
Download the presentation slides (PDF)

Federated Identity Management Part 2

Here are the supporting materials for a training session entitled Frontiers of Federated Identity Management given at the M3AAWG 32nd General Meeting in Boston in October 2014. The training exercises referenced in the presentation slides are organized as follows:

In the training exercises below, absolute paths are intentionally not used since these will vary from platform to platform.

Getting Started

Set the following two directories before attempting any of the exercises below:

# Directory for metadata:
$ MD_DIR=/tmp

# Directory for scripts:
$ SCRIPT_BIN=/tmp

Download the following files and scripts ahead of time so that you are not waiting on large downloads during the course:

# Download the following metadata aggregates:

# The main production metadata aggregate at md.incommon.org:
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata.xml
$ MD_PATH=$MD_DIR/${MD_LOCATION##*/}
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH

# The InCommon export aggregate:
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata-export.xml
$ MD_PATH=$MD_DIR/${MD_LOCATION##*/}
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH

# The UK federation metadata aggregate:
$ MD_LOCATION=http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
$ MD_PATH=$MD_DIR/${MD_LOCATION##*/}
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH

# The main production metadata aggregate at mds.edugain.org:
$ MD_LOCATION=http://mds.edugain.org/feed-sha256.xml
$ MD_PATH=$MD_DIR/eduGAIN-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH

# The collection of all IdP metadata at mdq-beta.incommon.org:
$ MD_LOCATION=http://mdq-beta.incommon.org/global/entities/collection:idps
$ MD_PATH=$MD_DIR/global-idp-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH

# Download the following shell scripts:

# Download md_inspect.sh: 
$ SCRIPT_LOCATION=https://gist.github.com/trscavo/056a519964f136ce77df/download
$ curl --silent $SCRIPT_LOCATION | tar -xvz -C $SCRIPT_BIN --strip-components 1

# Download md_query.sh: 
$ SCRIPT_LOCATION=https://gist.github.com/trscavo/ab2edd1b6bfdb3a41076/download
$ curl --silent $SCRIPT_LOCATION | tar -xvz -C $SCRIPT_BIN --strip-components 1

# Download filter_mdattrs.sh: 
$ SCRIPT_LOCATION=https://gist.github.com/trscavo/3555b3e23ef2ee3cc4ab/download
$ curl --silent $SCRIPT_LOCATION | tar -xvz -C $SCRIPT_BIN --strip-components 1

Multilateral Federation: A Review

Task: Analyze various production metadata aggregates.

# The main production metadata aggregate at md.incommon.org:
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata.xml
$ MD_PATH=$MD_DIR/${MD_LOCATION##*/}
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
Date: Mon, 13 Oct 2014 22:53:38 GMT
Server: Apache
Last-Modified: Mon, 13 Oct 2014 19:06:23 GMT
ETag: "110328-a9f98b-50552983ac9c0"
Accept-Ranges: bytes
Content-Length: 11139467
Connection: close
Content-Type: application/samlmetadata+xml

# Download md_inspect.sh: 
$ SCRIPT_LOCATION=https://gist.github.com/trscavo/056a519964f136ce77df/download
$ curl --silent $SCRIPT_LOCATION | tar -xvz -C $SCRIPT_BIN --strip-components 1
$ chmod 755 $SCRIPT_BIN/md_inspect.sh

# Inspect the metadata aggregate:
$ $SCRIPT_BIN/md_inspect.sh $MD_PATH 
File name: /tmp/InCommon-metadata.xml
File size: 11139467 bytes
The metadata file is signed
The expiration date (validUntil) is: 2014-10-27T10:00:00Z
There is NO cacheDuration XML attribute
Number of entities: 2308
Number of organizations: 491
There are NO registration authorities
Number of IdPs: 374
Number of IdPs that support SAML2: 365
Number of IdPs with an errorURL: 126
Number of SPs: 1934
Number of SPs that support SAML2: 1886

# EXERCISE: For how many days is the above metadata valid?

# EXERCISE: Analyze the InCommon export aggregate:
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata-export.xml

# EXERCISE: Analyze the UK federation metadata aggregate:
$ MD_LOCATION=http://metadata.ukfederation.org.uk/ukfederation-metadata.xml

Interfederation

Task: Analyze eduGAIN metadata.

# The main production metadata aggregate at mds.edugain.org:
$ MD_LOCATION=http://mds.edugain.org/feed-sha256.xml
$ MD_PATH=$MD_DIR/eduGAIN-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
Date: Mon, 13 Oct 2014 23:04:55 GMT
Server: Apache/2.2.13 (Linux/SUSE)
Last-Modified: Mon, 13 Oct 2014 23:02:01 GMT
ETag: "bc85-520d11-50555e2eccb57"
Accept-Ranges: bytes
Content-Length: 5377297
Content-Type: text/xml

# Inspect the metadata aggregate:
$ $SCRIPT_BIN/md_inspect.sh $MD_PATH 
File name: /tmp/eduGAIN-metadata.xml
File size: 5377297 bytes
The metadata file is signed
The expiration date (validUntil) is: 2014-10-17T23:00:05Z
The time-to-live (cacheDuration) is: PT6H
Number of entities: 695
Number of organizations: 582
Number of registration authorities: 28
Number of IdPs: 542
Number of IdPs that support SAML2: 542
Number of IdPs with an errorURL: 12
Number of SPs: 154
Number of SPs that support SAML2: 153

# EXERCISE: For how many days is the above metadata valid?

# EXERCISE: Why don't the numbers of IdPs and SPs add up to the number of entities?
# (Hint: Inspect entity "https://cern.ch/login")

# EXERCISE: Find the one SP that does not support SAML2.

# Which federations are exporting metadata to eduGAIN?
$ cat $MD_PATH \
    | grep -F ' registrationAuthority=' \
    | sed -e 's/^.* registrationAuthority="\([^"]*\)".*$/\1/' \
    | sort | uniq -c \
    | sort --reverse \
    | head -n 6
 237 https://federation.renater.fr/
  94 http://cafe.rnp.br
  47 http://www.eduid.cz/
  46 http://ukfederation.org.uk
  44 https://www.aai.dfn.de
  44 http://www.idem.garr.it/
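The figures that md_inspect.sh prints, the validity exercise from the previous section, and the registrationAuthority tally just above all come down to reading a handful of attributes and elements out of the aggregate. As an added example (not the md_inspect.sh script or any other code from this page), the following standard-library Python does the same work on a small constructed aggregate. The sample XML, the registrar names, the entityIDs and the fixed "now" timestamp are all constructed for the example; it also walks nested EntitiesDescriptor elements, which the real aggregates can contain.

```python
"""Offline stand-in for md_inspect.sh over a constructed SAML metadata aggregate.

Added example; it is not the md_inspect.sh script from the page. It reports the
figures that script prints, the days of validity remaining, and the per-registrar
breakdown that the registrationAuthority grep/sed pipeline derives.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1 = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed sample: two registrars; an IdP, a SAML1-only IdP, an SP, and one
# entity carrying both roles inside a nested EntitiesDescriptor. The Signature
# element is a placeholder, so "signed" below means "a signature is present",
# not "the signature verified"; verification needs the federation's signing key.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    xmlns:mdrpi="{NS['mdrpi']}" Name="urn:example:constructed"
    validUntil="2014-10-27T10:00:00Z" cacheDuration="PT6H">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2} {SAML1}" errorURL="https://idp.example.edu/help"/>
    <md:Organization><md:OrganizationName xml:lang="en">Example University</md:OrganizationName></md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy-idp.example.org/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example.net/"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML1}"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:nested">
    <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
      <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/></md:Extensions>
      <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
      <md:Organization><md:OrganizationName xml:lang="en">Example SP</md:OrganizationName></md:Organization>
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://proxy.example.edu/login">
      <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/></md:Extensions>
      <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
      <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""

# Constructed "now" so that the validity figure is reproducible.
SAMPLE_NOW = datetime(2014, 10, 20, 10, 0, 0, tzinfo=timezone.utc)

DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
                         r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")


def duration_seconds(value):
    """xs:duration (PT6H, P0Y0M0DT6H0M0.000S) in seconds; year/month parts are calendar-dependent and refused."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError("unparsable cacheDuration: %r" % value)
    years, months, days, hours, minutes, seconds = m.groups()
    if int(years or 0) or int(months or 0):
        raise ValueError("year/month cacheDuration not supported: %r" % value)
    return int(days or 0) * 86400 + int(hours or 0) * 3600 + int(minutes or 0) * 60 + float(seconds or 0)


def parse_utc(value):
    """validUntil with or without fractional seconds (both forms occur in real aggregates), as aware UTC."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def supports_saml2(role):
    return SAML2 in role.get("protocolSupportEnumeration", "").split()


def inspect(xml_text, now):
    """Return md_inspect.sh style figures for an aggregate; `now` is an aware datetime."""
    root = ET.fromstring(xml_text)
    entities = list(root.iter("{%s}EntityDescriptor" % NS["md"]))  # nested EntitiesDescriptors included
    idps = [r for r in (e.find("md:IDPSSODescriptor", NS) for e in entities) if r is not None]
    sps = [r for r in (e.find("md:SPSSODescriptor", NS) for e in entities) if r is not None]
    registrars = Counter(
        ri.get("registrationAuthority")
        for ri in (e.find("md:Extensions/mdrpi:RegistrationInfo", NS) for e in entities)
        if ri is not None)
    valid_until = parse_utc(root.get("validUntil"))
    cache = root.get("cacheDuration")
    return {
        "signed": root.find("ds:Signature", NS) is not None,  # presence only, see note above
        "valid_until": valid_until,
        "days_valid": (valid_until - now).total_seconds() / 86400,  # negative means expired: do not use it
        "cache_seconds": duration_seconds(cache) if cache else None,
        "entities": len(entities),
        "organizations": sum(1 for e in entities if e.find("md:Organization", NS) is not None),
        "registrars": registrars,
        "idps": len(idps),
        "idps_saml2": sum(supports_saml2(r) for r in idps),
        "idps_with_errorurl": sum(1 for r in idps if r.get("errorURL")),
        "sps": len(sps),
        "sps_saml2": sum(supports_saml2(r) for r in sps),
    }


if __name__ == "__main__":
    for key, value in inspect(SAMPLE_AGGREGATE, SAMPLE_NOW).items():
        print("%s: %s" % (key, value))
```

Point `inspect()` at the text of a downloaded aggregate and `datetime.now(timezone.utc)` to get the same report for real metadata. The dual-role entity in the sample is why `idps + sps` can exceed `entities`, and a negative `days_valid` is the signal that a cached aggregate must be refreshed rather than trusted.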

Dynamic Metadata Query

Task: Analyze the metadata used in the Per-Entity Metadata Pilot Study.

# The collection of all IdP metadata at mdq-beta.incommon.org:
$ MD_LOCATION=http://mdq-beta.incommon.org/global/entities/collection:idps
$ MD_PATH=$MD_DIR/global-idp-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
X-Application-Context: application:sign:80
Content-Language: en-US
Content-Type: application/samlmetadata+xml
Content-Length: 6230479
ETag: "67d67c919f9a14b4786dd844dcb0b9e6f2b6f738"
Server: Jetty(8.1.15.v20140411)

# Inspect the metadata aggregate:
$ $SCRIPT_BIN/md_inspect.sh $MD_PATH
File name: /tmp/global-idp-metadata.xml
File size: 6230479 bytes
The metadata file is signed
The expiration date (validUntil) is: 2014-10-27T23:12:54.984Z
The time-to-live (cacheDuration) is: P0Y0M0DT6H0M0.000S
Number of entities: 905
Number of organizations: 875
Number of registration authorities: 28
Number of IdPs: 905
Number of IdPs that support SAML2: 896
Number of IdPs with an errorURL: 138
Number of SPs: 1
Number of SPs that support SAML2: 1

# Download md_query.sh: 
$ SCRIPT_LOCATION=https://gist.github.com/trscavo/ab2edd1b6bfdb3a41076/download
$ curl --silent $SCRIPT_LOCATION | tar -xvz -C $SCRIPT_BIN --strip-components 1
$ chmod 755 $SCRIPT_BIN/md_query.sh
$ export MDQ_BASE_URL=http://mdq-beta.incommon.org/global

# Compute the request URL for a particular signed entity descriptor:
$ $SCRIPT_BIN/md_query.sh -t urn:mace:incommon:internet2.edu
http://mdq-beta.incommon.org/global/entities/urn%3Amace%3Aincommon%3Ainternet2.edu

# Do it again, for a different entity:
$ $SCRIPT_BIN/md_query.sh -t https://shibboleth.salisbury.edu/idp/shibboleth
http://mdq-beta.incommon.org/global/entities/https%3A%2F%2Fshibboleth.salisbury.edu%2Fidp%2Fshibboleth

# EXERCISE: Drop the -t option on the above commands to actually fetch the metadata

# EXERCISE: Fetch the signed entity descriptors of other entities (see below)

# List the entityIDs of all IdPs in metadata:
$ cat $MD_PATH \
    | grep -F ' entityID=' \
    | sed 's/^.* entityID="\([^"]*\).*$/\1/' \
    | head -n 5
https://aai.unifr.ch/idp/shibboleth
https://aai-idp.unibe.ch/idp/shibboleth
https://aai-idp.uzh.ch/idp/shibboleth
https://aai-login.fh-htwchur.ch/idp/shibboleth
https://aai-logon.bfh.ch/idp/shibboleth

# EXERCISE: Describe the entity descriptor for entity "https://cern.ch/login"
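The request URL that md_query.sh prints is the MDQ base URL, the fixed path segment /entities/, and the entityID percent-encoded so that the colons and slashes inside it cannot be mistaken for path structure. As an added example (not the md_query.sh script from this page), the Python below reproduces the two URLs shown above and extends the idea in two ways the page does not cover: the {sha1} identifier form from the Metadata Query Protocol draft, where the client sends the SHA-1 of the entityID instead of the entityID (assumed here; confirm your MDQ server supports it), and an If-None-Match header built from a previously seen ETag, such as the ones in the responses above, so that a repeat query can return 304 Not Modified instead of the full entity descriptor.

```python
"""Compute Metadata Query Protocol (MDQ) request URLs the way md_query.sh does.

Added example, not the md_query.sh script from the page. The {sha1} identifier
form and the Accept / If-None-Match headers are assumptions drawn from the MDQ
protocol draft and plain HTTP, not something the page shows.
"""
import hashlib
import re
from urllib.parse import quote

MDQ_BASE_URL = "http://mdq-beta.incommon.org/global"  # the MDQ_BASE_URL exported above


def mdq_identifier(entity_id, by_hash=False):
    """Percent-encode an entityID (safe="" so ':' and '/' are escaped too), or hash it first."""
    if by_hash:
        identifier = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        identifier = entity_id
    return quote(identifier, safe="")


def mdq_url(entity_id, base_url=MDQ_BASE_URL, by_hash=False):
    """Request URL for one entity's signed entity descriptor."""
    return "%s/entities/%s" % (base_url.rstrip("/"), mdq_identifier(entity_id, by_hash))


def conditional_headers(previous_etag=None):
    """Headers for a refresh: ask for SAML metadata and revalidate by ETag when one is known."""
    headers = {"Accept": "application/samlmetadata+xml"}
    if previous_etag:
        headers["If-None-Match"] = previous_etag
    return headers


def is_hashed_identifier(identifier):
    """True for a percent-encoded {sha1} identifier with a 40-hex-digit digest."""
    return re.fullmatch(r"%7Bsha1%7D[0-9a-f]{40}", identifier) is not None


if __name__ == "__main__":
    for eid in ("urn:mace:incommon:internet2.edu",
                "https://shibboleth.salisbury.edu/idp/shibboleth"):
        print(mdq_url(eid))
        print(mdq_url(eid, by_hash=True))
```

Whatever form of identifier is used, the response is still a signed entity descriptor, and the client must verify that signature against the federation's published signing key before trusting the endpoints and keys inside it.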

Entity Categories

Task: Enumerate the Entity Attributes in various metadata aggregates.

# Download filter_mdattrs.sh: 
$ SCRIPT_LOCATION=https://gist.github.com/trscavo/3555b3e23ef2ee3cc4ab/download
$ curl --silent $SCRIPT_LOCATION | tar -xvz -C $SCRIPT_BIN --strip-components 1
$ chmod 755 $SCRIPT_BIN/filter_mdattrs.sh

# List the entity attributes in the InCommon export aggregate:
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata-export.xml
$ MD_PATH=$MD_DIR/${MD_LOCATION##*/}
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
Date: Tue, 14 Oct 2014 18:04:19 GMT
Server: Apache
Last-Modified: Mon, 13 Oct 2014 19:06:23 GMT
ETag: "11033b-5920-50552983ac9c0"
Accept-Ranges: bytes
Content-Length: 22816
Connection: close
Content-Type: application/samlmetadata+xml

$ $SCRIPT_BIN/filter_mdattrs.sh $MD_PATH 
https://incommon.org https://gw-astronomy.org/lists/shibboleth-sp SP http://macedir.org/entity-category http://refeds.org/category/research-and-scholarship
https://incommon.org https://gw-astronomy.org/shibboleth-sp SP http://macedir.org/entity-category http://refeds.org/category/research-and-scholarship
https://incommon.org https://gw-astronomy.org/wiki/shibboleth-sp SP http://macedir.org/entity-category http://refeds.org/category/research-and-scholarship

# Enumerate the entity attributes in the collection of all IdP metadata at mdq-beta.incommon.org:
$ MD_LOCATION=http://mdq-beta.incommon.org/global/entities/collection:idps
$ MD_PATH=$MD_DIR/global-idp-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
X-Application-Context: application:sign:80
Content-Language: en-US
Content-Type: application/samlmetadata+xml
Content-Length: 6236321
ETag: "a0c54fbbcc2259e5b9da51adcebc8db2fcf03031"
Server: Jetty(8.1.15.v20140411)

$ $SCRIPT_BIN/filter_mdattrs.sh $MD_PATH \
    | cut -f4,5 -d" " \
    | sort | uniq -c \
    | sort --reverse
  99 http://macedir.org/entity-category-support http://id.incommon.org/category/research-and-scholarship
  21 http://macedir.org/entity-category-support http://refeds.org/category/research-and-scholarship
   7 http://macedir.org/entity-category http://refeds.org/category/hide-from-discovery
   3 urn:oasis:names:tc:SAML:attribute:assurance-certification http://id.incommon.org/assurance/bronze
   1 urn:oasis:names:tc:SAML:attribute:assurance-certification http://id.incommon.org/assurance/silver

# Enumerate the entity attributes in the eduGAIN aggregate:
$ MD_LOCATION=http://mds.edugain.org/feed-sha256.xml
$ MD_PATH=$MD_DIR/eduGAIN-metadata.xml
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
Date: Tue, 14 Oct 2014 18:10:40 GMT
Server: Apache/2.2.13 (Linux/SUSE)
Last-Modified: Tue, 14 Oct 2014 18:02:01 GMT
ETag: "bce3-523c89-50565cfe2449b"
Accept-Ranges: bytes
Content-Length: 5389449
Content-Type: text/xml

$ $SCRIPT_BIN/filter_mdattrs.sh $MD_PATH \
    | cut -f4,5 -d" " \
    | sort | uniq -c \
    | sort --reverse \
    | head -n 5
  37 http://macedir.org/entity-category http://www.geant.net/uri/dataprotection-code-of-conduct/v1
  21 http://macedir.org/entity-category-support http://refeds.org/category/research-and-scholarship
  18 http://macedir.org/entity-category http://eduid.cz/uri/idp-group/avcr
  11 http://macedir.org/entity-category http://eduid.cz/uri/idp-group/university
   8 http://macedir.org/entity-category http://refeds.org/category/research-and-scholarship

# Enumerate the entity attributes in the main InCommon production aggregate (this will take a while):
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata.xml
$ MD_PATH=$MD_DIR/${MD_LOCATION##*/}
$ curl --silent --dump-header /dev/tty $MD_LOCATION > $MD_PATH
HTTP/1.1 200 OK
Date: Tue, 14 Oct 2014 18:16:03 GMT
Server: Apache
Last-Modified: Mon, 13 Oct 2014 19:06:23 GMT
ETag: "110328-a9f98b-50552983ac9c0"
Accept-Ranges: bytes
Content-Length: 11139467
Connection: close
Content-Type: application/samlmetadata+xml

$ $SCRIPT_BIN/filter_mdattrs.sh $MD_PATH \
    | cut -f4,5 -d" " \
    | sort | uniq -c \
    | sort --reverse
  99 http://macedir.org/entity-category-support http://id.incommon.org/category/research-and-scholarship
  25 http://macedir.org/entity-category http://id.incommon.org/category/research-and-scholarship
   7 http://macedir.org/entity-category http://refeds.org/category/hide-from-discovery
   3 urn:oasis:names:tc:SAML:attribute:assurance-certification http://id.incommon.org/assurance/bronze
   1 urn:oasis:names:tc:SAML:attribute:assurance-certification http://id.incommon.org/assurance/silver
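Each line that filter_mdattrs.sh prints is one mdattr:EntityAttributes value lifted out of an entity descriptor, together with the registrar, the entityID and the role of the entity that carries it; the cut | sort | uniq -c pipelines above then count attribute name/value pairs. As an added example (not the filter_mdattrs.sh script from this page), the Python below does the same over a small constructed aggregate and adds a lookup of which entities carry a given category, which is the question a federation operator usually ends up asking. The sample XML, registrar names and entityIDs are constructed; the attribute names and category URIs are the ones that appear in the output above.

```python
"""Enumerate entity attributes in a SAML metadata aggregate.

Added example, not the filter_mdattrs.sh script from the page. It emits the five
fields that script prints (registrar, entityID, role, attribute name, attribute
value) and tallies name/value pairs like the cut|sort|uniq -c pipeline.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
INCOMMON_RS = "http://id.incommon.org/category/research-and-scholarship"
HIDE = "http://refeds.org/category/hide-from-discovery"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: two R&S SPs, one IdP that supports R&S (two values in one
# attribute) and hides from discovery, and one IdP with a bronze assurance tag.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" Name="urn:example:constructed">
  <md:EntityDescriptor entityID="https://sp1.example.edu/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/>
      <mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>{REFEDS_RS}</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.edu/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/>
      <mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>{REFEDS_RS}</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp1.example.edu/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY_SUPPORT}" NameFormat="{URI_FORMAT}">
          <saml:AttributeValue>{REFEDS_RS}</saml:AttributeValue>
          <saml:AttributeValue>{INCOMMON_RS}</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
          <saml:AttributeValue>{HIDE}</saml:AttributeValue></saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example.net/"/>
      <mdattr:EntityAttributes><saml:Attribute Name="{ASSURANCE}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def roles(ed):
    """'IdP', 'SP', 'IdP+SP' or '-' depending on the role descriptors present."""
    names = [n for n, tag in (("IdP", "md:IDPSSODescriptor"), ("SP", "md:SPSSODescriptor"))
             if ed.find(tag, NS) is not None]
    return "+".join(names) or "-"


def entity_attributes(xml_text):
    """Return (registrar, entityID, role, name, value) rows in document order."""
    rows = []
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        registrar = reg.get("registrationAuthority") if reg is not None else "-"
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            for val in attr.findall("saml:AttributeValue", NS):
                rows.append((registrar, ed.get("entityID"), roles(ed), attr.get("Name"), (val.text or "").strip()))
    return rows


def tally(rows):
    """(name, value) pairs with counts, most common first, like cut -f4,5 | sort | uniq -c | sort -r."""
    return Counter((name, value) for _, _, _, name, value in rows).most_common()


def members(rows, name, value):
    """Sorted entityIDs tagged with one attribute value, e.g. every SP in the R&S category."""
    return sorted({eid for _, eid, _, n, v in rows if n == name and v == value})


if __name__ == "__main__":
    rows = entity_attributes(SAMPLE_AGGREGATE)
    for row in rows:
        print(" ".join(row))
    for (name, value), count in tally(rows):
        print("%4d %s %s" % (count, name, value))
```

The distinction the sample preserves is the one the page's counts turn on: an SP is placed in a category with entity-category, while an IdP declares that it honours a category's attribute release with entity-category-support, so the two attribute names should never be merged when tallying.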

Bring Your Own Identity

Task: Trace a typical protocol flow associated with a Google Gateway.

# The DiscoveryResponse endpoint location at the Spaces wiki:
$ REQUEST_URL=https://spaces.at.internet2.edu/Shibboleth.sso/Login?entityID=https%3A%2F%2Fgoogle.incommon.org%2Fgateway

# Get a SAML AuthnRequest (targeted at the Google Gateway) from the Spaces wiki:
$ curl --silent --dump-header /dev/tty $REQUEST_URL > /tmp/response.html
HTTP/1.1 302 Found
Date: Mon, 13 Oct 2014 08:01:35 GMT
Server: Apache/2.2.15 (Scientific Linux)
Set-Cookie: _shibstate_1413187295_03a3=https%3A%2F%2Fspaces.at.internet2.edu%2F; path=/; HttpOnly
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://google.incommon.org/idp/SSOService/HTTP-Redirect?SAMLRequest=fZLLboMwEEV%2FBXkfDIREwQpINFk0UtqgQLvopgIzgCWwqcf08fclIW3TTda%2BPnfmaNaYd23P4sE08ghvA6CxPrtWIjs%2FhGTQkqkcBTKZd4DMcJbGD3vm2Q7rtTKKq5ZYMSJoI5TcKIlDBzoF%2FS44PB33IWmM6ZFRin3OAW0hDWgJxrOhHGjaiKJQLZjGRlT0xPZockgzYm3HYYTMT9g%2FSK1U3cII4arrlLSVrqkoe5qmh0snvc%2ByZHaEUmjghli7bUhei6Ja%2BL7nBFWwKivw%2FKDiZbColmUxX7pOMMYQB9hJNLk0IfEc15%2B5zsydZ86KOS6bL16IlVwWvhOyFLK%2BbaeYQsjO80wrPYPG8zpjgETrk2N2LtZX1m9j8x%2FVJLopFn%2FFrulVz1Tas8cRvNsmqhX8y4rbVn1sNOQGQuISGk1f%2Ft9F9A0%3D&RelayState=cookie%3A1413187295_03a3
Content-Length: 854
Connection: close
Content-Type: text/html; charset=iso-8859-1

# Exercise
# Use: http://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
# Decode the SAMLRequest parameter value (whitespace added below for readability):
# <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
#   AssertionConsumerServiceURL="https://spaces.at.internet2.edu/Shibboleth.sso/SAML2/POST" 
#   Destination="https://google.incommon.org/idp/SSOService/HTTP-Redirect" 
#   ID="_bbf544209f98dfe249fcd95f6db36109" IssueInstant="2014-10-13T08:01:35Z" 
#   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
#   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://spaces.at.internet2.edu/shibboleth</saml:Issuer>
#   <samlp:NameIDPolicy AllowCreate="1"/>
# </samlp:AuthnRequest>
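The SAMLRequest parameter in the Location header above is produced by the SAML 2.0 HTTP-Redirect binding: the AuthnRequest XML is DEFLATE-compressed (raw, without a zlib header), base64-encoded, and then percent-encoded into the query string, which is why it is unreadable until decoded. As an added example (neither code from this page nor the saml2debug tool it links to), the Python below performs that encoding and decoding locally on the AuthnRequest shown above, and pulls out the fields an IdP checks before acting on such a request. The round trip runs through a freshly encoded copy of the XML, not the captured parameter value; the "now" timestamps and the five-minute freshness window are constructed for the example.

```python
"""Encode and decode a SAML 2.0 HTTP-Redirect SAMLRequest offline.

Added example; it is not code from the page or from the saml2debug tool it links.
The AuthnRequest text is the one decoded above; SAMPLE_NOW, SAMPLE_LATER and the
freshness window are constructed for this example.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="https://spaces.at.internet2.edu/Shibboleth.sso/SAML2/POST"
  Destination="https://google.incommon.org/idp/SSOService/HTTP-Redirect"
  ID="_bbf544209f98dfe249fcd95f6db36109" IssueInstant="2014-10-13T08:01:35Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://spaces.at.internet2.edu/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>"""

# Constructed clock values: 25 seconds after IssueInstant, and about an hour after it.
SAMPLE_NOW = datetime(2014, 10, 13, 8, 2, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2014, 10, 13, 9, 0, 0, tzinfo=timezone.utc)


def encode_redirect_request(xml_text):
    """Raw DEFLATE (wbits=-15 means no zlib header), base64, then percent-encode for the query string."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_request(query_value):
    """Reverse of encode_redirect_request; returns the AuthnRequest XML text."""
    raw = base64.b64decode(urllib.parse.unquote(query_value))
    return zlib.decompress(raw, -15).decode("utf-8")


def summarize(xml_text):
    """Pull out the fields an IdP looks at before acting on the request."""
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % req.tag)
    issuer = req.find("{%s}Issuer" % SAML)
    issued = datetime.fromisoformat(req.get("IssueInstant").rstrip("Z")).replace(tzinfo=timezone.utc)
    return {
        "id": req.get("ID"),
        "issue_instant": issued,
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": req.get("Destination"),
        "acs_url": req.get("AssertionConsumerServiceURL"),
        "binding": req.get("ProtocolBinding"),
    }


def request_is_acceptable(summary, endpoint_url, now, max_age_seconds=300, skew_seconds=60):
    """Receiver-side sanity checks: Destination names this endpoint and the request is fresh.

    The window and skew tolerance are example values, not figures from the page.
    """
    age = (now - summary["issue_instant"]).total_seconds()
    return summary["destination"] == endpoint_url and -skew_seconds <= age <= max_age_seconds


if __name__ == "__main__":
    encoded = encode_redirect_request(AUTHN_REQUEST)
    print("SAMLRequest=%s..." % encoded[:60])
    summary = summarize(decode_redirect_request(encoded))
    for key, value in summary.items():
        print("%s: %s" % (key, value))
    print("acceptable at SAMPLE_NOW:", request_is_acceptable(summary, summary["destination"], SAMPLE_NOW))
```

To decode a parameter captured from a real Location header, pass the value after SAMLRequest= (and before &RelayState=) to decode_redirect_request(). The Destination and freshness checks matter on the IdP side because the Redirect binding's request is, in this flow, not signed: an IdP that skips them will happily process a request replayed at a different endpoint or long after it was issued.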

# By following redirects, we eventually get the Google login page:
$ curl --verbose --location --max-redirs 3 $REQUEST_URL

Multifactor Authentication as-a-Service

TBD
