Shibboleth on Rails


Turadg Aleahmad

Dec 15, 2011, 7:18:35 PM12/15/11
to edu...@googlegroups.com
I haven't seen a post here in a while, so I thought I'd share that Toyokazu recently made his Shibboleth support for Omniauth work as a drop-in connector for Omniauth 1.0:


I'm curious whether anyone else has tried it? It requires Apache and its Shibboleth module.

Also, is anyone interested in making it work with Rack without Apache? This project does that, but not with Omniauth:


Brian Hogan

Dec 15, 2011, 7:27:48 PM12/15/11
to edu...@googlegroups.com
This is good timing. We have over 20 apps at our school that currently
use CAS via RubyCas-Client and are probably moving to Shibboleth. I've
looked at these projects but have no idea where to start, and was
wondering if others had some experience with them. We're really
looking for lightweight options, and the idea of not requiring Apache
would be a big plus.

Michael McDermott

Dec 15, 2011, 8:06:49 PM12/15/11
to edu...@googlegroups.com
This does look cool, but just to be clear, Shibboleth *only* works with Apache and IIS on the client (application) end.  There are SAML implementations separate from the Shibboleth project, including a Ruby one (I've not used it, but we integrate with a vendor who does).  I haven't had the opportunity to delve into the Ruby SAML library, but the vendor we integrate with lacks several features (including federation) that make Shibboleth attractive.  Again, I don't know if it is the libraries or their custom implementation.

We've used Apache+Passenger+Authlogic and it has been fine. 

Toyokazu Akiyama

Dec 15, 2011, 10:50:43 PM12/15/11
to edu...@googlegroups.com
Hi,

I am interested in integrating the Apache-based Shibboleth SP and the
Rack-based Shibboleth SP into omniauth-shibboleth. Currently, while I do
not have enough time to investigate rack-shibboleth, I would like to
check it...

I basically think that it is not recommended to use the other SP
implementations from the viewpoint of security or functionality, as
McDermott-san pointed out. However, there may also be a request to use
lightweight applications without an Apache frontend. It may be a good
start. Someday, someone may implement the full functions of Shibboleth
in Ruby :)

--
Toyokazu AKIYAMA

2011/12/16 Turadg Aleahmad <tur...@gmail.com>:

Michael McDermott

Dec 16, 2011, 6:58:01 AM12/16/11
to edu...@googlegroups.com
Akiyama-san (please forgive me if I used that inappropriately),
You expressed the concerns of the Shibboleth team very well.  There is a Ruby SAML client-side implementation:
https://github.com/onelogin/ruby-saml

I have not had a chance to parse this library, but from discussions and talks with members of the Shibboleth development team, there are aspects of processing the SAML messages and aspects of making sure that the processing happens in a secure context that make full SAML security implementations challenging.  Obviously there is nothing preventing a robust Ruby implementation of a SAML service provider, but like any security system, it requires constant vigilance and more than an understanding of just your code.  There are people working full time on making Shibboleth robust and secure (and it is open source); is the same effort going on for the Ruby SAML effort?  As a Rubyist, I hope so.  But for the kinds of apps we're building at Brown, Apache + mod_passenger is more than robust enough to handle the load, and not that complicated to set up and maintain (there are rpms and debs for both Apache and Shib).  Passenger has been pretty easy to install.

Mike

Toyokazu Akiyama

Dec 18, 2011, 10:19:31 PM12/18/11
to edu...@googlegroups.com
McDermott-san,

> Akiyama-san (please forgive me if I used that inappropriately),

It's correct :)
-san is like a title Mr., Ms., but I think it is more friendly.
I do not know the English expression with the same meaning...;)

I agree with you that Apache + Passenger is very easy to set up,
and I also depend on them.

If there were problems using Apache + Passenger, it was the
authority to configure them. For example, while I have not tested yet,
Heroku may not provide frontend configuration.

http://www.heroku.com/

In the other case, CAS does not require a frontend, so the
migration from CAS to Shibboleth may not be easy if the
frontend is managed by another organization (hosting or
some other situation) or if re-developing authentication
in their application is difficult.

Now Rack has become a standard as the Ruby application container,
so it may be a good start for supporting Shibboleth
authentication for Ruby users. It may accelerate ruby-saml
implementation :)

I would like to add support in omniauth-shibboleth when I
have time...

--
Toyokazu AKIYAMA

2011/12/16 Michael McDermott <mi...@planetmcd.com>:

Michael McDermott

Dec 19, 2011, 7:28:19 AM12/19/11
to edu...@googlegroups.com
Akiyama-san,

On Sun, Dec 18, 2011 at 10:19 PM, Toyokazu Akiyama <aki...@cse.kyoto-su.ac.jp> wrote:
> McDermott-san,
>
> > Akiyama-san (please forgive me if I used that inappropriately),
>
> It's correct :)
> -san is like a title Mr., Ms., but I think it is more friendly.
> I do not know the English expression with the same meaning...;)

I thought I had it correct, but wanted to be sure.  I'd had a room mate from Japan for the summer and she taught me a bit about Japanese culture, but I am quite rusty.

> I agree with you that Apache + Passenger is very easy to set up,
> and I also depend on them.
>
> If there were problems using Apache + Passenger, it was the
> authority to configure them. For example, while I have not tested yet,
> Heroku may not provide frontend configuration.

I completely agree.  A Shibboleth setup is not lightweight and requires control or cooperation with system administrators.  I was positive you were aware; I was more writing for those who may be considering Shibboleth in their institution.

> http://www.heroku.com/
>
> In the other case, CAS does not require a frontend, so the
> migration from CAS to Shibboleth may not be easy if the
> frontend is managed by another organization (hosting or
> some other situation) or if re-developing authentication
> in their application is difficult.

I know the Shibboleth team has debated a pure Java implementation, but for lack of resources and perceived lack of demand, they have not pursued that avenue.  CAS is often attractive because it plugs right into a Java application.

> Now Rack has become a standard as the Ruby application container,
> so it may be a good start for supporting Shibboleth
> authentication for Ruby users. It may accelerate ruby-saml
> implementation :)

I was wondering about this myself.

> I would like to add support in omniauth-shibboleth when I
> have time...

That is always the trick!

pho3nixf1re

Dec 20, 2011, 9:15:32 AM12/20/11
to edu...@googlegroups.com
I'm curious, why would you move from CAS to Shibboleth? We run with RubyCAS for all of our applications here. We evaluated a Shib setup, but it seemed overly complex, both to implement and maintain. What advantages or security enhancements are available to Shib that aren't in a CAS setup?

Michael McDermott

Dec 20, 2011, 9:32:25 AM12/20/11
to edu...@googlegroups.com
Good questions.

I'm no CAS expert, but as I understand it, for an authentication, the flow, from the user perspective, is pretty similar.  User tries to get to resource, is redirected to the CAS AuthN server, redirected back and gets resource.  Shibboleth does this as well.  They both provide information about the user to the client app.

The differences as I understand them:
1) Shibboleth is based on a standard, so implementations are not tied to CAS servers.  There are commercial alternatives to SAML, as well as other projects that implement SAML.  The Jasig project, which manages CAS, is open source, but its interoperation is not a standard.  Whether that is important to you is an open question.  So Google has implemented SAML integration, but not CAS.  Part of the standard is a mechanism for defining attributes that are released.  Tying in with federation below, this makes integration easier to scale.

2) Shibboleth embraces the notion of federation; I do not believe this is the case with CAS.  With federation you can partner with a trusted federation (e.g. campus or higher-ed consortium for your country).  And integration can be very straightforward, since you established a trust framework and agreed to the definition of attributes that are passed from the authentication server (the Identity Provider) to the Service Provider.  If an external third party is part of a federation that we are partnered with, integration is usually very easy.  I believe CAS is always a point-to-point integration, though I could be very wrong about that, so don't take it as gospel.

If you're happy with CAS and don't anticipate integration with lots of external sites or a federation, then no need to shift.  As a point of sale with many vendors for higher ed, who often support neither, it is the federation and ease of integration which make vendors interested in SAML solutions.

Mike

Matthew Turney

Dec 20, 2011, 9:42:14 AM12/20/11
to edu...@googlegroups.com
That makes sense. Most of our use is completely in-house and fairly straightforward. We've not had to make any changes to apps either we build or implement. We do use Google Apps, so we have to have a SAML layer. For that, we use SimpleSAMLphp, which can use CAS as an authenticator. I can see where the federation is important, but we don't need it at the moment. Thanks for the info.
--
Matthew A. Turney
pho3ni...@gmail.com
251-605-0325

Brian Hogan

Dec 20, 2011, 9:46:58 AM12/20/11
to edu...@googlegroups.com
On Tue, Dec 20, 2011 at 8:15 AM, pho3nixf1re <pho3ni...@gmail.com> wrote:
> I'm curious, why would you move from CAS to Shibboleth? We run with RubyCAS for all of our applications here. We evaluated a Shib setup, but it seemed overly complex, both to implement and maintain. What advantages or security enhancements are available to Shib that aren't in a CAS setup?


We're moving because we're being forced to, not because we want to. :)

Toyokazu Akiyama

Dec 29, 2011, 2:26:52 PM12/29/11
to edu...@googlegroups.com
Hi all,

Sorry for the late reply...

I have released rack-saml middleware that uses ruby-saml as a SAML
assertion handler.

https://github.com/toyokazu/rack-saml

It can work with omniauth-shibboleth, and the SAML assertion handler can be chosen.
While it is just a prototype (without test code ;), if you are
interested in it, please try. Feedback is welcome :)
And I hope someone implements ruby-opensaml by using swig :)
I currently think that the transport binding of SAML deeply depends on
the application container, so modularizing the assertion handler
seems to be the best way to deploy it to multiple languages.

As McDermott-san said, I also think open-source projects are always the
trick or magic ;)
They sometimes charm people into making a success of the project and
sometimes just dump it into the trash. I am still not sure what is a good
approach to make it a success; I just try my best ;)
# I am not sure, but OAuth may be a candidate to replace SAML...

In the security area, it is said that there should be multiple
implementations of a security protocol, e.g. OpenSSL and GnuTLS, to
reduce the impact of a security hole. I hope there will be another
implementation of SAML.

By the way, I wish you all and your family a Happy New Year!

--
Toyokazu AKIYAMA

Toyokazu Akiyama

Jan 6, 2012, 1:41:27 AM1/6/12
to edu...@googlegroups.com
Hi all,

I just updated rack-saml to support session management and Shibboleth discovery service.
But it still does not have spec files... ;)


Best Regards,
--
Toyokazu AKIYAMA

2011/12/30 Toyokazu Akiyama <aki...@cse.kyoto-su.ac.jp>

Saimon Moore

May 23, 2013, 9:54:07 AM5/23/13
to edu...@googlegroups.com, aki...@cse.kyoto-su.ac.jp
Hi all,

I've been tasked to investigate what is involved in integrating Shibboleth and InCommon SSO with our Rails-based SaaS cloud product.

As of the last post in this thread, it seemed like the only way to go is by setting up Apache and mod_shib.

I'm wondering if anyone has any more up-to-date info on the state of Ruby/Rails integration with Shibboleth (InCommon).

The reason we're considering this is that a number of educational institutions have asked for this and we're evaluating the effort.

Regards,

Saimon

Matthew Turney

May 23, 2013, 10:01:00 AM5/23/13
to edu...@googlegroups.com, aki...@cse.kyoto-su.ac.jp
Unfortunately, this is still the case. We ended up setting up a separate server for the Shibboleth/Apache setup, since all our Ruby servers run off nginx.


Saimon Moore

May 23, 2013, 10:08:37 AM5/23/13
to edu...@googlegroups.com, aki...@cse.kyoto-su.ac.jp
Sad to hear that :(

Matthew,

Can you provide a bit more detail about your current setup?

Matthew Turney

May 23, 2013, 10:13:19 AM5/23/13
to edu...@googlegroups.com, aki...@cse.kyoto-su.ac.jp
We set up an external server dedicated to the Shibboleth SSO interface and a small Sinatra app. The Sinatra app handled the Shibboleth process and an existing SSO method we already had in place. The user only sees the Shibboleth process, and the servers negotiate the other SSO method in the background.
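The pattern described in this thread (Apache + mod_shib in front, a Rack/Sinatra app behind it) works because the SP exports its attributes into the request environment; the app's job is to read only those and never a client-supplied header. This is an added illustration, not code from omniauth-shibboleth, rack-saml or any poster; the attribute names are assumed to be the SP's common defaults (adjust to your attribute-map), and the two request environments at the bottom are constructed samples.

```ruby
# Variables the Shibboleth SP exports into the request environment when
# Apache + mod_shib fronts the app (names assumed; match your attribute-map.xml).
SHIB_SESSION_KEY = 'Shib-Session-ID'
SHIB_ATTRIBUTES  = %w[eppn affiliation displayName mail].freeze

# Rack middleware: builds env['shib.user'] only from variables the SP itself
# set. It deliberately ignores HTTP_* request headers (e.g. HTTP_EPPN), which
# originate from the client when the SP is not configured to set headers.
class ShibbolethAttributes
  def initialize(app)
    @app = app
  end

  def call(env)
    env['shib.user'] = self.class.user_from(env)
    @app.call(env)
  end

  # Returns a hash of exported attributes, or nil when the SP has no session.
  def self.user_from(env)
    session_id = env[SHIB_SESSION_KEY]
    return nil if session_id.nil? || session_id.empty?

    user = { 'session_id' => session_id }
    SHIB_ATTRIBUTES.each do |name|
      value = env[name]                 # env var set by mod_shib, never a header
      user[name] = value unless value.nil? || value.empty?
    end
    user
  end
end

# Downstream app: refuses the request unless the SP established a session.
PROTECTED_APP = lambda do |env|
  user = env['shib.user']
  if user.nil?
    [401, { 'Content-Type' => 'text/plain' }, ['Shibboleth session required']]
  else
    [200, { 'Content-Type' => 'text/plain' }, ["Hello #{user['eppn']}"]]
  end
end

APP = ShibbolethAttributes.new(PROTECTED_APP)

# Constructed request environments (illustrative, not real SP output).
SP_ENV    = { 'Shib-Session-ID' => '_abc123', 'eppn' => 'alice@example.edu' }
SPOOF_ENV = { 'HTTP_EPPN' => 'alice@example.edu' }   # header only, no SP session
```

Under Passenger the Apache environment variables arrive in the Rack env exactly as `SP_ENV` shows, which is why the check on `Shib-Session-ID` is sufficient there; behind a non-Apache frontend such as nginx those variables never appear and every request is refused, matching the thread's conclusion.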

Saimon Moore

May 23, 2013, 10:35:06 AM5/23/13
to edu...@googlegroups.com, aki...@cse.kyoto-su.ac.jp
I see, thanks...

Regards,

Saimon