ShibbolethSPApplicationModel
Versión 1 (Emilio Penna, Martes, 5 de Enero de 2016 12:58:35 -0300)
1 | 1 | h1. ShibbolethSPApplicationModel |
|
---|---|---|---|
2 | 1 | ||
3 | 1 | ||
4 | 1 | h2. Introduccion: |
|
5 | 1 | ||
6 | 1 | Referencia principal: |
|
7 | 1 | https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationModel |
|
8 | 1 | ||
9 | 1 | The most confusing aspect of the SP software for beginners, aside from all the SAML and federation concepts, is how the software relates to the applications and resources it's being used to protect. Early use tends to lead to a lot of common questions: |
|
10 | 1 | ||
11 | 1 | * Why do I need to install the software on every web server? (Answer "here":https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany) |
|
12 | 1 | * Can I protect multiple "applications" at the same time? |
|
13 | 1 | * What if I'm just hosting a few static web pages? |
|
14 | 1 | * Can I use multiple virtual hosts? Do I *have* to use separate virtual hosts? |
|
15 | 1 | * What if my application is running across multiple physical servers? |
|
16 | 1 | ||
17 | 1 | ||
18 | 1 | h2. Application model at a logical level: |
|
19 | 1 | ||
20 | 1 | An "application" is a collection of resources that are grouped together in the SP configuration and behave as a unit with respect to the functions the SP performs, including session management. |
|
21 | 1 | ||
22 | 1 | ||
23 | 1 | Illustrating concepts: |
|
24 | 1 | ||
25 | 1 | !shibb-sp-app-model.png! |
|
26 | 1 | ||
27 | 1 | h2. ¿Porqué una nueva aplicación? |
|
28 | 1 | ||
29 | 1 | So to put this concretely, if you have a server hosting two directories called "foo" and "bar", then the only way you can get an IdP to treat a request for authentication to "foo" and "bar" differently is to make the two directories logically distinct SPs, each with its own unique entityID. By "differently", we might mean releasing different SAML attributes to each one, or presenting a distinct login page in each case, or even refusing to respond at all. |
|
30 | 1 | ||
31 | 1 | Do you *really* need to create a new application? |
|
32 | 1 | Ver "Valid and Invalid Reasons for Additional Applications" en https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride |
|
33 | 1 | ||
34 | 1 | ||
35 | 1 | h2. Definiendo una nueva aplicacion |
|
36 | 1 | ||
37 | 1 | En una instalación por defecto, tenemos un SP fisico, un SP logico, y una aplicacion (default Application). |
|
38 | 1 | ||
39 | 1 | Si se quiere definir una nueva aplicación en el SP, o un nuevo SP logico: |
|
40 | 1 | ||
41 | 1 | # Definir un nuevo applicationId |
|
42 | 1 | # Configurar recursos web asociados (tipicamente apache config, usando directiva Location) |
|
43 | 1 | # Definir <ApplicationOverride> en shibboleth2.xml e indicar dentro de ese elemento la configuración para esa nueva aplicacion. |
|
44 | 1 | ||
45 | 1 | Aplican reglas de herencia de configuración, ver referencia. |
|
46 | 1 | ||
47 | 1 | ||
48 | 1 | *Si un SP fisico se quiere dividir en dos aplicaciones:* |
|
49 | 1 | ||
50 | 1 | The application is intended to take up the whole of a different virtual host, or is part of a web tree on a virtual host that includes multiple applications? |
|
51 | 1 | ||
52 | 1 | * Opcion 1: separacion por virtual host. Separation by virtual host is the recommended approach because it allows the new application to inherit the default application handlerURL of "/Shibboleth.sso" and greatly limits the amount of additional configuration work. It's also more secure. Ejemplo: |
|
53 | 1 | ** vhost1 - (logical)SP 1 with entityId1 - application 1 (default) |
|
54 | 1 | ** vhost2 - (logical)SP 2 with entityId2 - application 2 (applicationId=2) |
|
55 | 1 | ||
56 | 1 | * Opcion 2: Dividing up a virtual host, on the other hand, requires that you supply at minimum a new <Sessions> element with all of the necessary settings inside, particularly a distinct handlerURL that will be unique to, and be part of, the new application. |
|
57 | 1 | ||
58 | 1 | ||
59 | 1 | h2. Configuración: Application Override |
|
60 | 1 | ||
61 | 1 | Ref: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride |
|
62 | 1 | ||
63 | 1 | One of the most common things you'll do when creating an override is to assign it a special entityID, making it a distinct logical SP living inside the same physical installation (sometimes called "virtualize the SP"). This is done by adding an entityID property to the <ApplicationOverride> element: |
|
64 | 1 | ||
65 | 1 | <pre> |
|
66 | 1 | <ApplicationOverride id="myappname" entityID="https://myapp.example.org/shibboleth"/> |
|
67 | 1 | </pre> |
|
68 | 1 | ||
69 | 1 | ||
70 | 1 | ||
71 | 1 | ---------------- |
|
72 | 1 | ||
73 | 1 | h2. SP config <<<<<<<<<<<<< MOVER A SHIB SP CONFIG |
|
74 | 1 | ||
75 | 1 | shibboleth2.xml main sections: |
|
76 | 1 | ||
77 | 1 | # <RequestMapper> habitualmente omitido, se usan comandos apache |
|
78 | 1 | # <ApplicationDefaults> |
|
79 | 1 | ||
80 | 1 | WebSSO, tiene dos partes principales: |
|
81 | 1 | ||
82 | 1 | 1. Inicio de la interacción SessionInitiator genera AuthnRequest o envia a DiscoveryService (DS) |
|
83 | 1 | 2. Receive Response from IdP - Assertion Consumer Service (ACS): https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAssertionConsumerService |
|
84 | 1 | ||
85 | 1 | Elemento <SSO> en shibboleth2.xml representa servicio que agrupa funciones de los dos anteriores. |
|
86 | 1 | ||
87 | 1 | ||
88 | 1 | h2. Otras referencias: SWITCH |
|
89 | 1 | ||
90 | 1 | https://www.switch.ch/aai/support/presentations/sp-training-2014/T6-2-Shibboleth_SP_Virtualization.pdf |
|
91 | 1 | ||
92 | 1 | * Ejemplo con 1 host, 2 vhost. |
|
93 | 1 | * Separate entityID for each resource, (create keypairs for each) |
|
94 | 1 | * Each resource-logicalSP as separate entities with its respective att reqs. |
|
95 | 1 | * => 1 Phis. SP --> 2 Log. SP |
|
96 | 1 | ||
97 | 1 | h2. Otras referencias: UMBC |
|
98 | 1 | ||
99 | 1 | https://wiki.umbc.edu/display/MW/Configuring+and+Testing+a+New+Shibboleth+SP |
|
100 | 1 | ||
101 | 1 | Menciona escenario con una aplicacion con dos vhost, con un ACS para cada vhost. |
|
102 | 1 | ||
103 | 1 | Fragmento: Note about virtual hosts |
|
104 | 1 | ||
105 | 1 | If your web server includes one or more virtual hosts, and you want the SP to handle requests for these hosts, you need to add an extra set of Assertion Consumer Service (ACS) URLs for each virtual host to the SP's metadata. Just copy the default set of URLs and replace the domain names with the domain name of the virtual host. For example, if one of the ACS URLs is https://www.umbc.edu/Shibboleth.sso/SAML2/POST, and you want the SP to handle the virtual host aok.lib.umbc.edu, you need to add an ACS URL https://aok.lib.umbc.edu/Shibboleth.sso/SAML2/POST |
|
106 | 1 | ||
107 | 1 | Comentarios relacionados con esta opcion (NativeSPApplicationModel): |
|
108 | 1 | ||
109 | 1 | [An SP-application] includes one or more unique handlerURL locations that are specific to the application and are associated only with it. Requests to SP handlers, such as Assertion Consumer Services and Session Initiators, are always prefixed with this URL and are grouped together into the set of resources that make up the application. Usually this URL will contain the path /Shibboleth.sso. There is usually only a single such URL, but if an application spans multiple virtual hosts, then each of those virtual hosts will have its own (usually automatically generated) handlerURL. |
|
110 | 1 | ||
111 | 1 | ||
112 | 1 | h2. Ejemplo configuración (ambiente sp-test). |
|
113 | 1 | ||
114 | 1 | Escenario: se parte de la configuración por defecto del SP (1 SP fisico, 1 SP logico, 1 aplicacion (default)) y se agrega un segundo virtual host. En este caso no se consideró necesario agregar un nuevo SP logico o aplicación, por lo tanto solamente se agregó un ACS (AssertionConsumerService) para el segundo virtual host. |
|
115 | 1 | ||
116 | 1 | Detalles de la configuración: |
|
117 | 1 | ||
118 | 1 | # El SP inicialmente está en el host sp-test.seciu.edu.uy, con entityID=https://sp-test.seciu.edu.uy/idp/shibboleth |
|
119 | 1 | # Se agrega el virtual host con ServerName forma-desa.seciu.edu.uy. |
|
120 | 1 | # En la metadata del SP, se agrega el ACS para el nuevo virtual host, para esto se copia el ACS original, correspondiente al binding que se utiliza (HTTP-POST), y se modifica indicando el nombre de host nuevo y se ajusta el index para que no quede duplicado. Ejemplo de ACS agregado: |
|
121 | 1 | ||
122 | 1 | <pre> |
|
123 | 1 | <code class="xml"> |
|
124 | 1 | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" |
|
125 | 1 | Location="https://forma-desa.seciu.edu.uy/Shibboleth.sso/SAML2/POST" index="7"/> |
|
126 | 1 | </code> |
|
127 | 1 | </pre> |