Using Drupal, SAML, and Shibboleth to bring users to the cloud
Nate [email protected] / InCommon Federation / Shibboleth Consortium
Greg Knaddison, Acquia
30 November 2011, Acquia Webinar Series
Connecting to the Cloud
• Two necessary infrastructure components
• A great network connection
• Effective Identity Management
• Two necessary business components
• Software architected to integrate with you
• Excellent, professional service
A Brief History of Identity Management
• Isolated Accounts
• Centralized User Databases
• LDAP, SQL
• Single Sign-On
• Kerberos; various others like CAS, PKI
• Federated Identity
• SAML, OpenID, OAuth, Shibboleth
Federated Identity
• A generalization of older single sign-on systems
• No tight coupling between identity sources and applications or services
• No presumptions about trust or authority
Federated Identity
• Identity Providers (IdP) supply user information and authentication service
• Generally as a stand-alone service
• Service Providers (SP) consume user information, protect resources, and supply applications with trusted data
• Generally integrated tightly into the web environment
Federated Identity Benefits
• Automated provisioning, but deprovisioning requires some thought
• Provides single sign-on for both local and cloud services
• Authoritative attributes provide applications with quality, trusted data
• Applications can be easily shared between many organizations
SAML v2.0
• Security Assertion Markup Language
• A set of tokens and a set of protocols used to convey those tokens
• Tokens may be used independently of the protocols
• Standardized in March 2005
• Ongoing spec development for new features continues, but likely never a new, breaking version
SAML v2.0 Deployment
• Widespread Commercial Support
• Oracle, Microsoft, Novell, CA, PingIdentity, etc.
• Widespread SaaS Vendor Support
• Google, Microsoft, Salesforce, ADP, etc.
• Excellent free, open source solutions
• Shibboleth, simpleSAMLphp, OpenSSO, etc.
SAML 2.0 IdP Deployment
• Widespread deployment and dominant market share in a variety of verticals
• Education, finance, real estate, justice, defense, conglomerates
• Approximately 4,000 Research and Education Deployments
• ~100% coverage in some countries
• 10+ million vetted accounts
Shibboleth
• Project since ~2001, code since ~2003
• Dominant market share in academia
• Thousands of deployments, millions of users
• Widely used in real estate and justice, and increasingly in financial and corporate verticals
• Transitioning from Internet2 project to consortium & new org for sustainability
Shibboleth
• Free, open-source software
• Small but global development team
• Modified Apache-style licensing; no BSD
• Architected for large-scale multi-lateral identity; easily used for bilateral collaborations too
• Focus on trusted attributes in addition to providing standard single sign-on
Technical Deep Dive Overview
• Geeking out for a moment – please forgive us…
• Identity Provider (IdP) implementation and deployment
• Service Provider (SP) implementation and deployment
Shibboleth IdP
• Java webapp to be deployed into a standard servlet container
• Apache Tomcat, JBoss, Jetty, etc.
• Future releases will be distributed with a bundled servlet container; existing packaging will still be available
Shibboleth IdP
• Highly scalable with a variety of clustering options
• Concurrent login attempts are CPU-bound; concurrent sessions are RAM-bound
• Scales easily to hundreds of thousands
• Designed to integrate with IdM systems, not replace them
• Authentication and attribute connectors available for common choices; extensible
Shibboleth SP
• Written in C++
• In-process module loaded by the web server
• Apache (worker mode preferred) or ISAPI
• Out-of-process daemon (shibd)
Shibboleth SP
• No API
• Application integration at 3 points:
• Session creation/login (enforced automatically by the SP, or triggered by the application)
• Session recall/attributes (IdP information and user attributes exposed to the application as environment variables or HTTP header variables)
• Session destruction/logout
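The three integration points above, expressed as Apache directives for the Shibboleth SP 2.x module. This is an added example, not configuration from the slides, the Shibboleth project, or the deployments described later; the hostname drupal.example.edu and the /secure path are assumptions. Environment variables cannot be supplied by the browser, while request headers can, which is why header export stays off unless a reverse proxy makes it unavoidable.

```apache
# Added example: Shibboleth SP 2.x directives for an Apache host
# (drupal.example.edu and /secure are assumed names, not from the slides).

# 1. Session creation, enforced by the SP: every request under /secure must
#    carry a valid SP session, otherwise the SP redirects to the IdP first.
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

# 1b. Session creation, triggered by the application ("lazy session"): the SP
#    exports attributes when a session exists but does not force one. The
#    application sends the browser to /Shibboleth.sso/Login?target=<url>
#    when it decides a login is needed (e.g. the Drupal login link).
<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>

# 2. Session recall: attributes reach the application as CGI environment
#    variables (eppn, affiliation, ...) together with the SP's own
#    Shib-Session-ID and Shib-Identity-Provider. Keep header export off:
#    a client can send arbitrary request headers, but cannot set server
#    environment variables.
ShibUseHeaders Off

# 3. Session destruction: the application's logout link points at
#    /Shibboleth.sso/Logout?return=https://drupal.example.edu/ so the SP
#    session ends together with the application session.
```

If attributes must be exported as headers (for example to an application server behind the SP host), the SP must be the only component allowed to set those header names; verify the value really came from the SP before using it for authentication.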
Shibboleth Trust
• As promiscuous or as exclusive as you would like
• Federations are communities of providers that act by the same rules, to reduce the handshake problem
• We don’t have much faith in commercial certificates
• Comes from experience
Drupal and Shibboleth
• Drupal plugin developed by the Hungarian Federation (NIIF)
• Relies on having the Shibboleth SP installed and configured
• We like this: avoids dangers of homemade security software, incorporates new Shibboleth features easily, no lock-in
Drupal and Shibboleth
• Provides basic login and logout links
• Integrated with both Drupal and Shibboleth, making session management easier
• Maps SAML attributes to Drupal roles
• Because Shibboleth interoperates with many commercial SAML offerings, so will "Shibbolized" Drupal
Shibboleth, SAML & Acquia Cloud
Example Drupal Deployments
• Two San Francisco based higher education institutions
- One running Acquia Commons for faculty, staff, and student collaboration
- The second running 21 custom Drupal multi-sites
• Running in Acquia Managed Cloud
• Running the SP daemon
• Load balanced with sticky sessions to support Shibboleth
- Alternatives: the SP on a single web server, or shared database storage for SP sessions
- Sticky sessions were chosen to improve scalability and reliability
Example Drupal Deployments
• Benefits
- Centralized auditing of logins
- Provisioning efficiency, de-provisioning completeness
• Gotchas
- The shibauth Drupal module always creates a Drupal account for any user the IdP authenticates, so authorization must still be enforced through role mapping or access rules
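The three SP integration points (login, attribute recall, logout), the SAML-attribute-to-Drupal-role mapping, and the "always creates an account" gotcha, worked through as an added Python example. This is not code from the slides, the shibauth module, or the Shibboleth project. It assumes the SP exports attributes as CGI environment variables under the ids of the stock attribute-map.xml (eppn, affiliation, entitlement, mail, displayName) next to the SP's own Shib-Session-ID and Shib-Identity-Provider variables, and that multi-valued attributes arrive as one string with values joined by `;` and literal semicolons escaped as `\;`. ROLE_MAP, the sample environment and the hostnames are constructed.

```python
"""
Added example (not from the slides, the shibauth module or Shibboleth):
a minimal bridge between the Shibboleth SP and an application showing
session recall, attribute-to-role mapping, login/logout handler URLs and
an account-provisioning rule stricter than "always create an account".

Assumed SP behaviour: attributes exported as environment variables under
the stock attribute-map.xml ids; multi-valued attributes joined by ';'
with literal semicolons escaped as '\\;'.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import quote

SP_HANDLER = "/Shibboleth.sso"   # default handler URL of the Shibboleth SP

# Constructed sample of what the SP would place in the environment for one
# logged-in faculty member; not captured from a real deployment.
SAMPLE_ENV = {
    "Shib-Session-ID": "_a1b2c3d4e5f6",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "Shib-Authentication-Instant": "2011-11-30T17:00:00Z",
    "eppn": "jdoe@example.edu",
    "affiliation": "member@example.edu;faculty@example.edu",
    # second value contains a literal ';' escaped by the SP
    "entitlement": "urn:mace:dir:entitlement:common-lib-terms;urn:example:drupal\\;editor",
    "mail": "jdoe@example.edu",
    "displayName": "Jane Doe",
}

# Hypothetical policy: (attribute id, value) -> Drupal role name.
ROLE_MAP = {
    ("affiliation", "faculty@example.edu"): "faculty",
    ("affiliation", "student@example.edu"): "student",
    ("entitlement", "urn:example:drupal;editor"): "editor",
}

ATTRIBUTE_IDS = ("affiliation", "entitlement", "mail", "displayName")


def split_multivalue(raw: str) -> list[str]:
    """Split an SP multi-valued attribute on unescaped ';' ('\\;' is literal)."""
    values, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            cur.append(";")
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(cur))
            cur = []
        else:
            cur.append(raw[i])
        i += 1
    values.append("".join(cur))
    return [v for v in values if v]


@dataclass
class ShibSession:
    session_id: str
    idp: str
    username: str                      # eppn: the principal name we key accounts on
    attributes: dict[str, list[str]] = field(default_factory=dict)


def recall_session(env: dict[str, str]) -> ShibSession | None:
    """Session recall: trust only variables the SP placed in the environment.
    Without an SP session the application must trigger login instead."""
    sid, eppn = env.get("Shib-Session-ID"), env.get("eppn")
    if not sid or not eppn:
        return None
    attrs = {k: split_multivalue(env[k]) for k in ATTRIBUTE_IDS if k in env}
    return ShibSession(sid, env.get("Shib-Identity-Provider", ""), eppn, attrs)


def roles_for(session: ShibSession) -> set[str]:
    """Map SAML attribute values to application roles; unknown values are ignored."""
    return {ROLE_MAP[(name, v)] for name, values in session.attributes.items()
            for v in values if (name, v) in ROLE_MAP}


def should_provision(session: ShibSession, allowed_idps: set[str]) -> bool:
    """Account-creation gate: instead of creating an account for every
    authenticated user, require a trusted IdP and at least one mapped role."""
    return session.idp in allowed_idps and bool(roles_for(session))


def login_url(target: str) -> str:
    """Application-triggered session creation via the SP's Login handler."""
    return f"{SP_HANDLER}/Login?target={quote(target, safe='')}"


def logout_url(return_to: str) -> str:
    """Session destruction via the SP's Logout handler."""
    return f"{SP_HANDLER}/Logout?return={quote(return_to, safe='')}"


if __name__ == "__main__":
    s = recall_session(SAMPLE_ENV)
    print(s.username, sorted(roles_for(s)),
          should_provision(s, {"https://idp.example.edu/idp/shibboleth"}))
    print(login_url("https://drupal.example.edu/user"))
```

The gate in `should_provision` is the practical answer to the gotcha: with the module creating a local account for every IdP-authenticated user, either the IdP-side attribute release or a check like this one decides who actually gets in, and the same role mapping drives de-provisioning when an affiliation disappears.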
My Thanks to Acquia
http://www.internet2.edu/
http://www.incommon.org/
http://shibboleth.net/