1 / 32

Hosting a SAML-protected Web Site in Microsoft Azure

Hosting a SAML-protected Web Site in Microsoft Azure. Eric Kool-Brown Software Engineer University of Washington IT. A SAML Protected Web Site. SAML: what is it?. Security Assertion Markup Language and much more A token format (using this language) A set of authentication protocols

montana-mcknight
Télécharger la présentation

Hosting a SAML-protected Web Site in Microsoft Azure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hosting a SAML-protected Web Site in Microsoft Azure Eric Kool-Brown Software Engineer University of Washington IT

  2. A SAML Protected Web Site SAML in Azure - Windows in Higher Ed

  3. SAML in Azure - Windows in Higher Ed

  4. SAML: what is it? Security Assertion Markup Language and much more • A token format (using this language) • A set of authentication protocols • A set of bindings for the transfer of the protocol elements • A set of OASIS specifications ratified in 2005 SAML in Azure - Windows in Higher Ed

  5. Some Terminology • SAMLP – used to differentiate the protocol from the token format • Service Provider – a protected web site, a.k.a. Relying Party • IdP – identity provider, a.k.a. security token service • Shibboleth – the community-developed reference implementation of SAML SAML in Azure - Windows in Higher Ed

  6. SAML in Azure - Windows in Higher Ed

  7. SAML in Azure - Windows in Higher Ed

  8. SAML in Azure - Windows in Higher Ed

  9. Lots of Options! SAML in Azure - Windows in Higher Ed

  10. Options, We’ve Got Options • Upload your Shibboleth SP VHD as an Azure VM • Could be either Linux or Windows • Host WIF web app in an Azure web site and use ADFS as a protocol translator • Use WIF and the SAMLP CTP extension • Host Shibboleth SP as an Azure cloud service SAML in Azure - Windows in Higher Ed

  11. Azure Virtual Machine • Use an MS-supplied OS image or upload your own (Linux or Windows) • If the former, upload web app remotely • If the latter, can configure locally, then upload the entire VHD • VM bits stored in triple redundant Azure blob storage • Scaling up requires manual configuration SAML in Azure - Windows in Higher Ed

  12. Azure VM Details • Windows OS licensing: monthly cost of using MS-supplied Windows image includes OS licensing fee • DNS needs to be configured in Azure; you supply a validated DNS name and Azure supplies the VIP for that name • Adding instances for scaling requires manual configuration • Ditto for monitoring SAML in Azure - Windows in Higher Ed

  13. Azure Web Sites • Write web app in Visual Studio and deploy to Azure from VS • Use WIF to “claims enable” your web app via its support for WS-Federation • WIF does not support SAMLP • Use AD FS to translate from WS-Federation to SAMLP • Azure handles scaling to add instances and configures load balancing SAML in Azure - Windows in Higher Ed

  14. Add a Cloud Web App Project SAML in Azure - Windows in Higher Ed

  15. Configure the Project SAML in Azure - Windows in Higher Ed

  16. Configure WS-Fed SAML in Azure - Windows in Higher Ed

  17. Sign-in to Azure SAML in Azure - Windows in Higher Ed

  18. Publish to Azure SAML in Azure - Windows in Higher Ed

  19. AD FS as a Protocol Translator SAML in Azure - Windows in Higher Ed

  20. Azure Web Sites Redux • MS released a CTP extension to WIF 4.0 that supported SAMLP • May be NLA and is certainly not supported by MS • One UW web application in production using this CTP • WIF 4.5 re-architected, the CTP won’t work with it (and claims-based web apps need to be re-written) SAML in Azure - Windows in Higher Ed

  21. Azure Cloud Service • Web roles and worker roles • Web role much more configurable than an Azure web site • Shibboleth SP can be automatically installed using a startup script • See my blog posts starting with http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/ SAML in Azure - Windows in Higher Ed

  22. Create a Cloud Service Project SAML in Azure - Windows in Higher Ed

  23. Add Roles to the Service SAML in Azure - Windows in Higher Ed

  24. Choose the Type of Web App SAML in Azure - Windows in Higher Ed

  25. Config and Definition Files SAML in Azure - Windows in Higher Ed

  26. Shibboleth SP Install Task SAML in Azure - Windows in Higher Ed

  27. Shib SP Files in Project SAML in Azure - Windows in Higher Ed

  28. echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1 msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt /norestart echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1 xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1 %windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\ lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0'] echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1 %windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\ lib64\shibboleth\isapi_shib.dll',preCondition='bitness64'] echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1 %windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\ lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True'] echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1 icacls c:\opt /grant "Users":(OI)(CI)(RX) echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1 icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M) echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1 net stop shibd_Default net start shibd_Default SAML in Azure - Windows in Higher Ed

  29. Publishing • Similar to publishing an Azure web app from Visual Studio • Takes longer to start due to time taken to install the Shib SP • The install script is re-run each time an instance is spun up SAML in Azure - Windows in Higher Ed

  30. Questions? SAML in Azure - Windows in Higher Ed

  31. Links • Series of 5 blog posts on hosting a Shib SP in Azure: http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/ • Test web site: https://uwshibsp.cloudapp.net/Note that it is using a self-signed cert, so be prepared for browser warnings • Azure Portal: https://manage.windowsazure.com/ • Azure Site-to-Site VPN: http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx • Azure VPN Walkthrough: http://jeffgraves.me/2012/10/26/windows-azure-vpn-walkthrough/ (from 2012) • Azure Load Balancer: http://msdn.microsoft.com/en-us/library/azure/dn655058.aspx (VMs can have multiple "endpoints") • Example of confusion between SAML token format and SAML protocol: http://stackoverflow.com/questions/11342186/windows-identity-foundation-does-not-officially-support-saml-2-0-use-wif-ctp-or SAML in Azure - Windows in Higher Ed

  32. The University of Washington is one of the world’s preeminent universities and a recognized leader in educating the next generation of leaders, thinkers and doers. A multi-campus institution comprising UW Seattle, UW Tacoma and UW Bothell, as well as a world-class academic medical center, the UW is a focal point of the Puget Sound region’s intellectual and cultural life and a key contributor to Washington’s increasingly global reputation as a center of innovation and change. A progressive and quintessentially Northwest institution with a uniquely innovative and creative culture, the UW is driven to lead by successfully integrating the full assets of the university and its rich environs to address key issues of pressing human concern that make a lasting difference in the Northwest and around the world. SAML in Azure - Windows in Higher Ed

More Related