How AA-RR Says “Hello, SAML”
hellosaml.rediris.es/
José Manuel Macías
Diego R. Lopez
5th TF-EMC2 Meeting. Zagreb
Index
The purpose of HelloSAML
Architecture
  Made using AA-RR
  PHP+MySQL interface
  Four different AA-RR profiles
How it works
  Registering an account
  Sending requests
  Setting up a responder
  Having a look into the logs
Current HelloSAML figures
Future plans
The Purpose of HelloSAML
The origin is a request from Bob Brandt (3M) on the OASIS SAML-developers list:
“An open test site on the Internet to which I can test various SAML exchanges”
Interoperability testing of AAI components and user applications that use SAML as a means of exchanging security assertions
Able to send, and respond to, queries for authentication, authorization or attribute exchange against established services, for testing purposes
Offering log storage of all the operations performed
HelloSAML Architecture
Architecture diagram (components): AA-RR; requester profiles; responder profile; responder; requesters; user requester; user responder; AA-RR logs; request templates
HelloSAML Profiles: Responder Profile
<?xml version="1.0"?>
<ruleset name="Hello SAML Responder">
  <state name="saml_authn_query">
    <rule name="saml_authentication_query">
      <conditions>
        <condition name="cond1" receive="SAMLAuthenticationQuery"/>
      </conditions>
      <actions>
        <action name="authnwasok" send="SAMLAuthenticationResponse">
          <field id="AuthenticationMethod" value="urn:oasis:names:tc:SAML:1.0:am:password"/>
          <field id="AuthenticationTimestamp" value="1084805892"/>
          <field id="AuthenticationHost" value="130.206.1.5"/>
        </action>
        <action name="authnwasok" next="gave_hello_saml"/>
      </actions>
    </rule>
    <rule name="not_saml_authentication_query">
      <conditions>
        <condition name="cond2" default="any"/>
      </conditions>
      <actions>
        <action name="notattr" next="try_attr"/>
      </actions>
    </rule>
  </state>
  {...}
</ruleset>
HelloSAML Profiles: Authentication Requester Profile
<?xml version="1.0"?>
<ruleset name="SAML-AuthN-Query-Simple-Ruleset">
<state name="init">
<rule name="AuthNReq">
<actions>
<action name="authnReqSend" send="SAMLAuthenticationQuery" src="conf/sauthntmpl.xml"/>
<!-- send more fields -->
<action name="goOtherState" next="endedOK"/>
</actions>
</rule>
</state>
<state name="endedOK">
<rule name="endok">
<conditions>
<condition name="receiveAuthNResp" receive="SAMLResponse"/>
</conditions>
<actions>
<action name="fp" exit="pass"/>
</actions>
</rule>
</state>
<state name="endedNotOK">
<rule name="failed">
<conditions>
<condition name="didnotReceiveAuthNResp" default="any"/>
</conditions>
<actions>
<action name="failed" exit="fail"/>
</actions>
</rule>
</state>
</ruleset>
<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2005-09-07T21:02:50.685Z" MajorVersion="1" MinorVersion="1" RequestID="cf57854ef20e7ae1f19497e7883c3960">
  <AuthenticationQuery AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
      <NameIdentifier NameQualifier="rediris.es">Hello SAML</NameIdentifier>
    </Subject>
  </AuthenticationQuery>
</Request>
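To show how the responder and requester profiles above are meant to drive an exchange, here is an added example (not AA-RR or HelloSAML code) that interprets the ruleset format in Python; the execution semantics (rules tried in document order, all conditions must hold, actions run in order) are my reading of the profiles on the slides, not documented AA-RR behaviour.

```python
import xml.etree.ElementTree as ET

# Responder profile from the slides, trimmed to its first state (constructed input).
RESPONDER_RULESET = """<ruleset name="Hello SAML Responder">
  <state name="saml_authn_query">
    <rule name="saml_authentication_query">
      <conditions><condition name="cond1" receive="SAMLAuthenticationQuery"/></conditions>
      <actions>
        <action name="authnwasok" send="SAMLAuthenticationResponse">
          <field id="AuthenticationMethod" value="urn:oasis:names:tc:SAML:1.0:am:password"/>
          <field id="AuthenticationHost" value="130.206.1.5"/>
        </action>
        <action name="authnwasok" next="gave_hello_saml"/>
      </actions>
    </rule>
    <rule name="not_saml_authentication_query">
      <conditions><condition name="cond2" default="any"/></conditions>
      <actions><action name="notattr" next="try_attr"/></actions>
    </rule>
  </state>
</ruleset>"""

def step(ruleset_xml, state_name, received):
    """Evaluate one state against one inbound message type (assumed semantics:
    rules are tried in document order; a rule fires when every condition holds,
    where receive="X" matches the inbound type, default="any" always matches and
    a rule without conditions fires unconditionally; actions then run in order).
    Returns (messages_sent, next_state, exit_verdict)."""
    root = ET.fromstring(ruleset_xml)
    state = root.find(f"state[@name='{state_name}']")
    if state is None:
        raise KeyError(f"unknown state {state_name!r}")
    for rule in state.findall("rule"):
        conds = rule.findall("conditions/condition")
        if not all(c.get("default") == "any" or c.get("receive") == received for c in conds):
            continue
        sent, next_state, verdict = [], None, None
        for act in rule.findall("actions/action"):
            if act.get("send"):  # fixed fields the stub responder puts in its answer
                fields = {f.get("id"): f.get("value") for f in act.findall("field")}
                sent.append((act.get("send"), fields))
            if act.get("next"):
                next_state = act.get("next")
            if act.get("exit"):
                verdict = act.get("exit")
        return sent, next_state, verdict
    return [], None, None  # no rule matched: stay in the state, send nothing
```

The same `step` function walks the requester profile, whose `init` rule has no conditions and therefore fires as soon as the state is entered.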
HelloSAML Interface: Creating an Account
HelloSAML Interface: Responder Control
HelloSAML Interface: Requester Configuration
HelloSAML Interface: Accessing Logs
HelloSAML Figures
40 registered users:
  9 users from educational organisations (universities, NRENs, ...)
  8 from public research organisations (not educational)
  16 from private companies
  7 other / no information provided
Chart: distribution of users by provenance (Education, Research (public), Private companies, Other)
Future Plans
Adding support for different versions of SAML
Enhancing the possibilities for configuring both the requests and the responder
Improving log handling and enriching the information provided
Creating special profiles to make HelloSAML work as an eduGAIN component validator
Please fill in the gaps with your wishes and ideas.