Shibboleth Studienarbeit 1 2005/2006

Andreas Eigenmann Armin Thommen Joël Stillhart

XML to PDF by RenderX XEP XSL-FO Formatter, visit us at http://www.renderx.com/

Shibboleth: Studienarbeit 1 2005/2006
by Andreas Eigenmann, Armin Thommen, and Joël Stillhart
tutor: Prof. Dr. Andreas Steffen

Published 10.02.2006

Table of Contents

Executive summary ...... viii
Management summary ...... ix
  1. Situation ...... ix
  2. Proceeding ...... ix
  3. Results ...... x
  4. Outlook ...... x
1. Introduction ...... 1
  1. Conceptual formulation ...... 1
  2. Introduction ...... 1
  3. Overview Shibboleth ...... 2
2. Hostsystem for the Shibboleth demonstrator ...... 4
  1. Basic Information ...... 4
  2. User Mode Linux (UML) ...... 4
    2.1. Needed packages ...... 5
    2.2. Network environment ...... 5
  3. Handle a Debian system ...... 5
    3.1. Debian commands ...... 6
    3.2. Configuration files ...... 6
  4. Hostkernel ...... 7
    4.1. Needed packages ...... 7
    4.2. Get kernel and apply SKAS patch ...... 7
    4.3. Kernel configuration, compiling and installation ...... 8
  5. Creating a Debian root filesystem ...... 8
    5.1. Needed packages ...... 8
    5.2. Setting up the system ...... 8
3. Shibboleth demonstrator ...... 12
  1. Components of the Shibboleth demonstrator ...... 12
  2. Requirements ...... 13
  3. Handling the Shibboleth demonstrator ...... 13
    3.1. Configuration of the Shibboleth demonstrator ...... 14
    3.2. Building the Shibboleth demonstrator ...... 14
    3.3. Running the Shibboleth demonstrator ...... 14
    3.4. Stopping the Shibboleth demonstrator ...... 14
  4. Usage of the Shibboleth demonstrator ...... 15
  5. Notes ...... 15
4. Shibboleth interactions ...... 16
5. LDAP backend ...... 27
  1. Introduction ...... 27
    1.1. What is LDAP? ...... 27
    1.2. Usage of LDAP ...... 27
  2. LDAP installation ...... 28
  3. LDAP configuration ...... 28
    3.1. slapd.conf ...... 28
    3.2. ldap.conf ...... 30
  4. Populate the LDAP ...... 31
    4.1. Attribute overview ...... 31
    4.2. Attribute definition ...... 33
    4.3. LDIF Files ...... 40
    4.4. Attribute configuration with a LDAP browser ...... 41
6. Identity Provider (IdP) ...... 45
  1. IdP description ...... 45
    1.1. Introduction ...... 45
    1.2. Tasks ...... 45
    1.3. Components ...... 45
  2. Installation and configuration of an identity provider ...... 46
    2.1. Introduction ...... 46
    2.2. Overview ...... 46
    2.3. Prenotes ...... 47
    2.4. JAVA 1.5 ...... 47
    2.5. Tomcat 5.5 ...... 48
    2.6. Shibboleth IdP 1.3c ...... 51
    2.7. Central Authentication System (CAS) Single Sign On (SSO) - moon.shibbolethtesting.org ...... 53
    2.8. Client certificate based (PKI) Single Sign On (SSO) - sun.shibbolethtesting.org ...... 56
    2.9. Server certificates and keystores ...... 58
    2.10. Tomcat 5.5 configuration ...... 58
    2.11. Shibboleth IdP 1.3c configuration ...... 59
7. Service Provider (SP) ...... 73
  1. SP description ...... 73
    1.1. Introduction ...... 73
    1.2. Tasks of a SP ...... 73
    1.3. Components ...... 73
    1.4. Process flow ...... 74
  2. Installation and configuration of a service provider ...... 75
    2.1. Introduction ...... 75
    2.2. Overview ...... 75
    2.3. Prenotes ...... 75
    2.4. Pretasks ...... 76
    2.5. C/C++ compilers and building tools ...... 77
    2.6. Install libcurl library ...... 77
    2.7. Log4cpp ...... 77
    2.8. Xerces-C++ library ...... 78
    2.9. XML-Security C++ library ...... 78
    2.10. OpenSAML library ...... 79
    2.11. Install Shibboleth SP 1.3 ...... 79
    2.12. Server certificates ...... 80
    2.13. Apache 2 configuration ...... 81
    2.14. Shibboleth SP 1.3 configuration ...... 82
8. WAYF server ...... 93
  1. What is a WAYF server ...... 93
  2. Installation of the WAYF server ...... 93
  3. Configuration of the WAYF server ...... 93
9. Certificates ...... 96
  1. Keys and certificates ...... 96
    1.1. Identity Provider ...... 96
    1.2. Service Provider ...... 96
  2. Creating certificates and keystore ...... 97
    2.1. Creating Java keystore ...... 97
    2.2. Java keystore with trusted CA certificates (Truststore) ...... 97
    2.3. Creating certificates with TinyCA ...... 98
    2.4. Create keystores ...... 100
A. Timetable ...... 102
B. Empiric report ...... 103
  1. Joël Stillhart ...... 103
  2. Andreas Eigenmann ...... 103
  3. Armin Thommen ...... 103
Bibliography ...... 105
Glossary ...... 106

List of Figures

1.1. Example implementation of an AAI environment ...... 2
2.1. Network diagram for the UML environment of the Shibboleth demonstrator ...... 5
3.1. Virtual demonstrator network ...... 13
4.1. Interactions in a Shibboleth project ...... 16
4.2. Initial request ...... 17
4.3. carol.shibbolethtesting.org certificate validation ...... 17
4.4. Certificate storage ...... 17
4.5. dave.shibbolethtesting.org certificate validation ...... 18
4.6. WAYF page ...... 19
4.7. moon.shibbolethtesting.org certificate validation ...... 20
4.8. The login page ...... 21
4.9. The user is forwarded to the initially requested page ...... 25
4.10. The user attributes are displayed on the page ...... 26
5.1. Quick connect window ...... 42
5.2. LDAP basic window ...... 42
5.3. Adding a new node ...... 43
5.4. Node settings ...... 43
5.5. Adding an attribute through the context menu ...... 44
5.6. Adding an attribute through the menu ...... 44
5.7. Attribute settings ...... 44
6.1. Illustration identity provider ...... 46
7.1. Illustration service provider ...... 74
7.2. Illustration of the Shibboleth process flow ...... 75
9.1. Creating a Root CA ...... 98
9.2. Creating a host certificate ...... 99
9.3. Requests for signing the certificates ...... 99
9.4. Exporting the certificates ...... 100
9.5. Importing the key pair ...... 101
9.6. Exporting the keystore ...... 101

List of Tables

5.1. Attribute Overview ...... 32
5.2. Unique ID (swissEduPersonUniqueID) ...... 34
5.3. Surname (sn) ...... 34
5.4. Given Name (givenName) ...... 34
5.5. Date of Birth (swissEduPersonDateOfBirth) ...... 34
5.6. Gender (swissEduPersonGender) ...... 35
5.7. Preferred Language (preferredLanguage) ...... 35
5.8. E-mail Address (mail) ...... 35
5.9. Home Postal Address (homePostalAddress) ...... 35
5.10. Business Postal Address (postalAddress) ...... 36
5.11. Private Phone Number (homePhone) ...... 36
5.12. Business Phone Number (telephoneNumber) ...... 36
5.13. Mobile Phone Number (mobile) ...... 36
5.14. Home Organization (swissEduPersonHomeOrganization) ...... 37
5.15. Home Organization Type (swissEduPersonHomeOrganizationType) ...... 37
5.16. Affiliation (eduPersonAffiliation) ...... 37
5.17. Study Branch 1 (swissEduPersonStudyBranch1) ...... 37
5.18. Study Branch 2 (swissEduPersonStudyBranch2) ...... 38
5.19. Study Branch 3 (swissEduPersonStudyBranch3) ...... 38
5.20. Study Level (swissEduPersonStudyLevel) ...... 38
5.21. Staff Category (swissEduPersonStaffCategory) ...... 38
5.22. Organization Path (eduPersonOrgDN) ...... 39
5.23. Organizational Unit Path (eduPersonOrgUnitDN) ...... 39
5.24. Group Membership (eduPersonEntitlement) ...... 39
5.25. System login name (uid) ...... 39
5.26. Password (userPassword) ...... 40
A.1. Timetable ...... 102

Executive summary

To handle access and permissions for different web resources, even from different or distributed organisations, a powerful and scalable application is needed. A sophisticated solution which fulfills all these requirements is Shibboleth.

Shibboleth is an authentication and authorization environment based on common web technologies, developed and maintained by the Internet2 consortium.

The main advantages of Shibboleth are its scalability and the various authentication possibilities. Therefore Shibboleth can be integrated into already existing authentication mechanisms.

Our task was to set up a Shibboleth environment on User Mode Linux with five different virtual hosts:

• Two service providers

• Two identity providers

• One "Where are you from" server

This Shibboleth demonstrator is supposed to be a teaching tool. It should help students and interested people to gain a detailed view of Shibboleth. In contrast to other simulations, on a User Mode Linux environment all the software is really installed and therefore can be configured independently. Another benefit is the size: because the packages for the Shibboleth demonstrator fit on one CD, it is very useful for presentations and meetings. Further there is no need for any internet connection or for installing any other software.

User Mode Linux (UML) is a Linux system on which other virtual Linux systems are running. On these virtual hosts we installed several components which are used by the Shibboleth application. These were basically the Apache web server, the Tomcat web server and LDAP. Then the Shibboleth application had to be configured; this also included a bunch of certificates and keystores. Further we had to adapt some scripts to start up the virtual instances. Because of the complexity, a big part of our work was the documentation, which included a manual for the internet security course lab.

Installing software like Shibboleth, which includes several other software components, can be very intricate. Not only because some software components may change their versions, but also because the host systems change on a regular basis. All this made it hard to arrange an applicable timetable. Since there were no severe problems, we were able to finish the given task in time.

Management summary

1. Situation

The Shibboleth environment is a topic in the internet security course at the University of Applied Sciences Rapperswil. The labs for the internet security course were based on a Strongswan user mode Linux with only two hosts. There was no WAYF server included and no certificate authentication was possible. There exists no really good Shibboleth demonstrator for possible customers. On the web there are some online demonstrators, but there it is not possible to see all the configuration files. To understand and show how Shibboleth can be configured, access to these different components is necessary.

It is not very difficult to find some Shibboleth demo installations, even with some installation and configuration information. Here is one example we found on the internet:

• Switch http://www.switch.ch/AAI

The demonstrations are all about the same: simple login and forward. But to see behind the scenes, none of them is very useful. They do not let you play with the configuration, add users or add other attributes.

The aim of this project was properly defined: a Shibboleth demonstrator on a User Mode Linux, with a manual for the internet security course lab. The demonstrator includes five running UML instances:

• Two service providers (SP)

• Two identity providers (IdP)

• One where are you from server (wayf)

For the implementation we were free to use our preferred tools and we also had the possibility to implement the UML host in our favourite Linux distribution, Debian. This made it easier for us and we could improve our skills in Debian Linux. For us it was also comfortable to build our user mode Linux on already existing scripts from the Strongswan project.

2. Proceeding

Since Shibboleth and User Mode Linux are not easy to understand, we spent a few hours getting into these topics. We mainly studied the manuals we found on the Switch and Internet2 web pages. Both of these institutions have several complete installation and configuration guides. Information about User Mode Linux is not that popular on the internet. The best information we found on the user-mode-linux.org page.

We started with building up our host system with Debian Linux. This included downloading, installing, configuring and patching the system for User Mode Linux usage. Then the root filesystems for the virtual hosts were built. With some scripting the instances could be started up. At this point the Shibboleth software and the web servers were installed.


The configuration of the Shibboleth demonstrator was divided into several smaller parts, like installing keystores on web servers and creating user and server certificates. The users in the LDAP directory had to be created and the attributes had to be defined.

During the installation no severe problems occurred. As we were testing the application we recognized that the client authentication at the identity provider failed. Temporarily we tried to bypass this problem by adding the client certificate to the IdP truststore. Because we had no idea what the exact problem was, we were not able to find a solution for weeks. Sniffing and analyzing traffic, reinstalling keystores, installing another Tomcat version and posting in mailing lists did not solve our problem. As we made new certificates in TinyCA and installed them, we found out that Tomcat distinguishes between "user certificates" and "server certificates". We did not think of this, because normally applications do not check this attribute.

We decided together with our tutor that the authentication mechanism on the IdP "sun" will be certificate based. This was not defined at the beginning, but we all thought that client authentication would be a nice example for the adaptability of Shibboleth.

Another interesting part of our work was to prepare the lab for the internet security course. We tried to fill the two lessons with exciting and useful tasks. After this lab, the students should know how Shibboleth works and what the benefits are. In the first part the students read the chapters "Interactions", "Service provider", "Identity provider" and "LDAP" of this documentation. The students should then have an overview and be familiar with the terms used in the manuals. Further the students authenticate themselves, so they see again how Shibboleth works. In the next task they add a new user to the LDAP, add attributes and create a certificate for this user. Then the students should be able to log on with this user certificate. This shows how simple it can be to add new users and how flexible Shibboleth is. Further the lab includes some technical questions. The answers can all be found in the documentation.

3. Results

At the end we handed out a CD with the complete Shibboleth environment to our professor. To start the demonstrator, the CD only has to be mounted and installed on a Linux system. This CD also contains the documentation, pictures and scripts for the Shibboleth demonstrator.

Since the Shibboleth demonstrator is working properly and all the features are implemented, we can say that we accomplished the requirements.

Because Shibboleth is based on Open Source software only and is also free of charge, we had no expenses.

4. Outlook

All the software for the Shibboleth environment is included in the virtual images on the CD. Therefore if a version of any software changes, there is no need to update the system. The Shibboleth demonstrator is running on every Linux system with the patch for User Mode Linux (SKAS3). Since the Shibboleth components are coordinated, it is not recommended to exchange components.

Because five virtual instances run simultaneously in the running environment, a lot of main memory is needed. So it is not recommended to run much other software alongside the Shibboleth demonstrator.

Chapter 1. Introduction

1. Conceptual formulation

Shibboleth demonstrator in a User Mode Linux environment
students: Andreas Eigenmann, Joël Stillhart, Armin Thommen
tutor: Prof. Dr. Andreas Steffen
start: 24th of October 2005
end: 10th of February 2006

Conceptual formulation

• Get acquainted with the subjects "Shibboleth", "Tomcat", "LDAP" and "User-Mode Linux".

• Set up a UML root file system based on Gentoo Linux.

• Expand the existing demonstrator with two identity providers (moon, sun), two service providers (winnetou, carol) and a "Where are you from" server (dave). It is possible to set up the identity providers directly as a Tomcat server without redirection over Apache.

• On the identity providers set up an LDAP server. Define user profiles for several test users.

• The final product should be a CD with a UML Shibboleth environment which can be built up and started through a script. Further on, create a detailed manual for the students who are visiting the module "Internet Sicherheit 2" and who want to become familiar with Shibboleth.

2. Introduction

The Shibboleth system offers a powerful solution to share secured online services or access restricted digital content. At this time Shibboleth is already used as an authentication and authorisation infrastructure (AAI) at several institutions. The Shibboleth project was initiated and is now maintained by the Internet2/MACE (Middleware Architecture Committee for Education) [1] consortium.

For a number of reasons, resource owners may want to restrict the access to their resources (e.g. e-learning applications, research databases, e-journals etc.) to certain user groups, or provide user-specific contents. In both cases authentication and authorization are required.

[1] Internet2 official home page, http://shibboleth.internet2.edu/


Figure 1.1. Example implementation of an AAI environment

In this student research project we are setting up a User Mode Linux (UML) environment with five instances. On these instances a whole Shibboleth installation is simulated. Therefore it is much easier to get an overview of all the steps made in a successful authentication and authorization process. Further the UML will be used as a template for the Internet security labs. There the students will configure some parts of a system to get a closer look at the Shibboleth implementation.

3. Overview Shibboleth

The Shibboleth architecture falls back on several existing technologies:

• Hypertext Transfer Protocol (HTTP)

• Extensible Markup Language (XML)

• XML Schema

• XML Signature

• SOAP

• Security Assertion Markup Language (SAML)

All these technologies are required to set up a distributed AAI service. Later on we will have a closer look at these different technologies and their configuration. Because the login process is quite complicated, we will first have a look at the individual steps.

A fully featured Shibboleth installation can be divided into three parts:

• Service Provider (SP)

• Identity Provider (IdP)


• Where are you from server (WAYF)

Chapter 2. Hostsystem for the Shibboleth demonstrator

This chapter describes the structure of the host system and the configuration of its components, which are needed to run a UML system. Further some Debian specific commands will be explained and an overview of the UML network will be given.

1. Basic Information

Below are some basic information about the hostsystem, on which the Shibboleth demonstrator is running.

• Distribution: Debian Etch (testing tree)

• Filesystem: ReiserFS

• Kernel version: 2.6.14

• SKAS3 patch version: 2.6.14-rc3-v9-pre7

2. User Mode Linux (UML)

User Mode Linux [1] is a Linux system on which other virtual Linux systems are running. UML stands for User Mode Linux and should not be mixed up with the Unified Modeling Language.

Here are some closer explanations of how to set up a stable User Mode Linux system. For the detailed installation description go to the section "Hostkernel". First of all, a host kernel has to be compiled and patched with the "SKAS3" patch. The patch has to be applied in order to improve the security and performance of the system.

It doesn't matter what kind of Linux is used; for the host system you are free to choose your preferred Linux distribution. We chose the Debian [2] distribution as our host system because Debian is a very stable and well maintained distribution, but also because we are most familiar with this Linux. In a later step we will migrate it to Gentoo [3], because in the labs this is the only available host system. The virtual hosts are based on Debian. There is no need to migrate them, because they will also run on the Gentoo host system.

After the host is up and running we start setting up the virtual host systems. First we download the distribution for the virtual hosts, compile and patch it. After that, we create a new root filesystem (section "Creating a Debian root filesystem"). With some additional scripting we are able to start as many virtual instances on our host as we like. Each virtual host owns an IP address, so the communication with the other hosts is guaranteed.

[1] UML developer, http://user-mode-linux.sourceforge.net
[2] Debian Distribution, http://www.debian.org
[3] Gentoo Distribution, http://www.gentoo.org

2.1. Needed packages

To run a User Mode Linux, the package uml-utilities is needed. With the following command it can be installed.

# aptitude install uml-utilities

2.2. Network environment

The Shibboleth demonstrator UML network consists of five components: two identity providers, two service providers and one WAYF server. The figure below shows the network structure.

Figure 2.1. Network diagram for the UML environment of the Shibboleth demonstrator

3. Handle a Debian system

The UML root filesystem is Debian Linux based. Like any other Linux distribution, Debian has some special commands. For the use of the Shibboleth demonstrator, moderate Linux skills are required. So we will only explain the Debian specific commands and configuration files.

3.1. Debian commands

3.1.1. aptitude (Package Management)

Aptitude is the frontend for APT (Advanced Packaging System) which handles the package system. Packages in Debian are available as binaries and source code packages. Normally packages will be installed as binaries.

• aptitude install mypackage Installs the package "mypackage" from the Debian package system.

• aptitude remove mypackage Removes the package with the name "mypackage".

• aptitude update Updates the package list of available packages.

• aptitude dist-upgrade Installs all new packages on the system (upgrades packages after a aptitude update).

• aptitude clean Deletes all downloaded packages (cleans the cache).

3.1.2. Kernel package system

To compile a kernel under Debian Linux please see the section "Hostkernel" below.

3.2. Configuration files

3.2.1. Aptitude

• /etc/apt/sources.list - Defines the hosts where the packages for the distribution are located.

3.2.2. Network

• /etc/network/interfaces - Network interfaces and their corresponding IP addresses, netmask etc. can be defined.

3.2.3. Startup scripts

Debian Linux is an init-based system. Init starts all programs on the basis of the appropriate rc levels through startup scripts, which are located in /etc/init.d/ . To set the right rc levels, the following commands will be used.

• update-rc.d mydaemon defaults Installs the rc links for the default runlevels of the startup script mydaemon ( /etc/init.d/mydaemon ). The default runlevels are a suitable value for most applications.

• update-rc.d mydaemon remove Removes the rc links of the startup script mydaemon ( /etc/init.d/mydaemon ). The startup script itself remains untouched.

4. Hostkernel

To run a UML system properly, a specially patched kernel is needed. In this section we describe how to patch, compile and install a kernel with the Debian package system.

4.1. Needed packages

The packages below should be already installed: gcc, libc6-dev, binutils, make, gawk or mawk, gzip, shellutils, grep, bin86

To configure and compile a kernel with the Debian package system, two additional packages are needed.

# aptitude install libncurses5-dev kernel-package

Now the kernel package config file ( /etc/kernel-pkg.conf ) can be altered. Only the value for the maintainer should be changed.

4.2. Get kernel and apply SKAS patch

We get the newest vanilla kernel [4]:

# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.14.tar.bz2

and also the corresponding SKAS3 patch [5]:

# wget http://www.user-mode-linux.org/~blaisorblade/patches/\
  skas3-2.6/skas-2.6.14-rc3-v9-pre7/skas-2.6.14-rc3-v9-pre7.patch.bz2

Unpack and apply the patch:

# tar -xjvf linux-2.6.14.tar.bz2
# ln -s linux-2.6.14 linux
# bunzip2 -v skas-2.6.14-rc3-v9-pre7.patch.bz2
# cd linux
# patch -p1 < ../skas-2.6.14-rc3-v9-pre7.patch

[4] Official kernel website, http://www.kernel.org
[5] Official SKAS3 website, http://www.user-mode-linux.org/~blaisorblade/

4.3. Kernel configuration, compiling and installation

Before the kernel can be compiled, we have to configure it. The /proc/mm feature under "Processor type and features" and TUN/TAP under "Network device support" have to be enabled. The kernel can be configured through the following commands:

# cd /usr/src/linux
# make menuconfig

Now we are able to compile the kernel through the Debian package system. The result will be a Debian package file.

# make-kpkg clean
# make-kpkg --append-to-version=.skas-kernel-01 --revision=1.0 kernel_image

The Debian package file can be installed with the following commands:

# cd /usr/src
# dpkg -i "yourKernel.deb"
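The download, patch and build steps of sections 4.2 and 4.3 combined into one script, as an added example that is not part of the original documentation. It keeps the page's kernel and patch versions as defaults; the version-consistency check (patch_matches_kernel), the patch --dry-run before the real patch run, and the script name build_skas_kernel.sh are additions and assumptions. The privileged build runs only when invoked with the argument "build", so sourcing the file just defines the functions.

```shell
#!/bin/sh
# build_skas_kernel.sh - added example, not a script from the Studienarbeit.
# Chains sections 4.2/4.3: fetch kernel + SKAS3 patch, patch, configure, build.
# Versions and paths default to the page's values; override via environment.
set -eu

KVER=${KVER:-2.6.14}
SKAS=${SKAS:-skas-2.6.14-rc3-v9-pre7}
SRC=${SRC:-/usr/src}
KERNEL_URL="http://www.kernel.org/pub/linux/kernel/v2.6/linux-$KVER.tar.bz2"
PATCH_URL="http://www.user-mode-linux.org/~blaisorblade/patches/skas3-2.6/$SKAS/$SKAS.patch.bz2"

# Return 0 when the SKAS patch name carries the same kernel version as the
# tarball ("skas-2.6.14-rc3-..." vs "2.6.14").  A patch for another kernel
# applies with fuzz or rejected hunks and yields an unreliable SKAS host.
# $1 = kernel version, $2 = SKAS patch base name.  (Helper added here.)
patch_matches_kernel() {
    pv=$(printf '%s' "$2" | sed -n 's/^skas-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$pv" ] && [ "$pv" = "$1" ]
}

build_skas_kernel() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    patch_matches_kernel "$KVER" "$SKAS" \
        || { echo "patch $SKAS does not match kernel $KVER" >&2; return 1; }
    cd "$SRC"
    wget -c "$KERNEL_URL" "$PATCH_URL"
    tar -xjf "linux-$KVER.tar.bz2"
    ln -sfn "linux-$KVER" linux
    bunzip2 -kf "$SKAS.patch.bz2"
    cd linux
    # Dry run first: if a hunk fails here the source tree is left untouched.
    patch --dry-run -p1 < "../$SKAS.patch"
    patch -p1 < "../$SKAS.patch"
    # Interactive: enable /proc/mm (Processor type and features) and
    # TUN/TAP (Network device support) as described in section 4.3.
    make menuconfig
    make-kpkg clean
    make-kpkg --append-to-version=.skas-kernel-01 --revision=1.0 kernel_image
    echo "done: install the resulting .deb in $SRC with dpkg -i"
}

case ${1:-} in
    build) build_skas_kernel ;;
esac
```

Run as root with `sh build_skas_kernel.sh build`; setting KVER and SKAS to mismatching values makes the version check refuse before anything is downloaded.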

5. Creating a Debian root filesystem

5.1. Needed packages

To set up a root filesystem with Debian, the debootstrap utility, which is responsible for the installation of the base system, is needed. Debootstrap can be installed through the Debian package system with the following command.

# aptitude install debootstrap

5.2. Setting up the system

Before we can download and install our system with debootstrap, we have to create an image and attach it to a loop device, which is then mounted on a directory. For the filesystem we use ReiserFS because this is a common and stable journaling filesystem.

# mkdir /usr/local/rootFS
# mkdir /mnt/rootFS
# cd /usr/local/rootFS
# dd if=/dev/zero of=./root_fs-reiser bs=1024k count=1000
# mkreiserfs -f root_fs-reiser
# losetup /dev/loop0 root_fs-reiser
# mount /dev/loop0 /mnt/rootFS
# cd /mnt/rootFS
# /usr/sbin/debootstrap --arch i386 etch /mnt/rootFS \
  http://mirror.switch.ch/ftp/mirror/debian/

The base system is now installed. For an easier configuration of the UML root filesystem we copy some files (e.g. network and DNS configuration files) from the host system to the image.

# cp /etc/network/interfaces /mnt/rootFS/etc/network/interfaces
# cp /etc/apt/sources.list /mnt/rootFS/etc/apt/sources.listNew
# cp /etc/resolv.conf /mnt/rootFS/etc/resolv.conf
# cp /etc/hosts /mnt/rootFS/etc/hosts

The next step is the configuration of the Debian base system. For this purpose we have to switch to our virtual system with chroot.

# chroot /mnt/rootFS
# passwd root
# mount /proc

APT is the package system from Debian. To install Debian packages from the mirrors we have to configure apt.

# apt-setup
# mv /etc/apt/sources.listNew /etc/apt/sources.list
# aptitude update
# aptitude upgrade
# dpkg -P pcmcia-cs
# aptitude install locales
# aptitude clean

After we have updated our system and installed the locales, they can be configured with the following commands. In the menu we enabled the locales swiss, en_US, en_GB and en_US.UTF-8.

# dpkg-reconfigure locales
# dpkg-reconfigure console-data

We adjust the time by setting a symlink from the right timezone to localtime.

# ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime


Debian GNU/Linux supports the glibc Native POSIX Thread Library (NPTL) but the 2.6 UML Linux kernel does not. So we have to rename the /lib/tls directory.

# mv /lib/tls /lib/tls.disable

By default, all virtual terminals are enabled. To prevent terminal flooding after starting the UML instances, all unnecessary terminals are disabled. Below are the files /etc/inittab and /etc/securetty with the correct ttys; the excluded ones are commented out with a "#".

# nano -w /etc/inittab

0:2345:respawn:/sbin/getty 38400 tty0
1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6

# nano -w /etc/securetty

#Standard consoles
tty0
...

For the UML instances, we have to adapt the /etc/fstab file, where the devices for the root and the proc file system have to be set. The proc filesystem isn't needed later for the UML instances. It is only used for the installation of the root file system and should be commented out later.

# echo "# file-system mount-point type options dump pass" > /etc/fstab
# echo "/dev/ubd0 / reiserfs defaults 0 0" >> /etc/fstab
# echo "proc /proc proc defaults 0 0" >> /etc/fstab

At the end, devices for the uml instances have to be generated and the proc filesystem should be unmounted.

# cd /dev
# for i in 0 1 2 3 4 5 6 7; do mknod ubda$i b 98 $i; done
# umount /proc
# exit

After leaving the chroot environment, the image has to be unmounted and the loop device detached. Check first that nothing still has files open on the image.

# lsof -a /mnt/rootFS/
# cd /
# umount /mnt/rootFS
# losetup -d /dev/loop0
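The root-filesystem procedure of section 5.2 as one script, added here as an example and not part of the original documentation. It uses the page's paths, image size, suite and mirror as defaults; the helper functions (trim_inittab, uml_fstab, ubd_mknod_cmds, assert_unused), the use of fuser -m to verify that nothing still holds the image open before it is detached, and the script name build_uml_rootfs.sh are assumptions. The interactive steps inside the chroot (passwd, apt-setup, locales, the /lib/tls rename) are left to the operator, as on the page.

```shell
#!/bin/sh
# build_uml_rootfs.sh - added example, not a script from the Studienarbeit.
# Chains the section 5.2 steps; privileged work runs only with "build"/"detach".
set -eu

IMAGE_DIR=${IMAGE_DIR:-/usr/local/rootFS}
IMAGE=${IMAGE:-root_fs-reiser}
IMAGE_MB=${IMAGE_MB:-1000}
MNT=${MNT:-/mnt/rootFS}
SUITE=${SUITE:-etch}
MIRROR=${MIRROR:-http://mirror.switch.ch/ftp/mirror/debian/}
LOOPDEV=${LOOPDEV:-/dev/loop0}

# Print an inittab with every getty on tty2..tty9 commented out, keeping
# tty0/tty1: the edit the page makes by hand in nano.  $1 = inittab path.
trim_inittab() {
    sed '/^[2-9]:[0-9]*:respawn:.*getty.*tty[2-9]$/s/^/#/' "$1"
}

# Print the three-line /etc/fstab for a UML guest: root on the first ubd
# block device, proc only while the image is being installed.
uml_fstab() {
    printf '%s\n' \
        '# file-system mount-point type options dump pass' \
        '/dev/ubd0 / reiserfs defaults 0 0' \
        'proc /proc proc defaults 0 0'
}

# Print the mknod commands for the UML block devices ubda0..ubda7 exactly as
# the page creates them (major 98, minor = index), reviewable before use.
ubd_mknod_cmds() {
    for i in 0 1 2 3 4 5 6 7; do
        printf 'mknod ubda%s b 98 %s\n' "$i" "$i"
    done
}

# Refuse to detach while something still has files open on the image
# (typically a chroot shell left open); unmounting underneath it corrupts
# the fresh ReiserFS.  fuser -m exits non-zero when nothing uses the mount.
assert_unused() {
    if fuser -m "$MNT" >/dev/null 2>&1; then
        echo "error: $MNT is still in use" >&2
        return 1
    fi
}

build_rootfs() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    mkdir -p "$IMAGE_DIR" "$MNT"
    cd "$IMAGE_DIR"
    dd if=/dev/zero of="$IMAGE" bs=1024k count="$IMAGE_MB"
    mkreiserfs -f "$IMAGE"
    losetup "$LOOPDEV" "$IMAGE"
    mount "$LOOPDEV" "$MNT"
    debootstrap --arch i386 "$SUITE" "$MNT" "$MIRROR"
    # Seed the guest with the host's network and DNS files, as in 5.2.
    cp /etc/network/interfaces "$MNT/etc/network/interfaces"
    cp /etc/resolv.conf "$MNT/etc/resolv.conf"
    cp /etc/hosts "$MNT/etc/hosts"
    cp /etc/apt/sources.list "$MNT/etc/apt/sources.listNew"
    # Guest-side edits that need no chroot: consoles, fstab, device nodes.
    trim_inittab "$MNT/etc/inittab" > "$MNT/etc/inittab.new" \
        && mv "$MNT/etc/inittab.new" "$MNT/etc/inittab"
    uml_fstab > "$MNT/etc/fstab"
    (cd "$MNT/dev" && ubd_mknod_cmds | sh)
    echo "base system in $MNT; now: chroot $MNT (passwd root, apt-setup,"
    echo "aptitude update/upgrade, dpkg-reconfigure locales, mv /lib/tls"
    echo "/lib/tls.disable), exit, then: sh $0 detach"
}

detach_rootfs() {
    assert_unused
    umount "$MNT"
    losetup -d "$LOOPDEV"
}

case ${1:-} in
    build)  build_rootfs ;;
    detach) detach_rootfs ;;
esac
```

The pure text helpers can be exercised without root: feeding a Debian inittab to trim_inittab shows exactly which getty lines will be silenced before the image is touched.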

Chapter 3. Shibboleth demonstrator

This chapter describes the requirements to run the Shibboleth demonstrator and its handling.

1. Components of the Shibboleth demonstrator

The Shibboleth demonstrator consists of five components. These are:

• sun.shibbolethtesting.org - Identity provider with client authentication based on browser certificates. One browser certificate is available in the directory Certificates on the CD.

• moon.shibbolethtesting.org - Identity provider which authenticates the user on the basis of username and password. Possible values are:

• username: ddiggler, password: tuxmux

• username: mpowers, password: tuxmux

• username: sshine, password: tuxmux

• username: sspitz, password: tuxmux

• carol.shibbolethtesting.org - Service provider which provides the secure web application on https://carol.shibbolethtesting.org/secure . The PHP application on it will show user attributes after a successful authentication on an identity provider.

• winnetou.shibbolethtesting.org - Service provider which provides the secure web application on https://winnetou.shibbolethtesting.org/secure . The PHP application on it will show user attributes after a successful authentication on an identity provider.

• dave.shibbolethtesting.org - WAYF server of the Shibboleth demonstrator. On a WAYF server a user chooses the home organisation at which he would like to authenticate himself.


Figure 3.1. Virtual demonstrator network

2. Requirements

To run the Shibboleth demonstrator successfully, the following requirements have to be fulfilled:

• a modern x86 host system with Linux installed (at least a 2.6.9 kernel with SKAS 3 patch)

• at least 1024 MB memory

• enough hard disk space: one built Shibboleth demonstrator needs 5 GB

• the uml-utilities package to run UML instances has to be installed

• tuxmux - password for the UML instances (login name is root)

3. Handling the Shibboleth demonstrator

The Shibboleth demonstrator is delivered on a CD. The CD contains everything that is needed to configure, build, run and stop the Shibboleth demonstrator. The Shibboleth demonstrator CD contains the following components:

• debian-RootFS.tbz2 - Debian root filesystem for the UML instances

• linux-2.6.14.tar.bz2 - Kernel for the UML instances

• .config-2.6.14 - configuration file for the UML Kernel

• testing.tbz2 - the files and scripts to run the Shibboleth demonstrator


The Shibboleth demonstrator has to be run with super user rights, so logging in as root is fine. By default the Shibboleth demonstrator is placed in the directory /root/ShibbolethTesting . The directory is copied from the CD to the /root directory.

# cp -r /media/cdrom0/ShibbolethTesting /root/

To use the Shibboleth demonstrator, the file testing.tbz2 has to be unpacked and the hosts file has to be copied to /etc .

# cd /root/ShibbolethTesting
# tar -xjvf testing.tbz2
# cp hosts /etc/

Now the Shibboleth demonstrator is ready to be configured.

3.1. Configuration of the Shibboleth demonstrator

The configuration of the Shibboleth demonstrator is made in the file /root/ShibbolethTesting/testing/testing.conf . With the default values the system should now run, if the requirements described above are fulfilled.

3.2. Building the Shibboleth demonstrator

To build the Shibboleth demonstrator, only the command ./make-testing in the directory /root/ShibbolethTesting/testing/ has to be executed. The output messages in the shell show whether the individual building tasks succeeded. If the building process is successful, five xterms are started.

3.3. Running the Shibboleth demonstrator

The Shibboleth demonstrator can be started with a particular selection of virtual hosts or with all of them. The following starting commands are allowed:

• ./start-testing - This is the default mode, all instances will be started

• ./start-testing moon carol dave - Only the instances moon, carol and dave will be started. It is possible to start any combination of hosts. Valid values for the hostnames are moon, carol, dave, sun and winnetou.

3.4. Stopping the Shibboleth demonstrator

The Shibboleth demonstrator can only be stopped manually, so we have to log in to each UML instance and halt it. E.g.

...


Debian GNU/Linux testing/unstable carol tty0

carol login: root
Password: tuxmux

# halt

4. Usage of the Shibboleth demonstrator

After the Shibboleth demonstrator is started, a user can access the web applications with a web browser. The following web resources are available: https://carol.shibbolethtesting.org/secure and https://winnetou.shibbolethtesting.org/secure . After accessing a web application, the user is redirected to the WAYF server, where he chooses his home organisation for the authentication. After a successful authentication, the user has access to the PHP web resource on the chosen service provider.

5. Notes

1. If the "remember" function on the WAYF is selected, it is not possible to choose another IdP until the browser is closed, because the session is still valid for the chosen identity provider.

2. If it is not possible to access the web resources with the browser even though the Shibboleth demonstrator was started, check with ping whether the instances are reachable. If not, the instances should be stopped and restarted. If this also does not work, the computer has to be restarted.

3. When a user runs the Shibboleth demonstrator with only 512 MB memory, the Shibboleth demonstrator and the host system do not run properly. The following symptoms can occur:

• Tomcat Out of Memory Exceptions in the UML instances.

• Poorly performing applications on the host system.

Chapter 4. Shibboleth interactions

This chapter describes how the Shibboleth life cycle works. The explanations are based on annotated figures and on HTTP and SAML fragments. Each single step in the figure below is described in the following listing.

Figure 4.1. Interactions in a Shibboleth project.

1. The user establishes a connection to the service provider (carol.shibbolethtesting.org). The request for the protected resource is made with a regular HTTPS GET. Because a secure connection is established and the root certificate is not included in the browser, a pop-up window [ Figure 4.3 ] is displayed. This pop-up window is followed by another [ Figure 4.4 ], where you are free to choose whether you want to store the certificate for the current session only or permanently.

GET /secure/ HTTP/1.1
Host: carol.shibbolethtesting.org


Figure 4.2. Initial request.

Figure 4.3. carol.shibbolethtesting.org certificate validation.

Figure 4.4. Certificate storage.

2. If the user is not registered yet, he is forwarded to the WAYF server (dave.shibbolethtesting.org). The service provider decides whether the user is accepted or not based on the presence of the session cookie.

HTTP/1.x 302 Found
Location: https://dave.shibbolethtesting.org/shibboleth-wayf/WAYF\
    ?shire=https://carol.shibbolethtesting.org/Shibboleth.sso\
    &target=https://carol.shibbolethtesting.org/secure/\
    &providerId=urn:mace:shibbolethtesting.org:carol

The redirect is carried out by the user's browser, which therefore has to send a new HTTP request (step 2.1).

GET /shibboleth-wayf/WAYF\
    ?shire=https://carol.shibbolethtesting.org/Shibboleth.sso\
    &target=https://carol.shibbolethtesting.org/secure/\
    &providerId=urn:mace:shibbolethtesting.org:carol HTTP/1.1
Host: dave.shibbolethtesting.org

3. The WAYF server sends back a simple web page on which the user chooses his home location (identity provider) from a selection list. Before that, the certificate pop-up dialog is displayed again.

HTTP/1.x 200 OK
Set-Cookie: JSESSIONID=ABA262C37103B02AB65D16B1D0EB3359; Path=/xxx; Secure
Content-Type: text/html;charset=ISO-8859-1

[... HTML Code ...]

Figure 4.5. dave.shibbolethtesting.org certificate validation.


Figure 4.6. WAYF page.

4. The user submits his selection with the following request:

GET /shibboleth-wayf/WAYF\
    ?shire=https://carol.shibbolethtesting.org/Shibboleth.sso\
    &target=https://carol.shibbolethtesting.org/secure/\
    &action=selection\
    &origin=urn:mace:shibbolethtesting.org:moon\
    &cache=TRUE HTTP/1.1
Host: dave.shibbolethtesting.org
Cookie: JSESSIONID=ABA262C37103B02AB65D16B1D0EB3359

5. The WAYF server stores the choice in a cookie (only if desired) and forwards the user to the chosen identity provider.

HTTP/1.x 302 Moved Temporarily
Set-Cookie: edu.internet2.middleware.shibboleth.wayf.selectedHandleService=\
    https://moon.shibbolethtesting.org/shibboleth-idp/SSO; Path=/
Location: https://moon.shibbolethtesting.org/shibboleth-idp/SSO\
    ?target=https://carol.shibbolethtesting.org/secure/\
    &shire=https://carol.shibbolethtesting.org/Shibboleth.sso

Again the browser issues the new GET request (step 5.1).


GET /shibboleth-idp/SSO\
    ?target=https://carol.shibbolethtesting.org/secure/\
    &shire=https://carol.shibbolethtesting.org/Shibboleth.sso HTTP/1.1
Host: moon.shibbolethtesting.org
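Steps 2 to 5.1 carry the shire and target parameters from the service provider through the WAYF to the identity provider. The following Python, an added example that is not code from the report, checks such a captured redirect chain: each hop must stay on https, carry shire and target through unchanged, and, where providerId is given, name the Shibboleth.sso endpoint registered for that SP. The SP_METADATA table and the function names are constructed for this example; a real WAYF or IdP takes the same mapping from its metadata file.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed SP metadata: providerId -> registered Shibboleth.sso endpoint.
# A real WAYF or IdP reads the same mapping from its metadata file.
SP_METADATA = {
    "urn:mace:shibbolethtesting.org:carol":
        "https://carol.shibbolethtesting.org/Shibboleth.sso",
    "urn:mace:shibbolethtesting.org:winnetou":
        "https://winnetou.shibbolethtesting.org/Shibboleth.sso",
}

# Location headers of the redirects in steps 2 and 5, taken from the captures.
SP_TO_WAYF = ("https://dave.shibbolethtesting.org/shibboleth-wayf/WAYF"
              "?shire=https://carol.shibbolethtesting.org/Shibboleth.sso"
              "&target=https://carol.shibbolethtesting.org/secure/"
              "&providerId=urn:mace:shibbolethtesting.org:carol")
WAYF_TO_IDP = ("https://moon.shibbolethtesting.org/shibboleth-idp/SSO"
               "?target=https://carol.shibbolethtesting.org/secure/"
               "&shire=https://carol.shibbolethtesting.org/Shibboleth.sso")


def params(url):
    """Single-valued query parameters of a redirect target."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def check_hop(url, prev=None, sp_metadata=SP_METADATA):
    """Return the problems found in one redirect hop (empty list if clean)."""
    p, problems = params(url), []
    if urlsplit(url).scheme != "https":
        problems.append("redirect is not over https")
    for name in ("shire", "target"):
        if name not in p:
            problems.append(f"missing {name}")
        elif urlsplit(p[name]).scheme != "https":
            problems.append(f"{name} is not an https URL")
        elif prev is not None and prev.get(name) != p[name]:
            problems.append(f"{name} changed between hops")
    # Where providerId is given, shire must be the endpoint registered for it.
    if "providerId" in p and sp_metadata.get(p["providerId"]) != p.get("shire"):
        problems.append("shire does not match the metadata for providerId")
    return problems

def check_chain(hops, sp_metadata=SP_METADATA):
    """Run check_hop over every Location URL, threading the parameters along."""
    prev, report = None, []
    for url in hops:
        report.append(check_hop(url, prev, sp_metadata))
        prev = params(url)
    return report
```

check_chain([SP_TO_WAYF, WAYF_TO_IDP]) reports no problems for the captured hops; a shire that points elsewhere, or a providerId whose registered endpoint differs from shire, is flagged.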

6. The user is forwarded to the corresponding authentication server.

HTTP/1.x 200 OK
Set-Cookie: JSESSIONID=C5766808E41D3C64BFBD3839D6701730; Path=/shibboleth-idp; Secure
[...]
Location: https://moon.shibbolethtesting.org/cas/login
    ?service=https://moon.shibbolethtesting.org/shibboleth-idp/SSO
    &shire=https://carol.shibbolethtesting.org/Shibboleth.sso
    &target=https://carol.shibbolethtesting.org/secure
    &providerId=urn:mace:shibbolethtesting.org:carol

The browser then requests the login page.

GET /cas/login
    ?service=https://moon.shibbolethtesting.org/shibboleth-idp/SSO
    &shire=https://carol.shibbolethtesting.org/Shibboleth.sso
    &target=https://carol.shibbolethtesting.org/secure
    &providerId=urn:mace:shibbolethtesting.org:carol HTTP/1.1
Host: moon.shibbolethtesting.org
Cookie: _saml_idp=dXJuOm1hY2U6c3dpdGNoLmNoOlNXSVRDSGFhaTp1bmlnZS5jaA+

7. On the home organisation (IdP) the user has to prove his identity by sending his credentials. Therefore a login page is displayed.

HTTP/1.x 200 OK
Content-Type: text/html; charset=iso-8859-1

[... HTML Code ...]

Figure 4.7. moon.shibbolethtesting.org certificate validation.


Figure 4.8. The login page.

8. The form with the credentials is sent back and verified by the authorization service.

POST /cas/login
    ?service=https://moon.shibbolethtesting.org/shibboleth-idp/SSO
    &shire=https://carol.shibbolethtesting.org/Shibboleth.sso
    &target=https://carol.shibbolethtesting.org/secure
    &providerId=urn:mace:shibbolethtesting.org:carol HTTP/1.1
Host: moon.shibbolethtesting.org
Cookie: cas_pre_s=rcAHSqG62uVW7zGdRxKtnpdIWg7IFiwXihvObdaYa7mFI3qR4RYfm6F\
[...] hSNjSOxMUT68kuDApIWngwxPfVaggG; cas_g_req=clear
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

username=mpowers&password=tuxmux=LT-27-3fKACnZWQlYd8T4Md08p

9. In case of a successful verification the user is redirected again.

HTTP/1.x 302 Moved Temporarily
Set-Cookie: CASTGC=TGC-13-jpZHue4IXosIiVGyy6vrGcj3YOO0H3mRvjcpEqMK0EU8gFS6RC; Path=/cas;
Location: https://moon.shibbolethtesting.org/shibboleth-idp/SSO
    ?shire=https://carol.shibbolethtesting.org/Shibboleth.sso
    &target=https://carol.shibbolethtesting.org/secure
    &providerId=urn:mace:shibbolethtesting.org:carol
    &ticket=ST-17-lGFPJrLWJva134whvhxZ
Set-Cookie: CASTGC=TGC-13-jpZHue4IXosIiVGyy6vrGcj3YOO0H3mRvjcpEqMK0EU8gFS6RC; Path=/cas; Secure


This time the user is forwarded to the handle server (step 9.1).

GET /shibboleth-idp/SSO\
    ?target=https://carol.shibbolethtesting.org/secure/\
    &shire=https://carol.shibbolethtesting.org/Shibboleth.sso\
    &ticket=ST-17-lGFPJrLWJva134whvhxZ HTTP/1.1
Host: moon.shibbolethtesting.org
Cookie: JSESSIONID=C5766808E41D3C64BFBD3839D6701730; _saml_idp=dXJuOm1hY2U6c3d

10. If the user is authenticated, a handle is generated.

HTTP/1.x 200 OK
Set-Cookie: cas_g=; domain=.shibbolethtesting.org; path=/; expires=Fri,\
[...]

[... HTML Code ...]