
Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Jan 15, 2015


To view a recording of this presentation go to: http://www.acquia.com/resources/acquia-tv/conference/leverage-drupal-shibboleth-and-opensaml-connect-federated-identity-0
Transcript
Page 1: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Using Drupal, SAML, and Shibboleth to bring users to the cloud

Nate Klingenstein, [email protected], Internet2 / InCommon Federation / Shibboleth Consortium

Greg Knaddison, Acquia

30 November, 2011, Acquia Webinar Series

Page 2: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Connecting to the Cloud

• Two necessary infrastructure components

• A great network connection

• Effective Identity Management

• Two necessary business components

• Software architected to integrate with you

• Excellent, professional service


Page 3: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

A Brief History of Identity Management

• Isolated Accounts

• Centralized User Databases

• LDAP, SQL

• Single Sign-On

• Kerberos; various others like CAS, PKI?

• Federated Identity

• SAML, OpenID, OAuth, Shibboleth

Page 4: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Federated Identity

• A generalization of older single sign-on systems

• No tight coupling between identity sources and applications or services

• No presumptions about trust or authority


Page 5: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Federated Identity

• Identity Providers (IdP) supply user information and authentication service

• Generally as a stand-alone service

• Service Providers (SP) process user information, protect, and supply applications with trusted data

• Generally integrated tightly into the web environment


Page 6: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Federated Identity Benefits

• Automated provisioning, but deprovisioning requires some thought

• Provides single sign-on for both local and cloud services

• Authoritative attributes provide applications with quality, trusted data

• Applications can be easily shared between many organizations


Page 7: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud
Page 8: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

SAML v2.0

• Security Assertion Markup Language

• A set of tokens and a set of protocols used to convey those tokens

• Tokens may be used independently of the protocols

• Standardized in March 2005

• Ongoing spec development for new features continues, but likely never a new, breaking version

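The slide describes SAML tokens (assertions) as usable independently of the protocols that carry them. What a service provider actually has to check on such a token before trusting its attributes is the part the bullets leave implicit, so here is an added example (written for this transcript, not code from the slides, Shibboleth or OpenSAML). The assertion, entity IDs, URLs, times and subject are constructed placeholders. It covers issuer, audience restriction, recipient and the validity window with a clock-skew allowance; verifying the XML signature against the IdP's metadata, which the Shibboleth SP does before any of these checks, is out of scope here.

```python
"""Condition checks a SAML 2.0 service provider makes on a bearer assertion.

Added example, not from the slides or from Shibboleth/OpenSAML. All entity
IDs, URLs, timestamps and the subject below are constructed placeholders.
Signature verification against IdP metadata is deliberately not shown.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed values for the SP doing the checking and the IdP it trusts.
EXPECTED_IDP = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://drupal.example.org/shibboleth"
SP_ACS_URL = "https://drupal.example.org/Shibboleth.sso/SAML2/POST"

# Constructed sample assertion, as an IdP response would carry it (unsigned here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder_id" Version="2.0" IssueInstant="2011-11-30T17:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-11-30T17:05:00Z"
          Recipient="https://drupal.example.org/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-11-30T16:59:00Z" NotOnOrAfter="2011-11-30T17:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://drupal.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience,
                       expected_recipient, now_utc, clock_skew_seconds=180):
    """Return a list of violations; an empty list means issuer, audience,
    recipient and the validity window are all acceptable at time now_utc."""
    now = _parse_time(now_utc)
    skew = timedelta(seconds=clock_skew_seconds)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion element"]
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer is not the expected IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience restriction does not name this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData for the bearer")
    else:
        if scd.get("Recipient") != expected_recipient:
            problems.append("recipient is not this SP's assertion consumer URL")
        scd_expiry = scd.get("NotOnOrAfter")
        if scd_expiry and now - skew >= _parse_time(scd_expiry):
            problems.append("subject confirmation expired")
    return problems


def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attributes[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, EXPECTED_IDP, SP_ENTITY_ID,
                             SP_ACS_URL, "2011-11-30T17:01:00Z"))
    print(extract_attributes(SAMPLE_ASSERTION))
```

Attributes are only read after every check passes; the short validity window and the Recipient check are what stop an assertion captured for one SP from being replayed at another, which is why the SP, not the application, owns this logic.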

Page 9: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

SAML v2.0 Deployment

• Widespread Commercial Support

• Oracle, Microsoft, Novell, CA, PingIdentity, etc.

• Widespread SaaS Vendor Support

• Google, Microsoft, Salesforce, ADP, etc.

• Excellent free, open source solutions

• Shibboleth, simpleSAMLphp, OpenSSO, etc.


Page 10: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

SAML 2.0 IdP Deployment

• Wide-spread deployment and dominant market share in a variety of verticals

• Education, finance, real estate, justice, defense, conglomerates

• Approximately 4,000 Research and Education Deployments

• ~100% coverage in some countries

• 10+ million vetted accounts


Page 11: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth

• Project since ~2001, code since ~2003

• Dominant market share in academia

• Thousands of deployments, millions of users

• Widely used in real estate, justice, and increasingly in financial and corporate verticals

• Transitioning from Internet2 project to consortium & new org for sustainability


Page 12: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth

• Free, open-source software

• Small but global development team

• Modified Apache-style licensing; no BSD

• Architected for large-scale multi-lateral identity; easily used for bilateral collaborations too

• Focus on trusted attributes in addition to providing standard single sign-on


Page 13: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Technical Deep Dive Overview

• Geeking out for a moment – please forgive us…

• Identity Provider (IdP) implementation and deployment

• Service Provider (SP) implementation and deployment


Page 14: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth IdP

• Java webapp to be deployed into a standard servlet container

• Apache Tomcat, JBoss, Jetty, etc.

• Future releases will be distributed with a bundled servlet container; existing packaging will still be available


Page 15: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth IdP

• Highly scalable with a variety of clustering options

• Concurrent login attempts CPU-bound, concurrent sessions RAM-bound

• Scales easily to hundreds of thousands

• Designed to integrate with IdM systems, not replace them

• Authentication and attribute connectors available for common choices; extensible


Page 16: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth SP

• Written in C++

• In-process module loaded by webserver

• Apache (worker mode preferred) or ISAPI

• Out-of-process daemon


Page 17: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth SP

• No API

• Application integration at 3 points:

• Session Creation/Login (automatically enforced, or application triggered)

• Session Recall/Attributes (environment variables or header variables with IdP info, user attributes)

• Session Destruction/Logout


Page 18: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth Trust

• As promiscuous or as exclusive as you would like

• Federations are communities of providers that act by the same rules, to reduce the handshake problem

• We don’t have much faith in commercial certificates

• Comes from experience


Page 19: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Drupal and Shibboleth

• Drupal plugin developed by the Hungarian Federation (NIIF)

• Relies on having the Shibboleth SP installed and configured

• We like this: avoids dangers of homemade security software, incorporates new Shibboleth features easily, no lock-in


Page 20: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Drupal and Shibboleth

• Provides basic login and logout links

• Integrated with both Drupal and Shibboleth, making session management easier

• Maps SAML attributes to Drupal roles

• Since Shibboleth interoperates with many commercial SAML offerings, so too will “Shibbolized Drupal”

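Slide 17 says the SP has no API and hands the application its session data and user attributes as environment or header variables; slide 20 says the Drupal module maps SAML attributes to Drupal roles. The following added example (written for this transcript; it is not the NIIF module's code nor anything from the Shibboleth project) shows both handoffs in one place: reading the SP-supplied variables the way an application behind the SP sees them, refusing to use anything that did not come from the SP, and turning attribute values into roles. The variable names (Shib-Session-ID, Shib-Identity-Provider, eppn, affiliation, entitlement) follow the SP's default conventions as I know them, multi-valued attributes are assumed to arrive semicolon-joined, and the sample environment, the trusted IdP and the role table are all constructed.

```python
"""Application-side consumption of a Shibboleth SP session.

Added example, not the NIIF shibauth module or Shibboleth project code.
Variable names follow Shibboleth SP defaults; every value, the trusted IdP
set and the role mapping are constructed for illustration.
"""

SESSION_VARS = ("Shib-Session-ID", "Shib-Identity-Provider", "Shib-Authentication-Instant")
ATTRIBUTE_VARS = ("eppn", "affiliation", "entitlement")

# Constructed: which IdPs this deployment accepts assertions from.
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth"}

# Constructed: (attribute, value) -> application role.
ROLE_MAP = {
    ("affiliation", "staff@example.edu"): "editor",
    ("affiliation", "student@example.edu"): "contributor",
    ("entitlement", "urn:mace:dir:entitlement:common-lib-terms"): "library patron",
}

# Constructed sample of the CGI environment after the SP has created a session.
# HTTP_EPPN models a request header the client itself sent; it must be ignored.
SAMPLE_ENV = {
    "Shib-Session-ID": "_placeholder_session",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "Shib-Authentication-Instant": "2011-11-30T17:00:00Z",
    "eppn": "alice@example.edu",
    "affiliation": "staff@example.edu;member@example.edu",
    "entitlement": "urn:mace:dir:entitlement:common-lib-terms",
    "HTTP_EPPN": "mallory@example.edu",
}


def read_shib_session(env):
    """Return (session_info, attributes) from variables the SP set.

    Raises PermissionError when there is no SP session or the asserting IdP
    is not trusted. Only the SP's own variable names are consulted; HTTP_*
    entries reflect client-controlled request headers and are never read."""
    if not env.get("Shib-Session-ID"):
        raise PermissionError("no SP session; the SP should have forced login first")
    session = {name: env.get(name) for name in SESSION_VARS}
    if session["Shib-Identity-Provider"] not in TRUSTED_IDPS:
        raise PermissionError("session asserted by an IdP this deployment does not trust")
    attributes = {}
    for name in ATTRIBUTE_VARS:
        raw = env.get(name)
        if raw:
            # The SP joins multiple values of one attribute with ';'.
            attributes[name] = [value for value in raw.split(";") if value]
    return session, attributes


def map_roles(attributes):
    """Translate released attribute values into application roles."""
    roles = {"authenticated user"} if attributes.get("eppn") else set()
    for name, values in attributes.items():
        for value in values:
            role = ROLE_MAP.get((name, value))
            if role:
                roles.add(role)
    return roles


def login_decision(env, existing_accounts, auto_provision):
    """Model the login hook: identify the user by eppn and decide whether to
    log in, provision a new account, or deny. auto_provision=False is the
    stricter policy; the slides note the shibauth module always creates accounts."""
    _session, attributes = read_shib_session(env)
    eppn = attributes.get("eppn", [None])[0]
    if eppn is None:
        raise PermissionError("IdP released no eppn; the user cannot be identified")
    if eppn in existing_accounts:
        return {"user": eppn, "action": "login", "roles": map_roles(attributes)}
    if not auto_provision:
        return {"user": eppn, "action": "deny", "roles": set()}
    return {"user": eppn, "action": "provision", "roles": map_roles(attributes)}


if __name__ == "__main__":
    print(login_decision(SAMPLE_ENV, {"alice@example.edu"}, auto_provision=False))
```

The environment-variable handoff is what makes the "no API" model safe: the web server only populates those names from the SP. When a deployment passes attributes as HTTP headers instead, the SP must be configured to overwrite or strip any client-supplied copies, otherwise the application cannot tell an IdP-asserted header from one the browser sent; the `HTTP_EPPN` entry above is exactly the kind of value that must never be consulted.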

Page 21: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Shibboleth, SAML & Acquia Cloud

Page 22: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Example Drupal Deployments

• Two San Francisco-based higher education institutions

• Acquia Commons for faculty, staff, student collaboration

• Second running 21 custom Drupal multi-sites

• Running in Acquia Managed Cloud

• Running SP daemon

• Load balanced with sticky sessions to support Shibboleth

• Could use SP on single web server or shared database storage

• Using sticky sessions improves scalability/reliability

Page 23: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

Example Drupal Deployments

• Benefits

• Centralized auditing of logins

• Provisioning efficiency, de-provisioning completeness

• Gotchas:

• shibauth Drupal module always creates Drupal accounts

Page 24: Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

My Thanks to Acquia

[email protected]

http://www.internet2.edu/

http://www.incommon.org/

http://shibboleth.net/
