|
Size: 838
Comment:
|
Size: 12330
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| == Developer Evaluation == | = Developer Evaluation = |
| Line 3: | Line 3: |
| In February 2006 we asked the developers from the BRIDGES and DyVOSE projects to answer a few brief questions. Contact details confirmed at http://www.nesc.ac.uk/nesc/team.html with biographies. | In February 2006 we asked the developers from the BRIDGES and DyVOSE projects to answer a few brief questions. Contact details confirmed at http://www.nesc.ac.uk/nesc/team.html with biographies. We asked the developers to considering specifically the Shibbolizing of the Bridges web portal and DyVOSE work, and all the myriad of steps which had to be completed to make this work (PERMIS, whatever), and asked them to please identify for us: 1. what did you find difficult? 1. what makes Shibboleth a good solution for accessing a service like Bridges or the DyVOSE data? 1. what issues can you see in a real-world production of this with 100s of users, maybe a commercial data provider, issues for the future etc.? 1. what scalability issues can you identify? 1. how could the access control you've implemented be subverted by e.g. a bad person, or by an expert trying to get round the system for their own convenience, or by a careless user? |
| Line 5: | Line 10: |
| We used the "naively"-formed scenario: | To spark some real-world flavour we used the "naively"-formed scenario: |
| Line 14: | Line 20: |
| == Responses Received == | = Responses Received = |
| Line 18: | Line 24: |
| * Micha Bayer (ROS: '''Grid/BLAST person and portlets, globus''') | * Micha Bayer * (ROS: ''Grid/BLAST person and portlets, globus'') * Micha: ''Please do bear in mind that I was only involved in this peripherally - I wrote the gridblast portlet and service which Jipu then continued to Shib-enable, so my knowledge of Shib is very limited indeed.'' |
| Line 25: | Line 33: |
| === | = Results = ||'''Question''' || '''Developer''' || '''Answer''' || ||'''1. what did you find difficult?''' || || || || || Micha Bayer || can't really comment as I was not involved in Shib-specific functionality || || || Jipu Jiang || || || || Anthony Stell || || || || John Watt || Finding a compatible platform that didn't need everything built from source - which I could never get to work. Fedora Core 4 did the trick though, I would heartily recommend a flexible attitude to OS, considering there are quite a few dependent packages that need to be installed. The input that an established federation can provide, in our case the SDSS federation, proved to be invaluable in getting Shibbed in a short period of time (days rather than weeks - the federation normally responded to queries within 24 hours) plus the IdPs and SPs can be configured and tested separately before joining them together. || || || || || ||'''2. what makes Shibboleth a good solution for accessing a service like Bridges or the DyVOSE data?''' || || || || || Micha Bayer || It looks quite promising to me, especially for a academia-type environment where we would want to, say, give access to an application for anyone in Scotland as part of a Scottish grid. We would then not have to worry about managing our own user base but instead have arrangements with all other Scottish unis etc. This obviously relies on us being able to trace user activity and user origin/details, for example because NGS as a an end resource dictates this to us under the existing agreement. So as long as we can extract a user's DN programmatically from whithin the portal (can we?) it would be a good solution for us. That way offending users could be tracked and hopefully dealt with at their home institution. || || || Jipu Jiang || || || || Anthony Stell || || || || John Watt || It is very easy to tailor attribute release/acceptance once Shibb is running. Adding other projects to our infrastructure was not difficult. We interfaced Shibb with GridSphere successfully, and bypassed the GridSphere login to use the mod_auth_ldap authentication. The SSO capabilities of Shibb are desirable in our Grid context. || || || || || ||'''3. what issues can you see in a real-world production of this with 100s of users, maybe a commercial data provider, issues for the future etc.?''' || || || || || Micha Bayer || as in my previous point - can't think of anything else just now || || || Jipu Jiang || || || || Anthony Stell || || || || John Watt || see scalability below || || || || || ||'''4. what scalability issues can you identify?''' || || || || || Micha Bayer || A system where you have no real estimate of your '''potential''' user numbers is hard to build. This is really what it boils down to when you open things to big institutions like other universities. You would ideally want to strike a balance and devise a system which handles roughly the load you expect, but with larger numbers of potential users the load becomes harder to estimate. I guess building extensibility into the system from the start would be the answer here. || || || Jipu Jiang || || || || Anthony Stell || || || || John Watt || We are adopting the PERMIS role-based Access control system for authorization, which by adopting a privilege management infrastructure we hope to avoid scalability problems associated with Access Control Lists. DyVOSE is investigating dynamic delegation, which eventually will allow separate institutions to form a VO without rewriting their local security policies (we demonstrate a simplified version of this between Glasgow and Edinburgh). NeSC Glasgow is now starting to look at performance aspects of portal technology which will feed into any investigation of high-load Shibb use now our user base is increasing. || || || || || ||'''5. how could the access control you've implemented be subverted by e.g. a bad person, or by an expert trying to get round the system for their own convenience, or by a careless user?''' || || || || || Micha Bayer || the others are in a better position to anser this as this again is really Shib-specific. || || || Jipu Jiang || || || || Anthony Stell || || || || John Watt || Unless you tailor your firewall properly it is quite easy for someone who knows the system is there just to reference the U R L : port [XXXX AE: written like this to cheat the wiki formatting!] directly to gain access to the Shibbed portal, and bypass authentication. If a user on a public computer doesn't log out of a session he has requested to be remembered by the IdP, it is possible that someone can re-use his session to gain access to other federation sites, which would be the same problem as if his password got stolen. || ||Oluwafemi Ajayi's response ||<-2 :> '''step-by-step''' || || ||<-2 :> 1. A user connects to the portal; he is redirected to SDSS (WAYF host) for single sign-on (SSO). # Shibboleth protects resources hosted on apache but our portal is hosted on Tomcat. We use mod_jk in a sense to bridge apache and tomcat so that Shibboleth can indirectly protect tomcat services. Because mod_jk allows apache to wrap tomcat services, it will be difficult for a hacker to directly access a tomcat service. In my experience, there seems not to be a performance issue for using mod_jk as a wrapper/bridge. || || ||<-2 :> 2. User is redirected to the origin site for sign-on || || ||<-2 :> 3. User provides authentication information through their IdP (authentication site) and a SAML authentication assertion (identity handle) is returned to the portal (service provider). # In reality, the SDSS stores a cookie on the user's browser to identify the user's IdP for single-sign-on purposes. The identity handle is also stored as a cookie on the user's browser for subsequent access to other service provider in the federation. In my own view the use of cookies poses security risks such as identity theft. # If a user turned off cookies in their browser then SSO cannot be achieved. Also if a user switches browser say from IE to Firefox, they will have to re-authenticate. # We implemented out identity provider using LDAP to provide authentication services for local users. || || ||<-2 :> 4. The service provider request user attributes from the IdP using the identity handle. || || ||<-2 :> 5. Ideally user's attribute certificates are returned as SAML responses to the service provider. # Our IdP releases attributes using the LDAP server we set up. The identity handle is used to query the LDAP for user attributes. # Because of the way GridSphere (Portal technology) handles data in headers, attributes are returned as "short" strings to the portal. This currently is not secured, but we are working on a better solution such as SAML assertion compression/hashing. || || ||<-2 :> 6. The portal uses attributes to interact with Grid services e.g. blast service. # From our point of view there are no performance issues or further security risks from this point. || || ||<-2 :> 7. Security questions really are: What do you do with attributes once exchanged at the service providers' side? What type of PMI does the service provider have? Can the PMI be driven with attributes such as Roles or DN? || || ||<-2 :> 8. A none cookie solution will make current Shibboleth implementation more secure. The SSO of shib makes it a good authentication solution for services like blast but it is not enough for authorisation. A service like blast would have to be designed to do authorisation using attributes. At the moment we are pushing attributes to service providers, but a pull model is better in some scenarios (i.e. requesting attributes only when needed). || || ||<-2 :> 9. At the moment (based on push mode) scalability issues lies at the Service provider, but if in pull model, services would have serious scalability issues. || || ||<-2 :> 10. Security and SSO will be greatly improved if shibboleth works with OS and not browsers. || |
Developer Evaluation
In February 2006 we asked the developers from the BRIDGES and DyVOSE projects to answer a few brief questions. Contact details confirmed at http://www.nesc.ac.uk/nesc/team.html with biographies. We asked the developers to considering specifically the Shibbolizing of the Bridges web portal and DyVOSE work, and all the myriad of steps which had to be completed to make this work (PERMIS, whatever), and asked them to please identify for us:
- what did you find difficult?
- what makes Shibboleth a good solution for accessing a service like Bridges or the DyVOSE data?
- what issues can you see in a real-world production of this with 100s of users, maybe a commercial data provider, issues for the future etc.?
- what scalability issues can you identify?
- how could the access control you've implemented be subverted by e.g. a bad person, or by an expert trying to get round the system for their own convenience, or by a careless user?
To spark some real-world flavour we used the "naively"-formed scenario:
To the developer: Scenario: Please imagine you've by chance met a manager of a faculty resource in the corridor, and he/she knows of your experience and naively thinks you're the person who can just Shibb their target - "This afternoon, if you've time?"
Responses Received
We are extremely grateful to the following for responding so promptly to our scenario:
- Oluwafemi Ajayi
- Micha Bayer
(ROS: Grid/BLAST person and portlets, globus)
Micha: Please do bear in mind that I was only involved in this peripherally - I wrote the gridblast portlet and service which Jipu then continued to Shib-enable, so my knowledge of Shib is very limited indeed.
- Jipu Jiang
- Anthony Stell
- John Watt
The results can be seen below.
Results
Question |
Developer |
Answer |
1. what did you find difficult? |
|
|
|
Micha Bayer |
can't really comment as I was not involved in Shib-specific functionality |
|
Jipu Jiang |
|
|
Anthony Stell |
|
|
John Watt |
Finding a compatible platform that didn't need everything built from source - which I could never get to work. Fedora Core 4 did the trick though, I would heartily recommend a flexible attitude to OS, considering there are quite a few dependent packages that need to be installed. The input that an established federation can provide, in our case the SDSS federation, proved to be invaluable in getting Shibbed in a short period of time (days rather than weeks - the federation normally responded to queries within 24 hours) plus the IdPs and SPs can be configured and tested separately before joining them together. |
|
|
|
2. what makes Shibboleth a good solution for accessing a service like Bridges or the DyVOSE data? |
|
|
|
Micha Bayer |
It looks quite promising to me, especially for a academia-type environment where we would want to, say, give access to an application for anyone in Scotland as part of a Scottish grid. We would then not have to worry about managing our own user base but instead have arrangements with all other Scottish unis etc. This obviously relies on us being able to trace user activity and user origin/details, for example because NGS as a an end resource dictates this to us under the existing agreement. So as long as we can extract a user's DN programmatically from whithin the portal (can we?) it would be a good solution for us. That way offending users could be tracked and hopefully dealt with at their home institution. |
|
Jipu Jiang |
|
|
Anthony Stell |
|
|
John Watt |
It is very easy to tailor attribute release/acceptance once Shibb is running. Adding other projects to our infrastructure was not difficult. We interfaced Shibb with GridSphere successfully, and bypassed the GridSphere login to use the mod_auth_ldap authentication. The SSO capabilities of Shibb are desirable in our Grid context. |
|
|
|
3. what issues can you see in a real-world production of this with 100s of users, maybe a commercial data provider, issues for the future etc.? |
|
|
|
Micha Bayer |
as in my previous point - can't think of anything else just now |
|
Jipu Jiang |
|
|
Anthony Stell |
|
|
John Watt |
see scalability below |
|
|
|
4. what scalability issues can you identify? |
|
|
|
Micha Bayer |
A system where you have no real estimate of your potential user numbers is hard to build. This is really what it boils down to when you open things to big institutions like other universities. You would ideally want to strike a balance and devise a system which handles roughly the load you expect, but with larger numbers of potential users the load becomes harder to estimate. I guess building extensibility into the system from the start would be the answer here. |
|
Jipu Jiang |
|
|
Anthony Stell |
|
|
John Watt |
We are adopting the PERMIS role-based Access control system for authorization, which by adopting a privilege management infrastructure we hope to avoid scalability problems associated with Access Control Lists. DyVOSE is investigating dynamic delegation, which eventually will allow separate institutions to form a VO without rewriting their local security policies (we demonstrate a simplified version of this between Glasgow and Edinburgh). NeSC Glasgow is now starting to look at performance aspects of portal technology which will feed into any investigation of high-load Shibb use now our user base is increasing. |
|
|
|
5. how could the access control you've implemented be subverted by e.g. a bad person, or by an expert trying to get round the system for their own convenience, or by a careless user? |
|
|
|
Micha Bayer |
the others are in a better position to anser this as this again is really Shib-specific. |
|
Jipu Jiang |
|
|
Anthony Stell |
|
|
John Watt |
Unless you tailor your firewall properly it is quite easy for someone who knows the system is there just to reference the U R L : port [XXXX AE: written like this to cheat the wiki formatting!] directly to gain access to the Shibbed portal, and bypass authentication. If a user on a public computer doesn't log out of a session he has requested to be remembered by the IdP, it is possible that someone can re-use his session to gain access to other federation sites, which would be the same problem as if his password got stolen. |
Oluwafemi Ajayi's response |
step-by-step |
|
|
1. A user connects to the portal; he is redirected to SDSS (WAYF host) for single sign-on (SSO). # Shibboleth protects resources hosted on apache but our portal is hosted on Tomcat. We use mod_jk in a sense to bridge apache and tomcat so that Shibboleth can indirectly protect tomcat services. Because mod_jk allows apache to wrap tomcat services, it will be difficult for a hacker to directly access a tomcat service. In my experience, there seems not to be a performance issue for using mod_jk as a wrapper/bridge. |
|
|
2. User is redirected to the origin site for sign-on |
|
|
3. User provides authentication information through their IdP (authentication site) and a SAML authentication assertion (identity handle) is returned to the portal (service provider). # In reality, the SDSS stores a cookie on the user's browser to identify the user's IdP for single-sign-on purposes. The identity handle is also stored as a cookie on the user's browser for subsequent access to other service provider in the federation. In my own view the use of cookies poses security risks such as identity theft. # If a user turned off cookies in their browser then SSO cannot be achieved. Also if a user switches browser say from IE to Firefox, they will have to re-authenticate. # We implemented out identity provider using LDAP to provide authentication services for local users. |
|
|
4. The service provider request user attributes from the IdP using the identity handle. |
|
|| ||<-2 :> 5. Ideally user's attribute certificates are returned as SAML responses to the service provider. # Our IdP releases attributes using the LDAP server we set up. The identity handle is used to query the LDAP for user attributes. # Because of the way GridSphere (Portal technology) handles data in headers, attributes are returned as "short" strings to the portal. This currently is not secured, but we are working on a better solution such as SAML assertion compression/hashing. ||
|
6. The portal uses attributes to interact with Grid services e.g. blast service. # From our point of view there are no performance issues or further security risks from this point. |
|
|
7. Security questions really are: What do you do with attributes once exchanged at the service providers' side? What type of PMI does the service provider have? Can the PMI be driven with attributes such as Roles or DN? |
|
|
8. A none cookie solution will make current Shibboleth implementation more secure. The SSO of shib makes it a good authentication solution for services like blast but it is not enough for authorisation. A service like blast would have to be designed to do authorisation using attributes. At the moment we are pushing attributes to service providers, but a pull model is better in some scenarios (i.e. requesting attributes only when needed). |
|
|
9. At the moment (based on push mode) scalability issues lies at the Service provider, but if in pull model, services would have serious scalability issues. |
|
|
10. Security and SSO will be greatly improved if shibboleth works with OS and not browsers. |
|