Web-based mail system with SSO authentication through SAML supporting PAM

Makoto Otani (1, a), Hirofumi Eto (1), Yoshitsugu Matsubara (1), Shin-ichi Tadaki (1)

1 Computer and Network Center, Saga University
a) otani@cc.saga-u.ac.jp

Abstract: We, in Saga University, have been constructing a unified foundation of Web-based systems using SAML-based authentication with Shibboleth. Web-based interfaces for e-mail access, however, had never been unified into this foundation, because the e-mail system uses the IMAPS protocol. To overcome this problem and to improve the usability of the e-mail service, we introduced a PAM module compatible with SAML for IMAPS authentication, and we developed a Web-based interface for the e-mail system which users can use under Shibboleth authentication. We report the method for SAML-based authentication and its implementation.

Keywords: Single Sign-On Authentication, Shibboleth, SAML, Web Service, Mail

1. Introduction

[The Japanese body text of this section was not recovered. The surviving terms are: Web single sign-on (SSO) at Saga University based on Shibboleth and SAML, and the Opengate network authentication system.]

© 2013 Information Processing Society of Japan
Saga University's Web SSO foundation is built on Shibboleth, the SAML implementation used by the GakuNin federation [1]. An Identity Provider (IdP) authenticates the user, and each Web application is a Service Provider (SP) that receives the SAML assertion. The mail system did not fit this model: Web mail front ends reach the mail server as a Mail Retrieval Agent (MRA) over IMAPS, and an IMAPS login consists of a user ID and a password, not of a SAML assertion. The approach taken here is to let the IMAPS server accept a SAML assertion in place of the password through a SAML-compatible PAM (Pluggable Authentication Module) module, so that a Web mail SP under Shibboleth SSO can log in to IMAPS on the user's behalf.

2. Web mail system

The mail service offers SMTP-AUTH, POP3S and IMAPS to mail clients. Web mail front ends have been operated since around 2000 [2], [3], [4], first as Java Servlets and later in PHP; all of them act as an MRA that speaks IMAPS to the mail server.

Fig. 1 Authentication flow.
[Labels recovered from the figure: browser; Web mail system (SP); authentication server (IdP); start of use; authentication request; user ID, password; authentication success; assertion (encrypted), attributes etc. (user ID); decryption, zlib compression; mail request; IMAP authentication (user ID, SAML-compatible PAM module); validity verification (signature, expiry, connecting server IP); LDAP; IdP, SP; user ID, data provision; PAM authentication response, authentication success; mail data; mail server (IMAPS server); mail display.]

The IMAPS server is Dovecot [5], which authenticates through PAM against LDAP, and the PHP Web mail uses the PHP IMAP extension to log in over IMAPS with the user's ID and password. Under SAML SSO the Web mail never sees the user's password, so an IMAPS authentication method that accepts the SAML response from the IdP is required: a SAML-compatible PAM module.

3. SAML-compatible PAM module

The IMAPS server authenticates through PAM, and an LDAP password check is simply one PAM module; replacing it with a SAML-aware module lets IMAPS join the Web SSO. The module used is crudesaml [6], which provides a PAM module and a Cyrus SASL [7] plugin that accept a SAMLResponse, signed by the IdP and received by an SP such as the Web mail system, in place of a password and verify it (Fig. 1).
The crudesaml PAM module is configured with the IdP it trusts (idp), the entityID of the SP whose responses it accepts (trusted_sp), the SAML attribute that carries the user ID (userid), and the IP addresses from which a SAML credential may be presented (only_from). After the IdP signature on the SAMLResponse is verified, the user ID carried in the SAML attribute is compared with the IMAPS login name, and the IMAPS login succeeds only when the two match (see section 4).

4. Web mail system as a SAML SP

Under SAML SSO the Web mail system (SP) receives the user ID from the IdP but no password, so it presents the SAMLResponse itself as the IMAPS password; the PAM module on the mail server then verifies the response with the IdP's key. Both the IdP and the SP are normally Shibboleth, but Shibboleth SP does not hand the SAMLResponse to the application. The Web mail therefore uses the Apache module mod_mellon [8] as SP: mod_mellon exposes the SAMLResponse to the application in the environment variable MELLON_SAML_RESPONSE and the user ID in REMOTE_USER. The Web mail uses REMOTE_USER as the IMAPS login name and the SAMLResponse as the IMAPS password. The response from the IdP is BASE64-encoded and long; since crudesaml also accepts zlib-compressed input, the Web mail decodes the BASE64 response, compresses it with zlib and passes the result as the password.

5. Implementation of the SSO Web mail system

5.1 Authentication flow

The flow in Fig. 1 is:
(1) The user opens the Web mail system (SP) from a browser.
(2) The SP redirects the browser to the IdP.
(3) The IdP authenticates the user with user ID and password (Fig. 2).
(4) The IdP returns the SAML response with the (encrypted) assertion and attributes, including the user ID, to the SP.
(5) The SP (mod_mellon) verifies the response and decrypts the assertion.
(6) The Web mail takes the asserted user ID as the IMAPS login name.
(7) The Web mail connects to the IMAPS server with that login name and the zlib-compressed SAMLResponse as password; the SAML-compatible PAM module verifies the response.
(8) The PAM module checks the signature, the validity period and the connecting server's IP address, compares the asserted user ID with the login name, and returns authentication success to Dovecot.
(9) The IMAPS server delivers the mail data and the Web mail displays it (Fig. 3).

Fig. 2 IdP authentication page.

Fig. 3 Web mail system.

Fig. 4 System architecture.
[Labels recovered from the figure: authentication server (IdP: Shibboleth); Web mail system (SP: mod_mellon); mail server (IMAPS, SMTP) with SAML-compatible PAM authentication; LDAP; dedicated mail client (mail client PC) logging in with user ID and password; Web browser for reading and composing mail; SSO authentication with user ID, password; assertion (encrypted), expiry, attribute information etc.; assertion decryption, zlib compression; user ID (attribute information); mail.]

Fig. 4 shows the whole system: dedicated mail clients keep authenticating to IMAPS with user ID and LDAP password, while the Web mail authenticates the user at the IdP and presents the SAML response to IMAPS.

5.2 Implementation environment

Tables 1, 2 and 3 list the IdP, the SP and the mail server. The IdP is the university's existing Shibboleth IdP used for Web SSO. The SP is Apache with mod_mellon and xmlseclibs, on which the PHP Web mail runs. The mail server is Dovecot with the SAML-compatible PAM module crudesaml. With this, the Web mail joins the Shibboleth SSO foundation without any change to the IdP.

Table 1 IdP environment.
  Web server: Apache 2.2.14
  SAML: Shibboleth IdP 2.3.8, apache-tomcat 6.0.36

Table 2 SP environment.
  Web server: Apache 2.2.5
  SAML: mod_mellon 0.6.1, xmlseclibs 1.3.0
  Web mail: PHP 5.3.3, c-client 2007f (PHP IMAP extension)

Table 3 Mail server environment.
  IMAPS: Dovecot 2.1.5
  SAML: crudesaml 1.4
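The handoff described in sections 3 to 5, worked through in Python as an added example (it is not code from the paper, from crudesaml or from mod_mellon): the SP side turns the mod_mellon environment into an IMAPS login name and a zlib-compressed SAMLResponse "password", and a stand-in for the SAML-aware PAM module applies the checks the paper names (idp, trusted_sp, userid, only_from, the Conditions window of section 6.2 and the credential size limit of section 6.1). Host names, the 4096-byte limit, the uid attribute and the base64(zlib(XML)) wrapping are assumptions of this example; the SAMLResponse is constructed. XML-signature verification is omitted here and must be done by a real module before any other field is trusted.

```python
"""Added example for this page; not code from the paper, crudesaml or mod_mellon.
SP side: mod_mellon environment -> (IMAP login name, compressed SAMLResponse).
PAM side: validate that credential instead of a password.
Host names, sizes, the uid attribute and the base64(zlib(XML)) wrapping are
assumptions.  XML-signature verification is deliberately absent."""
import base64
import ipaddress
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_XML = 64 * 1024  # cap on inflated size so a zlib bomb cannot exhaust the PAM process

# Constructed SAMLResponse, as the SP holds it after decrypting the assertion.
# The Conditions window is the one quoted in section 6.2 of the paper.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2013-06-30T06:23:45.413Z">
  <saml:Issuer>https://idp.example.ac.jp/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-30T06:23:45.413Z">
    <saml:Issuer>https://idp.example.ac.jp/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>_t1</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-06-30T06:23:45.413Z" NotOnOrAfter="2013-06-30T10:23:45.413Z">
      <saml:AudienceRestriction><saml:Audience>https://webmail.example.ac.jp/mellon/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def mellon_env(response_xml, user):
    """Stand-in for the CGI variables Apache + mod_mellon hand to the Web mail:
    REMOTE_USER (the user-ID attribute) and MELLON_SAML_RESPONSE (base64 XML)."""
    return {"REMOTE_USER": user,
            "MELLON_SAML_RESPONSE": base64.b64encode(response_xml.encode()).decode()}

def imap_credentials(env, limit=4096):
    """SP side: REMOTE_USER is the IMAP login name; the SAMLResponse is decoded,
    zlib-compressed and re-encoded so that it fits the IMAP password length limit."""
    xml_bytes = base64.b64decode(env["MELLON_SAML_RESPONSE"])
    password = base64.b64encode(zlib.compress(xml_bytes, 9)).decode()
    if len(password) > limit:
        raise ValueError("credential is %d bytes, limit is %d" % (len(password), limit))
    return env["REMOTE_USER"], password

@dataclass(frozen=True)
class PamSamlConfig:
    idp: str          # expected assertion Issuer
    trusted_sp: str   # expected Audience: the Web mail's entityID
    userid: str       # attribute that must equal the IMAP login name
    only_from: tuple  # networks allowed to present SAML credentials (the Web mail host)
    max_len: int = 4096

CFG = PamSamlConfig("https://idp.example.ac.jp/idp/shibboleth",
                    "https://webmail.example.ac.jp/mellon/metadata", "uid", ("192.0.2.0/24",))

def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("bad SAML timestamp: %r" % (value,))

def pam_authenticate(user, password, client_ip, cfg, now):
    """PAM side.  now is a datetime or ISO-8601 string.  Returns (ok, reason)."""
    now = _ts(now) if isinstance(now, str) else now
    if len(password) > cfg.max_len:
        return False, "credential too long"
    if not any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(n) for n in cfg.only_from):
        return False, "client host not allowed to present SAML credentials"
    try:
        inflater = zlib.decompressobj()
        xml_bytes = inflater.decompress(base64.b64decode(password, validate=True), MAX_XML)
        if inflater.unconsumed_tail:
            return False, "inflated response exceeds size cap"
        root = ET.fromstring(xml_bytes)
    except (ValueError, zlib.error, ET.ParseError):
        return False, "password is not a compressed SAMLResponse"
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a SAMLResponse"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        return False, "no signed assertion"
    # A real module verifies the IdP signature over the assertion at this point.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != cfg.idp:
        return False, "assertion not issued by configured IdP"
    cond = assertion.find("saml:Conditions", NS)
    try:
        nb, na = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        return False, "assertion has no usable validity window"
    if not nb <= now < na:  # NotOnOrAfter is exclusive
        return False, "assertion outside validity window"
    if cfg.trusted_sp not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion not addressed to trusted SP"
    attr = assertion.find("saml:AttributeStatement/saml:Attribute[@Name='%s']" % cfg.userid, NS)
    if attr is None or attr.findtext("saml:AttributeValue", namespaces=NS) != user:
        return False, "asserted user does not match IMAP login name"
    return True, "ok"

if __name__ == "__main__":
    login, pw = imap_credentials(mellon_env(SAMPLE_RESPONSE, "alice"))
    print(len(pw), "byte credential:", pam_authenticate(login, pw, "192.0.2.10", CFG, "2013-06-30T08:00:00Z"))
```

The order of the checks matters on a server that also accepts ordinary passwords: the length and only_from tests run before anything is inflated or parsed, so a dedicated mail client on another host sending a normal password never reaches the XML path, and an oversized or malformed credential is rejected without work. The user-ID comparison is what ties the SAML credential to the mailbox being opened; without it a valid response for one user would open any mailbox.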
6. Discussion

6.1 Size of the SAML response

The SAMLResponse issued by the IdP to the Web mail SP is passed on to IMAPS as the password, so its size is bounded by what the IMAPS client library and server accept. With the attributes the IdP releases (for example Organization) the response is large; after zlib compression it is still about 3.4 KB. The c-client library behind the PHP IMAP extension limits the login credential to 1 KB (1024 bytes), against which the 4 KB figure in the text must be read: the credential path has to accept 4 KB for the compressed response to pass through Dovecot and c-client.

6.2 Validity period of the SAML response

The Shibboleth IdP states the validity period of the assertion in its Conditions element, and the SAML-compatible PAM module (crudesaml) rejects a response outside that window. An assertion captured from the Shibboleth IdP carried:

<saml2:Conditions NotBefore="2013-06-30T06:23:45.413Z" NotOnOrAfter="2013-06-30T10:23:45.413Z">

that is, a four-hour window. The same SAMLResponse is accepted by the PAM module for the whole of that window, so the window length set at the IdP directly determines how long the credential the Web mail presents to IMAPS remains usable.

6.3 Other services

Since the method only replaces a PAM module, other PAM-authenticated services, SSH for instance, could accept the SAML credential in the same way and be brought under the Web SSO, subject to the size limits discussed in 6.1.

7. Conclusion

Saga University has built its Web SSO foundation on Shibboleth and SAML, but the Web mail system stayed outside it because mail is accessed over IMAPS with a user ID and password. By introducing a SAML-compatible PAM module for IMAPS authentication and passing the SAMLResponse received by the Web mail SP (mod_mellon) as the IMAPS password, the Web mail system now works under Shibboleth IdP authentication without changes to the IdP, and the Web mail has been unified into the Web SSO foundation.

References
[1] GakuNin (Japanese academic access management federation), https://www.gakunin.jp/
[2] WebMailer: an IMAP4-based Web mail system, Vol. 4, pp. 35-43 (2000). [Japanese authors and venue not recovered.]
[3] A Web mail system, IPSJ SIG Technical Report 2002-DSM-26, pp. 7-12 (2002). [Japanese authors and title not recovered.]
[4] An LDAP-based system, No. 8, ISSN 1343-2915, pp. 83-88 (2004). [Japanese authors, title and venue not recovered.]
[5] DOVECOT Secure IMAP server, http://www.dovecot.org/
[6] crudesaml, http://ftp.espci.fr/pub/crudesaml/
[7] Project Cyrus, http://cyrusimap.web.cmu.edu/
[8] mod_mellon - a SAML 2.0 Apache module, https://code.google.com/p/modmellon/