aai for mandatory authentication and proxy usage to allow ... · tuduce (eth zurich): aai and proxy...
TRANSCRIPT
![Page 1: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/1.jpg)
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
1
AAI for mandatory authentication and proxy usage to allow internet access on public workstations of
ETH-Bibliothek
Wolfgang Lierz, ETH-Bibliothek, IT Services
Cristian Tuduce, ETH Zürich, ID-Basisdienste
![Page 2: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/2.jpg)
Outline
• The ETH proxy infrastructure
Cristian
• The ETH-Bibliothek solution
Wolfgang
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
2
![Page 3: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/3.jpg)
The web-proxy
From appliance to Squid:
• Appliance end-of-life
• Many appliances use variations of Squid
Authenticating:
• Users connecting from outside ETH
• Selected IP ranges from inside ETH
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
3
![Page 4: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/4.jpg)
Squid authentication problems
• RADIUS with basic authentication
• Clear-text channel between client and proxy
• Skinny authentication-helper interface
→Sniffing trivial
→Password guessing attacks
Solution: Squid with Shibboleth authentication!
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
4
![Page 5: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/5.jpg)
Why Shibboleth
• No passwords floating around insecure
• Password guessing cumbersome
• [put favorite reason here]
• Interesting problem!
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
5
![Page 6: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/6.jpg)
The challenge: different worlds
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
6
• Cookie-based
• Data pipe• No web server to receive cookies
![Page 7: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/7.jpg)
The proxy principle
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
7
![Page 8: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/8.jpg)
Before authentication
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
8
307: go authenticate (then #)!
#
![Page 9: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/9.jpg)
The authentication process
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
9
307: now go to URL #!
![Page 10: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/10.jpg)
After authentication
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
10
OK
![Page 11: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/11.jpg)
The building block
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
11
Squid w/ Shibboleth authentication
![Page 12: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/12.jpg)
AAI-enabling public workstationsof ETH-Bibliothek: requirements
• authentication itself is the service!
• AAI for customers outside SWITCHaai scope
• (time-limited) internet access via AAI-enabledproxy
• modifications on proxy.ethz.ch
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
12
![Page 13: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/13.jpg)
Authentication itself as service
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
13
![Page 14: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/14.jpg)
AAI for Swiss university members
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
14
![Page 15: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/15.jpg)
AAI for other library customers
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
15
![Page 16: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/16.jpg)
Modifications on SWITCH embedded WAYF
• wayf_force_remember_for_session = true;
• wayf_show_remember_checkbox = true;
• wayf_hide_categories = new
Array("library","vho","upcoming");
• wayf_hide_categories = new Array("all");
• wayf_unhide_idps = new Array("https://aai-
logon.vho-switchaai.ch/idp/shibboleth");
• wayf_return_url =
"https://publikum.library.ethz.ch/login/aai/pinlogin.php";
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
16
![Page 17: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/17.jpg)
AAI-enabled service: login+redirect
• https://publikum.library.ethz.ch/login/aai/pinlogin.php
• $hosts = $d->login_user();
• if($hosts) { header('Location:
http://publikum.library.ethz.ch/login/error.html?duplicate'); }
• else { if($d->get_remaining_time())
• header('Location: http://www.library.ethz.ch/');
• else
• header('Location:
http://publikum.library.ethz.ch/login/error.html?exceeded');}
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
17
![Page 18: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/18.jpg)
SWITCH VHO admin tool
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
18
![Page 19: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/19.jpg)
PINlogin database viewer
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
19
![Page 20: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/20.jpg)
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
20
// http://publikum.library.ethz.ch/proxy/publikum.pac
function FindProxyForURL(url, host) {
if (shExpMatch(url, "http*://publikum.library.ethz.ch/*")
|| shExpMatch(url, "https://tools.vho-switchaai.ch/*")
|| shExpMatch(url, "https://wayf.switch.ch/*"))
{return "DIRECT";}
if (shExpMatch(url, "https://aai-logon.*.ch/*")
|| shExpMatch(url, "https://aai-login.*.ch/*")
|| shExpMatch(url, "https://aai-idp.*.ch/*")
|| shExpMatch(url, "https://aai.*.ch/*")
|| shExpMatch(url, "https://idp.*.ch/*")
|| shExpMatch(url, "https://login2.*.ch/*"))
{return "DIRECT";}
if (shExpMatch(url, "http*://proxy.ethz.ch/*"))
{return "DIRECT";}
return "PROXY proxy.ethz.ch:3128"; }
![Page 21: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/21.jpg)
Modifications on proxy.ethz.ch
• forcing proxy usage in public workstationsubnets of ETH-Bibliothek
• allowing proxy usage from whole SWITCHaaicommunity
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
21
![Page 22: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/22.jpg)
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
22
Forcing proxy usage in library's public workstation subnets:
acl library-public-hg src 129.132.73.0/25
acl library-public-rz src 129.132.41.16/28
acl library-public-hix src 129.132.49.192/28
acl library-public-hpx src 129.132.49.208/28
acl library-public-nw src 129.132.49.224/28
acl library-public-cx src 129.132.166.32/27
url_rewrite_access allow library-public-hg
url_rewrite_access allow library-public-rz
url_rewrite_access allow library-public-hix
url_rewrite_access allow library-public-hpx
url_rewrite_access allow library-public-nw
url_rewrite_access allow library-public-cx
![Page 23: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/23.jpg)
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
23
Allowing proxy usage from whole SWITCHaai community
sub decide_proxy_access() {
my $ACCEPT_PROXY_ACCESS = 0;
if ($ENV{'REMOTE_ADDR'} eq "129.132.202.35") {
$ACCEPT_PROXY_ACCESS = 3;
return $ACCEPT_PROXY_ACCESS;
}
my $ip_match = match_ip($ENV{'REMOTE_ADDR'},
"129.132.73.0/25",
"129.132.41.16/28",
"129.132.49.192/28",
"129.132.49.208/28",
"129.132.49.224/28",
"129.132.166.32/27",
"129.132.238.45");
if ($ENV{'HTTP_SHIB_SWISSEP_HOMEORGANIZATION'} eq "ethz.ch") {
$ACCEPT_PROXY_ACCESS = 1;
return $ACCEPT_PROXY_ACCESS;
} else {
if ($ip_match) {
if ($ENV{'HTTP_SHIB_SWISSEP_HOMEORGANIZATIONTYPE'} =~
/^(university|uas|hospital|others|vho)$/) {
$ACCEPT_PROXY_ACCESS = 1;
return $ACCEPT_PROXY_ACCESS;
![Page 24: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/24.jpg)
Hiding AAI dialogues of proxy
• only implicit because authentication is alreadydone before
• no severe complaints from users gettingconfused when trying to overcome limitation
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
24
![Page 25: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/25.jpg)
Conclusion
• Robust solution running since 2011-02-07
• Only few modifications of central proxy serverneeded
• Only very small modification of WAYF needed
• Can be easily extended/migrated as soonother AAI Identity Providers for private librarycustomers are available
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
25
![Page 26: AAI for mandatory authentication and proxy usage to allow ... · Tuduce (ETH Zurich): AAI and proxy auth on public workstations 1 AAI for mandatory authentication and proxy usage](https://reader030.vdocuments.us/reader030/viewer/2022040314/5e17906f3cbf3d025d2cdf1c/html5/thumbnails/26.jpg)
Questions ?
Live demo ?
AAI Operations Committee Meeting, Berne, 2011-05-24 W. Lierz / C. Tuduce (ETH Zurich): AAI and proxy auth on public workstations
26