Enhancing the Harvard Authentication System to Support InCommon Bronze

Harvard University's web authentication system supports multiple authentication protocols — CAS, SAML 2.0 and PIN2. To provide authentication services, we have integrated the Harvard CAS server, our Shibboleth IdP, and our homegrown PIN2 authentication protocol adapter. The core of this system is the CAS server; to support InCommon Bronze-level assertions, the integration and configuration between the Harvard IdP and the CAS server have been updated.

IdP and CAS Integration

We have configured Harvard's Shibboleth IdP using the ExternalAuthn LoginHandler, which delegates the act of authentication to Harvard’s CAS-based web authentication system. Our IdP is configured as stateless, and user sessions are exclusively maintained in the CAS server. Our external authenticator consists of an invoker and a callback servlet. The IdP's login handler forwards requests to the invoker servlet; then, the invoker servlet prepares the environment to securely send and receive authentication actions to and from the CAS server, and proceeds to redirect the user to the callback servlet. The callback servlet path is protected using a CAS client that triggers CAS authentication. After successful authentication in CAS, the callback servlet receives a CAS assertion. External authentication servlets and the CAS client are configured in the IdP's web.xml file.

Configuring the IdP LoginHandler

To support Bronze, we have configured the IdP's LoginHandler (in handler.xml) as follows:

<ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/authn/external" supportsForcedAuthentication="true" >

Implementation Details

An SP may request the assurance level associated with PasswordProtectedTransport or an unspecified authnMethod. Harvard's IdP returns the response with the same assurance requested by the SP (by setting the authnMethod servlet request attribute in the callback servlet). The SP may request InCommon Bronze assurance; our IdP returns Bronze assurance if the user meets the Bronze assurance level (see below for details on how this assurance level is determined). If the user does not meet Bronze assurance, then we guide him or her to take the necessary corrective actions to become eligible.

Our IdP returns Bronze assurance whenever an SP requests it and the user qualifies (see above). If the SP requests any assurance/authentication method other than InCommon Bronze, PasswordProtectedTransport, or unspecified (for example, InCommon Silver), we set the authnMethod servlet request attribute to PasswordProtectedTransport in the callback servlet (note that a Shibboleth SP then fails with opensaml::FatalProfileException, since the returned context is not the one it requested).

To compute the assurance level attribute in the CAS server, we consider the user's ID card processing-related attributes in IdMs, as well as the credentials used for authentication. If a user is authenticated using his or her HUID, has physically picked up an ID card (and is therefore ID-proofed), and has changed his or her password at least once in the last three years, then that user is eligible for Bronze assurance. The CAS server releases an assurance level attribute to the IdP’s external authentication callback servlet indicating if a user meets Bronze assurance. We keep the SP’s requested assurance in the IdP’s session (in the invoker servlet), taking requested assurance from the ExternalAuthn authnMethod HTTP request attribute.

If, in the callback servlet, we find that the SP requested Bronze but the assurance attribute received in the CAS assertion is not Bronze, we redirect the user to an error page that explains what to do next; for example, the user may be given information about ID proofing, or be instructed to change his or her password using our self-service application. If the SP requested Bronze and the assurance attribute received in the CAS assertion is also Bronze, we set the authnMethod servlet request attribute to Bronze, to be used by the IdP for subsequent processing of the authentication request.

If an authentication request is from a Bronze SP, the Harvard CAS server offers the user only one option for login type — HUID. If the user already has an active CAS session before accessing a Bronze SP, but that session was not created using a HUID, then the CAS server asks the user to login again using his or her HUID.
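The following is an added illustration of the decision logic described in this section, written for this page and not taken from Harvard's IdP or CAS code. It models three pieces in one runnable script: extracting the requested AuthnContextClassRef from an SP's AuthnRequest, the CAS-side Bronze eligibility check (HUID login, ID card picked up, password changed within three years), the CAS login policy for Bronze SPs, and the callback servlet's choice between setting authnMethod and redirecting to an error page. The names CasUser, bronze_gaps, cas_assurance_attribute, cas_login_policy and callback_decision, the error page path /authn/bronze-error, the "other" login type label and the sample users are all assumptions; the Bronze URI, Issuer and AssertionConsumerServiceURL come from the page's own sample request, and the RequestedAuthnContext wrapper around the class ref is the standard SAML element that the truncated sample omits.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed AuthnRequest: the page's sample values, plus the standard
# RequestedAuthnContext wrapper that the truncated sample on the page omits.
BRONZE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://test.iam.huit.harvard.edu/atestsp/Shibboleth.sso/SAML2/POST"
    ID="_621b761a851d9f0078e9d566de5e8299" IssueInstant="2014-09-30T16:20:12Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer>https://test.iam.huit.harvard.edu/atestsp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>http://id.incommon.org/assurance/bronze</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_authn_context(authn_request_xml: str) -> str:
    """Class ref the SP asks for; no RequestedAuthnContext is treated as 'unspecified'."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not (ref.text or "").strip():
        return UNSPECIFIED
    return ref.text.strip()


@dataclass
class CasUser:
    login_type: str          # credential type used at CAS; "HUID" is the Bronze-eligible one
    id_card_picked_up: bool  # has physically collected an ID card, i.e. is ID-proofed
    password_changed: date   # date of the most recent password change


def bronze_gaps(user: CasUser, today: date) -> list:
    """CAS-side eligibility check; an empty list means the user meets Bronze."""
    gaps = []
    if user.login_type != "HUID":
        gaps.append("log in with HUID")
    if not user.id_card_picked_up:
        gaps.append("complete ID proofing by picking up an ID card")
    if today - user.password_changed > timedelta(days=3 * 365):
        gaps.append("change password (last change is older than three years)")
    return gaps


def cas_assurance_attribute(user: CasUser, today: date):
    """Assurance attribute CAS releases to the IdP callback: the Bronze URI or None."""
    return BRONZE if not bronze_gaps(user, today) else None


def cas_login_policy(requested: str, active_session_login_type):
    """Bronze SPs get HUID-only login; an existing non-HUID CAS session is not reused."""
    if requested != BRONZE:
        return "reuse-session" if active_session_login_type else "login"
    if active_session_login_type == "HUID":
        return "reuse-session"
    return "login-huid-only"


def callback_decision(requested: str, cas_assurance) -> dict:
    """What the callback servlet does before handing control back to the IdP."""
    if requested == BRONZE:
        if cas_assurance == BRONZE:
            return {"authnMethod": BRONZE}
        return {"redirect": "/authn/bronze-error"}  # hypothetical error page path
    if requested in (PPT, UNSPECIFIED):
        return {"authnMethod": requested}  # echo what the SP asked for
    return {"authnMethod": PPT}  # e.g. Silver is answered with PasswordProtectedTransport


# Constructed sample data; TODAY matches the date of the messages shown on the page.
TODAY = date(2014, 9, 30)
ELIGIBLE_USER = CasUser("HUID", True, date(2012, 1, 15))
STALE_PASSWORD_USER = CasUser("HUID", True, date(2010, 5, 1))
UNPROOFED_OTHER_USER = CasUser("other", False, date(2010, 5, 1))

if __name__ == "__main__":
    requested = requested_authn_context(BRONZE_REQUEST)
    print("SP requested:", requested)
    for user in (ELIGIBLE_USER, STALE_PASSWORD_USER, UNPROOFED_OTHER_USER):
        attr = cas_assurance_attribute(user, TODAY)
        print(bronze_gaps(user, TODAY), callback_decision(requested, attr))
```

Running the script shows the eligible user mapped to authnMethod Bronze and the other two sent to the error page with the list of corrective actions that the page describes (ID proofing or a password change); the same callback_decision function, given a Silver request, produces the PasswordProtectedTransport downgrade.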

Sample Authentication Request From an SP Requiring Bronze Assurance

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://test.iam.huit.harvard.edu/atestsp/Shibboleth.sso/SAML2/POST" Destination="https://test.iam.huit.harvard.edu:8016/idp/profile/SAML2/Redirect/SSO" ID="_621b761a851d9f0078e9d566de5e8299" IssueInstant="2014-09-30T16:20:12Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.iam.huit.harvard.edu/atestsp</saml:Issuer>
   <samlp:NameIDPolicy AllowCreate="1"/>
      <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://id.incommon.org/assurance/bronze</saml:AuthnContextClassRef>

Corresponding Response From the Harvard IdP

<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9b5351852103a97e47cc6c043ef34174"
IssueInstant="2014-09-30T16:45:20.794Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://test.iam.huit.harvard.edu/idp/shibboleth</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_9b5351852103a97e47cc6c043ef34174">
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://test.iam.huit.harvard.edu/idp/shibboleth"
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="" InResponseTo="_13dbea749ecac92b91ea9047767ad00e" NotOnOrAfter="2014-09-30T16:50:20.794Z"
   <saml2:Conditions NotBefore="2014-09-30T16:45:20.794Z" NotOnOrAfter="2014-09-30T16:50:20.794Z">
   <saml2:AuthnStatement AuthnInstant="2014-09-30T16:45:19.487Z" SessionIndex="_fe268f6ca3467681d5abd659de8e2db0">
      <saml2:SubjectLocality Address=""/>
      <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxxxxxxxxxxxxxxx@harvard.edu</saml2:AttributeValue>