Date posted: 21-Dec-2015
Hosting a SAML-protected Web Site in Microsoft Azure
Eric Kool-Brown, Software Engineer
University of Washington IT
SAML in Azure - Windows in Higher Ed
2
A SAML Protected Web Site
SAML: what is it?
Security Assertion Markup Language and much more
• A token format (using this language)
• A set of authentication protocols
• A set of bindings for the transfer of the protocol elements
• A set of OASIS specifications ratified in 2005
Some Terminology
• SAMLP – used to differentiate the protocol from the token format
• Service Provider – a protected web site, a.k.a. Relying Party
• IdP – identity provider, a.k.a. security token service
• Shibboleth – the community-developed reference implementation of SAML
Hosting a Shibboleth-Protected Web Site Locally
[Diagram: the User on the Public Internet reaches the Web App in the Campus Datacenter; the Web App, Shib IdP, Credential Datastore and Databases all sit inside the Campus Datacenter]
Hosting a Shibboleth-Protected Web Site In Azure
[Diagram: the User on the Public Internet reaches the Web App, now hosted in Azure; the Shib IdP, Credential Datastore and Databases remain in the Campus Datacenter]
Azure Networking
[Diagram: Campus Servers behind a Hardware VPN Gateway in the Campus Datacenter; an Azure VPN Gateway in front of an Azure Virtual Network holding the Azure VMs; a Site-to-Site Protected Data Connection between the two gateways; the Azure DNS/Load Balancer on the Route to the Public Internet; a Campus Subnet List defining which campus address ranges are routed over the VPN]
Lots of Options!
Options, We’ve Got Options
• Upload your Shibboleth SP VHD as an Azure VM
  – Could be either Linux or Windows
• Host WIF web app in an Azure web site and use ADFS as a protocol translator
• Use WIF and the SAMLP CTP extension
• Host Shibboleth SP as an Azure cloud service
Azure Virtual Machine
• Use an MS-supplied OS image or upload your own (Linux or Windows)
  – If the former, upload web app remotely
  – If the latter, can configure locally, then upload the entire VHD
• VM bits stored in triple redundant Azure blob storage
• Scaling up requires manual configuration
Azure VM Details
• Windows OS licensing: monthly cost of using MS-supplied Windows image includes OS licensing fee
• DNS needs to be configured in Azure; you supply a validated DNS name and Azure supplies the VIP for that name
• Adding instances for scaling requires manual configuration
• Ditto for monitoring
Azure Web Sites
• Write web app in Visual Studio and deploy to Azure from VS
• Use WIF to “claims enable” your web app via its support for WS-Federation
  – WIF does not support SAMLP
• Use AD FS to translate from WS-Federation to SAMLP
• Azure handles scaling to add instances and configures load balancing
Add a Cloud Web App Project
Configure the Project
Configure WS-Fed
Sign-in to Azure
Publish to Azure
AD FS as a Protocol Translator
Azure Web Sites Redux
• MS released a CTP extension to WIF 4.0 that supported SAMLP
• May be NLA and is certainly not supported by MS
• One UW web application in production using this CTP
• WIF 4.5 re-architected, the CTP won’t work with it (and claims-based web apps need to be re-written)
Azure Cloud Service
• Web roles and worker roles
• Web role much more configurable than an Azure web site
• Shibboleth SP can be automatically installed using a startup script
• See my blog posts starting with http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/
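As an added illustration (not from the original talk or the author's project), the ServiceDefinition.csdef fragment below shows how a web role runs the Shibboleth SP install script as a startup task. The role, endpoint, certificate and script file names are assumptions; the schema elements are the standard Azure Cloud Service definition elements.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Service, role, endpoint, certificate and script names here are assumed, not the project's own. -->
<ServiceDefinition name="ShibSpCloudService"
                   xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="ShibWebRole" vmsize="Small">
    <Sites>
      <Site name="Web">
        <Bindings>
          <!-- Only an HTTPS binding: SAML assertions must never travel over plain HTTP. -->
          <Binding name="HttpsBinding" endpointName="HttpsIn" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="SslCert" />
    </Endpoints>
    <Certificates>
      <!-- The SSL cert is uploaded to the cloud service separately and referenced by name. -->
      <Certificate name="SslCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
    <Startup>
      <!-- executionContext="elevated": the script runs msiexec, appcmd and icacls, which need admin.
           taskType="simple": the role does not come online until the task exits, so a failed
           install keeps the instance out of the load balancer instead of serving an unprotected site.
           The task runs on every instance start, so the script must be safe to re-run. -->
      <Task commandLine="Shibboleth-SP\install-shib.cmd" executionContext="elevated" taskType="simple" />
    </Startup>
  </WebRole>
</ServiceDefinition>
```

Because the task blocks startup, check its exit code and the log files the script writes under %temp% when an instance stays in the "busy" state longer than expected.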
Create a Cloud Service Project
Add Roles to the Service
Choose the Type of Web App
Config and Definition Files
Shibboleth SP Install Task
Shib SP Files in Project
echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1
msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt /norestart
echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth
echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0']
echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',preCondition='bitness64']
echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True']
echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1
icacls c:\opt /grant "Users":(OI)(CI)(RX)
echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1
icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M)
echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1
net stop shibd_Default
net start shibd_Default
Publishing
• Similar to publishing an Azure web app from Visual Studio
• Takes longer to start due to time taken to install the Shib SP
• The install script is re-run each time an instance is spun up
Questions?
Links
• Series of 5 blog posts on hosting a Shib SP in Azure: http://blogs.uw.edu/kool/2013/06/20/hosting-a-shibboleth-sp-web-site-in-azure-part-1/
• Test web site: https://uwshibsp.cloudapp.net/ (note that it is using a self-signed cert, so be prepared for browser warnings)
• Azure Portal: https://manage.windowsazure.com/
• Azure Site-to-Site VPN: http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx
• Azure VPN Walkthrough: http://jeffgraves.me/2012/10/26/windows-azure-vpn-walkthrough/ (from 2012)
• Azure Load Balancer: http://msdn.microsoft.com/en-us/library/azure/dn655058.aspx (VMs can have multiple "endpoints")
• Example of confusion between SAML token format and SAML protocol: http://stackoverflow.com/questions/11342186/windows-identity-foundation-does-not-officially-support-saml-2-0-use-wif-ctp-or