Session 3: Hands-on Session: Access Management
Hands-on session building on the base infrastructure, adding an Identity Provider and Service Providers to the organization
1. Identity Domains
Digital identity services exist so that relationships can be mediated by information systems. The requirements for managing digitally mediated relationships have not changed since the first multi-user computer systems were developed. Whenever the parties to a relationship are represented by information, the following three problems need to be solved:
1: How can one party in a relationship identify the other party?
2: How can parties continue their relationship over time?
3: How can parties in a relationship trust each other?
This presentation provides a quick overview of the identity domain patterns that are commonly in use.
Identification is the assignation of a party to a defined group. It entails recognising to which group a party belongs, and which member of the group that party is.
Continuity is the consistency and coherence of information and behaviour over time and among different parties.
Trust is the confidence in the credibility of identity information a party needs to be able to proceed with an identity dependent transaction.
Terms
identity domain
An identity domain is any collection of systems that can recognise and remember identities using the same identifiers and identity attributes.
Identity systems fall into a number of relatively stable architectural patterns.
Identity Domain Patterns
× Isolated
× Centralised
× Federated
× User-Centric
Isolated Identity Domain
Isolated identity domains are created when systems or services produce and manage identities with no reference to identities in other systems.
The main advantages of isolated domains are that they limit the effects of malevolent access (a credential stolen from one system is useless anywhere else) and safeguard privacy.
× Linux /etc/passwd
× Stand-alone desktops
× Specialized instrumentation
Centralised Identity Domain
Centralised identity domains provide special-purpose systems that produce common identity services for use by a number of systems.
Usually, a centralised identity domain is closely bound to an organisation's network security infrastructure, and recognition and identification are limited to systems with shared access to a common security architecture entailing certificate servers, network host registries, directories and local authentication services.
Federated Identity Domain
Federated identity domains uncouple identity provision from entitlement management (service provision).
During an access request, an identity provider attests to the authenticity of the requesting identity. The service provider then decides the entitlements it will grant the identity holder, often based on additional information (attributes) released by the identity provider. In other words, federation is designed to extend the domain in which an identity can be recognised.
"User-Centric" Identity Domains
User-centric identity domains give users greater control over their personal information.
Users are allowed to choose identity providers independently of service providers.
Identity providers act as trusted third parties to store user account and profile information and authenticate users, and service providers accept assertions or claims about users from identity providers.
References
IdEAs: Identity. Entitlement. Access. Analytics. A framework for producing and managing digital identity services in Higher Education. Ric Phillips, Monash University.
2. Hands on session
With the basic building blocks in place we will turn our attention to providing a simple access management layer to the organization.
Services could integrate directly with the base LDAP service, but this increases the risk carried by the access layer, particularly for cloud-based services: every service that binds to LDAP on the user's behalf handles the user's password.
● Current best practice is that the authentication process should be separated from the services and performed by a dedicated, secure service operated by the organization. This ensures that a rogue (or compromised) service never has access to a user's credentials; it only ever receives an attestation about the user.
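The exchange that the federated pattern and the rationale above describe, as an added example written for this page (it is not code from the session, from Shibboleth or from the AAF installer). It is a miniature of the SAML flow: the IdP checks the password against its own store and issues a short-lived, signed assertion addressed to one SP; the SP checks issuer against federation metadata, signature, audience, validity window and replay before it decides entitlements itself, and it never handles the password. Assumptions: assertions are JSON rather than SAML XML, the signature is an HMAC whose key stands in for the IdP signing certificate published in federation metadata, and the user store, the metadata dict and the entityID of a hypothetical "rogue" second SP are all constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed entityIDs. The IdP one follows the session's advice to change the
# default entityID; the rogue SP is a hypothetical second service in the federation.
IDP_ENTITY_ID = "https://apan-idp.aaftest.xyz/idp/shibboleth"
SP_ENTITY_ID = "https://apan-sp.aaftest.xyz/shibboleth"
ROGUE_SP_ENTITY_ID = "https://rogue-sp.aaftest.xyz/shibboleth"

# Stand-in for the IdP signing certificate that federation metadata publishes.
IDP_SIGNING_KEY = secrets.token_bytes(32)

# What the SP learns from federation metadata: issuer entityID -> verification key.
FEDERATION_METADATA = {IDP_ENTITY_ID: IDP_SIGNING_KEY}

# Constructed IdP user store. Only the IdP ever reads this; no SP sees a password.
IDP_USERS = {
    "alice": {"password": "correct horse battery", "eppn": "alice@aaftest.xyz",
              "affiliation": ["staff@aaftest.xyz", "member@aaftest.xyz"]},
}

# SP-side replay cache of assertion IDs already consumed (the Shibboleth SP keeps one too).
SEEN_ASSERTION_IDS = set()


def canonical(payload):
    """Deterministic byte form of the payload so signer and verifier hash the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(username, password, audience, now=None):
    """IdP side: authenticate locally, then attest to the identity for ONE service provider.
    Returns None on bad credentials."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    payload = {
        "issuer": IDP_ENTITY_ID,
        "audience": audience,            # the SP this assertion is for
        "id": secrets.token_hex(16),     # unique, for replay detection
        "not_before": now - 60,          # small clock-skew allowance
        "not_on_or_after": now + 300,    # short lifetime
        "attributes": {"eppn": user["eppn"], "affiliation": user["affiliation"]},
    }
    signature = hmac.new(IDP_SIGNING_KEY, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def sp_validate_assertion(assertion, my_entity_id, metadata, now=None):
    """SP side: the checks a relying party performs before trusting an assertion.
    Returns the released attributes, or raises ValueError with the reason."""
    payload = assertion["payload"]
    key = metadata.get(payload.get("issuer"))
    if key is None:
        raise ValueError("issuer not in federation metadata")
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise ValueError("signature does not verify")      # tampered payload or wrong key
    if payload["audience"] != my_entity_id:
        raise ValueError("assertion addressed to a different SP")
    now = time.time() if now is None else now
    if not (payload["not_before"] <= now < payload["not_on_or_after"]):
        raise ValueError("assertion outside its validity window")
    if payload["id"] in SEEN_ASSERTION_IDS:
        raise ValueError("assertion replayed")
    SEEN_ASSERTION_IDS.add(payload["id"])
    return dict(payload["attributes"])


def sp_entitlements(attributes):
    """The entitlement decision is the SP's own, made from attributes the IdP released."""
    affiliations = attributes.get("affiliation", [])
    return {"can_view_secure": any(a.startswith("staff@") for a in affiliations)}


def login(username, password, sp_entity_id=SP_ENTITY_ID):
    """End-to-end: returns (attributes, entitlements), or the failure reason as a string."""
    assertion = idp_issue_assertion(username, password, sp_entity_id)
    if assertion is None:
        return "IdP rejected credentials"
    try:
        attributes = sp_validate_assertion(assertion, SP_ENTITY_ID, FEDERATION_METADATA)
    except ValueError as err:
        return str(err)
    return attributes, sp_entitlements(attributes)


if __name__ == "__main__":
    print(login("alice", "correct horse battery"))                       # attributes + entitlements
    print(login("alice", "wrong"))                                       # IdP rejected credentials
    print(login("alice", "correct horse battery", ROGUE_SP_ENTITY_ID))   # addressed to a different SP
```

The audience check is what stops a rogue SP that has collected an assertion meant for itself from presenting it to another service, and the replay cache stops the same assertion being consumed twice; a real SP does both with XML signatures over SAML rather than an HMAC over JSON, but the checks are the same.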
Setting up a Shibboleth Identity Provider
× Use the AAF IdP Installer
× Register the IdP
× Consume Metadata
× Basic testing
× Review the setup
Overview
The AAF IdP Installer
× Installs and configures the Shibboleth IdP
× Uses Ansible (an open source deployment and orchestration tool)
× Repeatable, consistent, reduces errors, lowers maintenance
× Used by most AAF members running an IdP
Server
10.10.10.11 - apan-idp.aaftest.xyz
Download the bootstrap.sh script
Go to https://ausaccessfed.github.io/shibboleth-idp-installer/ for full instructions.
curl https://raw.githubusercontent.com/ausaccessfed/shibboleth-idp-installer/master/bootstrap.sh > bootstrap.sh && chmod u+x bootstrap.sh
Edit bootstrap.sh
Documentation within the script describes the values that are required.
Run the bootstrap.sh script
As root, run the script. Read it through first: you are about to execute a script downloaded from the network with full privileges.
On completion the IdP should be installed and running!
The bootstrap.sh script should only be run once!
Ensure it worked
× The script completed!
× Jetty is running: ps ax | grep jetty
× Check the IdP logs: grep ERROR /var/log/shibboleth-idp/*.log
Change the EntityID
To avoid conflicts, change the entityID of your IdP.
Edit the file: /opt/shibboleth-idp-installer/repository/host_vars/apan-idp.aaftest.xyz
Modify the idp_entity_id value
Update the IdP
Run the update_idp.sh script
This will update the IdP configuration based on the settings in the repository.
Increase Entropy
Slow starts can be a result of low entropy; virtual machines often suffer from this. Check the entropy available to the kernel:
cat /proc/sys/kernel/random/entropy_avail
Install haveged to resolve this, then enable and start it:
yum install haveged
systemctl enable haveged
systemctl start haveged
Register the IdP
APAN Jagger: https://rr.aaftest.xyz/rr3
Get the Metadata
× Update metadata_url and federation_group_id in the hosts file
× Remove SignatureValidation in metadata-providers.xml
× Re-run update_idp.sh
Removing signature validation is acceptable only in this throwaway test federation. Federation metadata is the IdP's trust root (it lists the SPs and keys the IdP may trust), so a production IdP must keep the SignatureValidation filter configured with the federation's metadata signing certificate.
Explore the IdP
Setting up a Shibboleth Service Provider
× Install and configure Shibboleth SP
× Register SP
× Test SP
× Install and configure a simple application
Overview
Server
10.10.10.14 - apan-sp.aaftest.xyz
Install Software
yum install -y httpd mod_ssl wget
wget http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/security:shibboleth.repo -P /etc/yum.repos.d
The .repo file is fetched over plain HTTP here; check its contents (baseurl and gpgkey) before installing, and prefer https if the mirror offers it.
yum install -y shibboleth
Configure Shibboleth SP
Edit /etc/shibboleth/shibboleth2.xml
× Change the SP's entityID
× Set the SSO entityID to your IdP's entityID
× Load metadata (no signature validation; acceptable only in this test federation, in production keep the Signature MetadataFilter so the SP only trusts IdPs the federation has signed for)
Start Service Provider
× systemctl enable httpd
× systemctl start httpd
× systemctl enable shibd
× systemctl start shibd
Checks
/var/log/shibboleth/*
/var/cache/shibboleth/federation-metadata.xml
https://apan-sp.aaftest.xyz/secure
Register the SP
APAN Jagger: https://rr.aaftest.xyz/rr3
Force a metadata reload on the IdP so it picks up the new SP.
Adding a Simple Application
Install PHP and Git
yum install -y php git
Download the app from GitHub
git clone https://github.com/APAN-TF-IAM/Attribute-Mirror.git
cd Attribute-Mirror/src
mkdir /var/www/html/secure
cp -r * /var/www/html/secure
The app goes under /secure because the stock /etc/httpd/conf.d/shib.conf shipped with the SP package already protects that location with AuthType shibboleth and a required session.
Attributes for the SP
Edit shibboleth2.xml
× attributePrefix="APAN-"
Edit attribute-map.xml
× Uncomment the attributes you require
× All of them for this SP
Restart and login
systemctl restart httpd
systemctl restart shibd
http://apan-sp.aaftest.xyz/secure
Use the https URL: the stock SP configuration (handlerSSL="true", cookieProps="https") only sends its session cookie over TLS, so a plain-http visit will not hold a session.
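What the SP does with the attributes after the attribute-map.xml and attributePrefix edits above, as an added example written for this page (not Shibboleth's own code): the mapping from the SAML attribute names on the wire (the urn:oid names) to local ids, dropping anything still commented out, joining multiple values with ";" as the SP does, and prefixing the resulting variable names with APAN- so the Attribute-Mirror page reads, for example, $_SERVER['APAN-eppn']. The attribute-map.xml fragment, the released attribute set and the use of Python in place of shibd are constructed for the example; the OID names are the standard eduPerson and LDAP ones used in the stock map file.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:attribute-map}"

# Constructed fragment in the shape of /etc/shibboleth/attribute-map.xml after the
# session's edit: eppn, affiliation and displayName uncommented, mail still commented out.
ATTRIBUTE_MAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation"/>
  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
  <!--
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  -->
</Attributes>
"""

# Constructed attribute statement as the IdP released it: wire names -> values.
RELEASED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["alice@aaftest.xyz"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["staff@aaftest.xyz", "member@aaftest.xyz"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["alice@aaftest.xyz"],   # mail: released but not mapped
}


def load_attribute_map(xml_text):
    """wire name -> local id for every <Attribute> the parser actually sees.
    An entry still inside an XML comment never reaches the tree, which is why the
    session says to uncomment the attributes you require."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("id") for a in root.iter(NS + "Attribute")}


def expose_to_application(released, attribute_map, prefix="", separator=";"):
    """Build the variables the web application sees: prefix + local id, with multiple
    values joined by ';' as the Shibboleth SP does. Attributes the map does not
    know are dropped; mapped attributes the IdP did not release simply do not appear."""
    env = {}
    for wire_name, values in released.items():
        local_id = attribute_map.get(wire_name)
        if local_id is None:
            continue
        env[prefix + local_id] = separator.join(values)
    return env


if __name__ == "__main__":
    amap = load_attribute_map(ATTRIBUTE_MAP_XML)
    for name, value in expose_to_application(RELEASED, amap, prefix="APAN-").items():
        print(f"$_SERVER['{name}'] = {value!r}")
```

The prefix only namespaces the variables so the app can tell shibd's attributes apart from anything else in its environment; it is not what stops a browser from injecting them. That protection comes from the SP exposing attributes as server environment variables set by mod_shib rather than as request headers, which a client could forge if header use were enabled.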