ARCHER Security Provider

Introduction

Some research into using Shibboleth from the desktop, and retrieving certificates from web servers, was done as part of the ARCHER project. This research did not form part of the final deliverables but is made available here as a starting point for further research.

Documentation and Source Code

Information regarding various components of the Archer Cert Provider can be found in the links below:

Demonstrations

SP Access

Purpose: Accessing an SP target using Desktop Shibboleth

1. Download the demo and extract it to some folder.
2. Go to a command line, cd to the demo folder and run runAccessSP (.bat or .sh).
3. To access an SP other than the default one (https://mersey.its.monash.edu.au/secure), change the line
   java -cp %LB% au.edu.archer.desktopshibboleth.util.SPClientTest
   in the runAccessConfig script to
   java -cp %LB% au.edu.archer.desktopshibboleth.util.SPClientTest YOUR_SP_TARGET

IDP Attributes Query

Purpose: Query Shibboleth attributes from an IDP, and debug an IDP's attribute release settings.
Note:
This is an interesting one. Most of the time you can get all attributes from the IDP regardless of the attribute release policy configured on the IDP side.

1. Download the demo and extract it to some folder, as in the previous demo.
2. Go to a command line, cd to the demo folder and run runGetAttributes (.bat or .sh).
3. Change the line
   java -cp %LB% au.edu.archer.desktopshibboleth.util.FederationTest
   to
   java -cp %LB% au.edu.archer.desktopshibboleth.util.SPClientTest YOUR_CONFIG
   where YOUR_CONFIG is a properties file that describes the IDP and the SP you want to test.

ARCHER Certificate Client

Purpose: Download a proxy certificate from the Archer Cert Provider.

1. Download the demo and extract it to some folder, as in the previous demo.
2. Go to a command line, cd to the demo folder and run runGetProxyCred (.bat or .sh).

ARCHER CA Client

Purpose: Generate an encrypted private key and obtain an X.509 certificate (not a proxy certificate) from the Archer CA. This key and certificate can then be used to generate proxy certificates for the client.

1. Download the demo and extract it to some folder, as in the previous demo.
2. Go to a command line, cd to the demo folder and run runGetCred (.bat or .sh).

ARCHER Certificate Provider - Web Interface

Purpose: Get a proxy certificate from the Archer Cert Provider through the normal Web interface.

  1. If this server is not available, download the ArcherCertProvider web application.
  2. Log in to your home IDP with a valid credential; a proxy certificate will be generated from the supplied Shibboleth credential.

ARCHER Certificate Provider - Post back interface

Purpose: Test the postback interface of the ArcherCertProvider.

  1. If this server is not available, download the ArcherCertProvider web application.
  2. Log in to your home IDP with a valid credential; a proxy credential will be posted to the PostBackTest.jsp page, which prints out the credential.

Usage notes

Desktop Shibboleth

Desktop Shibboleth is a component which allows a desktop application to use Shibboleth for single sign-on.

To simulate a Shibboleth client, you can use the SPAccessClient class:

// Point the client at the protected SP resource and let Desktop Shibboleth
// perform the single sign-on exchange on the application's behalf.
SPAccessConfig config = new SPAccessConfig("https://treach.infodiv.unimelb.edu.au/secure");
SPAccessClient app = new SPAccessClient(config);
app.accessSPService();

To get back a Shib token, you can use the IdpClient class:

// IDP end points and entity identifier, taken from the federation metadata
IdpAuthenConfig idpConfig = new IdpAuthenConfig();
idpConfig.setIdpSSO("https://openidp2.federation.org.au/shibboleth-idp/SSO");
idpConfig.setIdpAA("https://openidp2.federation.org.au:8443/shibboleth-idp/AA");
idpConfig.setIdpID("urn:mace:federation.org.au:testfed:openidp2.federation.org.au");

// A valid SP registered in the federation, on whose behalf the client authenticates
idpConfig.setSpID("urn:mace:federation.org.au:testfed:an1.its.monash.edu.au");
idpConfig.setSpSHIRE("https://an1.its.monash.edu.au/Shibboleth.sso/SAML/POST");
idpConfig.setSpTarget("https://an1.its.monash.edu.au/gridsphere");
Config.getInstance().setIdpConfig(idpConfig);

// Authenticate with the IDP; the returned SAML name identifier is the Shib token
IdpClient app = new IdpClient(idpConfig);
SAMLNameIdentifier id = app.authenWithIdp();

Note that in the above example you have to supply the details of the IDP that you wish to connect to AND the details of a valid SP. The metadata for many IDPs and SPs is published on http://www.federation.org.au

To simulate the behaviour of an SP when making attribute requests to an IDP:

import org.opensaml.*;   // OpenSAML 1.x classes used below

// 'id' is the SAMLNameIdentifier returned by authenWithIdp() in the previous example
String idpAA = "https://openidp2.federation.org.au:8443/shibboleth-idp/AA";

// Build the query subject from the name identifier the IDP issued
SAMLNameIdentifier nameId = new SAMLNameIdentifier();
nameId.setFormat(id.getFormat());
nameId.setName(id.getName());
nameId.setNameQualifier(id.getNameQualifier());
SAMLSubject subject = new SAMLSubject(nameId, null, null, null);

// The resource the attributes are being requested for
String resource = "http://wiki.test.bestgrid.org";

SAMLAttributeQuery query = new SAMLAttributeQuery(subject, resource, null);

System.out.println("\n Send a SAML Attribute Request to the IDP AA=" + idpAA + " with content:");

// Send the query to the AA over the SAML SOAP binding and collect the response
SAMLBinding binding = SAMLBindingFactory.getInstance(SAMLSOAPBinding.SOAP);
SAMLResponse samlAttributeResponse = binding.send(idpAA, new SAMLRequest(query));

System.out.println("\n Get a SAML Attribute Response \n" + samlAttributeResponse);

It is interesting to note that most IDPs in both level 1 and level 2 of the AAF do not protect their AA very well, so there is a very high chance that the above piece of code will return all of the attributes available from those IDPs. Running it against your own IDP is a quick way to confirm whether the AA actually enforces its attribute release policy.
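To turn the printed response into a concrete check, the following added helper (not part of Desktop Shibboleth) walks the SAMLResponse returned by binding.send() and reports which attributes the AA released that the IDP's release policy was not expected to allow for this SP. It assumes the OpenSAML 1.x accessors getAssertions(), getStatements(), getAttributes() and getName(); the expected-attribute set is a constructed example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;

import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLStatement;

/** Added example: compare the attributes an AA released with the names the release policy allows. */
public final class AttributeReleaseCheck {

    /** Names of every attribute carried in the response (namespace ignored, assumed OpenSAML 1.x API). */
    public static Set<String> releasedAttributeNames(SAMLResponse response) {
        Set<String> names = new TreeSet<String>();
        for (Iterator assertions = response.getAssertions(); assertions.hasNext();) {
            SAMLAssertion assertion = (SAMLAssertion) assertions.next();
            for (Iterator statements = assertion.getStatements(); statements.hasNext();) {
                SAMLStatement statement = (SAMLStatement) statements.next();
                if (!(statement instanceof SAMLAttributeStatement)) {
                    continue;                         // authentication statements etc. carry no attributes
                }
                Iterator attrs = ((SAMLAttributeStatement) statement).getAttributes();
                while (attrs.hasNext()) {
                    names.add(((SAMLAttribute) attrs.next()).getName());
                }
            }
        }
        return names;
    }

    /** Attributes the AA released although they are not on the list the policy allows for this SP. */
    public static Set<String> unexpectedAttributes(SAMLResponse response, Set<String> allowedForSp) {
        Set<String> extra = new TreeSet<String>(releasedAttributeNames(response));
        extra.removeAll(allowedForSp);
        return extra;
    }

    /** Constructed policy for the SP under test; a real check would load it from the IDP's ARP. */
    public static Set<String> exampleAllowedForSp() {
        return new HashSet<String>(Arrays.asList(
            "urn:mace:dir:attribute-def:eduPersonPrincipalName",
            "urn:mace:dir:attribute-def:eduPersonAffiliation"));
    }
}
```

Call AttributeReleaseCheck.unexpectedAttributes(samlAttributeResponse, AttributeReleaseCheck.exampleAllowedForSp()) after binding.send(); an empty set means the AA released only what the policy allows, anything else names an attribute the AA handed out beyond the policy.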

Callback interface

With the callback interface, the certificate will be automatically posted back to a predefined URL <postback_url>. The address of the callback interface is

http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp

To have the credential posted back, you need to specify the <postback_url> in the "callback" parameter, with either an HTTP GET or a POST. For example, with the GET method:

http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp?callback=<postback_url>

An example of a <postback_url> is PostBackTest.jsp itself. This page displays the content of the Archer-generated credential, so you can give it a try by typing the following into a Web browser:

http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp?callback=PostBackTest.jsp
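Because the credential is delivered to whatever <postback_url> the "callback" parameter names, a deployment will want to decide which values it accepts before posting. The following added example (not part of ArcherCertProvider) resolves the raw parameter, relative values such as PostBackTest.jsp included, against the provider's own page URL and accepts it only when it points at an approved host; the allow-list is a constructed, deployment-specific assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: approve a "callback" value before a credential is posted to it. */
public final class CallbackPolicy {

    // Constructed allow-list of hosts that may receive a posted credential;
    // a real deployment would load this from its configuration.
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<String>(Arrays.asList("mersey.its.monash.edu.au"));

    /**
     * Resolve the callback parameter against the provider page it was sent to
     * and return the URI to post to, or null when the value must be refused.
     */
    public static URI approvedCallback(URI providerPage, String callback) {
        if (callback == null || callback.trim().length() == 0) {
            return null;                              // no destination given
        }
        URI target;
        try {
            target = providerPage.resolve(new URI(callback.trim()));
        } catch (URISyntaxException e) {
            return null;                              // malformed value
        }
        String scheme = target.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return null;                              // only web schemes can receive a POST
        }
        String host = target.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;                              // credential stays on approved hosts
        }
        return target;
    }

    public static void main(String[] args) {
        URI page = URI.create("http://mersey.its.monash.edu.au/ArcherCertProvider/jsp/PostBackTest.jsp");
        // relative value, as in the page's own example: resolves on the provider host
        System.out.println(approvedCallback(page, "PostBackTest.jsp"));
        // absolute value on a host that is not on the allow-list
        System.out.println(approvedCallback(page, "http://example.org/collect"));
    }
}
```

The page's own example uses plain http; where the credential crosses a network, the check is the natural place to insist on https as well.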