SAML, SSO for skilled people
Clément OUDOT, RMLL 2013
Table of contents
● Single Sign On
● SAML Protocol
Résumé
Clément OUDOT
● Engineer since 2003 at LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of LDAP Tool Box project: http://ltb-project.org
● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
Single Sign On
07/02/13 http://lemonldap-ng.org
Definition
● Single Sign On authentication allows users to submit their credentials only once, and then to access all trusted applications
● Applications do not manage passwords anymore
● The identity of the user is forwarded to applications by the SSO software
SSO for the newbies
[Diagram: User, Web Application and WebSSO Portal, with the exchanges numbered 1 to 3]
Access control
● Single Sign On often provides access control: when you know WHO, you can decide WHAT he is allowed to do
● Access control is based on authorizations; authorizations are based on user information (mail, role, ...) or environment (IP, date, ...)
● Related standards: RBAC, OrBAC, XACML, ...
Identity federation
● Having a unique identity can be a problem for privacy
● Identity federation lets a user own several identities and provides him a way to federate them to obtain Single Sign On
● Identity federation is user centric
● A Circle of Trust (CoT) is built between Identity Providers (IdP) and Service Providers (SP)
● Identity federation offers more than SSO:
– Single Logout (SLO)
– Attribute sharing
– Interconnection between Circles of Trust (InterCoT)
Circle of Trust
[Diagram: Identity Provider, Service Providers and Attribute Authority inside a Circle of Trust; arrows mark user interactions and remote calls]
SAML protocol
SAML: Security Assertion Markup Language
SAML & Co
[Diagram of the SAML family: SAML 1.0, WS-*, ID-FF 1.2, ID-WSF 1.2, Shibboleth 1, SAML 2.0, ID-WSF 2.0]
A standard
● SAML is an OASIS standard, described in:
– saml-core-2.0-os: 86 pages
– saml-authn-context-2.0-os: 70 pages
– saml-bindings-2.0-os: 46 pages
– saml-conformance-2.0-os: 19 pages
– saml-metadata-2.0-os: 43 pages
– saml-profiles-2.0-os: 66 pages
It seems so simple!
● A simple SAML exchange:
– A user accesses an SP
– He is redirected to the IdP with a SAML Authn Request
– He logs in at the IdP
– He is redirected to the SP with a SAML Authn Response
– He is authenticated to the SP
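The five steps above, carried through as an added example (this is not code from the slides or from LemonLDAP::NG): the SP builds the AuthnRequest of step 2, a constructed IdP Response stands in for step 4, and step 5 is the list of checks the SP must make before it trusts the assertion (Destination, InResponseTo, status, Issuer, validity window, Audience, bearer SubjectConfirmationData). All provider URLs are placeholders, and XML signature verification is deliberately left out, so this function alone is not a complete acceptance check.

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed provider identifiers for this example (placeholders, not real deployments).
SP_ENTITY_ID = "https://sp.example.org/saml/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/saml/metadata"
IDP_SSO_URL = "https://idp.example.org/saml/sso"


def new_request_id():
    # xs:ID values must not start with a digit, hence the leading underscore.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Step 2: the SP's AuthnRequest, carried by the user's redirect to the IdP."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def build_response(request_id, name_id, not_before, not_on_or_after,
                   audience=SP_ENTITY_ID, recipient=SP_ACS_URL):
    """Step 4: a constructed IdP Response with one bearer assertion (unsigned, see validate_response)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{new_request_id()}" '
        f'Version="2.0" IssueInstant="{not_before}" Destination="{recipient}" '
        f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="{new_request_id()}" Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}" InResponseTo="{request_id}" '
        f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AuthnStatement AuthnInstant="{not_before}"><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        '</saml:Assertion></samlp:Response>'
    )


def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, expected_request_id, now_iso):
    """Step 5: SP-side checks before the assertion is trusted. Returns (ok, reason, name_id).

    A real SP verifies the XML signature over the Response and/or Assertion with the IdP
    certificate from metadata BEFORE any of these checks; that step is out of scope here.
    """
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response", None
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS", None
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match a request we issued", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion (encrypted assertions not handled here)", None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected assertion Issuer", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "assertion has no validity window", None
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP", None
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        return False, "SubjectConfirmationData mismatch", None
    if scd.get("NotOnOrAfter") is None or _ts(scd.get("NotOnOrAfter")) <= now:
        return False, "bearer confirmation expired", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", name_id
```

The SP must remember the ID of every AuthnRequest it issued (in the user's session) and hand it to validate_response as expected_request_id; a Response whose InResponseTo is unknown, or that arrives a second time for the same ID, is rejected rather than treated as a fresh login.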
SAML Bindings
● Define how SAML messages can be exchanged between providers:
– SAML SOAP
– Reverse SOAP (PAOS)
– HTTP Redirect
– HTTP POST
– HTTP Artifact
– SAML URI
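The HTTP Redirect binding is the one a practitioner meets first, because it is how the AuthnRequest of the exchange above travels in a URL. As an added example (not code from the slides or from LemonLDAP::NG), the encoding the binding prescribes, raw DEFLATE then base64 then URL-encoding, and the receiving side with the one check it needs: a bound on how large the inflated message may be, since a few hundred compressed bytes can inflate to megabytes. The sample AuthnRequest and its URLs are constructed placeholders.

```python
import base64
import urllib.parse
import zlib

# Constructed AuthnRequest used as sample input (all identifiers are placeholders).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0123456789abcdef" Version="2.0" '
    'IssueInstant="2013-07-02T12:00:00Z" Destination="https://idp.example.org/saml/sso">'
    '<saml:Issuer>https://sp.example.org/saml/metadata</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect(saml_message, relay_state=None, param="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header) -> base64 -> URL-encoded
    query string. Use param="SAMLResponse" for a LogoutResponse returned the same way."""
    comp = zlib.compressobj(level=9, wbits=-15)   # negative wbits: raw deflate, no header
    deflated = comp.compress(saml_message.encode("utf-8")) + comp.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query, param="SAMLRequest", max_inflated=64 * 1024):
    """Receiver side. Inflates with an upper bound: never hand untrusted input to an
    unbounded zlib.decompress(), or a tiny request can exhaust the server's memory."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params[param][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(raw, max_inflated)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError(f"{param} inflates beyond {max_inflated} bytes; rejected")
    relay_state = params.get("RelayState", [None])[0]
    return xml.decode("utf-8"), relay_state
```

With this binding the message itself cannot carry an enveloped XML signature intact, which is why the SAML 2.0 bindings specification puts the signature into separate SigAlg and Signature query parameters computed over the encoded SAMLRequest and RelayState; the receiver verifies those before decoding, so a modified RelayState or message is refused up front.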
SAML Profiles
● Define what operations can be done with SAML:
● SSO Profile:
– Web Browser SSO
– Enhanced Client or Proxy (ECP)
– Identity Provider Discovery
– Single Logout
– Name Identifier Management
● Artifact Resolution Profile
● Assertion Query/Request Profile
● Name Identifier Mapping Profile
● SAML Attributes Profile
SAML Authn contexts
● 25 possible authentication contexts. Most used are:
– Kerberos
– Password
– PasswordProtectedTransport
– SSL/TLS Certificate-Based Client Authentication
SAML NameID Formats
● 8 different NameID formats:
– Unspecified
– Email Address
– X.509 Subject Name
– Windows Domain Qualified Name
– Kerberos Principal Name
– Entity Identifier
– Persistent Identifier
– Transient Identifier
SAML Metadata
● Metadata are XML documents defining all the information about a provider:
– Provider type (profiles)
– URL/SOAP endpoints
– Supported bindings
– Supported NameID formats
– Public keys or certificates
● Metadata are exchanged between providers to create a circle of trust
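What an IdP actually keeps from a partner's metadata when it admits an SP to the circle of trust, as an added example (not code from the slides or from LemonLDAP::NG): the entityID, the signing certificate, the supported NameID formats and the endpoints per binding, plus the two checks that make the metadata usable, an unexpired validUntil and the presence of a key to verify the partner's signatures. The SP metadata document is constructed for the example and its certificate is a placeholder string, not a real key.

```python
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata (placeholder entityID, URLs and certificate body).
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/saml/metadata" validUntil="2014-07-02T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SP-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://sp.example.org/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://sp.example.org/saml/acs"/>
    <md:AssertionConsumerService index="1" Binding="{HTTP_ARTIFACT}"
        Location="https://sp.example.org/saml/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_sp_metadata(xml_text):
    """Extract what an IdP records about a partner SP joining its circle of trust."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this entity is not a Service Provider")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            certs += [c.text.strip() for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": certs,
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        # Keep (binding, location) pairs: several endpoints may share one binding.
        "acs": [(a.get("Binding"), a.get("Location")) for a in sp.findall("md:AssertionConsumerService", NS)],
        "slo": [(s.get("Binding"), s.get("Location")) for s in sp.findall("md:SingleLogoutService", NS)],
    }


def metadata_usable(meta, now_iso):
    """Refuse metadata that has expired or carries no key to verify the partner's signatures."""
    if not meta["signing_certs"]:
        return False, "no signing certificate: cannot verify this SP's requests"
    if meta["valid_until"] is not None and _ts(now_iso) >= _ts(meta["valid_until"]):
        return False, "metadata expired: ask the partner for a fresh copy"
    return True, "ok"


def acs_allowed(meta, binding, url):
    """IdP-side check: an AuthnRequest may only name an ACS URL registered in metadata for
    that binding; any other destination is refused so the assertion is never posted there."""
    return (binding, url) in meta["acs"]
```

The same parser applies to IdP metadata by reading md:IDPSSODescriptor and its md:SingleSignOnService endpoints instead; in both directions the signing certificate pulled from metadata is the only key a provider should ever use to verify the other side's messages, which is why metadata is exchanged out of band or over a trusted channel rather than fetched blindly from a URL in a request.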
SAML RPG
I need volunteers!
Almost the end...
Thanks
● Special thanks to:
– RMLL/LSM and their organizers
– Company LINAGORA
– All LinID developers
● Keep in touch:
– Identica: @coudot
– Twitter: @clementoudot @LinID_FOSS
– IRC: KPTN #LinID@freenode
– Web: http://linid.org
Questions?
Thanks for your attention
http://www.linid.org
Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel: 0810 251 251, Fax: +33 1 46 96 63 64
www.linagora.com