-grained access control can be achieved

More flexibility for resource managers

PERMIS SAAM can work fine with Apache server

Potentially PERMIS can work with any authentication system (providing the user DN is released for ACs)

Page 22:

Thank you!

Question?