[Tf-aai] Practical improvement to be made to SAML metadata processing/monitoring for SPF, increasing robustness
Sander Maijers
sander at clarin.eu
Tue Oct 20 14:18:45 CEST 2015
Hi all,
What do you think of automatic fetching of SAML metadata from the SAML
metadata generator endpoint of production SPs (e.g.
https://ekrksso.keeleressursid.ee/simplesaml/module.php/saml/sp/metadata.php/ekrk-sp
or https://clarin.oeaw.ac.at/Shibboleth.sso/Metadata), and automatically
importing each SP's EntityDescriptor into the SAML metadata batch about SPF
SPs in our SVN?
Practical context: there recently was a case where the Estonian SP had not
updated the technical contact in the SVN, so all messages about issues
reached a past employee instead of the current. It took some time for them
to alert me of this. This has again confirmed to me that I should pick up
an earlier idea to make sure that SAML metadata at the SP side and in the
SVN is always consistent.
Advantages:
1. This would improve robustness: SPs must be configured at least as
well as their are in the SVN now as the metadata about their SP as
registered with identity federations will be directly derived from their
own ‘feed’.
2. Some procedures, e.g. key rollover as recently done by UFAL, will be
more automated and again with less chance of errors. Shorter turnaround
time. They would just need to manage the public keys at the SP side.
3. It would encourage SP operators to configure their SP better: to use
the SAML metadata template. It would make it more attractive to SPs to
properly specify the UI texts, logo's etc. as it will no longer require
them to get and use a CLARIN developer account and Subversion.
4. Less risks when compared manually copy-pasting the SAML metadata to
the batch in the SVN: e.g. w.r.t. well-formedness errors.
Of course, though the proposal is straightforward and does not cost a lot
of time to realize, it cannot be implemented for each SP at once. We can
limit this to SPs that meet all of these conditions:
1. Have a working SP status page as recorded in the Centre Registry
(e.g. https://lindat.mff.cuni.cz/secure/shib_test.pl). This makes sure
we can monitor whether an SP is e.g. down for maintenance to control
warnings coming from the automated job tries to fetch its SAML metadata
feed.
2. Have a consistent SAML metadata generator endpoint output, the same
in content as the EntityDescriptor currently recorded in the SVN, for some
definition of ‘the same’. This is a manual, one-time ‘pre-flight’ check. We
would also need to communicate this with SP operators. It would be very
helpful in this regard is the AAI taskforce would put out an easy and
convincing position document describing this change of workflow.
As a sidenote, signing the generated metadata by each SP itself will not be
practical in this alternative workflow (unless your configure the endpoint
to be shielded with some access control rules) as one is theoretically able
to overload/DoS the SP if it has the sign the metadata on the fly at each
HTTP request. But this is not a blocking problem, as:
1. Current EntityDescriptors in the SPF batches (and originally in the
SVN) are not signed themselves, because this does not work well if we sign
the whole batch (PyFF bugs) and prevents us from altering the SAML metadata
in the SVN (sometimes quick fixes are helpful). Anyone who compromises an
SVN account can also compromise the SPF metadata, which means we have
limited protect already. Therefore not at all letting SPs sign the SAML
metadata about it is the way to go, for now.
2. SAML metadata would be fetched over https URLs only, so manipulation
would not be trivial. Additional security can be realized with standard
solutions using DNSSEC and public key pinning
<https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning> if
this is desired.
3. There is no technical reason why Shibboleth SP could not be improved
to do the signing only *once *per mutation of its metadata. They seem to
be aware of the issue. Not sure if this is an issue at all with
SimpleSAMLphp.
I would like to hear back from you if you have any thoughts or objections,
whether we can explicitly decide for or against the change and also
how/when/by whom the document or /spf page describing such a changed
workflow would be writtern.
Best,
Sander
--
*Sent as system administrator and engineer for CLARIN*
*Centre Registry & Service Provider Federation* @ {centres,infra}.clarin.eu;
*software engineering tools* @ {svn,trac}.clarin.eu;
*identity and access management* @ {user,idp}.clarin.eu
*usage statistics and service monitoring* @ stats.clarin.eu
Max Planck Institute for Psycholinguistics <https://tla.mpi.nl/>, software
developer
personal Skype: sander.maijers | work address: Wundtlaan 1, 6525 XD,
Nijmegen (NL)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clarin.eu/cgi-bin/mailman/private/tf-aai/attachments/20151020/30bd8777/attachment.htm>
More information about the Tf-aai
mailing list